

Is Dropbox HIPAA Compliant for Medical Clinics?

What small clinics need to know about Dropbox's BAA availability, plan requirements, shared-link restrictions, and the compliance gaps that remain even with a signed agreement.

Short answer

Dropbox offers a BAA on Business Plus and higher plans, but the agreement comes with strict usage conditions. Shared links containing PHI are prohibited under the BAA terms, and the clinic must configure specific admin controls to limit exposure. Dropbox was designed for file collaboration, not for clinical compliance workflows.

Dropbox can be used for PHI storage under specific conditions: the clinic must be on Business Plus or a higher plan, the BAA must be signed through Dropbox’s own process, and the admin must restrict shared links and enforce access controls. It is not a default-safe choice for PHI, and the shared-link restriction catches many clinics by surprise.

BAA availability and plan requirements

Dropbox offers a HIPAA BAA on the following plans:

  • Business Plus (the lowest tier that qualifies)
  • Business
  • Enterprise

The BAA is not available on Dropbox Plus, Professional, or the free tier. Clinics must request the BAA through Dropbox’s dedicated HIPAA page and sign it before storing any PHI in the account.

How to enable HIPAA-compatible use

After signing the BAA, the admin must configure the Dropbox account to limit exposure:

  1. Restrict link sharing. Disable public shared links and viewer-without-account links in the Admin Console. PHI must not be accessible via any link that does not require authentication.
  2. Enable device approvals. Require admin approval before a new device can sync to the account.
  3. Set session expiration. Limit how long unattended sessions remain open.
  4. Audit third-party app access. Review which third-party apps have OAuth access to your Dropbox and revoke any not covered by a BAA.
  5. Configure team folder permissions. Use group-based permissions so staff only see the folders relevant to their role.

None of these steps is applied automatically on upgrade. The clinic’s admin is responsible for reviewing and applying each control.

Known limitations and PHI restrictions

The shared-link restriction is the most operationally significant constraint. Clinical staff are accustomed to sending Dropbox links for quick file handoffs. Under HIPAA and Dropbox’s own BAA terms, any link that allows unauthenticated access to a PHI-containing file violates both. That means:

  • No public links to patient records, lab results, referral letters, or any document with identifiable patient data
  • No “anyone with the link” access settings on team folders
  • No forwarding of Dropbox-generated links via email to patients or referring providers

Beyond shared links, Dropbox does not have built-in audit trail functionality at the depth HIPAA’s access log requirements demand. You can export account activity logs, but there is no patient-record-level access control or purpose-based access tracking.
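As an added example (not Dropbox’s or PHIGuard’s code), the check below scans an exported activity log for the shared-link events that step 1 above is meant to prevent, so an admin can turn the exportable log into a recurring review. The JSON layout, event names, visibility values and the `/Patients` folder prefix are assumptions; verify them against a real export before relying on the results.

```python
"""Scan an exported Dropbox team activity log for shared links that bypass
authentication (step 1 above). Added example, not Dropbox's or PHIGuard's
code: the JSON layout and field names approximate the Dropbox Business API
team log and are assumptions to verify against a real export."""
import json

# Link-related event types (assumed names; verify against your export).
LINK_EVENTS = {"shared_link_create", "shared_link_settings_change"}

# Constructed sample export, one JSON object per line.
SAMPLE_LOG = """\
{"timestamp": "2024-03-04T09:12:01Z", "actor": "nurse1@clinic.example", "event_type": "shared_link_create", "path": "/Patients/referral_letter.pdf", "shared_link_visibility": "public"}
{"timestamp": "2024-03-04T09:15:40Z", "actor": "frontdesk@clinic.example", "event_type": "shared_link_create", "path": "/Admin/holiday_rota.xlsx", "shared_link_visibility": "team_only"}
{"timestamp": "2024-03-04T10:02:13Z", "actor": "md@clinic.example", "event_type": "shared_link_settings_change", "path": "/Patients/lab_results.pdf", "shared_link_visibility": "password"}
{"timestamp": "2024-03-04T10:30:00Z", "actor": "md@clinic.example", "event_type": "file_add", "path": "/Patients/intake_form.pdf"}
{"timestamp": "2024-03-04T11:45:09Z", "actor": "frontdesk@clinic.example", "event_type": "shared_link_create", "path": "/Marketing/flyer.pdf", "shared_link_visibility": "public"}
"""


def classify(visibility, in_phi_folder):
    """Severity for a link setting, or None when no action is needed.
    'public' needs no account, so on a PHI path it breaks the BAA rule
    outright; 'password' still admits anyone holding link and password,
    so it is queued for review rather than counted as authenticated."""
    if visibility == "public":
        return "violation" if in_phi_folder else "warning"
    if visibility == "password" and in_phi_folder:
        return "review"
    return None


def scan_activity_log(lines, phi_prefixes=("/Patients",)):
    """Return one finding per link event an admin should act on."""
    findings = []
    for raw in filter(None, (line.strip() for line in lines)):
        event = json.loads(raw)
        if event.get("event_type") not in LINK_EVENTS:
            continue  # file_add, logins, etc. are out of scope here
        path = event.get("path", "")
        in_phi = any(path.startswith(prefix) for prefix in phi_prefixes)
        severity = classify(event.get("shared_link_visibility", ""), in_phi)
        if severity:
            findings.append({"severity": severity, "actor": event["actor"],
                             "path": path, "time": event["timestamp"]})
    return findings


if __name__ == "__main__":
    for f in scan_activity_log(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:9} {f['time']} {f['actor']} {f['path']}")
```

Run against a real export, the findings list is the review queue for the admin: each "violation" entry is a link that should be revoked and assessed under the breach process described in the FAQ below.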

What not to put there even with a BAA

Even after signing the BAA and applying all admin controls, Dropbox is not the right home for:

  • Active clinical documentation that needs a full per-record audit trail
  • Incident reports, breach notifications, or risk assessment documents that need version-controlled access logs
  • Compliance training records and attestation logs
  • Any workflow where the file must route through multiple approvers with documented sign-off

These functions belong in a system purpose-built for clinical compliance work, not in a general file-storage product.

When Dropbox fails clinical fit

Dropbox is designed for team file storage and collaboration. That design shows in the product: broad sharing defaults, consumer-friendly link mechanics, and no clinical workflow layer. Even a fully configured, BAA-covered Dropbox account does not give a clinic the task accountability, policy attestation, incident tracking, or compliance program oversight that HIPAA operations require.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions clinics ask before using this software with PHI

Does Dropbox automatically sign a BAA when you upgrade to Business?

No. The clinic must navigate to Dropbox's HIPAA page and execute the BAA separately. Upgrading a plan alone does not create a signed agreement.

Can staff share a Dropbox folder with a patient using a shared link?

Not if the folder contains PHI. Dropbox's BAA explicitly prohibits using shared links for files that include protected health information.

Is Dropbox Paper covered under the Dropbox BAA?

Dropbox has historically excluded certain product features from BAA coverage. Verify with Dropbox's current BAA text before using Dropbox Paper for PHI-related content.

What happens if a staff member shares a PHI file via a public link by mistake?

That is a potential breach under the HIPAA Breach Notification Rule, requiring risk assessment and possibly OCR notification within 60 days. Admin controls that disable public link creation are a first line of defense.
