[abofh]

Quite right -- a better example is PCI compliance (hundreds of pages IIRC, and several volumes depending on exactly what you're doing; not a law, but similar ramifications if you don't comply);

Still, complying with HIPAA does make one point _very_ clear -- audit controls - Dropbox has none exposed to you, and thus it simply does not comply unless you have your own layer of controls (encryption) on top.

It also seems to fall down under 'Standard: Person or entity authentication' as well, but that's just me being snarky.

Health-care and finance are places with legal (or contractual) obligations -- and that was my main point: if you have a set of rules (or even best practices), and you fall afowl of them, don't go screaming that someone else is to blame.