Is Dropbox HIPAA Compliant?

Dropbox is one of the most popular cloud file storage and sharing platforms available today, so you might be wondering, can I use Dropbox to safely store and share sensitive documents such as patient records and PHI?

The Short Answer: Yes, but only after signing a BAA with Dropbox and setting up proper safeguards.

While Dropbox can be made HIPAA compliant, it is not HIPAA compliant simply because you have signed up. Dropbox offers several security features that align with HIPAA and HITECH data security requirements, such as encryption and access controls, but an organization that wants to use Dropbox for PHI must take additional steps and configure the platform appropriately. In other words, using Dropbox as-is does not make it a HIPAA-compliant solution.

What Dropbox plans support HIPAA compliance?

Only Dropbox Business plans (Standard, Advanced, and Enterprise) are eligible for HIPAA compliance; personal plans do not offer HIPAA compliance.

How can I sign a BAA with Dropbox?

HIPAA requires covered entities to have Business Associate Agreements (BAAs) with any third-party vendors that handle PHI. Obtaining a BAA is a crucial step in making Dropbox HIPAA compliant: after signing up for the correct plan, you must put a BAA in place between Dropbox and your organization. The BAA can be signed electronically by a Dropbox business team admin through the admin console.

Beware of third-party apps

Third-party apps linked to Dropbox are not covered by Dropbox's terms of use or by the BAA, so they must be evaluated separately for HIPAA compliance. If a third-party app will have access to documents containing PHI in Dropbox, you should contact that app's vendor and obtain a separate BAA with them.

How to configure Dropbox for maximum security & HIPAA compliance

  • Enable 2 Factor Auth (2FA) or SSO

    Enable two-step verification for your Dropbox account. This adds an extra layer of security by requiring a verification code in addition to the password when logging in. Alternatively, you can use an existing SSO (single sign-on) solution.

  • Limit Sharing Permissions

    Configure sharing permissions to limit access to sensitive files. Only authorized users in your organization should have access to confidential health information.

  • Monitor Activity Reports

    Regularly monitor the user activity reports that are provided by Dropbox. This allows you to track file sharing, authentication, and administrator activities to identify any unauthorized or unusual behavior.

  • Disable Permanent Deletion

    Prevent the permanent deletion of files containing PHI by disabling this feature. Limit the ability to permanently delete files to authorized administrators only.
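As an added example (not from the original article and not Dropbox's own tooling), the script below reviews a small activity export and flags the events the settings above are meant to prevent: logins without two-step verification, PHI shared outside the organization or via an open link, and permanent deletion by a non-admin. The CSV layout, the `clinic.example` domain and the `/PHI` folder are constructed for illustration and are not Dropbox's real report schema.

```python
import csv
import io

# Constructed sample of a team activity export (illustrative layout, not
# Dropbox's real schema): who did what, to which file, and with whom.
SAMPLE_REPORT = """\
timestamp,actor,role,event,path,target
2024-03-01T09:02:11Z,alice@clinic.example,member,login,,2fa=yes
2024-03-01T09:15:40Z,bob@clinic.example,member,login,,2fa=no
2024-03-01T10:03:05Z,alice@clinic.example,member,shared_link_created,/PHI/intake-1042.pdf,anyone_with_link
2024-03-01T10:07:19Z,alice@clinic.example,member,shared_folder_invite,/PHI,carol@clinic.example
2024-03-01T11:20:00Z,bob@clinic.example,member,shared_folder_invite,/PHI,dave@gmail.example
2024-03-01T12:45:31Z,bob@clinic.example,member,permanent_delete,/PHI/intake-0991.pdf,
2024-03-01T13:00:00Z,erin@clinic.example,admin,permanent_delete,/PHI/old-template.pdf,
"""

ORG_DOMAIN = "clinic.example"   # assumed organization domain
PHI_PREFIX = "/PHI"             # assumed folder holding patient records


def review_activity(report_text, org_domain=ORG_DOMAIN, phi_prefix=PHI_PREFIX):
    """Return (timestamp, actor, reason) findings that conflict with the
    checklist: 2FA bypassed, PHI shared externally or via open link,
    permanent deletion by a non-admin."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        ev, path, target = row["event"], row["path"], row["target"]
        in_phi = path.startswith(phi_prefix)
        reason = None
        if ev == "login" and target == "2fa=no":
            reason = "login without two-step verification"
        elif in_phi and ev == "shared_link_created" and target == "anyone_with_link":
            reason = "PHI exposed via public link"
        elif in_phi and ev == "shared_folder_invite" and not target.endswith("@" + org_domain):
            reason = "PHI shared with external account " + target
        elif ev == "permanent_delete" and row["role"] != "admin":
            reason = "permanent deletion by non-admin"
        if reason:
            findings.append((row["timestamp"], row["actor"], reason))
    return findings


if __name__ == "__main__":
    for ts, who, why in review_activity(SAMPLE_REPORT):
        print(ts, who, why)
```

Running it on the sample prints four findings; the admin's deletion and the in-house folder invite are left alone.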

Dropbox HIPAA Compliance Checklist

  • Sign up for a Standard, Advanced, or Enterprise account.

    Do not use a personal account.

  • Sign a BAA with Dropbox.

    The BAA can be signed electronically in Dropbox through the admin console.

  • Configure your Dropbox account for maximum security.

    Enable 2FA or SSO, restrict file sharing to only authorized users, disable permanent file deletion, and monitor activity reports for unusual behavior.

Looking for a HIPAA-compliant solution to scan documents and capture e-forms?

EncryptScan is trusted by industry-leading Healthcare providers.