
Torie Jones, former chief privacy officer at University of Pennsylvania Health System, had an ironclad rule in place for her staff: "No PHI in the cloud until you have a BAA in place."

For most cloud-based vendors, those who are used to the specific demands of working in healthcare, getting that business associate agreement in place wouldn't be much of a problem.

But when it comes to using the popular file hosting service Dropbox, that all-important contract isn't something that's readily forthcoming.

Stephanie Musso, RN, privacy officer at Stony Brook University Hospital, on Long Island, said she's gotten "emails we got from our researchers: 'You told us we can't use Dropbox, now we can! HIPAA says we can! We just have to have that business associate agreement signed, right?'

"My answer to that is, 'Yes, and here it is.'

"And they would come back to me very disappointed because Dropbox was certainly unwilling to sign a BAA."

That's not to say, necessarily, that the company would never sign one under any circumstances – just that they've shown little inclination to so far. Dropbox officials did not respond to a request for an interview.

But while the cloud service is popular among many in the healthcare trenches for the ease with which it enables the swapping of files, it is not HIPAA-compliant. That's a lesson that was learned by one system administrator, who posted a thread on Reddit with a question:

"The psychology clinic I support videotapes some of their sessions. At first the videos stayed completely in house. Went into long term storage on encrypted drives locked in a safe somewhere.

"Recently I found out that one of the clinics that they do work with utilizes dropbox for sharing videos. The clinic is halfway across the country and it is research related somehow. My question is, does using dropbox in this manner constitute a HIPPA (sic) violation?"

The answer from another user came back almost immediately: "HIPAA, and it's a no no."

Indeed, Dropbox itself makes that point clear on its website: "Dropbox does not currently have HIPAA, FERPA, SAS 70/SSAE 16, ISO 9001, ISO 27001, or PCI certifications. We'll update this page with any new certifications as we receive them."

As Boston-based security consultant Josh Ablett explained in a blog post this past month, even though Dropbox is "The most popular and arguably the most well-developed of the cloud storage providers … usually the first provider people think when they think 'cloud storage,'" it falls short when it comes to handling personal health information.

"HIPAA would require that all aspects of a PHI file – even the name, which can potentially hold identifying information – be encrypted and private," he writes. "Dropbox keeps metadata which includes the file name, which is not secure. It also lacks the audit controls that HIPAA demands."
