Dropbox and HIPAA?

In your opinion, is Dropbox HIPAA compliant? They say they have 256-bit encryption and an SSL/TLS secure transfer tunnel. If password protected, it seems like that would meet HIPAA guidelines, though the laws never specifically say what adequate protection measures are.
maharlika asked:
Dave Baldwin (Fixer of Problems) commented:
It is unlikely because HIPAA also requires physical security. If you were audited, how would you show that Dropbox has the physical security required by HIPAA?
maharlika (Author) commented:
HIPAA requires that PHI is encrypted at rest (e.g. where it's stored) and while in transit (if it's uploaded or moved). That's been our understanding, anyway. Same logic as for email, it must be encrypted both during transfer and storage, but we have no control over physical security once the message is sent.
Dave Baldwin (Fixer of Problems) commented:
But Dropbox is an 'at rest' storage location. ??
maharlika (Author) commented:
Dropbox says it's encrypted both at rest and in transit, so that seems like it meets HIPAA guidelines.
Dave Baldwin (Fixer of Problems) commented:
It might then.
Rich Rumble (Security Samurai) commented:
You can use hosting providers in HIPAA and PCI etc., but as pointed out they must have certain controls, or you do, to ensure the data can't be snooped on by the provider. You probably can't use DropBox as is and pass compliance. The encrypted-in-transit part is about all you can be sure of, and even then it's possible for them to man-in-the-middle themselves and you'd never know it, and they could read your data in transit.
BOX claims they are compliant and are certified to be used by organizations that need HIPAA https://support.box.com/hc/en-us/articles/200526618-Box-HIPAA-and-HITECH-Overview-and-FAQs
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
DropBox has yet to make the same assertions.
-rich
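The point above that "they must have certain controls, or you do" is the crux: if the provider holds the keys, provider-side encryption at rest and TLS in transit only protect against outsiders, not against the provider itself. The usual control on the customer's side is to encrypt each file on the client before it is handed to the storage service, with a key that never leaves the covered entity. The following Go program is an added illustration of that control, not code from Dropbox, Box or anyone in this thread; the key store, file name and PHI record are constructed placeholders. It uses AES-256-GCM so that the stored blob is both confidential and tamper-evident, and it binds the file name in as associated data so a blob copied under a different name will not decrypt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Key is a 256-bit AES key. In practice it lives in the covered entity's own
// key store (assumed here, not modelled); the storage provider never sees it.
type Key [32]byte

// NewKey draws a fresh random 256-bit key.
func NewKey() (Key, error) {
	var k Key
	if _, err := io.ReadFull(rand.Reader, k[:]); err != nil {
		return k, err
	}
	return k, nil
}

func newGCM(key Key) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM before it leaves the client.
// The file name is bound in as associated data so a blob renamed or copied
// under another name fails to decrypt. Layout: nonce || ciphertext || tag.
func Seal(key Key, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext+tag to the nonce we pass as dst.
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open decrypts a blob fetched back from the provider, verifying the GCM tag
// under the same file name. Any modification in storage or in transit
// (including by the provider) makes the tag check fail.
func Open(key Key, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// RoundTrip simulates upload and download. The provider only ever sees blob.
// It reports whether the provider-visible bytes contain the plaintext,
// whether a blob altered in storage is rejected, and whether the honest
// download path recovers the original record.
func RoundTrip(record []byte, name string) (leaks, tamperRejected, recovered bool, err error) {
	key, err := NewKey()
	if err != nil {
		return
	}
	blob, err := Seal(key, name, record)
	if err != nil {
		return
	}
	leaks = bytes.Contains(blob, record)

	// Simulate the provider (or someone on the path) flipping one byte.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, terr := Open(key, name, tampered)
	tamperRejected = terr != nil

	pt, err := Open(key, name, blob)
	recovered = err == nil && bytes.Equal(pt, record)
	return
}

func main() {
	// Constructed sample; not real PHI.
	record := []byte("constructed sample PHI record: patient 0001, visit 2014-03-02")
	leaks, rej, ok, err := RoundTrip(record, "patients/0001.txt")
	fmt.Printf("plaintext visible to provider=%v tamper rejected=%v recovered=%v err=%v\n", leaks, rej, ok, err)
}
```

With this arrangement the provider's own encryption at rest and its TLS tunnel become defence in depth rather than the only barrier; what an auditor then needs to see is how the key is generated, stored, rotated and backed up on your side, which is the part Dropbox cannot answer for you.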
