Is Dropbox HIPAA Compliant?

A lot of my healthcare clients use Dropbox. Many assume, incorrectly, that it is HIPAA compliant. I am generally concerned with any service that declares itself to be HIPAA compliant. Like many services, Dropbox can be used in a HIPAA-compliant manner, but the burden rests on the user, not on Dropbox.

From Samuel Okoruwa, writing for Cloudwards:

Dropbox offers health organizations a secure way to store sensitive files. It’s not HIPAA compliant in itself, but relies on the user to use it in HIPAA-compliant ways.

Health organizations that use Dropbox to upload medical information bear the greater responsibility of protecting this information by issuing Dropbox a contract called a business associate agreement and correctly configuring their accounts.

Health organizations can take steps to correctly configure their accounts by limiting health information access to only authorized users, monitoring user activity and evaluating third-party apps.