Paubox blog: HIPAA compliant email made easy

Is Dropbox Sign HIPAA compliant?

Written by Kirsten Peremore | August 25, 2023

Dropbox Sign is an electronic signature and workflow automation solution designed to streamline document signing processes. Based on the information on its website, Dropbox Sign can be HIPAA compliant, given its security measures, its willingness to sign a Business Associate Agreement (BAA), and its data protection practices.


What is Dropbox Sign?

Dropbox Sign is an electronic signature solution that facilitates document management and signature processes. It caters to individuals, businesses, and organizations seeking a streamlined and efficient way to handle documents requiring signatures. Dropbox Sign offers features that include document display, delivery, acknowledgment, storage, and electronic signing. Signers are authenticated either through a Dropbox Sign account or through email-based signature requests.



Dropbox Sign and business associate agreement (BAA)

Under HIPAA, a BAA is a crucial document that outlines the responsibilities of third-party vendors when handling protected health information (PHI). Any software or service that stores, processes, or transmits PHI on behalf of a healthcare entity is considered a business associate and must, therefore, sign a BAA.

Since Dropbox Sign offers electronic signature and document management services that involve processing and storing sensitive information, it would likely be categorized as a business associate when used in healthcare settings.

We reviewed Dropbox Sign's official documentation, specifically its terms of service and related policies, to ascertain its commitment to HIPAA compliance. We found that Dropbox Sign does offer a BAA to clients on its annual Standard or Premium plan.

Dropbox Sign states: "Dropbox Sign supports HIPAA compliance for customers who are on an annual Standard or Premium plan, have a signed Business Associate Agreement (BAA), and meet the minimum contract value." The BAA is available by contacting your account manager if you are an existing customer, or the sales team if you are new to the service.



Dropbox Sign and data security

  1. Data deletion/destruction: Dropbox Sign offers data deletion and destruction upon request, expunging customer data and solely owned documents from its systems. Documents under legal hold or co-owned by multiple parties are handled according to those constraints.
  2. Payment info: Payment processing is conducted through Stripe, and cardholder data is not stored on Dropbox Sign's servers. Dropbox Sign maintains PCI compliance for secure payment processing.
  3. Sub-processors: Dropbox Sign carries out an annual review of its sub-processors. Any identified risks are addressed in collaboration with those providers until they are resolved.
  4. Security incidents & reporting: Users can report potential security incidents to Dropbox Sign through the appropriate channels.
  5. Encryption: Dropbox Sign employs encryption to secure documents. Data is stored behind a firewall, transmitted using industry-standard TLS, and kept in certified data centers. Documents at rest are encrypted using AES 256-bit encryption.
  6. Audit trails: Every action on a document is tracked and time-stamped in a non-editable audit trail, providing verifiable proof of access, review, and signature.


Is Dropbox Sign HIPAA compliant?

Dropbox Sign can be HIPAA compliant if the user purchases an annual Standard or Premium plan and signs a BAA. Dropbox Sign demonstrates a commitment to data security through its encryption and its broader security measures, and its willingness to sign a BAA reinforces its compliance with HIPAA standards.
