Dropbox Sign (formerly known as HelloSign) has stated that it enables HIPAA compliance.
Dropbox Sign appears to provide HIPAA-friendly solutions for covered entities, ensuring security and privacy for all documents that contain protected health information (PHI). The service uses Transport Layer Security (TLS) encryption for all communications in transit and AES 256-bit encryption for stored files.
Enterprise-level security controls include two layers of encryption for each document: every file is encrypted under its own unique document encryption key (DEK), and that DEK is in turn encrypted under a master key, which is rotated regularly for additional security. This configuration adds protection in the event that someone bypasses physical security measures and reads a hard drive directly, because the stored files cannot be opened without the master key that unwraps their DEKs.
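The DEK-plus-master-key design described above is envelope encryption. The following Go program is an added illustration of that pattern, not Dropbox Sign's code, and it assumes a hypothetical in-memory `KeyStore` standing in for wherever the master keys are actually held (in practice a KMS or HSM, never beside the data). It shows the two properties the text relies on: a record copied off disk contains no usable key, and rotating the master key only rewraps each file's small DEK, leaving the document ciphertext untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randBytes returns n cryptographically random bytes; a failing CSPRNG is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds an AES-256-GCM AEAD from a 32-byte key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal returns nonce||ciphertext||tag under the given key.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// aeadOpen reverses aeadSeal; it fails if the key is wrong or the data was altered.
func aeadOpen(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// StoredDoc is the on-disk record: the file under its own DEK, and that DEK
// wrapped by a master key. Neither key is ever written in the clear.
type StoredDoc struct {
	Ciphertext  []byte
	WrappedDEK  []byte
	MasterKeyID int
}

// KeyStore is a hypothetical stand-in for the separately held master keys.
type KeyStore struct {
	masters map[int][]byte
	current int
}

func NewKeyStore() *KeyStore {
	return &KeyStore{masters: map[int][]byte{1: randBytes(32)}, current: 1}
}

// Encrypt gives the document a fresh DEK and wraps it under the current master key.
func (ks *KeyStore) Encrypt(doc []byte) (*StoredDoc, error) {
	dek := randBytes(32)
	ct, err := aeadSeal(dek, doc)
	if err != nil {
		return nil, err
	}
	wrapped, err := aeadSeal(ks.masters[ks.current], dek)
	if err != nil {
		return nil, err
	}
	return &StoredDoc{Ciphertext: ct, WrappedDEK: wrapped, MasterKeyID: ks.current}, nil
}

// Decrypt unwraps the DEK with the master key named in the record, then opens the file.
func (ks *KeyStore) Decrypt(sd *StoredDoc) ([]byte, error) {
	master, ok := ks.masters[sd.MasterKeyID]
	if !ok {
		return nil, fmt.Errorf("master key %d not available", sd.MasterKeyID)
	}
	dek, err := aeadOpen(master, sd.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, sd.Ciphertext)
}

// RotateMaster creates a new master key, rewraps every DEK under it and retires
// the old key. Document ciphertexts are not touched, so rotation costs one small
// unwrap/wrap per file rather than re-encrypting every stored document.
func (ks *KeyStore) RotateMaster(docs []*StoredDoc) error {
	newID := ks.current + 1
	ks.masters[newID] = randBytes(32)
	for _, sd := range docs {
		old, ok := ks.masters[sd.MasterKeyID]
		if !ok {
			return fmt.Errorf("master key %d not available", sd.MasterKeyID)
		}
		dek, err := aeadOpen(old, sd.WrappedDEK)
		if err != nil {
			return err
		}
		if sd.WrappedDEK, err = aeadSeal(ks.masters[newID], dek); err != nil {
			return err
		}
		sd.MasterKeyID = newID
	}
	delete(ks.masters, ks.current) // retire the old key only after every DEK is rewrapped
	ks.current = newID
	return nil
}
```

Usage: call `Encrypt` per document, persist the `StoredDoc`, and run `RotateMaster` over all records on the rotation schedule; `Decrypt` works before and after rotation while a record pointing at a retired key, or a record read without access to the key store, cannot be opened.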
Dropbox Sign also offers audit reports that track activity and changes made to each document, giving covered entities the ability to view the audit trail as needed. Dropbox Sign conducts regular user access reviews and provides extensive training for employees on HIPAA’s security and privacy rules.
Customers must have a Dropbox Sign Enterprise account to access features that enable HIPAA compliance and Service Organization Control (SOC) 2.