Dropbox is a cloud-based collaboration and file-storage service that includes cloud storage, tools, and integrations with other services. You can use it to create, edit, share, and collaborate on cloud-based content.
Dropbox at U-M provides a secure environment in which to maintain or share university data, including some types of sensitive regulated data classified as High.
- As a best practice, you should use a Dropbox Team Folder when sharing and storing sensitive data in Dropbox (data classified as High), and you are highly encouraged to use Team Folders more broadly for workflow and collaboration. To request a Dropbox Team Folder, complete the Dropbox Team Folders Request Form. For more information on how to share content inside Team Folders, see Team folders: an overview (Dropbox).
- Data classified as Restricted may not be maintained or shared in Dropbox.
Dropbox allows you to synchronize data in the cloud and on your devices. If you store and synchronize data in locations other than the Dropbox cloud storage, you will also need to follow any sensitive data restrictions for the devices and storage locations to which you synchronize.
Dropbox also allows integrations with other products. Similarly, you must follow any sensitive data restrictions for the products you integrate Dropbox with. For example, see Dropbox: Google Drive and Microsoft Office Integrations with PHI and HIPAA-Regulated Data (ITS Knowledge Base).
U-M's agreement with Dropbox includes a Business Associate Agreement (BAA). This means individuals may use this service to maintain Protected Health Information (PHI) regulated by HIPAA. Complying with HIPAA's requirements is a shared responsibility. Users sharing and storing PHI in U-M Dropbox are responsible for complying with HIPAA safeguards, including the following:
- Use a Dropbox Team Folder.
- Use and disclose only the minimum necessary PHI for the intended purpose.
- Obtain all required authorizations for using and disclosing PHI.
- Ensure that PHI is seen only by those who are authorized to see it.
- Follow any additional steps required by your unit to comply with HIPAA.