HIPAA Compliance – for Box.com
HIPAA Compliance – The electronic age has made it easier for doctors’ offices and hospitals to store patient information without much paperwork. They must, however, adhere to special regulations concerning the storage of that data. These rules are known as the Health Insurance Portability and Accountability Act, or HIPAA, and the Health Information Technology for Economic and Clinical Health Act, better known as HITECH.
Cloud computing is becoming more prevalent. It is imperative for any business that collects sensitive information to use a cloud service provider that adheres to HIPAA and HITECH. Box.com is a leading commercial cloud provider. Is Box.com HIPAA compliant?
How Does Box Meet HIPAA Compliance Standards?
Box is considered to meet HIPAA compliance standards. For Enterprise and Elite accounts needing HIPAA protection, Box signs a business associate agreement (BAA) on request. Any required BAA should be signed before the customer begins storing sensitive information in their cloud account.
While there is no official certification process, Box’s features help keep protected health information safe in the cloud. The provider encrypts data in transit, both from the hard drive to the cloud and from the cloud back to the hard disk, and the data remains encrypted while at rest on Box’s servers.
Additionally, Box restricts physical access to the server farms where the information resides. The company also uses strict logical access controls on its systems to maintain security.
Customers have administrative controls to help govern their data. Administrators control employee access with the following features:
- Lock documents
- Password protect files
Administrators can monitor access to data, seeing who accessed, shared, or edited files. Audit reports cover account activity for both content and users. Administrators can also use this area to train employees on the different security controls and policies.
Box – HIPAA Compliance, to an Extent
As with any online service that provides HIPAA-compliant storage, the responsibility for protecting your data does not rest with the provider alone. In fact, Box’s compliance measures only go so far as to ensure documents are safe while in storage. Box does not control how your employees handle protected health information.
For better security, all users should activate Box’s two-factor verification. The first factor is a strong password containing upper- and lowercase letters, numbers, and special symbols. The second factor is a unique code delivered by SMS to the user’s cell phone, by voice call, or through a dedicated authenticator application. This additional step helps prevent unauthorized logins.
As an administrator, you can limit who within your organization has access to sensitive information. By restricting access, you reduce the risk of files being shared when there is no need. Using Box’s built-in features for locking and password-protecting data helps keep these records away from unnecessary user access.
As Box is simply a cloud storage provider, it is up to the network administrator to ensure that email services, such as Office 365 or Gmail, are HIPAA compliant. Both Microsoft and Google offer HIPAA-compliant services under a BAA, just as Box does. If you use these services for email and have not already done so, contact their support teams for assistance in bringing the services into compliance.
Any patient authorization forms allowing you to transmit data to patients or others via an electronic service are your responsibility to maintain. As with email services, Box does not take responsibility for ensuring you have permission to share files from your Box account with a third party or the patient. While all records transmitted to and from Box are encrypted, you must still explain the risks of sending information electronically.
Backup Your Backup
Many health practitioners use Box as both a storage and a backup location. Data loss while stored on Box’s servers is uncommon, but it can happen. That is why it is necessary to have a backup of your backup.
CloudAlly offers backup solutions for Box Enterprise customers. Our Amazon S3 servers save all files and folders for each user. Administrators can choose to back up every day or every few days, as needed. Additionally, administrators can include all users in the backup or just a select few.
For added assurance, CloudAlly can send you a daily log of your backup activity. This record includes a summary of the data added to your account and a more detailed look at which users and files were included in the daily sweep.
In the event data is missing from your Box account, restoring the missing file is easy and non-destructive. You control which files remain in your CloudAlly account. CloudAlly does not delete files unless deletion is requested and authorized by your admin.