Thursday, March 7, 2013


We had a several-email conversation with the HIPAA compliance office today and the basic answer we got was: NO, nobody can use Dropbox to access any type of PHI. Of course, we never expected to be able to do anything like this as med students, but it was surprising that nobody can. The reasoning went like this: although Dropbox does not store data in an insecure manner and could be used in a private practice to store this type of data, the UNM HSC does not have any policies in place pertaining to the use of a third-party file syncing system. It seems that if you had a legitimate use, were at least a resident, and had the time and energy to fight for it, you could get the UNM HSC to change policies and allow Dropbox to be used for transporting PHI.

So, the moral of the story is: if you really want to use Dropbox or any other emerging technology in the medical field to its fullest, you must be in a position to take all the liability on your own head. In other words, if you are running a clinic or in private practice, you can use Dropbox all you want, as long as you are using it responsibly. In that situation, everything below still applies. It is a reliable and very safe method for encrypted cloud storage and would be as secure as any other file on your computer.

Hey all,

WARNING: sorta geeky stuff ahead. Short version: it looks like Dropbox is HIPAA compliant and pretty darn secure IF your device and Dropbox service have sufficiently complex passwords and are set to auto-lock when left alone. However, we have not heard back from the HIPAA compliance officer on this issue yet. Stay tuned for updates.

If you haven't begun using Dropbox yet, you can use this link to get started:

Also, make sure to link your .edu email address to get extra space:

Dropbox is an awesome way to sync files between your laptop, desktop, smartphone, iPad, school computers, or anything else with an internet connection.

Longer version:

I've researched this a little bit lately and found a short article, linked below, that talks about this very subject. The arguments are pretty convincing. Also, if you check out the Dropbox FAQ page and read about their security, it is quite impressive. Apparently they are just using Amazon Simple Storage Service (Amazon S3) for their servers. The reason that is important is that Amazon S3 uses 256-bit encryption and apparently, 256-bit encryption is sufficient for "Top Secret" information according to this source:

I have emailed the question to the compliance officer at the UNM HSC, so this isn't the final word, but it makes me more comfortable about my Dropbox files.


So, happy dropboxing to you all!

