Box HIPAA and HITECH Overview and FAQ

In April of 2013, Box announced its ability to support the HIPAA and HITECH regulations, as well as the ability to sign HIPAA Business Associate Agreements (BAAs) with customers. Box is one of the few cloud-based application providers that signs HIPAA Business Associate Agreements (BAAs), demonstrating our ongoing investment in enterprise security, compliancy and control for our customers.

 

General Information

 

What is HIPAA?

• HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
• HIPAA is a federal mandate that requires protections regarding security and privacy on Protected Health Information (PHI). More information around HIPAA can be found here: http://www.hhs.gov/ocr/privacy/index.html

 

What is the HITECH Act and the Final HIPAA Omnibus rule?

• The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009, to promote the adoption and meaningful use of health information technology in the U.S.
• In 2013, the final HIPAA Omnibus rule set further statutory requirements, which greatly enhanced a patient’s privacy rights and protections, including holding all custodians of Protected Health Information (PHI) — including HIPAA Business Associates (BA) — subject to the same security and privacy rules as Covered Entities under HIPAA.

 

How does Box facilitate HIPAA compliance for its customers?

• The Box product/platform meets the obligations required by HIPAA, HITECH, and the final HIPAA Omnibus ruling.
• Box signs BAA addendums to with its customers who have an Enterprise or Elite account and want to be HIPAA compliant. A signed BAA should be in place between Box and the customer prior to storing any Protected Health Information (PHI) on Box.
• Customers are responsible for configuring Box in a HIPAA compliant manner and for enforcing policies in their organizations to meet HIPAA compliance.

 

Is there any kind of industry certification that Box has undergone to prove it supports HIPAA compliance?

• There are no official government or industry certifications for HIPAA compliance. In order to support HIPAA compliance, Box has reviewed the HIPAA regulations and updated its product, policies and procedures to support customers around their need to be HIPAA compliant.
• Box has also been evaluated by an independent, third party auditor who has issued an evaluation report (HIPAA AUP) that details the controls Box has in place to meet HIPAA requirements in regards to data privacy and security.

 

How do I get a copy of the third party audit report on Box HIPAA compliance?

• Please contact your Box representative.

 

How does Box support HIPAA compliance within its product and platform?

In addition to being able to sign HIPAA Business Associate Agreements (BAAs), Box has the following features in its product as well as organizational policies:

• Data encryption in transit and at rest
• Restricted physical access to production servers
• Strict logical system access controls
• Configurable administrative controls available to the customer to:
  • Grant explicit authorization to customer files to read, download, edit, lock and password protect files
  • Monitor access
  • Reporting and audit trail of account activities on both users and content
  • Formally defined and tested breach notification policy
  • Training of employees on security policies and controls
  • Employee access to customer data files are highly restricted
  • Mirrored, active-active data center facilities to mitigate disaster situations
  • 99.9% uptime SLA
  • SSAE 16 SOC1 and AT-101 SOC2 Type II Reports
  • Additionally, Box is ISO 27001 certified

What types of customer and administrator controls does Box have that are relevant to HIPAA requirements?

• Controls to provide reasonable assurance that instructions and information provided to Box by the customer are in accordance with the provisions of the Box Service Agreement with the customer, or other applicable governing agreements or documents between Box and its customers.
• Controls to provide reasonable assurance that only authorized individuals from the user entity are granted the ability to access, modify, and delete information from Box’s application.
• Controls to provide reasonable assurance that the user entity’s method for accessing Box’s application is configured with proper logical security protocols.
• Controls to provide reasonable assurance that the confidentiality of the user entity’s sensitive information is not compromised by its users.
• Controls to provide reasonable assurance for defining and granting access to users permitted by the user entity.
• Controls to provide reasonable assurance that user accounts and access permissions are correctly specified on an ongoing basis, including revoking accounts.

 

Has Box signed HIPAA Business Associate Agreements (BAAs) with customers to date?

• Yes, Box has signed BAAs with several healthcare and life sciences customers to date.

 

What types of Box accounts can be HIPAA compliant?

• Box applies the same security and privacy controls for all of its customers, whether Personal, Starter, Business, Enterprise or Elite accounts.
• However, customers who are required by law to comply with HIPAA, such as HIPAA Covered Entities and HIPAA Business Associates, must have an Enterprise or Elite account with Box and sign a HIPAA Business Associate Agreement (BAA). To comply with HIPAA they must configure Box and enforce policies within their organizations to meet HIPAA requirements.

