Is Dropbox HIPAA Compliant for Medical Imaging?
If you’ve ever thought of sharing medical images or any other Protected Health Information (PHI) using Dropbox, you have probably asked yourself: "Is Dropbox HIPAA compliant for medical imaging?" Dropbox is one of the most popular file sharing services and is installed on millions of desktop computers around the world. But just because you use it for many of your other tasks does not mean you should use Dropbox for medical image storage. Here are 4 reasons to be careful when using Dropbox as your medical imaging solution...
Reason #1: Your Use of Dropbox Is Likely NOT HIPAA, GDPR or Australian Privacy Compliant
Despite what Dropbox states, many popular uses of Dropbox are not in compliance with HIPAA, GDPR, or other jurisdictions' personal privacy rules.
If you use any add-in products that work with Dropbox files, Dropbox specifically states that they are not covered by its HIPAA guidelines. Either way, you must also get a signed Business Associate Agreement (BAA) from Dropbox. Unless you have a premium business version of Dropbox, they will be reluctant to sign one with you as an individual. Even with a BAA in place, Dropbox leaves it to the user to configure sharing, access, deletion and verification permissions correctly, since these are not set up to be HIPAA compliant by default.
And with legislation like the EU’s GDPR and the Australian personal privacy regulations, information can inadvertently be replicated to geographies where it is not permitted, or can run afoul of the delete-on-demand requirements of GDPR.
Reason #2: Medical Images Are Enormous
The second reason to avoid Dropbox for medical image storage is both a security and a usability issue. Medical images are some of the largest files that physicians work with. These files, which can be as large as several gigabytes, take up a significant amount of storage and bandwidth to transmit. When you upload a file to Dropbox, it is synchronized to every device that you have linked to your account. If you are not careful, this protected health information can end up on unintended devices, like your mobile phone or tablet. The last thing you want to be doing with files as large as medical images is physically replicating them across all your connected devices. Replicating these files onto devices that are not as secure as your office computer is not a best practice for this sensitive information.
Most of us would prefer to keep the limited storage space that we have available on Dropbox for more innocuous things like photos of our kids, dogs, or latest vacation. The transfer also sucks up bandwidth and, if you are paying for data on your mobile phone network, this can cost you.
Reason #3: Do You Know Who You Are Sharing Files With?
If you are a Dropbox user, perhaps you have shared a file or a directory with a third party. If you are like many other Dropbox users, you may have forgotten who you have shared a specific file with. Copying additional documents, potentially containing Protected Health Information, into such shared directories could be an expensive disaster.
Dropbox has no audit trail for where your files have traveled. Without one, you depend on your own memory, or on keeping your security controls current, to avoid transmitting protected information to someone without the appropriate privilege to receive it. And there is virtually no way to recapture your secure files should they get into the wrong hands.
Reason #4: Archiving Files is Not the Same as Having Access to Them
Once you get past all of these caveats and you decide you still want to use Dropbox for storing your medical images, you still should be aware of the difference between storing files and having PACS access. With a PACS in the cloud, you can search through the medical images that are of interest to you, often by name, patient ID or some other such indicator and summon up a medical image for your view with the click of your mouse. If instead you choose to store your images with a file sharing system like Dropbox, you will have to know exactly which file you are looking for, then load it onto your viewing station, import it into your PACS and only then will you get to view it. If you’ve got the wrong file, you will have to do this process all over again. Valuable time wasted.
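Reason #2 describes PHI-bearing images being replicated to every linked device, and Reason #4 contrasts that with a PACS that finds images by patient ID. As an added example, not code from the original post or from any vendor, this Python script indexes the DICOM files under a sync folder by PatientID, reading only each file's header, so a practice can inventory what PHI has landed in a consumer sync folder. The DICOM parsing is deliberately minimal and assumes explicit VR little endian; the sample studies are constructed, not real images.

```python
import struct
import tempfile
from pathlib import Path
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # VRs whose length field is 4 bytes
PHI_TAGS = {(0x0010, 0x0010): "PatientName", (0x0010, 0x0020): "PatientID"}

def build_sample_dicom(patient_id: str, patient_name: str) -> bytes:
    """Constructed minimal Part 10 file: 128-byte preamble, 'DICM', explicit-VR LE elements."""
    elems = b""
    for element, vr, text in ((0x0010, b"PN", patient_name), (0x0020, b"LO", patient_id)):
        value = text.encode().ljust(len(text) + len(text) % 2)  # DICOM pads values to even length
        elems += struct.pack("<HH", 0x0010, element) + vr + struct.pack("<H", len(value)) + value
    return b"\x00" * 128 + b"DICM" + elems

def patient_identifiers(header: bytes):
    """Return the patient tags found in the leading bytes of a DICOM file, or None if not DICOM."""
    if len(header) < 132 or header[128:132] != b"DICM":
        return None
    found, pos = {}, 132  # assumes explicit VR little endian, the usual Part 10 encoding
    while pos + 8 <= len(header):
        group, element = struct.unpack_from("<HH", header, pos)
        if header[pos + 4:pos + 6] in LONG_VRS:
            length, start = struct.unpack_from("<I", header, pos + 8)[0], pos + 12
        else:
            length, start = struct.unpack_from("<H", header, pos + 6)[0], pos + 8
        if group > 0x0010 or length == 0xFFFFFFFF:  # past the patient group, or undefined length
            break
        if (group, element) in PHI_TAGS:
            found[PHI_TAGS[group, element]] = header[start:start + length].decode("ascii", "replace").strip()
        pos = start + length
    return found

def index_sync_folder(root: str) -> dict:
    """Index every DICOM file under a sync folder by PatientID: the lookup a PACS gives you for free,
    and an inventory of the PHI that Dropbox would replicate to every device linked to the account."""
    index = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with path.open("rb") as f:
                ids = patient_identifiers(f.read(1 << 20))  # patient tags precede the pixel data
            if ids is not None:
                index.setdefault(ids.get("PatientID", "<no PatientID>"), []).append(path.name)
    return index

def demo() -> dict:
    """Write two constructed studies into a temporary folder and index it."""
    with tempfile.TemporaryDirectory() as root:
        for name, pid, pname in (("ct1.dcm", "MRN-0001", "DOE^JANE"), ("mr1.dcm", "MRN-0002", "ROE^RICHARD")):
            Path(root, name).write_bytes(build_sample_dicom(pid, pname))
        return index_sync_folder(root)
```

Run `index_sync_folder` against the Dropbox folder itself to see which patients' images are being synchronized; anything it lists is PHI that every linked phone, tablet and laptop will receive.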
So if Dropbox isn’t the Answer, What About the Old Standby: CDs, DVDs, or USBs?
Of course you could revert to copying patient images onto CDs or DVDs. But we all know how burdensome and time-consuming copying these large DICOM files can be. The propensity to copy incorrect data or damage the physical disc adds to the anxiety and expense of this process. Even worse, should these discs get into the wrong hands through loss, human error or just plain negligence, you again risk a HIPAA violation. Storing CDs, DVDs, or USBs in a shoe box is a far cry from having a PACS available at your fingertips – and far less secure.
The Optimal Way to Share Medical Images is in a Purpose-Built Cloud
Purpose-built cloud storage and sharing of medical imaging puts fast access, security, and ease-of-use at the forefront. There are no worries about where your files are located. You can carefully control with whom they are shared.
Even when HIPAA does not apply, as with veterinarians or countries not covered by this or similar regulations, the simplicity and cost of sharing and accessing medical images alone make a purpose-built PACS cloud worth using.