Does Dropbox Sign a HIPAA Business Associate Agreement?
By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026
Key Takeaways
- ✓ Yes — Dropbox signs a HIPAA BAA on Business and Business Plus plans
- ⚠ Free Dropbox and Dropbox Plus (personal) are not eligible — do not store PHI there
- ✓ Must request the BAA through Dropbox Business support — not self-service
- ✓ Dropbox's BAA covers file storage and sync; Dropbox Sign (e-signature) has its own BAA
- ✓ You still need BAAs with any other vendors who access your Dropbox-stored files
Dropbox is commonly used in small medical practices for file sharing — patient intake forms, imaging files, billing documents. If any of those files contain PHI, your Dropbox account must be covered by a BAA. Here's what you need to know.
Which Dropbox Plans Qualify for a HIPAA BAA?
Dropbox's HIPAA BAA is available on:
- Dropbox Business (team plan, starts at 3 users)
- Dropbox Business Plus
- Dropbox Business Advanced
- Dropbox Enterprise
Not eligible: Dropbox Free, Dropbox Plus (individual $9.99/mo plan), Dropbox Professional. These are personal plans and do not qualify for a HIPAA BAA under any circumstances.
How to Request Dropbox's HIPAA BAA
Unlike Google Workspace's self-service Admin console acceptance, Dropbox requires a manual request:
- Ensure your organization is on a qualifying Dropbox Business plan
- Contact Dropbox Business support through your admin account
- Request the HIPAA Business Associate Agreement
- Dropbox will send a BAA document for your review, negotiation (if needed), and signature
- Retain a copy of the signed BAA for your compliance records
The BAA execution process typically takes a few business days. Do not store PHI in Dropbox prior to completing BAA execution.
Dropbox vs. Dropbox Sign (Two Separate BAAs)
Many healthcare organizations use both Dropbox (for file storage) and Dropbox Sign (for electronic signatures). These are separate products that require separate BAAs:
- Dropbox Business BAA — covers file storage, sync, and sharing in Dropbox
- Dropbox Sign BAA — covers e-signature workflows in Dropbox Sign (formerly HelloSign); available on the Business plan
If you use both products with PHI, you need BAAs with both. A Dropbox BAA does not automatically cover Dropbox Sign.
What Dropbox's BAA Covers
Dropbox's HIPAA BAA covers:
- Dropbox's obligations to safeguard PHI stored in your Dropbox Business account
- Encryption of files at rest (AES-256) and in transit (TLS)
- Breach notification to your organization
- Access control and audit logging through Dropbox admin tools
- PHI return or deletion at account termination