Is Box HIPAA compliant?
Conditionally. Box signs a HIPAA BAA for Enterprise-tier accounts, requested through the Admin Console; the BAA must be in place and the account configured properly before storing PHI.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: Enterprise, Enterprise Plus, or Enterprise Advanced accounts; an admin requests the BAA from the Admin Console (Account & Billing > HIPAA Compliance > Request a HIPAA BAA), returned by Box Legal in 3-5 business days.
- Official source: Box Support — HIPAA and HITECH Overview and FAQ — https://support.box.com/hc/en-us/articles/360044194833-Box-HIPAA-and-HITECH-Overview-and-FAQ (verified 2026-06)
How to use Box in a HIPAA-compliant way
- Confirm an eligible Box Enterprise, Enterprise Plus, or Enterprise Advanced account.
- As an admin/co-admin, go to Admin Console > Account & Billing > HIPAA Compliance > Request a HIPAA BAA and complete the form.
- Wait for Box Legal Operations to return the signed addendum (typically 3-5 business days) and execute it before uploading PHI.
- Configure granular sharing permissions, device/login controls, encryption, and audit reporting.
- Document policies and your own HIPAA risk analysis.
Important caveats
- Non-Enterprise Box plans (Individual/Business tiers) are not eligible for a HIPAA BAA.
- A BAA must be executed before any PHI is stored; you are responsible for configuring Box compliantly.
- Some Box integrations and third-party apps may fall outside the BAA scope.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Box correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Box.
Frequently asked questions
Does Box sign a BAA?
Yes, on specific plans: Enterprise, Enterprise Plus, or Enterprise Advanced accounts. An admin requests the BAA from the Admin Console (Account & Billing > HIPAA Compliance > Request a HIPAA BAA), and Box Legal returns it in 3-5 business days. A signed BAA is required before any PHI is involved.
Is Box HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Box offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Box with PHI?
Check three things: that the account is an eligible Enterprise, Enterprise Plus, or Enterprise Advanced plan (Individual/Business tiers are not eligible for a HIPAA BAA); that the BAA has been executed before any PHI is stored; and that the sharing, device/login, encryption, and audit settings, and any integrations or third-party apps that may fall outside the BAA scope, have been reviewed and configured for PHI.