HelloFax, now operating under the Dropbox ecosystem as Dropbox Fax, can support HIPAA compliance, but only under specific conditions. You need a qualifying paid plan, a signed Business Associate Agreement (BAA), and proper configuration. A free or basic HelloFax account does not meet HIPAA requirements on its own.
HelloFax Is Now Part of Dropbox
If you’re searching for HelloFax specifically, you should know that the service has been absorbed into Dropbox’s suite of tools. HelloFax was acquired by Dropbox years ago and now falls under Dropbox’s broader infrastructure for faxing and document signing. This matters for HIPAA compliance because the policies, security features, and legal agreements all come through Dropbox, not a standalone HelloFax product.
Any HIPAA-related protections you get will depend on your Dropbox plan level and whether you complete the necessary legal steps through Dropbox’s admin tools.
Which Plans Qualify for HIPAA Compliance
Dropbox will sign a BAA with customers on its Standard, Advanced, Enterprise, or Education plans. These are all team-level (business) subscriptions. If you’re using a personal Dropbox account or a free-tier HelloFax account, you cannot get a BAA, which means you cannot use the service in a HIPAA-compliant way for protected health information (PHI).
For Dropbox Sign, which handles electronic signatures and is closely related to the fax functionality, HIPAA support requires an annual Standard or Premium plan, a signed BAA, and a contract that meets a minimum value. The exact minimum contract threshold isn’t publicly listed, so you may need to contact Dropbox sales to confirm eligibility.
Why the BAA Matters
A Business Associate Agreement is the legal document that makes a vendor accountable for protecting health information under HIPAA. Without one, even a highly secure platform isn’t considered compliant. The BAA spells out what the vendor is responsible for, how they’ll handle breaches, and what safeguards they commit to maintaining. No BAA means no HIPAA compliance, regardless of encryption or other technical features.
Simply paying for a qualifying plan doesn’t automatically activate HIPAA protections. You have to actively sign the BAA through Dropbox’s admin console.
How to Sign the BAA
If you’re on an eligible Dropbox team plan, the process is straightforward and handled entirely online. A team admin can sign the BAA directly through the admin console by following these steps:
- Log in to dropbox.com with admin credentials.
- Click “Admin console” in the left sidebar.
- Click “Settings” in the left sidebar.
- Under Account, click “Team profile.”
- Under Advanced, click “Set up BAA.”
- Review and complete the agreement.
One important limitation: the electronic BAA signing option through the admin console is only available to US-based customers. If your organization is based outside the US, you’ll likely need to contact Dropbox directly to arrange the agreement.
Security Features Behind the Scenes
Dropbox’s infrastructure uses encryption for data both in transit (while being sent) and at rest (while stored on their servers). The platform also offers application-level access controls, meaning admins can restrict who sees specific documents down to the individual file level. These are the types of technical safeguards HIPAA expects from a service handling PHI.
That said, technical security alone doesn’t equal compliance. Your organization is responsible for configuring the platform properly, training staff on handling PHI, and maintaining your own HIPAA policies. Dropbox provides the tools, but the responsibility for how those tools are used falls on you.
What This Means If You’re Faxing PHI
If you’re a healthcare practice, clinic, or any covered entity looking to fax documents containing patient information, here’s the practical picture: you can use Dropbox Fax (formerly HelloFax) in a HIPAA-compliant workflow, but you need to upgrade to at least a Dropbox Standard team plan, sign the BAA through your admin console, and configure access controls so only authorized staff can view faxed documents.
If you’re currently on a free or personal HelloFax account and faxing anything with PHI, that setup does not meet HIPAA requirements. The lack of a BAA alone is a compliance gap, even if the underlying technology is secure. Upgrading to a qualifying business plan and completing the BAA process should be your first step before sending any health-related documents through the platform.

