Box is a file sharing and cloud management service used by businesses. Through Box, users can manage content on Windows, MacOS, and several mobile platforms. Box has claimed that its service is HIPAA compliant, provided the user configures the service correctly. The issue of Is Box HIPAA compliance is discussed below.
How is Box Used By Healthcare Providers?
Box is a content management service that supports collaboration and sharing of data between users. Users can, among other things, invite other users to view, edit, or upload content. Box is available for both personal use and business use.
Is Box HIPAA Compliant? Box and the HIPAA Conduit Exception Rule
Under the “HIPAA conduit exception,” telecommunication companies (i.e., Verizon, Sprint) and Internet Service Providers that simply act as conduits through which data flows, can be used by covered entities without the need for a business associate agreement. However, cloud storage services are not considered “conduits,” even if these services claim that they do not access user data. Therefore, a covered entity may only use services such as Box to store or transmit electronic protected health information (ePHI) if they enter into a business associate agreement with Box.
Box is willing to sign a business associate agreement with HIPAA covered entities and business associates. However, Box only offers a business associate agreement to those covered entities with an elite or enterprise account.
Box For Healthcare
Box’s service has been verified as supporting HIPAA compliance by an independent auditor. The service contains all of the necessary security controls for Box to comply with the HIPAA Security Rule. These security controls include firewalls, data encryption at rest and in transit, administrative controls that allow users to monitor access, and audit controls. While Box offers these controls, the covered entity bears the responsibility for ensuring the controls are correctly configured. Box’s new “Box for Healthcare” service integrates with healthcare vendors such as Microsoft and Apple, and allows healthcare providers to coordinate care and collaborate with research institutions.
So, Is Box HIPAA Compliant?
Provided that a covered entity enters into a business associate agreement with Box before using the service, and then properly configures the security controls, Box is HIPAA compliant.