Dropbox in healthcare: A love-hate thing
November 19, 2013 in Medical Technology
Torie Jones, former chief privacy officer at University of Pennsylvania Health System, had an ironclad rule in place for her staff: “No PHI in the cloud until you have a BAA in place.”
For most cloud-based vendors accustomed to the specific demands of working in healthcare, getting that business associate agreement in place wouldn’t be much of a problem.
But when it comes to using the popular file hosting service Dropbox, that all-important contract isn’t readily forthcoming.
Stephanie Musso, RN, privacy officer at Stony Brook University Hospital on Long Island, described the “emails we got from our researchers: ‘You told us we can’t use Dropbox, now we can! HIPAA says we can! We just have to have that business associate agreement signed, right?’
“My answer to that is, ‘Yes, and here it is. Get them to sign it.’” said Musso. “And they would come back to me very disappointed because Dropbox was certainly unwilling to sign a BAA.”
That’s not to say, necessarily, that the company would never sign one under any circumstances – just that it has shown little inclination to do so thus far. Dropbox officials did not respond to a request for an interview.
But while the cloud service is popular among many in the healthcare trenches for the ease with which it enables the swapping of files, it is not HIPAA-compliant.
That’s a lesson that was learned by one system administrator, who posted a thread on Reddit with a question:
“The psychology clinic I support videotapes some of their sessions. At first the videos stayed completely in house. Never left our servers. Went into long term storage on encrypted drives locked in a safe somewhere.
“Recently I found out that one of the clinics that they do work with utilizes Dropbox for sharing videos. The clinic is halfway across the country and it is research related somehow. My question is, does using Dropbox in this manner constitute a HIPAA violation?”
The answer from another user came back almost immediately: “HIPAA, and it’s a no-no.”
Indeed, Dropbox itself makes that point clear on its website: “Dropbox does not currently have HIPAA, FERPA, SAS 70/SSAE 16, ISO 9001, ISO 27001, or PCI certifications. We’ll update this page with any new certifications as we receive them.”