Box at Penn State is a contracted, cloud-based collaboration and storage solution that allows you to collaborate with people inside and outside of the university through file storage, shared links, commenting, versioning, workflows and many other useful features. Box at Penn State is obtained through a contract with Internet2 Net+ (http://www.internet2.edu/vision-initiatives/initiatives/internet2-netplus/), which includes security provisions giving Penn Staters a place for storing many kinds of data in a safe and secure manner.
Penn State’s contract with Internet2 Net+ includes a Business Associate Agreement (BAA). This means individuals may use this service to store Protected Health Information (PHI) regulated by the federal Health Insurance Portability and Accountability Act (HIPAA). Complying with HIPAA’s requirements is a shared responsibility. Penn State and Box work together to provide a file collaboration and storage environment that is as secure as possible for the types of data authorized to be stored. Individual users who share and store PHI in Box are responsible for complying with HIPAA safeguards, including:
• Using and disclosing only the minimum necessary PHI for the intended purpose.
• Obtaining all required authorizations for using and disclosing PHI.
• Ensuring that PHI is seen only by those who are authorized to see it.
• Obtaining all necessary data-sharing agreements for using and disclosing PHI.
• Adhering to all relevant data use agreements, contracts, IRB policies, compliance conditions and local unit rules.
Hershey Medical Center Users
Regardless of the source, prior to creating, using, storing, transmitting or sharing Protected Health Information, one must be certain that their activities are permissible in accordance with prevailing laws, regulations, standards and institutional policy.
The Penn State Milton S. Hershey Medical Center (HMC) does not currently recognize Box as an authorized repository for creating, using, storing, transmitting or sharing Protected Health Information (PHI). This includes PHI that originates from the Penn State Milton S. Hershey Medical Center and PHI that originates from entities external to the Penn State Milton S. Hershey Medical Center.
Exceptions to the HMC corporate policy are only permissible when they are authorized in writing by the recognized HMC Information Owner and then, only when information security standards established by the HMC Department of Information Technology are properly implemented and maintained.
Questions pertaining to the access and use of Protected Health Information created or maintained by the Penn State Milton S. Hershey Medical Center should be directed to your supervisor and then, as appropriate, to the recognized HMC Information Owner via the IT Technical Support Center at 717-531-6281.
Other Restricted Data
Although PHI and some other Restricted data may be stored on Box at Penn State, other types of Personally Identifiable Information (PII), such as Social Security Numbers, Driver’s License Numbers, Credit Card Numbers, etc., are not permitted to be stored on Box at this time. Please refer to the Box DataCat page (http://datacat.psu.edu/box-storage/) for further information on what is permitted to be stored on Box at Penn State.
If there are any questions about how to store PHI on Box, please send your question to firstname.lastname@example.org or contact the IT Service Desk at (814)865-4357.