Rules for Storing Protected Health Information in Box

The Box at UMN service is authorized for storage of Protected Health Information (PHI).

Users are responsible for using Box at UMN securely to store, collaborate on, or share restricted data, such as Protected Health Information (PHI). PHI is subject to federal and state laws, such as the Health Insurance Portability and Accountability Act (HIPAA), that require you to exercise special care. Meeting the requirements below will help you store and share PHI data safely in Box at UMN and will reduce the risk of costly fines and penalties to yourself and your unit.

For a more detailed discussion of storing PHI in Box at UMN, please visit this page.

System Requirements

What Why More Info
All users who log in to Box will require Two-Factor Authentication (2FA). The security of information for academic, research, and administrative activities is important. The Two-Factor Authentication (2FA) service provides application owners with higher assurance that only authorized users can gain access to critical information, systems, and services. 2FA is part of a two-level authentication process. The first level (something you know) is the verification of the UMN AccessID and password. The second level (something you have) is a randomly generated passcode provided by the UMN 2FA service. Details on UMN's 2FA program can be found here:
Box personal and group folders are configured to store PHI. These Box folders will have the following settings:
  • Check "Only Owners and Co-owners can send collaborator invites."
  • Leave "Allow anyone who can access this folder from a shared link to join" unchecked.
  • Check "Restrict shared links to collaborators only" for both files and folders.
These will be set by the Box service team upon account creation; co-owners and collaborators of folders within these accounts will be unable to change these settings.


User Requirements

What Why More Info
Unit policies and restrictions might be more stringent than university policies. Users must follow local rules for file storage. Even though Box @ UMN meets regulatory safeguards and has been approved by UMN for the storage of PHI, your local unit may have more stringent rules regarding storage of PHI. Local units may have specific funding, regulatory or administrative requirements that prevent PHI from being stored on Box.
Consult your supervisor or local unit IT leader.
Box users must save files containing PHI ONLY to UMN Box accounts and folders that have been configured for storing PHI. Users are not permitted to store files containing PHI in any other type of Box folder or account. UMN’s Box service has contractual security measures applied to it, and UMN system administrators have permissions to perform troubleshooting and incident response (i.e., restoring files that were inadvertently deleted or assisting users in assigning collaboration permissions). UMN has no control, visibility or contractual assurance of data stored in commercial Box accounts or Box accounts owned by other universities or institutions. Types of Box accounts not authorized for PHI:
  • Commercial Box accounts
  • Personal (i.e., associated with user’s personal non-UMN address)
  • Folders owned by individuals outside of UMN (these are colored grey on the Box web interface)
Users shall not sync (using Box Sync or other means) any Box folders that contain PHI to unsupported or unmanaged devices. Having additional copies of the data increases the risk of unintended and inappropriate access. Box Sync puts a copy of Box files onto your laptop or desktop computer, and keeps it synchronized to Box when you make changes. Security measures on individual computers cannot be assured centrally, so PHI files copied to individual computers may not be secure.
Users will keep the list of collaborators (the people to whom they give access to folders) up-to-date. Only add people who need access to do their university work. Remove people as collaborators immediately when they no longer need that access (for example, when they leave the university or change jobs). It is the user’s responsibility to make sure that only those people who need access to the data to do their jobs have that access. It is important to keep the list of collaborators up-to-date as their access needs change. See Box's Inviting Collaborators for instructions on inviting collaborators.
Users shall assign collaborators only the permissions they need to do their university work and no more. Providing the minimum required (to do one’s job) access decreases the chance of an inadvertent compromise of PHI data.

For example, if someone does not need to make changes to files in a folder, give them only view or preview access; do not give them edit access. Best practice dictates that there should only be two or three co-owners in an NPA; do not give everyone co-owner rights.
An overview of the various permissions available in Box is here:

Note: When reading this article, UMN is an Enterprise Account.
Users shall not download files containing PHI to their personal mobile device (phone, tablet, etc.). These devices travel and are more easily lost than a computer; they may also be less secure. UMN enforces a four-digit access code to the Box application on mobile devices. It is recommended that users enable a strong password for the device itself.

If a mobile device is lost, the user should contact the IT Service Desk, who can remotely remove the Box app from the device, thereby blocking access to Box from the device.

If there are any questions about how to store PHI on Box, please contact the IT Service Desk at 612-301-4357.