may earn a small commission from some purchases made through our site. However, any earnings do not affect how we review services. Learn more about our editorial integrity and research process.

Is Dropbox HIPAA Compliant

Is Dropbox HIPAA Compliant in 2024? How to Secure PHI On a Dropbox Account

Dropbox has many features for storing and sharing files. However, if you want to use it to store sensitive or confidential health information, you need to answer the question, “Is Dropbox HIPAA compliant?”

Jason StagnittoValentina BravoIgor Kurtz

Written by Jason Stagnitto (Writer)

Reviewed by Valentina Bravo (Editor)

Facts checked by Igor Kurtz (Fact-checking editor)

Last Updated: 2024-03-21T15:29:53+00:00

All our content is written fully by humans; we do not publish AI writing. Learn more here.

Key Takeaways: Is Dropbox HIPAA Compliant?
  • Dropbox includes HIPAA-compliant features in several of its plans, including Standard, Advanced, Business, Business Plus, Enterprise and Education.
  • You’ll need to sign a Business Associate Agreement (BAA) with Dropbox to store HIPAA-related data in your account.
  • There are several HIPAA-compliant alternatives to Dropbox, including, which offers zero-knowledge encryption for your account.

Facts & Expert Analysis About Dropbox HIPAA Compliance:

  • The Health Insurance Portability and Accountability Act (HIPAA) was passed by the U.S. congress in 1996. Title II of the act sets up a framework for patient privacy by defining a set of protected health information. According to the HIPAA Journal, healthcare data breaches have increased year-over-year since 2009, with the exception of a small dip in 2015.1
  • Administrators on the abovementioned Dropbox plans can ensure that protected health information (PHI) isn’t permanently deleted and set sharing permissions to exclude HIPAA data.
  • Using third-party tools and plugins for security features like data loss prevention (DLP) and identity access management (IAM) and security information and event management (SIEM) can make your PHI more secure, but also requires you to sign additional BAA’s with other companies.

Dropbox is a popular cloud storage provider with many features that appeal to a wide range of consumers. Personal users will enjoy its ease of use and sharing features, while business users can take advantage of Dropbox’s collaboration and productivity tools. However, when it comes to your health information, it’s worth asking the question: Is Dropbox HIPAA compliant?

The Health Insurance Portability and Accountability Act (HIPAA) is United States legislation that was signed into law in 1996 to regulate the security and privacy of medical information. Cloud storages that hold this type of information must adhere to strong security and privacy practices. Dropbox — specifically, Dropbox Business — is no exception.

Having zero-knowledge encryption is a great way for cloud storage to be HIPAA compliant, though it’s not required. Dropbox recently purchased Boxcryptor with the intent to bring zero-knowledge capabilities to its Dropbox Business plans. At the time of this article, that addition hasn’t been implemented. Even though it lacks zero knowledge, we’ll explore Dropbox’s HIPAA compliance.

  • 03/21/2024 Facts checked

    Rewritten to include updated HIPAA-related information for Dropbox.

Is Dropbox HIPAA Compliant?

Yes, Dropbox has a few plans with policies and tools that adhere to HIPAA regulations. You can enable HIPAA compliance for Dropbox’s Standard, Advanced, Business and Business Plus plans. This option also applies to the Dropbox Enterprise and Education plans. Dropbox also provides a framework of recommendations to keep your cloud storage compliant.

dropbox hipaa
Dropbox adheres to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. 

Dropbox HIPAA Business Associate Agreement (BAA) Opportunities

As per Dropbox’s standards and regulations compliance page, the service will sign a BAA for customers on the Standard, Advanced, Enterprise or Education plans if needed. Signing a BAA with Dropbox (or any other company) means that it can also be held liable for PHI exposure, and it accepts responsibility for the appropriate handling of patient data. Additionally, Dropbox will provide a SOC 2 examination evaluating its controls for HIPAA upon request. 

dropbox baa
You can sign a business associate agreement if you need to store
protected health information (PHI) on your Dropbox account.

How to Make Dropbox HIPAA Compliant

There are several ways to ensure that Dropbox functions in a HIPAA-compliant manner, which is the best practice for protecting sensitive data like protected health information (PHI) on your account.

  • Avoid permanent deletions: Don’t permanently delete any HIPAA-protected data. Administrators can configure your account so that HIPAA data can’t be permanently deleted.
  • Limit sharing: Users can configure their sharing permissions to limit the sharing of HIPAA-protected data.
  • Choose the right plan: If you’re going to use Dropbox for HIPAA data, make sure to choose a plan that lets you enable HIPAA compliance. 
  • Monitor usage: Administrators can monitor how team members access and share data, ensuring that there are no HIPAA violations.
  • Sign a BAA: Dropbox will sign a BAA as long as you have the corresponding plan that supports it.
  • Minimize third-party apps: Reduce the number of third-party apps connecting to your account and verify the HIPAA-compliant ones.

The Best HIPAA-Compliant Dropbox Alternative:

If you’re looking for an alternative to Dropbox, check out our list of the best HIPAA-compliant cloud storage services. The top option is as it offers zero-knowledge encryption for your entire account. Additionally, you have control over user permissions, which lets you limit who can share or access PHI. Find out more in our review.

Final Thoughts: Is Dropbox HIPAA Compliant?

Dropbox is HIPAA compliant as long as you choose the correct plan. With the right Dropbox plan, administrators can limit the sharing of PHI data and disable permanent data deletions. Dropbox isn’t the only option, as alternative cloud storage services like will also help you avoid HIPAA violations.

Do you need to store HIPAA data with a cloud storage provider? Do you use Dropbox with your HIPAA data? If not, what is your preferred cloud storage for maintaining HIPAA compliance? Let us know in the comments section below. Thanks for reading our article.

FAQ: Dropbox HIPAA Compliance

  • Yes, Dropbox has several plans that follow HIPAA rules. These plans are Standard, Advanced, Business, Business Plus, Enterprise and Education.

  • Yes, Google will sign a BAA as long as you use Google Workspace products that follow HIPAA rules. Examples include Gmail, Calendar, Docs and Sheets, among others.

  • Yes. OneDrive will enter into a BAA with companies that have HIPAA data and use Microsoft products. Many of Microsoft’s products are HIPAA compliant, including Office 365 and Azure.

  • Most cloud storage services that do business in the United States are HIPAA compliant. However, it’s in your best interest to verify HIPAA compliance before using a cloud storage service.


  1. Healthcare Data Breach Statistics – HIPAA Journal
↑ Top