Is Dropbox HIPAA Compliant? What Healthcare Practices Need to Know

Dropbox can support HIPAA compliance, but not out of the box. A Business Associate Agreement has to be in place first, and until it is, putting Protected Health Information into Dropbox is itself the violation.

Yes, conditionally

Dropbox can support HIPAA compliance on Dropbox Business or Dropbox Education plans. Dropbox will sign a Business Associate Agreement, and that BAA must be in place before any PHI is moved into the account.

Plan / requirement: Dropbox Business or Dropbox Education. Electronic BAA signing through the Admin Console is available to US-based customers.

Sources: "Sign a Business Associate Agreement for your Dropbox team account" and "Dropbox and HIPAA/HITECH overview" (Dropbox help center). Last verified 2026-06-14.

What HIPAA actually requires here

HIPAA does not certify software. It requires that any vendor handling Protected Health Information on your behalf sign a Business Associate Agreement and uphold the Security Rule safeguards. For Dropbox, that mechanism works like this:

A Dropbox team admin signs the Business Associate Agreement directly in the Admin Console. Electronic signing is limited to US-based customers.

The conditions that decide whether you are actually covered:

Where the vendor stops and you begin

The most expensive misunderstanding in healthcare practices is assuming a signed BAA finishes the job. It does not. Compliance is shared:

Where responsibility sits
Dropbox acts as Business Associate once the BAA is signed.
You control sharing links, folder permissions, and which staff can reach PHI folders.
You are responsible for disabling public links and expiring shared access to PHI.

Compliance review

Not sure your Dropbox setup holds up to an audit?

Cobrix runs a configuration review against the actual healthcare rules your practice operates under, then fixes what does not pass.

Configuring Dropbox the right way

A defensible Dropbox deployment in a healthcare practice comes down to a short, ordered checklist:

  1. Have a team admin sign the BAA in the Admin Console before uploading PHI.
  2. Disable public and password-free shared links for PHI folders.
  3. Restrict PHI folders to named users with least-privilege permissions.
  4. Enable two-step verification for all team members.
  5. File the SOC 2 report and BAA copy for your records.
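Steps 2 and 3 are the ones that drift after go-live, because staff keep creating links. The script below is an added example (not Cobrix's or Dropbox's code) of the periodic check a practice would run against that drift: it takes a list of shared-link records and reports any link on a PHI path that is public or has no expiry. It assumes the record shape of the Dropbox API v2 `sharing/list_shared_links` response (`url`, `path_lower`, `expires`, `link_permissions.resolved_visibility`); confirm the field names against the current API reference before wiring it to live data. The PHI folder names and the sample records are constructed for the example.

```python
"""Audit Dropbox shared-link records against the PHI checklist above.

Added example, not Cobrix's or Dropbox's code. Assumptions (labelled):
- Record shape mimics Dropbox API v2 `sharing/list_shared_links`
  SharedLinkMetadata; verify field names against the current API docs.
- PHI lives under the folders in PHI_FOLDERS (practice-specific).
- The sample records in SAMPLE_LINKS are constructed for this example.
"""
from datetime import datetime, timezone

# Practice-specific assumption: folders holding PHI. Lower-cased with a
# trailing slash because the API returns `path_lower`.
PHI_FOLDERS = ("/patient records/", "/billing/")

# Visibility tags that expose a link to anyone holding the URL.
PUBLIC_VISIBILITY = {"public"}

# Fixed clock for the demo and tests (the page's "last verified" date).
REFERENCE_NOW = datetime(2026, 6, 14, tzinfo=timezone.utc)

# Constructed sample records in the assumed SharedLinkMetadata shape.
SAMPLE_LINKS = [
    {"url": "https://www.dropbox.com/scl/fo/EXAMPLE1", "expires": None,
     "path_lower": "/patient records/intake forms",
     "link_permissions": {"resolved_visibility": {".tag": "public"}}},
    {"url": "https://www.dropbox.com/scl/fo/EXAMPLE2",
     "expires": "2030-01-01T00:00:00Z", "path_lower": "/billing/2025-q1",
     "link_permissions": {"resolved_visibility": {".tag": "password"}}},
    {"url": "https://www.dropbox.com/scl/fo/EXAMPLE3", "expires": None,
     "path_lower": "/patient records/referrals",
     "link_permissions": {"resolved_visibility": {".tag": "team_only"}}},
    {"url": "https://www.dropbox.com/scl/fo/EXAMPLE4",
     "expires": "2020-01-01T00:00:00Z", "path_lower": "/patient records/old",
     "link_permissions": {"resolved_visibility": {".tag": "public"}}},
    {"url": "https://www.dropbox.com/scl/fi/EXAMPLE5", "expires": None,
     "path_lower": "/marketing/flyer.pdf",
     "link_permissions": {"resolved_visibility": {".tag": "public"}}},
]


def is_phi_path(path_lower):
    """True when the shared path is one of the PHI folders or inside one."""
    candidate = path_lower.rstrip("/") + "/"
    return any(candidate.startswith(folder) for folder in PHI_FOLDERS)


def parse_expiry(value):
    """Parse the API's ISO 8601 'Z' timestamp; None means the link never expires."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_shared_links(links, now=None):
    """Return the PHI-path links that violate the checklist, with reasons.

    Public links and links without an expiry are reported; links that have
    already expired are skipped because they no longer resolve. Links outside
    the PHI folders are out of scope for this check.
    """
    now = now or datetime.now(timezone.utc)
    results = []
    for link in links:
        path = link.get("path_lower", "")
        if not is_phi_path(path):
            continue
        expiry = parse_expiry(link.get("expires"))
        if expiry is not None and expiry <= now:
            continue  # already dead; nothing left to expose
        findings = []
        visibility = link["link_permissions"]["resolved_visibility"][".tag"]
        if visibility in PUBLIC_VISIBILITY:
            findings.append("public link on PHI path")
        if expiry is None:
            findings.append("no expiry set")
        if findings:
            results.append({"url": link["url"], "path": path, "findings": findings})
    return results


if __name__ == "__main__":
    for item in audit_shared_links(SAMPLE_LINKS, REFERENCE_NOW):
        print(f"{item['path']}: {', '.join(item['findings'])} ({item['url']})")
```

Feed it the full page-through output of the list endpoint (selected as a team admin so member-owned links are included) and file the report alongside the BAA copy from step 5; an empty report dated to the run is the evidence an auditor asks for.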

Mistakes that quietly void compliance

Where Cobrix fits

Cobrix is a California MSP/MSSP that configures and monitors tools like Dropbox for healthcare practices, then documents the controls so they survive an audit. The software gives you the BAA; the configuration, monitoring, and paper trail are what actually keep you compliant. That is the part we own.

Free resource

Dropbox HIPAA setup checklist

The exact configuration steps above, formatted as a printable checklist your team can work through and keep on file.

Frequently asked questions

Is Dropbox HIPAA compliant?

Dropbox can support HIPAA compliance on Dropbox Business or Dropbox Education plans. Dropbox will sign a Business Associate Agreement, and that BAA must be in place before any PHI is moved into the account.

How do I get a BAA with Dropbox?

A Dropbox team admin signs the Business Associate Agreement directly in the Admin Console. Electronic signing is limited to US-based customers.

What plan do I need for Dropbox to be HIPAA compliant?

Dropbox Business or Dropbox Education. Electronic BAA signing through the Admin Console is available to US-based customers.

Does a BAA alone make Dropbox compliant?

No. HIPAA compliance follows a shared-responsibility model. The vendor secures the platform; your practice is responsible for configuration, access controls, and staff handling of PHI.