Patient Protect


Is Dropbox HIPAA Compliant? Provider Guide (2026)

Dropbox Business, Business Plus, and Enterprise plans can be HIPAA compliant with a signed BAA and proper configuration. Basic (free), Plus, and Family plans are not eligible.

Patient Protect Editorial Team·April 15, 2026·8 min read

Is Dropbox HIPAA Compliant?

Dropbox can be HIPAA compliant — but only under specific plans, with a signed Business Associate Agreement, and with the right configuration. Out of the box, no Dropbox plan is HIPAA compliant. The free, Plus, and Family tiers never will be.

If your practice stores, shares, or syncs files containing protected health information through Dropbox, this is what you need to know before the HHS Office for Civil Rights (OCR) audits you.

Which Dropbox Plans Support HIPAA Compliance?

Only Dropbox Business, Business Plus, and Enterprise plans are eligible for HIPAA compliance. These are the only tiers where Dropbox will execute a Business Associate Agreement.

Dropbox Basic (free), Plus, and Family plans do not qualify. Dropbox will not sign a BAA for these tiers. No amount of configuration makes them compliant. If anyone in your practice is using a personal Dropbox account to store or share patient files, that is a HIPAA violation — full stop.

The distinction matters because many practices have staff members who default to their personal Dropbox accounts out of convenience. The practice may have a compliant plan, but if a single team member syncs PHI to a personal account, the BAA does not cover that data.

What Dropbox Provides for HIPAA-Eligible Plans

On the Business and Enterprise tiers, Dropbox offers a set of security features that align with HIPAA's technical safeguard requirements:

  • BAA execution. Available through the admin console on Business plans or through Dropbox sales for Enterprise agreements. The BAA must be signed before any PHI enters the platform.
  • AES-256 encryption at rest. Files stored on Dropbox servers are encrypted with AES-256. HIPAA names no specific algorithm (encryption is an addressable specification under 45 CFR § 164.312(a)(2)(iv)), but AES-256 is consistent with the NIST-approved methods HHS guidance points to. Note that by default Dropbox holds the keys, so encryption at rest protects against a stolen disk, not against a compromised account or a mis-shared link.
  • TLS encryption in transit. Data moving between your devices and Dropbox servers is encrypted with TLS (the protocol many people still call "SSL"), protecting PHI during transfer.
  • Two-step verification. Supports authenticator apps, hardware security keys, and SMS codes as a second factor for every team member. Prefer an app or security key; SMS codes can be intercepted through SIM swapping.
  • Admin console with user management. Centralized controls for adding, removing, and managing team member access — critical for workforce access controls under HIPAA.
  • Remote wipe. Administrators can remotely remove Dropbox data from lost or stolen devices. HIPAA does not name remote wipe explicitly, but it is a standard control for any organization syncing ePHI to mobile endpoints. It removes only the synced Dropbox folder, and only when the device next comes online, so it complements full-disk encryption rather than replacing it.
  • Granular sharing permissions. Folder and file-level sharing controls allow administrators to restrict who can view, edit, or share specific content.
  • Audit logging. Activity logs track who accessed what file and when — supporting HIPAA's audit control requirements under 45 CFR § 164.312(b).
  • Version history. Business plans include 180-day version history; Enterprise plans offer extended retention. This supports data integrity and recovery requirements.

These features give you the technical foundation. But having the features available and having them properly configured are two different things.

Settings You Must Configure Before Storing PHI

Signing the BAA is step one, not the finish line. Dropbox's default settings are designed for general business use, not healthcare. Several defaults are too permissive for a practice handling patient data.

Sign the BAA first

Access it through the Dropbox admin console under Settings > Account > Business Associate Agreement. For Enterprise plans, contact Dropbox sales directly. Do this before any team member uploads a single file containing PHI.

Enforce two-step verification

Enable mandatory two-step verification for every team member on the account. Do not leave this optional. A single account without MFA is a single point of compromise for your entire shared file system.

Restrict external sharing and link permissions

By default, Dropbox allows users to share files and folders with anyone, including external recipients and via public links. Change the team default to team only. If external sharing is necessary for specific workflows — referral documents, for example — configure it as an exception with expiration dates and password protection, not as the default.

Disable or verify Dropbox Paper

Dropbox Paper is a separate collaboration tool within the Dropbox ecosystem. If your team does not use it, disable it. If they do, verify that it falls under the scope of your BAA. Not all Dropbox sub-products are automatically covered.

Configure device approval policies

Restrict which devices can access your team's Dropbox account. Require admin approval for new device connections. This prevents PHI from syncing to unapproved personal computers, tablets, or phones.

Set up remote wipe

Ensure remote wipe is configured and that your admin team knows how to execute it. Keep in mind that the wipe only runs when the lost device next connects to Dropbox. A lost laptop with a synced folder of patient records is a reportable breach unless the data on it was encrypted in a way that meets HHS guidance, so full-disk encryption on every endpoint is the control that actually keeps the loss off the notification list; remote wipe is the backstop.

Review third-party app integrations

Dropbox integrates with hundreds of third-party applications. Each integration that can access files containing PHI is a potential business associate relationship. Audit which apps are connected, remove any that are unnecessary, and verify that remaining integrations have their own BAAs in place.

What Dropbox Does Not Do

This is where practices get into trouble. Dropbox is a file storage and sharing tool. It is not a compliance program. Signing the BAA and configuring settings correctly makes Dropbox a compliant component of your infrastructure — it does not make your practice compliant.

Dropbox does not:

  • Perform your risk assessment. HIPAA requires a documented security risk assessment covering all systems that store or transmit ePHI. Dropbox is one of those systems. It will not assess itself for you.
  • Train your staff. Your workforce needs documented HIPAA training that covers how to use Dropbox correctly — what can be stored, how sharing works, what is prohibited. Dropbox provides none of this.
  • Create your policies. You need written policies covering data storage, file sharing, access controls, and incident response. These are your responsibility.
  • Handle incident response. If a breach occurs through Dropbox — a shared link exposed publicly, an unauthorized device accessing the account — your practice is responsible for detection, investigation, notification, and remediation.
  • Track BAAs for other vendors. Dropbox signs its own BAA. It does not track whether your EHR, email provider, billing platform, or other cloud tools have BAAs in place. That is your compliance obligation.
  • Make personal plans compliant. There is no upgrade path, configuration, or workaround that makes Dropbox Basic, Plus, or Family plans HIPAA eligible.

Common Mistakes Practices Make With Dropbox

These are the failures that show up in OCR investigations. Every one of them is preventable.

Using personal accounts for practice files. A staff member's personal Dropbox is not covered by your practice's BAA. Even if the file is encrypted, the account is outside your compliance boundary.

Sharing folders with public links containing PHI. Dropbox makes it easy to generate a shareable link. If that link is public and the file contains patient information, you have made an impermissible disclosure of unsecured ePHI, and anyone who obtains the link can open the file without logging in.

Not signing the BAA before storing patient data. The BAA must be in place before PHI enters the system. Retroactively signing one does not cover the period of noncompliance.

Syncing practice files to personal devices without MDM. If Dropbox syncs PHI to a staff member's personal laptop or phone without mobile device management controls, you have lost control of that data.

Using third-party integrations without verifying their BAA status. Every app connected to your Dropbox that can access PHI-containing files is a potential compliance gap. If that app does not have its own BAA, the data flowing through it is outside your BAA coverage, whatever encryption the app claims to use.

Leaving sharing defaults wide open. Dropbox's out-of-the-box sharing settings are designed for collaboration, not healthcare security. If you do not change the defaults, your team can share PHI externally with a single click.
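Three of the mistakes above (public links, shares to outside accounts, and unvetted app integrations) leave a trace in the Dropbox team activity log, so they can be caught on a schedule rather than discovered by OCR. The script below is an added example written for this article, not Dropbox code and not an official Dropbox schema: it runs a small set of checks over activity-log events in a simplified shape modelled on what the Dropbox Business team activity log exposes (a ".tag"-style event type, an actor, assets, and details). The event names, field names, team domain, and approved-app list are assumptions, and the sample log is constructed, fictional data; map the field names to the columns of your own admin-console export before relying on the output.

```python
"""Scan a Dropbox team activity log for risky sharing and app-link events.

Added example for this article, not Dropbox code or an official Dropbox
schema. The event shape is a simplified version of what the Dropbox Business
team activity log exposes; the exact event and field names are assumptions.
"""

# Assumptions for this example: the email domains the practice controls and
# the integrations that have their own BAA on file. Replace with your lists.
TEAM_DOMAINS = {"example-clinic.com"}
APPROVED_APPS = {"Approved EHR Connector"}


def _tag(value):
    """Dropbox serializes union types as {".tag": "name", ...}; return the name."""
    return value.get(".tag") if isinstance(value, dict) else value


def _domain(email):
    """Lower-cased domain part of an address, or "" if it has none."""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def review_event(event, team_domains=TEAM_DOMAINS, approved_apps=APPROVED_APPS):
    """Return (severity, actor, event_type, message) findings for one event.

    Three checks, matching three of the mistakes listed in the article:
      1. a shared link created with public visibility,
      2. content shared with an account outside the team's domains,
      3. a third-party app linked that is not on the approved (BAA) list.
    """
    etype = _tag(event.get("event_type"))
    actor = event.get("actor", {}).get("email", "<unknown actor>")
    details = event.get("details", {})
    assets = event.get("assets", [])
    path = assets[0].get("path", "<unknown path>") if assets else "<unknown path>"
    findings = []

    if etype == "shared_link_create" and _tag(details.get("visibility")) == "public":
        findings.append(("high", actor, etype, f"public link created for {path}"))

    if etype == "shared_content_add_member":
        for member in details.get("members", []):
            if _domain(member) not in team_domains:
                findings.append(("high", actor, etype,
                                 f"{path} shared with external account {member}"))

    if etype in ("app_link_user", "app_link_team"):
        app = details.get("app_name", "<unknown app>")
        if app not in approved_apps:
            findings.append(("medium", actor, etype,
                             f"app '{app}' linked with no BAA on file"))

    return findings


def review_log(events, **kwargs):
    """Run review_event over every event and return all findings in log order."""
    findings = []
    for event in events:
        findings.extend(review_event(event, **kwargs))
    return findings


# Constructed sample log (fictional accounts and paths, not real data).
SAMPLE_LOG = [
    {"event_type": {".tag": "shared_link_create"},
     "actor": {"email": "frontdesk@example-clinic.com"},
     "assets": [{"path": "/Patients/intake-forms.pdf"}],
     "details": {"visibility": {".tag": "public"}}},
    {"event_type": {".tag": "shared_link_create"},
     "actor": {"email": "frontdesk@example-clinic.com"},
     "assets": [{"path": "/Patients/schedule.xlsx"}],
     "details": {"visibility": {".tag": "team_only"}}},
    {"event_type": {".tag": "shared_content_add_member"},
     "actor": {"email": "billing@example-clinic.com"},
     "assets": [{"path": "/Patients/Referrals"}],
     "details": {"members": ["dr.smith@example-clinic.com", "jane.doe@gmail.com"]}},
    {"event_type": {".tag": "app_link_user"},
     "actor": {"email": "np.jones@example-clinic.com"},
     "details": {"app_name": "Random Notes Sync"}},
    {"event_type": {".tag": "app_link_team"},
     "actor": {"email": "admin@example-clinic.com"},
     "details": {"app_name": "Approved EHR Connector"}},
]

if __name__ == "__main__":
    for severity, actor, etype, message in review_log(SAMPLE_LOG):
        print(f"[{severity.upper()}] {actor} ({etype}): {message}")
```

Run against the sample, the script flags the public link, the share to the Gmail address, and the unapproved app, and stays silent on the team-only link, the in-domain recipient, and the app that has a BAA. The external-domain check is deliberately strict: it treats every address outside your own domains as external, so a referral partner you legitimately share with shows up as a finding until you add their domain or record the exception, which is the behaviour you want for a control that is supposed to be the exception, not the default.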

Where Cloud Storage Fits in Your Compliance Program

File storage is one layer of your data flow — not your compliance program. Getting Dropbox configured correctly is necessary if you use it, but it covers a single vendor in what is typically a stack of 8 to 15 systems that touch patient data in an independent practice.

You still need a documented risk assessment, written policies and procedures, workforce training, vendor management across every business associate, and an incident response plan. Each of these is a separate HIPAA requirement. None of them are optional.

Patient Protect tracks your full compliance posture — including vendor BAAs, data flows, risk assessments, staff training, and policy documentation — in a single platform built for independent practices. Plans start at $39/month with no long-term contracts.

Frequently Asked Questions

Is Dropbox free HIPAA compliant?

No. Dropbox Basic (free), Plus, and Family plans are not eligible for HIPAA compliance. Dropbox will not sign a Business Associate Agreement for these tiers. Only Business, Business Plus, and Enterprise plans qualify.

Does Dropbox sign a BAA?

Yes — but only for Business, Business Plus, and Enterprise plans. You can access the BAA through the admin console or by contacting Dropbox sales. The BAA must be executed before any protected health information is stored on the platform.

Can I store patient records in Dropbox?

You can store patient records in Dropbox if you are on a Business, Business Plus, or Enterprise plan, have a signed BAA in place, and have configured sharing permissions, access controls, and device policies to meet HIPAA requirements. Simply having the right plan is not sufficient without proper configuration.

Is Dropbox encrypted?

Yes. Dropbox uses AES-256 encryption for data at rest and TLS for data in transit, with Dropbox holding the keys by default. Encryption alone does not equal HIPAA compliance, and it does nothing for a file that has been shared through a public link or opened from a compromised account. You also need access controls, audit logging, a signed BAA, and administrative policies governing how the platform is used.

What Dropbox plan do I need for HIPAA?

You need Dropbox Business, Business Plus, or Enterprise. These are the only plans where Dropbox will execute a BAA and where the administrative controls necessary for HIPAA compliance are available. Personal and consumer-tier plans do not meet the requirements regardless of configuration.