The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Is HelloFax HIPAA Compliant?

HelloFax is HIPAA compliant provided organizations subscribe to a “Standard” or “Premium” business plan with Dropbox Sign, agree to the terms of the Dropbox Sign Business Associate Agreement, and configure the digital fax service to comply with the Administrative and Technical Safeguards of the Security Rule. In addition, it may also be necessary to train HelloFax users on permissible disclosures of Protected Health Information (PHI) and the Minimum Necessary Standard.

In 2019, HelloSign – the parent company of HelloFax – was acquired by Dropbox. The digital fax service was rebranded Dropbox Fax and included in the new Dropbox Sign suite of products. However, due to the popularity of HelloFax prior to the acquisition of its parent company, the former name is often still used to identify the service. Indeed, in the FAQ section of the Dropbox Fax web page, HelloFax is referenced in all the answers to the frequently asked questions.

Is Dropbox Fax/HelloFax HIPAA Compliant?

When subscribed to as part of a “Standard” or “Premium” Dropbox Sign business plan (*), Dropbox Fax/HelloFax has the capabilities to support HIPAA compliance. The service is “SOC 2 ready” for security, availability, and confidentiality, and ISO 27001 certified for its physical, technical, and legal safeguards. Customers can also request Security Rule and Breach Notification Rule HIPAA compliance reports by reaching out to the Sales Team.

With regard to the Business Associate Agreement for the Dropbox Fax/HelloFax service, customers need to enter into a Business Associate Agreement with Dropbox Sign rather than with Dropbox Teams (the main Dropbox service). To obtain a copy of the Document Sign Business Associate Agreement, customers must contact the sales team. It is not possible to sign a Document Sign Business Associate Agreement through the Admin Panel.

(*) UPDATE: In June 2024, Dropbox Sign amended its conditions for entering into a Business Associate Agreement with new customers, who now have to meet a “minimum contract value”. No information is provided about what the minimum contract value is, and smaller organizations are advised to obtain this information prior to subscribing to a “Standard” or “Premium” Dropbox Sign account.

Configuration and User Training

Making Dropbox Fax/HelloFax HIPAA compliant is straightforward. System administrators should configure the fax service to ensure message accountability, disable permanent deletions, and implement access controls (or SSO authentication) to ensure only users with the appropriate authorizations can send or receive digital faxes. Procedures should also be in place for unlinking and wiping devices in compliance with the requirements of §164.308(a)(3).

With regard to user training, while it is important that authorized workforce members use Dropbox Fax/HelloFax in compliance with the HIPAA Security Rule, it is equally important that the content of forms, faxes, and signed documents complies with the Privacy Rule’s permissible disclosures of PHI and minimum necessary standard. To mitigate the risk of impermissible disclosures of PHI, it is advisable to provide authorized workforce members with refresher HIPAA training.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
