Skip to content
Don WisdomDec 2, 2022 9:10:58 AM4 min read

Is dropbox HIPAA Compliant?

HIPAA and HITECH regulations with Dropbox

Dropbox creates a secure environment and allows you to switch between a variety of digital tools, so you meet HIPAA and HITECH standards.

Is Dropbox HIPAA Compliant?

Dropbox's HIPAA compliance isn't clear, and there are lot of security concerns to consider before choosing a file-sharing platform.

audit ad

Dropbox now claims to be compliant with the HIPAA and HITECH Act, but this does not mean it is fully HIPAA compliant. There's no way for a software or file sharing platform to be completely in compliance with HIPAA because there are too many ways that the software could be used. Healthcare organizations who use Dropbox to share or store files containing protected health information should note the following important factors to keep in mind pertaining to the HIPAA Rules:

Business associates are required by law to enter into a Business Associate Agreement with the covered entity (a.k.a. your employer) before sharing any PHI with them, so Dropbox is acceptable if you want to share files with employees outside the company right away without getting them added first.

Dropbox will sign a business associate agreement with HIPAA-covered entities. To avoid a violation, the agreement must be obtained before any PHI is uploaded to Dropbox. The agreement can be signed electronically via their Account page.

Dropbox allows third party apps to be used, although it is important to note that they are not covered by the BAA. If third party apps are used with a Dropbox account, you need to assess those apps separately before their use.

For security reasons, you need to be careful when setting up Dropbox accounts. Here are some guidelines to follow:

HIPAA regulation requires all healthcare institutions to have certain security measures put in place, including the use of a secured dropbox. As long as your storage is correctly configured, and you're running it through a BAA document - even if it was signed - then

To avoid a HIPAA violation, be sure to use permission controls that restrict access to PHI files to only those who are authorized. Don’t share any PHI files outside of your team by setting the sharing permissions. The use of two-step verification helps make sure that you're the only one who has access to your account.

Files with PHI cannot be permanently deleted. Administrators can disable the deletion of files on the Admin Console, which will ensure that they cannot be deleted for as long as the account is active

One important way to help keep your protected health information (PHI) safe is by monitoring your Dropbox account. Administrators should delete individuals when they leave the company, so users with decreased privileges don’t have access to PHI. There's a list of linked devices that must be checked for remotely wiping. Dropbox is one such option, and it wipes locally stored content when linking it to the app on other devices. Make sure this happens when a user leaves the organization or if their device goes missing or gets stolen.

Dropbox is known to stay on top of user activity. It is possible to generate reports on file access and look at all the details of who may be sharing sensitive information. This way, you can track down any potential security risks before they become major problems.

Dropbox have offered to provide a mapping of their internal practices on request. They've also provided an assurance report showing the controls that have been put in place to keep files secure. These reports can be found on Dropbox's account management page.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) rely on technology for security and privacy in healthcare.

Which people are affected by HIPAA/HITECH compliance?

Hospitals, doctors, dentists and chiropractors who work with protected health information (PHI) have to comply with HIPAA/HITECH compliance regulations.

Adopting best practices for HIPAA and HITECH

Dropbox is set up to make it easy for you to stay secure and abide by legal requirements

Dropbox provides security and regulatory guidance based on the type of account you have. However, it is ultimately your responsibility to maintain compliance with your country-specific regulations as Dropbox cannot provide legal advice.

  • Configuring sharing permissions

  • Two-step verification

  • SSO

  • Disabling permanent deletions

  • Signing a Business Associate Agreement (BAA) with Dropbox

  • Understanding the role of 3rd party apps

  • Download Getting Started with HIPAA

audit ad

Strengthen the security of your Protect Health Information

You can use your Dropbox Business account to connect to third-party apps for added functionality. Integrations like SIEM, DLP, and identity management can offer powerful tools for strengthening your company.

How can my organization benefit from Dropbox?

Dropbox storage may be HIPAA compliant for healthcare organizations, but before using the service you should confirm with Dropbox on the HIPAA question about whether it can store and share protected health information.


You asked, "Is Dropbox HIPAA compliant?" The answer to that is it depends on each individual user. There are security controls in place for those who protect their files and there's also a privacy policy in place to keep your data secure, but ultimately compliance depends on you. A Business Associate Agreement establishes that privacy is taken seriously and helps Dropbox users to share PHI internally without violating the HIPAA Rules.



Don Wisdom

Don Wisdom is the Founder and President of Datalink Networks. He is a channel industry veteran with a career spanning over 30 years.