Does Box Sign a HIPAA Business Associate Agreement?
By BAA Generator Editorial · Published Apr 20, 2026 · Last reviewed Apr 20, 2026 · 5 min read
Key Takeaways
- ✓ Yes — Box signs a HIPAA BAA for Business Plus, Enterprise, and Enterprise Plus customers
- ✓ Individual, Starter, and standard Business plans do not qualify for a BAA
- ✓ Box holds FedRAMP Moderate authorization; that is a federal procurement requirement rather than a HIPAA one, but it means Box's controls have been independently assessed against the NIST SP 800-53 Moderate baseline
- ✓ Box Shield, a paid add-on, adds content classification, malware detection, and data loss prevention; signing a BAA does not enable any of these by itself
Box is a widely used cloud content management platform in healthcare, where it stores contracts, patient intake forms, imaging reports, compliance documentation, and inter-department files. Its HIPAA program is mature and documented: Box will sign a BAA on its higher-tier plans, and the combination of that BAA and a correctly configured tenant is what makes a Box deployment HIPAA-eligible for covered entities and business associates. The BAA alone does not make a tenant compliant; the customer remains responsible for how the content is shared and who can reach it.
Box Plan Coverage for HIPAA BAA
| Plan | Price | BAA Available? |
|---|---|---|
| Individual | Free / $10/mo | No BAA |
| Starter | $7/user/mo | No BAA |
| Business | $20/user/mo | No BAA |
| Business Plus | Custom pricing | BAA available |
| Enterprise | Custom pricing | BAA standard |
| Enterprise Plus | Custom pricing | BAA standard |
Why Box Is Used in Healthcare
Box has invested heavily in compliance infrastructure, which is why healthcare organizations tend to shortlist it over general-purpose file-sync products:
- FedRAMP Authorization — Box holds FedRAMP Moderate authorization. FedRAMP is a requirement for U.S. federal agencies adopting cloud services, not a HIPAA requirement, but the authorization means a third-party assessor has tested Box against the NIST SP 800-53 Moderate control baseline, which overlaps heavily with the HIPAA Security Rule safeguards
- Box Shield — a paid add-on that provides AI-assisted content classification, malware detection, and data loss prevention policies (for example, blocking external sharing of content classified as PHI); it is not included with the BAA and has to be licensed and configured separately
- Granular access controls — folder-level permissions, restrictions on external collaboration and shared links, and document watermarking. These give administrators the tooling to implement the Security Rule's access control standard (45 CFR 164.312(a)(1)); they only help if the tenant is actually configured to use them, since Box's defaults are built for collaboration rather than minimum necessary access
- Audit logging — enterprise event logs covering logins, downloads, shares, and admin changes, which support the audit controls standard (45 CFR 164.312(b)). Logs are only useful for HIPAA purposes if someone reviews them or forwards them to a SIEM; retention and review are the customer's job
- Encryption — AES-256 encryption of content at rest and TLS for data in transit, with a customer-managed key option (Box KeySafe) available at the Enterprise Plus tier for organizations that need to control or revoke the keys protecting their content
Taken together, these features make Box one of the more capable cloud storage platforms for healthcare workloads, but each of them is a control the customer has to turn on and monitor, not a property the customer inherits by signing a contract.
How to Get a HIPAA BAA from Box
Box's HIPAA BAA process is straightforward for qualifying plans:
- Contact Box sales to purchase a Business Plus, Enterprise, or Enterprise Plus plan
- Request the HIPAA Business Associate Agreement addendum during contract negotiation, before any PHI is uploaded
- Box provides its HIPAA BAA addendum as a standard part of the enterprise agreement; read it for the breach notification timeline, subcontractor terms, and data return or destruction obligations rather than assuming they match your own policies
- After executing the BAA, work with your Box administrator to harden the tenant before PHI goes in. At a minimum, that means restricting external collaboration and shared-link defaults (no open or public links for PHI folders), enforcing SSO with multi-factor authentication, setting session and device controls, scoping folder permissions to the teams that need the content, and exporting the enterprise event log to your SIEM so access to PHI is reviewable. Box Shield classification and DLP policies sit on top of these basics; they are not a substitute for them
Box's enterprise sales team is experienced with healthcare customers and HIPAA requirements, and the BAA is normally executed alongside the enterprise service agreement without much friction. The configuration work afterwards is where most of the effort, and most of the compliance risk, actually lives.
What Happens If You Use Box Without a BAA?
Storing PHI in Box on an Individual, Starter, or standard Business plan is a HIPAA violation on the customer's part: the Privacy and Security Rules (45 CFR 164.502(e) and 164.308(b)) prohibit a covered entity or business associate from disclosing PHI to a vendor that has not signed a BAA. The standard terms of service for those plans contain no HIPAA obligations, so if a breach involved PHI stored on a non-BAA plan, your organization would bear the full regulatory liability with no contractual recourse against Box.
Without a BAA, Box also has no contractual duty to notify you of a breach (the BAA is what binds a business associate to the notification timeline in 45 CFR 164.410, which requires notice without unreasonable delay and no later than 60 days after discovery), no duty to restrict its own use of the data, and no obligation to return or destroy your PHI when the account is closed. Moving content to a BAA-covered plan later does not cure the disclosures that already happened.
For a comparison of cloud storage platforms for healthcare, see our Dropbox HIPAA BAA guide. For a broader vendor review, see our vendor BAA lookup guide.
Frequently Asked Questions
Does Box sign a HIPAA BAA?
Yes — Box signs a HIPAA BAA for Business Plus, Enterprise, and Enterprise Plus plan customers. Individual, Starter, and standard Business plans do not qualify for HIPAA coverage.
Which Box plan includes a BAA?
Box's HIPAA BAA is available starting with Business Plus and is standard on Enterprise and Enterprise Plus plans. The standard Business plan ($20/user/month) does not include a BAA — you must upgrade to Business Plus or higher.
How does Box compare to Dropbox for HIPAA compliance?
Both Box and Dropbox offer HIPAA BAAs at their business and enterprise tiers. Box holds FedRAMP Moderate authorization (Dropbox does not) and offers Box Shield for content classification and DLP. For healthcare organizations with demanding regulatory requirements, Box's compliance feature set is generally regarded as the broader of the two, though either platform is only as compliant as the sharing and access settings its administrators apply.
Can I use Box for storing patient records?
Yes — Box on Business Plus, Enterprise, or Enterprise Plus with an executed HIPAA BAA can be used to store patient records and other documents containing PHI. The BAA must be signed before any PHI is uploaded, and the tenant's sharing, access, and logging settings must be locked down before the records go in. Box Shield is worth adding for automatic classification and data loss prevention on top of those baseline controls.
Need a BAA for your Box integration?
Generate a HIPAA-compliant Business Associate Agreement in minutes — covers all vendor types, free to start.