Is Box HIPAA Compliant?
Box is HIPAA compliant and can be used to store, manage, and share files and folders containing Protected Health Information provided an organization subscribes to an Enterprise or Enterprise Plus Plan, configures Box to support HIPAA compliance, and enforces organizational policies to meet HIPAA compliance requirements. In addition, it will be necessary to agree to Box’s Business Associate Agreement in order to make the use of Box HIPAA compliant.
What is Box?
Box is a cloud storage and content management service that supports collaboration and file-sharing. Users can share files and invite others to view, edit, or upload content. Box can be used for personal use; however, businesses need to sign up for either a Business, Enterprise, or Enterprise Plus account (Note: It is necessary to sign up for an Enterprise or Enterprise Plus account to use Box in compliance with HIPAA).
Is Box Covered by the Conduit Exception Rule?
The HIPAA conduit exception rule was introduced to allow HIPAA covered entities to use certain communications channels without having to obtain a business associate agreement. The conduit exception rule applies to telecoms companies and Internet service providers that act as conduits through which data flows. Cloud storage services are not covered under the HIPAA conduit exception rule, even if those entities claim they never access any data uploaded to their cloud service. Therefore, cloud storage services can only be used if a business associate agreement is entered into with the service provider.
Box and the HIPAA Business Associate Agreement
Box is confident it has put appropriate security controls in place to ensure all customers’ data is secured, both in transit to Box and while stored in the cloud. The company was formed in 2004, although it took nine years for the company to make its move into the healthcare sphere. In April 2013, Box started signing business associate agreements with HIPAA covered entities and their business associates. Box only offers a BAA to HIPAA covered entities if they have an Enterprise or Enterprise Plus account.
Box for Healthcare Launched
In addition to agreeing to sign a BAA and having its service verified as supporting HIPAA compliance by an independent auditor, the company has now launched its Box for Healthcare service. The Box for Healthcare service has been developed to integrate seamlessly with top healthcare vendors such as IBM, Microsoft, Apple, TigerText, eHealth Technologies, and EDCO Health apps. The service helps healthcare organizations coordinate care, collaborate with research organizations, and share information securely with third parties outside the protection of the firewall.
The service includes all the necessary security controls to comply with the HIPAA Security Rule including data encryption at rest and in transit, audit controls, and configurable administrative controls that allow customers to monitor access, usage and document edits by employees and third parties, and set appropriate access and authentication controls.
Is Box HIPAA Compliant?
Any cloud service can be used in a manner that violates HIPAA Rules, as HIPAA compliance is more about the people who use a product or service than about the product or service itself. That said, Box has implemented a wide range of safeguards and controls to ensure data privacy and security. So, is Box HIPAA compliant?
Provided a BAA has been obtained before the platform is used to store documents containing PHI, Box can be considered a HIPAA compliant cloud storage provider. However, it is the responsibility of the covered entity to ensure that the service is configured correctly and HIPAA Rules are followed.