Child Item

Proposed design for uploading and sharing to Dropbox for Healthcare customers

I'd like to get feedback about whether my plan for using the APIs is a good fit for our use-case.

Use case:

Our company produces files, and some of our customers who have "Dropbox for Healthcare" accounts want us to deliver files to their accounts.

Planned use of APIs:

1) Create a "basic" Dropbox account. Would uploads to this be covered by Dropbox's HIPAA BAA? How would we get a BAA from Dropbox?

2) Create one top-level folder per customer, and use a sharing API to invite a list of customer email addresses to the folder.

3) Every time we create a new file for a customer, auto-upload it to a path under their top-level folder.

4) If a recipient edits, renames, or deletes a file we delivered, we can safely ignore any API notifications because we don't need their edits.

Our expectation is that, once each customer recipient accepted their sharing invitation, they would place the shared folder whereever they want in their own folder structure, and whenever we upload a file to a shared folder, the invited users would silently receive a copy of the upload.

Is this plan the best use of the APIs for our use-case?

Find more posts tagged with

Developers

Accepted answers

Greg-DB

Yes, using a full Dropbox API app to upload to a shared folder like that would work.

All comments

Greg-DB

I'm happy to help with any technical questions or issues you have regarding the Dropbox API, but I can't offer HIPAA policy or legal guidance. For information on HIPAA/BAA on Dropbox, please refer to this help article: https://help.dropbox.com/accounts-billing/security/hipaa-hitech-overview

As for the technical aspects of using the Dropbox API described here, if I understand correctly, it sounds like you would have just a single Dropbox account connected to your API app, containing all of the files for all of your end-users, is that correct?

Note that the Dropbox API was designed with the intention that each end-user would directly connect their own Dropbox account to the API app, in order to interact with their own files. It is technically possible to connect to just one account, by always using a specific access token. Please be aware that we don't recommend doing so, for various technical and security reasons. (Most of the security concerns are allayed if you're building a server-side app where you can keep the access token secret on the server though.)

PagingMrHerman

Yes, our use of the API would be exclusively via a server-based process (that keeps its credentials in env vars instead of its code).

My main technical question is: Would creating one top-level folder per customer, and inviting the customer's users via their Dropbox-registered email addresses, allow us to deliver files to those users by having our server upload to that folder whenever we have a new file to deliver to them?

Greg-DB

Yes, using a full Dropbox API app to upload to a shared folder like that would work.