HelloFax, now offered as Dropbox Fax within Dropbox Sign, can support HIPAA compliance when a healthcare organization subscribes to a Standard or Premium Dropbox Sign business plan, enters into the Dropbox Sign Business Associate Agreement, and configures the service and user practices to meet applicable HIPAA Security Rule safeguards for electronic protected health information.
HelloFax was developed by HelloSign, which Dropbox acquired in 2019, and the service was rebranded as Dropbox Fax and incorporated into the Dropbox Sign product suite. The HelloFax name continues to be used as an identifier for the service, including within product FAQs. For HIPAA-regulated use cases, the compliance scope is tied to the Dropbox Sign plan level and to the contractual terms offered for regulated customers.
Dropbox Fax and HelloFax include capabilities that support HIPAA compliance under the Standard and Premium plans. The service is described as SOC 2 ready for security, availability, and confidentiality, and it is ISO 27001 certified for physical, technical, and legal safeguards. Customers can request HIPAA Security Rule and HIPAA Breach Notification Rule compliance reports by contacting the sales team.
A Business Associate Agreement is obtained through Dropbox Sign rather than Dropbox Teams. The Business Associate Agreement is not executed through an admin panel workflow and is provided through the sales channel. Dropbox Sign amended conditions for new customers in June 2024 to require a minimum contract value to enter into a Business Associate Agreement, and organizations should determine whether they meet that threshold before relying on the service for workflows involving electronic protected health information.
HIPAA compliance also depends on configuration and operational controls applied by the customer. Administrative personnel are expected to configure the service for message accountability, disable permanent deletions, and implement access controls or single sign-on so that only authorized users can send or receive digital faxes. Operational procedures are also needed to unlink and wipe devices in alignment with workforce clearance and termination requirements under 45 C.F.R. § 164.308(a)(3).
Workforce use controls extend beyond the mechanics of fax transmission. Users who send or receive faxes and signed documents should be trained on permissible disclosures of protected health information under the HIPAA Privacy Rule and on applying the HIPAA Minimum Necessary Rule to the content transmitted through the service.
