Q&A: Encryption for Google Drive, Dropbox

March 4, 2021
Medicare Web

Q: What are the encryption requirements when using Google Drive™, Dropbox®, or other information-storing applications? How do we ensure HIPAA compliance when using them?

A: You can find the required level of encryption in the National Institute of Standards and Technology (NIST) Special Publication 800-175B, Revision 1. There are different standards for data transmission versus encryption of data at rest. For the most part, vendors such as Google, Dropbox, Box®, and others would pass muster with NIST. This means the HIPAA Breach Notification Rule safe harbor is met. However, this is true for the business versions of these platforms (not necessarily the consumer versions), and you will still need to obtain a signed business associate agreement (BAA) from your vendor of choice.

If you use these vendors, it is a good idea to ask them either to complete a security questionnaire annually or to submit a report such as a SOC 2 Type II report. This lets you determine for yourself whether a vendor is continuing to provide the necessary security for your data, and it indicates you are exercising due diligence.

The exception for these platforms is iCloud®. Apple will not sign a BAA even after the flurry of news around what Apple offers to the healthcare sector. The unwillingness to sign a BAA means even if the security of iCloud is solid (which it is), you cannot use iCloud to store protected health information (PHI).

Editor’s note: Chris Apgar, CISSP, is president of Apgar & Associates LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.
