
Is Dropbox HIPAA Compliant? Business Plans & BAA Requirements

Dropbox can be HIPAA compliant, but only on Business Advanced and Enterprise plans where Dropbox signs a Business Associate Agreement. The free, Plus, Professional, and standard Business Essentials plans do not offer BAAs and cannot be used to store or share protected health information.

Conditional — Dropbox can be compliant with configuration

Dropbox is HIPAA compliant on Business Advanced and Enterprise plans with a signed BAA. Free, Plus, Professional, and Business Essentials plans are NOT compliant. Even on qualifying plans, you must configure sharing restrictions and access controls.

Compliance Assessment

Aspect | Details | Status
--- | --- | ---
Data Encryption | Dropbox encrypts files at rest using AES-256 and in transit using TLS 1.2+. Block-level encryption splits files into blocks before encryption. | Yes
Business Associate Agreement | BAA available on Business Advanced and Enterprise plans. Must be requested through the admin console or sales team. | With Configuration
Access Controls | Business plans offer SSO (SAML), two-step verification, admin-managed sharing permissions, and team folder access controls. | Yes
Audit Logging | Admin console provides activity logs for file access, sharing events, login activity, and admin actions. | Yes
Remote Wipe | Admins can remotely wipe Dropbox data from lost or stolen devices, protecting PHI on mobile devices and laptops. | Yes
Sharing Controls | External sharing can be restricted at the team and folder level. Must be configured to prevent accidental PHI exposure. | With Configuration
Data Recovery | Extended version history (180 days on Business, 365 on Enterprise) allows recovery of deleted or modified files. | Yes
Third-Party Integrations | Dropbox integrations and connected apps are not covered under the BAA. Each must be independently assessed. | Partial
Watermarking & DLP | Dropbox offers document watermarking and classification on Enterprise plans. Basic DLP requires third-party tools. | With Configuration
Data Residency | Dropbox offers data residency in the US and EU for eligible plans but does not guarantee all processing stays in-region. | Partial

Business Associate Agreement (BAA)

BAA is available

Dropbox provides a BAA for Business Advanced and Enterprise plan customers. The BAA covers Dropbox file storage, sharing, and Dropbox Paper. You can request the BAA through the Dropbox admin console or by contacting Dropbox sales. The BAA does not cover third-party app integrations.

How to Make Dropbox HIPAA Compliant

1. Subscribe to Dropbox Business Advanced or Enterprise and sign the BAA through the admin console.
2. Enable SSO (SAML) integration and enforce two-step verification for all team members.
3. Restrict external sharing to prevent team members from sharing PHI-containing files outside the organization.
4. Configure folder permissions to enforce minimum necessary access to patient data.
5. Disable third-party app connections that are not independently HIPAA compliant.
6. Set up admin alerts for suspicious activity including mass downloads, unusual sharing patterns, and failed login attempts.
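The alert rules from step 6 (mass downloads, sharing outside the organization, bursts of failed logins) as an added example of detection logic run over an activity-log export. This is illustrative code, not Dropbox's own tooling; the event records, field names, event labels, thresholds, and the `clinic.example` domain are constructed assumptions, not Dropbox's real log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on an admin activity-log export.
# Field names and event labels are assumptions for this example, not Dropbox's schema.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "alice@clinic.example", "event": "file_download", "detail": "pt_1001.pdf"},
    {"ts": "2024-03-01T09:00:20", "user": "alice@clinic.example", "event": "file_download", "detail": "pt_1002.pdf"},
    {"ts": "2024-03-01T09:00:45", "user": "alice@clinic.example", "event": "file_download", "detail": "pt_1003.pdf"},
    {"ts": "2024-03-01T09:01:10", "user": "alice@clinic.example", "event": "file_download", "detail": "pt_1004.pdf"},
    {"ts": "2024-03-01T09:01:30", "user": "alice@clinic.example", "event": "file_download", "detail": "pt_1005.pdf"},
    {"ts": "2024-03-01T09:01:55", "user": "alice@clinic.example", "event": "file_download", "detail": "pt_1006.pdf"},
    {"ts": "2024-03-01T09:05:00", "user": "bob@clinic.example", "event": "shared_folder_invite", "detail": "friend@mail.example"},
    {"ts": "2024-03-01T09:06:00", "user": "bob@clinic.example", "event": "shared_link_create", "detail": "public"},
    {"ts": "2024-03-01T09:07:00", "user": "dave@clinic.example", "event": "shared_link_create", "detail": "team_only"},
    {"ts": "2024-03-01T09:10:00", "user": "carol@clinic.example", "event": "login_fail", "detail": "bad_password"},
    {"ts": "2024-03-01T09:10:30", "user": "carol@clinic.example", "event": "login_fail", "detail": "bad_password"},
    {"ts": "2024-03-01T09:11:00", "user": "carol@clinic.example", "event": "login_fail", "detail": "bad_password"},
]

ORG_DOMAIN = "clinic.example"        # assumed organization domain
WINDOW = timedelta(minutes=10)       # sliding window for the burst rules
MASS_DOWNLOAD_THRESHOLD = 5          # downloads per user inside WINDOW
FAILED_LOGIN_THRESHOLD = 3           # failed logins per user inside WINDOW

def _burst(window_events, ts, threshold):
    """Record ts, drop entries older than WINDOW, and report when the threshold is first reached."""
    window_events.append(ts)
    while ts - window_events[0] > WINDOW:
        window_events.popleft()
    return len(window_events) == threshold   # fires once as the burst crosses the threshold

def detect_alerts(events, org_domain=ORG_DOMAIN):
    """Return (rule, user, detail) tuples for the three alert types described in step 6."""
    downloads, failures = defaultdict(deque), defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user, kind, detail = datetime.fromisoformat(e["ts"]), e["user"], e["event"], e["detail"]
        if kind == "file_download" and _burst(downloads[user], ts, MASS_DOWNLOAD_THRESHOLD):
            alerts.append(("mass_download", user, f">={MASS_DOWNLOAD_THRESHOLD} downloads in {WINDOW}"))
        elif kind == "login_fail" and _burst(failures[user], ts, FAILED_LOGIN_THRESHOLD):
            alerts.append(("failed_logins", user, f">={FAILED_LOGIN_THRESHOLD} failures in {WINDOW}"))
        elif kind == "shared_folder_invite" and not detail.endswith("@" + org_domain):
            alerts.append(("external_share", user, detail))          # invitee is outside the organization
        elif kind == "shared_link_create" and detail == "public":
            alerts.append(("external_share", user, "public link"))   # anyone with the link can open it
    return alerts

if __name__ == "__main__":
    print(*detect_alerts(SAMPLE_EVENTS), sep="\n")
```

Team-only links and a handful of downloads produce no alert, so the rules flag the patterns the page names without paging on routine activity.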

Limitations

  • Free, Plus, Professional, and Business Essentials plans do not offer BAAs.
  • Third-party Dropbox integrations and connected apps are not covered under the BAA.
  • Dropbox does not offer customer-managed encryption keys on standard business plans.
  • Limited DLP capabilities compared to enterprise-focused cloud storage solutions.
  • Dropbox Paper collaboration features require additional review for PHI handling.

Frequently Asked Questions

Is Dropbox HIPAA compliant?

Dropbox is HIPAA compliant on Business Advanced and Enterprise plans with a signed BAA. Free, Plus, Professional, and Business Essentials plans are not HIPAA compliant.

Does Dropbox offer a BAA?

Yes, Dropbox offers a BAA for Business Advanced and Enterprise customers. Request it through the admin console or by contacting Dropbox sales.

Can I store patient files on Dropbox?

Only on Business Advanced or Enterprise plans with a signed BAA and proper configuration of sharing restrictions and access controls. Never store PHI on free or personal Dropbox accounts.

Is Dropbox encrypted?

Yes. Dropbox uses AES-256 encryption at rest and TLS 1.2+ in transit on all plans. However, encryption alone does not equal HIPAA compliance — a BAA and proper configuration are also required.

How much does HIPAA-compliant Dropbox cost?

Dropbox Business Advanced is approximately $24/user/month (billed annually). Enterprise pricing is custom. Both qualify for the BAA required for HIPAA compliance.

Is Dropbox safer than Google Drive for HIPAA?

Both can be HIPAA compliant with BAAs and proper configuration. Google Drive (via Workspace) offers broader coverage with more integrated services. Dropbox offers simplicity and strong file sync. Choose based on your workflow needs.
