Is Box HIPAA compliant?
BAA on select plansPHI with conditionsSOC 2 Type II
Will Box sign a HIPAA BAA?
Sometimes — Box signs a HIPAA BAA only on specific plans or add-ons.
Box has signed BAAs with healthcare/life-sciences customers since 2013, available only on Enterprise, Enterprise Plus, or Enterprise Advanced plans and requested via the Admin Console.
PHI eligibility
PHI can be stored once a signed BAA is in place and the customer configures Box appropriately on an eligible Enterprise plan.
SOC 2
SOC 2 Type II
Trust center
Sub-processors
—
Notes
Lower tiers (Personal, Starter, Business) cannot execute a BAA despite identical security controls.
Get notified when this changes
We track Box's BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.
How to request and sign a BAA with Box
Sometimes — Box signs a HIPAA BAA only on specific plans or add-ons.
Request routeSelf-serve — enable it in your account
- 1Get on a qualifying planBox has signed BAAs with healthcare/life-sciences customers since 2013, available only on Enterprise, Enterprise Plus, or Enterprise Advanced plans and requested via the Admin Console.
- 2Request the Business Associate AgreementBox lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account.
- 3Confirm what PHI is allowed before you store anyPHI can be stored once a signed BAA is in place and the customer configures Box appropriately on an eligible Enterprise plan. Match your configuration to this scope before putting protected health information into Box.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Box before you rely on it. This is cited public information, not legal advice.
Frequently asked questions
Does Box sign a HIPAA Business Associate Agreement (BAA)?
Sometimes — Box signs a HIPAA BAA only on specific plans or add-ons. Box has signed BAAs with healthcare/life-sciences customers since 2013, available only on Enterprise, Enterprise Plus, or Enterprise Advanced plans and requested via the Admin Console.
Is Box HIPAA compliant?
Box can be HIPAA-compliant only on the specific plans or add-ons where it will sign a Business Associate Agreement (BAA). PHI can be stored once a signed BAA is in place and the customer configures Box appropriately on an eligible Enterprise plan.
Can you store PHI (protected health information) in Box?
PHI can be stored once a signed BAA is in place and the customer configures Box appropriately on an eligible Enterprise plan.
Is Box SOC 2 certified?
Box reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from Box?
Box lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account. Confirm current terms directly with Box before storing PHI.
What plan do I need to sign a BAA with Box?
Box has signed BAAs with healthcare/life-sciences customers since 2013, available only on Enterprise, Enterprise Plus, or Enterprise Advanced plans and requested via the Admin Console.
Sources
https://support.box.com/hc/en-us/articles/360044194833-Box-HIPAA-and-HITECH-Overview-and-FAQ
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Box before processing protected health information.
Check another vendor
See all HIPAA compliant cloud storage →
Browse all 105 vendors by category →