Box & HIPAA Compliance
Box is a cloud storage and content management service that allows collaboration and file-sharing or users.
Account holders can share files, allow others to view, edit or upload content. Box can be used for personal use; however, companies need to register for either a business, enterprise, or elite account.
The HIPAA conduit exception rule was enacted to allow HIPAA covered entities to use specific communications channels without having to complete a business associate agreement. The conduit exception rule is for telecoms companies and Internet service providers that work as conduits through which data flows. Cloud storage services are not included in the HIPAA conduit exception rule, even if those entities claim they never look at any data uploaded to their cloud service. Therefore, cloud storage services can only be implemented if a business associate agreement is entered into with the service provider.
Box is happy that it has put appropriate security controls in place to make sure that all customers’ data is safeguarded, both in transit to Box and while saved in the cloud. The company was set up in 2004, although it took nine years for the company to work within the healthcare sector. In April 2013, Box started signing business associate agreements with HIPAA covered groups and their business associates. Box only provides a BAA to HIPAA covered entities if they register for an enterprise or elite account.
Along with agreeing to sign a BAA and having its service verified as being HIPAA compliant by an independent auditor, the company has now released its Box for Healthcare service. The Box for Healthcare service has been created to link up seamlessly with top healthcare vendors such as IBM, Microsoft, Apple, TigerText, eHealth Technologies, and EDCO Health applications. The service helps healthcare organizations manage care, collaborate with research groups, and share information securely with third parties outside the security of the firewall.
The service incorporates all the required security controls to comply with the HIPAA Security Rule including data encryption at rest and on the move, audit controls, and configurable administrative controls that permit customers to review access, usage and document edits by employees and third parties, and set appropriate access and authentication controls.
Any cloud service can be used in a way that breaches HIPAA Rules, as HIPAA compliance is more about the people that use a product or service rather than the actual product or service. Even so, Box has implemented a wide variety of security measures and controls to ensure data privacy and security.
Once a BAA has been completed prior to the platform is used to store documents including PHI, Box can be thought of as a HIPAA compliant cloud storage provider. However, the covered entity is obligated to ensure that the service is configured correctly and HIPAA Rules are adhered to.