

Is Dropbox HIPAA Compliant in 2024? How to Secure PHI On a Dropbox Account

Dropbox has many features for storing and sharing files. However, if you want to use it to store sensitive or confidential health information, you need to answer the question, “Is Dropbox HIPAA compliant?”


Written by Jason Stagnitto (Writer)

Reviewed by Valentina Bravo (Editor)

Facts checked by Igor Kurtz (Fact-checking editor)

Last Updated: 2024-03-21T15:29:53+00:00


Key Takeaways: Is Dropbox HIPAA Compliant?
  • Dropbox includes HIPAA-compliant features in several of its plans, including Standard, Advanced, Business, Business Plus, Enterprise and Education.
  • You’ll need to sign a Business Associate Agreement (BAA) with Dropbox to store HIPAA-related data in your account.
  • There are several HIPAA-compliant alternatives to Dropbox, including Sync.com, which offers zero-knowledge encryption for your account.

Facts & Expert Analysis About Dropbox HIPAA Compliance:

  • The Health Insurance Portability and Accountability Act (HIPAA) was passed by the U.S. Congress in 1996. Title II of the act sets up a framework for patient privacy by defining a category of protected health information (PHI). According to the HIPAA Journal, healthcare data breaches have increased year over year since 2009, with the exception of a small dip in 2015.[1]
  • Administrators on the Dropbox plans listed above can ensure that PHI isn’t permanently deleted and can set sharing permissions that exclude HIPAA data from external sharing.
  • Using third-party tools and plugins for security features such as data loss prevention (DLP), identity and access management (IAM) and security information and event management (SIEM) can make your PHI more secure, but each such vendor that handles PHI requires you to sign an additional BAA with that company.

Dropbox is a popular cloud storage provider with many features that appeal to a wide range of consumers. Personal users will enjoy its ease of use and sharing features, while business users can take advantage of Dropbox’s collaboration and productivity tools. However, when it comes to your health information, it’s worth asking the question: Is Dropbox HIPAA compliant?

The Health Insurance Portability and Accountability Act (HIPAA) is United States legislation that was signed into law in 1996 to regulate the security and privacy of medical information. Cloud storage services that hold this type of information must adhere to strong security and privacy practices, and Dropbox (specifically, Dropbox Business) is no exception.

Zero-knowledge encryption is a strong way for a cloud storage service to support HIPAA compliance, though HIPAA doesn’t require it. Dropbox recently purchased Boxcryptor with the intent of bringing zero-knowledge capabilities to its Dropbox Business plans, but at the time of writing that addition hasn’t been implemented. Even though it lacks zero-knowledge encryption, we’ll explore Dropbox’s HIPAA compliance below.

  • 03/21/2024 Facts checked: rewritten to include updated HIPAA-related information for Dropbox.

Is Dropbox HIPAA Compliant?

Yes, Dropbox has a few plans with policies and tools that adhere to HIPAA regulations. You can enable HIPAA compliance for Dropbox’s Standard, Advanced, Business and Business Plus plans. This option also applies to the Dropbox Enterprise and Education plans. Dropbox also provides a framework of recommendations to keep your cloud storage compliant.

Dropbox adheres to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Dropbox HIPAA Business Associate Agreement (BAA) Opportunities

According to Dropbox’s standards and regulations compliance page, the service will sign a BAA on request for customers on the Standard, Advanced, Enterprise or Education plans. Signing a BAA with Dropbox (or any other company) means that it can also be held liable for PHI exposure and that it accepts responsibility for the appropriate handling of patient data. Additionally, Dropbox will provide, upon request, a SOC 2 examination report evaluating its controls for HIPAA.

You can sign a business associate agreement if you need to store protected health information (PHI) on your Dropbox account.

How to Make Dropbox HIPAA Compliant

There are several ways to ensure that Dropbox functions in a HIPAA-compliant manner; together they form the best practice for protecting sensitive data like protected health information (PHI) on your account.

  • Avoid permanent deletions: Don’t permanently delete any HIPAA-protected data. Administrators can configure the account so that HIPAA data can’t be permanently deleted.
  • Limit sharing: Users can configure their sharing permissions to limit the sharing of HIPAA-protected data, so PHI is never exposed through public links.
  • Choose the right plan: If you’re going to use Dropbox for HIPAA data, make sure to choose a plan that lets you enable HIPAA compliance.
  • Monitor usage: Administrators can review how team members access and share data, so that HIPAA violations are caught rather than discovered after a breach.
  • Sign a BAA: Dropbox will sign a BAA as long as you have a plan that supports it.
  • Minimize third-party apps: Reduce the number of third-party apps connected to your account, and verify that any that remain are HIPAA compliant and covered by a BAA.
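The checks in the list above (no permanent deletion of PHI, no public sharing of PHI, no unapproved third-party apps) are the kind of thing an administrator can verify from exported admin records rather than by inspection alone. The following Python script is an added example written for this article; it is not Cloudwards’ or Dropbox’s code. It runs an offline audit over constructed sample records whose shape is loosely modelled on Dropbox admin exports: the event names, field names, visibility values and the `/PHI/` folder convention are all assumptions, not the real Dropbox API schema, so adapt them to whatever your export actually contains.

```python
from dataclasses import dataclass

# Assumption: all PHI is kept under one top-level team folder.
PHI_PREFIX = "/PHI/"


@dataclass(frozen=True)
class Finding:
    rule: str      # which HIPAA hygiene rule was violated
    actor: str     # team member (or link owner) responsible
    detail: str    # the path or app name involved


# Constructed sample data (not real Dropbox output). Event names, field
# names and visibility values are assumptions for this example only.
TEAM_EVENTS = [
    {"event": "file_permanently_delete", "actor": "nurse@example.org",
     "path": "/PHI/intake/patient-0042.pdf"},            # PHI gone for good: violation
    {"event": "file_delete", "actor": "nurse@example.org",
     "path": "/PHI/intake/patient-0043.pdf"},            # recoverable delete: fine
    {"event": "file_permanently_delete", "actor": "admin@example.org",
     "path": "/marketing/old-logo.png"},                 # not PHI: fine
]
SHARED_LINKS = [
    {"path": "/PHI/labs/results-2024-03.csv", "visibility": "public",
     "owner": "lab@example.org"},                        # public PHI link: violation
    {"path": "/PHI/labs/results-2024-02.csv", "visibility": "team_only",
     "owner": "lab@example.org"},                        # team-only: fine
    {"path": "/newsletter/march.pdf", "visibility": "public",
     "owner": "marketing@example.org"},                  # public but not PHI: fine
]
LINKED_APPS = [
    {"app": "ApprovedDLPScanner", "member": "admin@example.org"},
    {"app": "RandomPhotoSync", "member": "nurse@example.org"},   # no BAA: violation
]
# Assumption: the only third-party apps allowed are those covered by a signed BAA.
APPROVED_APPS = {"ApprovedDLPScanner"}


def is_phi_path(path: str) -> bool:
    """Case-insensitive check that a path sits under the PHI folder."""
    return path.lower().startswith(PHI_PREFIX.lower())


def check_permanent_deletions(events):
    """Rule 1: PHI must never be permanently deleted (recoverable deletes are fine)."""
    return [Finding("no-permanent-phi-deletion", e["actor"], e["path"])
            for e in events
            if e["event"] == "file_permanently_delete" and is_phi_path(e["path"])]


def check_public_phi_links(links):
    """Rule 2: PHI may only be shared inside the team, never through wider links."""
    return [Finding("no-public-phi-link", link["owner"], link["path"])
            for link in links
            if is_phi_path(link["path"]) and link["visibility"] != "team_only"]


def check_unapproved_apps(apps, approved):
    """Rule 3: only apps on the approved (BAA-covered) list may be linked to the team."""
    return [Finding("unapproved-third-party-app", a["member"], a["app"])
            for a in apps if a["app"] not in approved]


def audit(events=TEAM_EVENTS, links=SHARED_LINKS, apps=LINKED_APPS,
          approved=APPROVED_APPS):
    """Run all three checks and return the combined list of findings."""
    return (check_permanent_deletions(events)
            + check_public_phi_links(links)
            + check_unapproved_apps(apps, approved))


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.rule}] {f.actor}: {f.detail}")
```

Run against the constructed data, the audit reports exactly three findings, one per rule; the recoverable delete, the team-only link and the non-PHI public link are correctly left alone. The useful design point is that the checks are pure functions over plain dictionaries, so the same logic can be pointed at a real export once the field names are mapped, and the approved-app set is the single place where your BAA inventory is encoded.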

The Best HIPAA-Compliant Dropbox Alternative: Sync.com

If you’re looking for an alternative to Dropbox, check out our list of the best HIPAA-compliant cloud storage services. The top option is Sync.com, as it offers zero-knowledge encryption for your entire account. Additionally, you have control over user permissions, which lets you limit who can share or access PHI. Find out more in our Sync.com review.

Final Thoughts: Is Dropbox HIPAA Compliant?

Dropbox is HIPAA compliant as long as you choose the correct plan. With the right Dropbox plan, administrators can limit the sharing of PHI and disable permanent data deletion. Dropbox isn’t the only option, as alternative cloud storage services like Sync.com will also help you avoid HIPAA violations.

Do you need to store HIPAA data with a cloud storage provider? Do you use Dropbox with your HIPAA data? If not, what is your preferred cloud storage for maintaining HIPAA compliance? Let us know in the comments section below. Thanks for reading our article.

FAQ: Dropbox HIPAA Compliance

  • Yes, Dropbox has several plans that follow HIPAA rules. These plans are Standard, Advanced, Business, Business Plus, Enterprise and Education.

  • Yes, Google will sign a BAA as long as you use Google Workspace products that follow HIPAA rules. Examples include Gmail, Calendar, Docs and Sheets, among others.

  • Yes. OneDrive will enter into a BAA with companies that have HIPAA data and use Microsoft products. Many of Microsoft’s products are HIPAA compliant, including Office 365 and Azure.

  • Most cloud storage services that do business in the United States offer HIPAA-compliant plans. However, it’s in your best interest to verify a provider’s HIPAA compliance, and its willingness to sign a BAA, before using it for PHI.

Sources:

  1. Healthcare Data Breach Statistics – HIPAA Journal