Vendor documentation review

Is Dropbox HIPAA Compliant? (2026 Verdict)

Yes, with conditions

Dropbox offers a BAA for certain team plans and can store PHI after the agreement is in place and the team account is configured appropriately.

Last verified:

At a glance

BAA available
Yes
Plan required
Eligible Dropbox team plan
Configuration required
Sign the BAA, restrict sharing and deletion, monitor access, manage devices, and review third-party apps.
Category
Storage
Official site
Visit Dropbox

What Dropbox says officially

Dropbox’s HIPAA and HITECH overview applies to certain teams on Standard, Advanced, Enterprise, Education, Business, and Business Plus plans. It says a Business Associate Agreement must be in place before PHI is transferred to the account. A US-based team administrator can sign electronically from the admin console; sales handles plan questions and other account arrangements.

Dropbox recommends configuring sharing permissions, disabling permanent deletions, monitoring activity, and understanding third-party apps. It explicitly says integrations are not covered by the Dropbox terms or BAA. Dropbox Dash is also excluded from the supported healthcare path.

Dropbox provides team controls such as required twostep verification , but the administrator must enable and operate them. The documented agreement, eligible plans, and control guidance support a positive verdict with those conditions.

What this means for a medical practice

A cloud folder can spread PHI through shared links, synchronized laptops, mobile devices, local caches, backups, previews, comments, and connected apps. Moving a file into an eligible Dropbox team account is only the beginning of the workflow.

Personal Dropbox accounts should not be mixed with the practice team. If a clinician owns a folder personally, the organization may not be able to enforce access, recover records, or remove synchronized copies during offboarding. Broad links and permanent deletion also interfere with access control and retention policies.

Folder naming also matters. A shared-link email can reveal a patient’s condition through the filename even if the recipient never opens the document. Use the minimum identifying information needed, and make link recipients authenticate whenever the workflow permits it.

The same chain matters when a HIPAAconscious medical website sends uploads to storage. A form plugin, automation service, or email notification may touch the file before Dropbox does. A thoughtful patient engagement workflow should tell patients where to upload documents without exposing a reusable public folder.

How to use it safely

  1. Confirm the exact Dropbox team plan is eligible and assign a practice-controlled team administrator.
  2. Execute Dropbox’s BAA and retain the agreement before uploading real PHI.
  3. Require two-step verification, use named accounts, limit admin roles, and document prompt offboarding.
  4. Restrict external sharing and public links. Set team defaults that match the minimum-necessary rule.
  5. Configure deletion and retention deliberately, monitor activity, and test file recovery.
  6. Inventory synchronized computers and phones. Require device encryption, screen locks, updates, and remote-removal procedures.
  7. Review every app and integration separately; do not enable Dash for PHI based on the Dropbox BAA.
  8. Test uploads, shares, downloads, comments, alerts, integrations, and deletion with fictional files.

Compliant alternatives

Google Drive is included in Google’s Workspace BAA path for managed organizations, while Microsoft lists OneDrive for Business and SharePoint among services covered by its BAA. Both alternatives still require identity, sharing, device, and integration controls.

Bottom line

Dropbox offers a documented BAA for certain team plans and can support PHI storage after that agreement is effective. Use a managed team, configure sharing and retention, control synchronized devices, and treat every connected app as a separate vendor.

Frequently asked questions

Does Dropbox sign a Business Associate Agreement?

Yes. Dropbox documents a BAA for certain eligible team plans and lets US team administrators sign it electronically in the admin console.

Does the Dropbox BAA cover connected apps?

No. Dropbox says third-party apps and integrations are not included under its team-plan terms or BAA and must be evaluated separately.

Can PHI be uploaded before the BAA is signed?

No. Dropbox instructs regulated customers to have the BAA in place before transferring PHI into the account.

HIPAA-friendly alternatives

A practical second look

Not sure what your website and tools are doing with patient data?

Request a done-for-you review.

Request a review