Is Dropbox HIPAA Compliant? Plans, BAAs & Limits

Dropbox can support HIPAA compliance, but only on specific paid team plans and only after you sign a Business Associate Agreement (BAA) through the admin console. The free personal plan and lower-tier plans do not qualify. Even on an eligible plan, Dropbox alone doesn’t make your organization compliant. You’re responsible for configuring it correctly and managing how your team handles protected health information (PHI).

Which Plans Support HIPAA Compliance

Dropbox offers its BAA to customers on its team plans: Standard, Business, Advanced, Business Plus, and Enterprise. The electronic BAA is available only to US-based customers and can be signed directly through the admin console without contacting sales or waiting for a manual review. You log into the admin console, navigate to Settings, then Team Profile, and complete the agreement under the Advanced section.

The free Dropbox Basic plan and the paid Plus plan for individuals do not support a BAA. If you’re a solo practitioner, you still need a team-level account to use Dropbox for anything involving patient data. The Advanced plan, which explicitly lists “Enable HIPAA compliance” as a feature, starts at $24 per user per month.

What a BAA Actually Covers

A BAA is a legal contract required by HIPAA whenever a healthcare organization shares PHI with a third-party service. It obligates Dropbox to protect that data according to HIPAA’s security and privacy rules. Without a signed BAA, storing any patient information on Dropbox violates federal law, regardless of how secure the platform may be.

The BAA covers Dropbox’s core file storage and syncing services. It does not automatically extend to every feature or third-party integration connected to your account. If you use apps that plug into Dropbox, those integrations typically fall outside the BAA unless you have a separate agreement with each vendor. The safest approach is to block third-party apps by default in your admin settings and only allow integrations you’ve individually vetted and contracted as business associates.

Security Features Dropbox Provides

Dropbox encrypts files in transit using TLS and at rest using AES-256, which is the same encryption standard used by banks and government agencies. Team plans also include admin access controls that let you manage who can view, edit, or share specific folders, along with activity logging that tracks file access and changes.

Dropbox holds a long list of independent security certifications. These include ISO 27001 (the leading international standard for information security management), ISO 27018 (cloud privacy and data protection), and SOC 1, SOC 2, and SOC 3 audit reports covering security, confidentiality, availability, integrity, and privacy. It also holds CSA STAR Level 2 certification for cloud security and a NIST SP 800-171 attestation for protecting controlled unclassified information. These certifications don’t make Dropbox “HIPAA certified” (no such certification exists), but they demonstrate that its infrastructure meets rigorous, independently verified security standards.

What Dropbox Does Not Do for You

This is where most organizations run into trouble. Signing a BAA makes Dropbox a compliant business associate, but HIPAA places the bulk of the compliance burden on the covered entity: your practice, clinic, or organization. Dropbox does not enforce HIPAA-safe sharing settings by default. It won’t prevent someone on your team from sharing a file containing patient records through a public link. It won’t restrict access from personal or unmanaged devices. It won’t monitor your account for compliance violations.

Your responsibilities after signing the BAA include:

  • Configuring sharing permissions so PHI cannot be sent via public or external links
  • Restricting device access to managed, organization-approved devices
  • Conducting a documented risk analysis that specifically covers your use of cloud storage for PHI
  • Reviewing audit logs regularly to catch unauthorized access or unusual activity
  • Training your staff on which folders contain PHI, how to share files safely, and what not to do

Skipping any of these steps can result in a HIPAA violation even though you have a signed BAA with Dropbox. The agreement protects you legally by establishing Dropbox as a responsible partner, but it doesn’t substitute for your own internal safeguards.

How to Set Up Dropbox for HIPAA Use

Start by upgrading to an eligible team plan and signing the BAA through the admin console. Then lock down your settings before anyone stores PHI. Disable public link sharing at the team level. Set folder permissions so only the people who need access to patient files can reach them. Turn off third-party app integrations you haven’t verified, and require two-factor authentication for every user on the account.

Create a clear folder structure that separates PHI from general business files. This makes it easier to apply strict permissions only where they’re needed and reduces the risk of accidental exposure. Document your configuration choices as part of your HIPAA risk analysis, because auditors will want to see not just that you signed a BAA but that you actively managed the environment around it.

Review your audit logs on a regular schedule. Dropbox’s activity logging on business plans tracks who accessed, edited, or shared files, giving you a paper trail if something goes wrong. Without regular review and retention of those logs, you lose one of the key safeguards HIPAA expects.

Dropbox vs. Purpose-Built Healthcare Platforms

Dropbox is a general-purpose cloud storage tool, not a healthcare-specific platform. It works well for storing and sharing documents, but it doesn’t offer healthcare workflows like secure patient messaging, electronic health record integration, or built-in consent tracking. Organizations with complex compliance needs sometimes pair Dropbox with additional tools or choose platforms designed specifically for healthcare data.

That said, many small practices and healthcare businesses use Dropbox successfully for HIPAA-covered work. The key difference between Dropbox and a healthcare-specific platform is how much configuration you need to do yourself. Dropbox gives you the building blocks (encryption, access controls, audit logs, a BAA) but expects you to assemble them correctly. A healthcare platform typically ships with stricter defaults out of the box. If your team has the technical ability to configure and maintain those settings, Dropbox on an Advanced or Enterprise plan is a viable, cost-effective option for storing PHI.