Can Healthcare Organizations Use Box Without Violating HIPAA Rules?

Box is another popular cloud storage and content management service. Anyone can create a Box account and use it personally for file sharing, uploading content and inviting others to view or edit that content. Businesses that want to use Box must sign up for a business, enterprise or elite account. Can healthcare organizations also use Box for storing and sharing protected health information (PHI) without violating HIPAA rules?

According to the HIPAA conduit exception rule, HIPAA covered entities can use certain services without needing a business associate agreement. This rule applies to internet service providers and telecom companies that function only as conduits of data. Despite the claims of cloud storage services that they do not access any uploaded data, they are still not covered under the conduit exception rule. Hence, healthcare organizations may only use cloud storage services if the service provider is willing to sign a business associate agreement.

Box started back in 2004 and has been providing customers with secure storage of data in the cloud and in transit. In April 2013, Box started serving the healthcare industry by signing business associate agreements with HIPAA covered entities that have Box enterprise or elite accounts. Box offers ample security controls, including data encryption, audit controls and configurable administrative controls, which help make its services HIPAA-compliant.

Box also launched its Box for Healthcare service to help healthcare organizations collaborate with research organizations by facilitating secure sharing of information with third parties beyond the protection of a firewall. This service integrates seamlessly with many vendors including IBM, Apple, Microsoft, eHealth Technologies, EDCO Health apps and TigerText.

As the foregoing discussion shows, Box is a cloud service with features that support data security and privacy, making it eligible for HIPAA-compliant use. But healthcare organizations need to obtain a business associate agreement before using the platform in association with PHI. In addition, the covered entity remains responsible for configuring the cloud service correctly so that HIPAA rules are fully followed.