 

Are Box partners or OneCloud apps automatically HIPAA compliant?

• Box partners that offer a product or service to a HIPAA Covered Entity or another HIPAA Business Associate (BA) and are handling Protected Health Information (PHI) must sign a HIPAA Business Associate Agreement (BAA) with the customer; in addition, the customer should also sign a BAA with Box. Please refer to the Box partner’s website for information on their HIPAA compliance.

 

Can Box sign HIPAA Business Associate Agreements with partners who are doing business with healthcare customers (e.g., Covered Entities or other Business Associates)?

• Yes, Box has the ability to enter into a direct Business Associate Agreement (BAA) with the partner as well as directly with the partner’s customer as needed.

 

Can I request a HIPAA Business Associate Agreement (BAA) from within the app? 

Yes, if you're an enterprise admin or co-admin.  To do this, from the Box Admin Console, click Account & Billing, and scroll down (if necessary) to the HIPAA Compliance section.   Then click Request a HIPAA BAA.  Box displays a form asking for information about your organization, the BAA signer, whether you're storing Personal Health Information (PHI) in Box, and whether you’re a HIPAA covered entity (CE) or business associate (BA).  Complete the form and click Continue.  In 3-5 business days the Box Legal Operations team emails you the addendum.

 

Basic HIPAA Terms and Glossary

 

What is Protected Health Information (PHI)?

• Protected Health Information (PHI), also referred to as protected health information, generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that is collected by a health care professional to identify an individual and determine appropriate care.

 

What is Personally Identifiable Information (PII)?

• Personally Identifiable Information (PII) is a subset of Protected Health Information (PHI), and refers to information that is uniquely identifying to a specific individual. Protected Health Information (PHI) is specific to medical and health-related use.

 

What is a HIPAA Covered Entity?

• A HIPAA Covered Entity (CE) stewards Protected Health Information (PHI) and/or Personally Identifiable Information (PII) on patients in the process of providing healthcare care or paying for care. Examples of HIPAA Covered Entities (CE) are one of the following:
  • Including doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies that transmits any information in an electronic form in connection with a transaction for which the U.S. Department of Health and Human Services (HHS) has adopted a standard.
  • Including health insurance companies, HMOs, company health pans, government programs that pay for healthcare (like Medicare and Medicaid)
  • Including entities that process non-standard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
• Healthcare provider:
• Health plan:
• Healthcare clearinghouses:

 

What is a HIPAA Business Associate (BA)?

• A HIPAA Business Associate (BA) refers to a person or organization that conducts business with the HIPAA Covered Entity (CE) and touches the Protected Health Information (PHI) or Personally Identifiable Information (PII) that the covered entity is stewarding on behalf of the patient.
• Business Associates (BAs) include those vendors or services that do business with the HIPAA covered entity (CE). Examples are service organizations or vendors that contract with the HIPAA Covered Entity (CE) that may provide: software such as Electronic Health Records (EHRs), claims processing, data analysis, utilization review, billing, legal services, actuarial services, accounting services, consulting services, data aggregation, accreditation services, or financial services. To be a HIPAA Business Associate (BA), the work of an organization must deal directly with the use or disclosure of Protected Health Information (PHI) and/or Personally Identifiable Information (PII).

 

What is a HIPAA Business Associate Agreement (BAA)?

• A HIPAA Business Associate Agreement (BAA) is a legal document that a HIPAA Business Associate (BA) enters into with a HIPAA Covered Entity (CE).

 

What is the HITECH Act?

• The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology in the U.S.

 

What does the HITECH Act have to do with HIPAA or patient privacy?

• Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

 

What is the final omnibus rule and how does this apply to HIPAA?

• The final omnibus rule is based on statutory changes under the HITECH Act, and was enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009. The rule made the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented in 1996.
• The omnibus rule greatly enhanced a patient’s privacy rights and protections, as well as included support for the Genetic Information Nondiscrimination Act of 2008 (GINA). It also strengthened the government’s ability to enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a HIPAA covered entity (like a health plan, a health care provider or retail pharmacy) or one of their third party contractors that is a HIPAA Business Associate.

 

Where can I get more information?

• Box’s healthcare announcement blog post: http://blog.box.com/?p=26102
• More information about Box for healthcare: https://www.box.com/ industries/healthcare-life- sciences/
• More information about Box’s healthcare partner integrations: https://cloud.box.com/apps
• More information about Box’s security leadership: https://cloud.box.com/s/1m10ey3oh5m4mov4fop7