Is Dropbox HIPAA compliant?
Conditionally. Dropbox will sign a BAA for team plans (Standard/Advanced/Enterprise/Education), and an admin can self-sign it in the Admin console before storing PHI; personal and Basic plans are not covered.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: A Dropbox team plan (Standard, Advanced, Enterprise, or Education) and a US-based customer account; a team admin self-signs the BAA in the Admin console (Settings > Team profile > Set up BAA). Individual and Basic plans are not eligible.
- Official source: Dropbox Help — Sign a BAA for your team account — https://help.dropbox.com/account-settings/business-associate-agreement (verified 2026-06)
How to use Dropbox in a HIPAA-compliant way
- Confirm you have an eligible Dropbox team plan and are a US-based customer.
- As an admin, go to Admin console > Settings > Team profile > Set up BAA and complete the agreement before transferring any PHI.
- Restrict sharing, enable two-step verification, set device approvals, and configure access controls and logging.
- Disable reseller support (incompatible once a BAA is signed) and limit third-party app connections.
- Document your risk assessment and retain the downloaded BAA copy.
Important caveats
- Individual/Basic Dropbox accounts cannot be made HIPAA-compliant; the BAA is team-plan only.
- Electronic self-service BAA signing is limited to US-based customers, and signing a BAA disables reseller support.
- Dropbox Sign (e-signature) has its own separate HIPAA terms — the storage BAA does not automatically cover it.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Dropbox correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Dropbox.
Frequently asked questions
Does Dropbox sign a BAA?
On specific plans. Dropbox offers the BAA on its team plans (Standard, Advanced, Enterprise, Education) to US-based customers; a team admin self-signs it in the Admin console (Settings > Team profile > Set up BAA). Individual and Basic plans are not eligible. The BAA must be signed before any PHI is stored or shared.
Is Dropbox HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Dropbox offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Dropbox with PHI?
Individual/Basic Dropbox accounts cannot be made HIPAA-compliant; the BAA is team-plan only.