Dropbox in healthcare: A love-hate thing
Torie Jones, former chief privacy officer at University of Pennsylvania Health System, had an ironclad rule in place for her staff: "No PHI in the cloud until you have a BAA in place."
For most cloud vendors accustomed to the specific demands of working in healthcare, getting that business associate agreement in place is not much of a problem.
But when it comes to the popular file hosting service Dropbox, that all-important contract has not been forthcoming.
Stephanie Musso, RN, privacy officer at Stony Brook University Hospital on Long Island, described the "emails we got from our researchers: 'You told us we can't use Dropbox, now we can! HIPAA says we can! We just have to have that business associate agreement signed, right?'
"My answer to that is, 'Yes, and here it is. Get them to sign it,'" said Musso. "And they would come back to me very disappointed because Dropbox was certainly unwilling to sign a BAA."
That's not to say, necessarily, that the company would never sign one under any circumstances, just that it has shown little inclination to do so thus far. Dropbox officials did not respond to a request for an interview.
But while the cloud service is popular among many in the healthcare trenches for the ease with which it lets them swap files, it is not HIPAA-compliant: without a signed BAA, a covered entity has no lawful basis under HIPAA for handing PHI to it.
That's a lesson that was learned by one system administrator, who posted a thread on Reddit with a question:
"The psychology clinic I support videotapes some of their sessions. At first the videos stayed completely in house. Never left our servers. Went into long term storage on encrypted drives locked in a safe somewhere.
"Recently I found out that one of the clinics that they do work with utilizes dropbox for sharing videos. The clinic is halfway across the country and it is research related somehow. My question is, does using dropbox in this manner constitute a HIPPA (sic) violation?"
The answer from another user came back almost immediately: "HIPAA, and it's a no no."
Indeed, Dropbox itself makes that point clear on its website: "Dropbox does not currently have HIPAA, FERPA, SAS 70/SSAE 16, ISO 9001, ISO 27001, or PCI certifications. We'll update this page with any new certifications as we receive them."
As Boston-based security consultant Josh Ablett explained in a blog post this past month, even though Dropbox is "The most popular and arguably the most well-developed of the cloud storage providers … usually the first provider people think of when they think 'cloud storage,'" it falls short when it comes to handling protected health information.
"HIPAA would require that all aspects of a PHI file – even the name, which can potentially hold identifying information – be encrypted and private," he writes. "Dropbox keeps metadata which includes the file name, which is not secure. It also lacks the audit controls that HIPAA demands."
Still, it remains very popular with many who are unaware of (or unconcerned with) those risks. And so far the service has been unwilling to subject itself to the scrutiny and accountability of a business associate agreement.
"We had researchers who were in two different countries and wanted to collaborate on their research project using Dropbox, and they were told, 'Here's the BAA, send it out to Dropbox and see if they'll sign it,'" said Musso. The answer came back, 'Absolutely not.'
"I don't want to beat up on Dropbox, but you mention it to most privacy and security people in healthcare and there is usually some eye-rolling and gnashing of teeth," said Jones. "We do not like Dropbox. They have never indicated that they are willing to sign a business associate agreement, ever. But providers and research associates LOVE it. So we monitor that very closely."
[See also: New HIPAA rule could change BAA talks]