The Box at Penn State service is authorized for storage of Protected Health Information (PHI).

Users are responsible for using Box at Penn State securely to store, collaborate or share restricted data, such as Protected Health Information (PHI).  PHI is subject to federal and state laws, such as the Health Insurance Portability and Accountability Act (HIPAA), that require you to exercise special care. Meeting the requirements below will help you store and share PHI data safely in Box at Penn State and will reduce the risk of costly fines and penalties to yourself and your unit.

For a more detailed discussion of storing PHI in Box at Penn State, please visit this page.

Hershey Medical Center users should refer to this page.

System Requirements

WhatWhyMore Info
All users who login to Box will require Two Factor Authentication (2FA) .The security of information for academic, research, and administrative activities is important. The Two-Factor Authentication (2FA) service provides application owners with higher assurance that only authorized users can gain access to critical information, systems, and services. 2FA is part of a two-level authentication process. The first level (something you know) is the verification of the Penn State AccessID and password. The second level (something you have) is a randomly generated passcode provided by the Penn State 2FA serviceDetails on Penn State's 2FA program can be found here:
Special Box Non-Person Accounts configured to store PHI are available to Penn State users. PHI must be stored in these types of accounts.These Box accounts will:

1) Be named using the following format:

2) Top level folders will have the following settings:

• Check "Only Owners and Co-owners can send collaborator invites."

• Check “Restrict collaboration to within Penn State”

• Leave "Allow anyone who can access this folder from a shared link to join" unchecked.

• Check "Restrict shared links to collaborators only" for both files and folders.

These will be set by the Box service team upon account creation; co-owners and collaborators of folders within these accounts will be unable to change these settings.
Users can request PHI-configured Non-Person Accounts here:

Users who need to share PHI outside of Penn State should email a request to


User Requirements

WhatWhyMore Info
Unit policies and restrictions might be more stringent than university policies.Users must follow local rules for file storage. Even though Box @ Penn State meets regulatory safeguards and has been approved by Penn State for the storage of PHI, your local unit may have more stringent rules regarding storage of PHI. Local units may have specific funding, regulatory or administrative requirements that prevent PHI from being stored on Box.
Consult your supervisor or local unit IT leader.
Box users must save files containing PHI ONLY to Non-Person account folders that have been configured for storing PHI. Users are not permitted to store files containing PHI in any other type of Box folder or account.Penn State’s Box service has contractual security measures applied to it and Penn State system administrators have permissions to perform troubleshooting and incident response (i.e., restoring files that were inadvertently deleted or assisting users in assigning collaboration permissions.) Penn State has no control, visibility or contractual assurance of data stored in commercial Box accounts or Box accounts owned by other universities or institutions.Types of Box accounts not authorized for PHI:

• Commercial Box accounts

• Personal (i.e., associated with user’s Access ID) PSU Box accounts

• NPAs not configured for PHI

• Folders owned by individuals outside of Penn State (these are colored grey on the Box web interface)
Users shall not sync (using Box Sync or other means) any Box folders that contain PHI.Having additional copies of the data increases the risk of unintended and inappropriate access.Box Sync puts a copy of Box files onto your laptop or desktop computer, and keeps it synchronized to Box when you make changes. Security measures on individual computers cannot be assured centrally, so PHI files copied to individual computers may not be secure.
Users will keep the list of collaborators (the people to whom they give access to folders) up-to-date. Only add people who need access to do their university work. Remove people as collaborators immediately when they no longer need that access (for example, when they leave the university or change jobs).It is the user’s responsibility to make sure that only those people who need access to the data to do their jobs have that access. It is important to keep the list of collaborators up-to-date as their access needs change.See Box's Invite Colleagues And Friends for instructions on inviting collaborators.
Users shall assign collaborators only the permissions they need to do their university work and no more. Providing the minimum required (to do one’s job) access decreases the chance of an inadvertent compromise of PHI data.

For example, if someone does not need to make changes to files in a folder, give them only view or preview access; do not give them edit access. Best practice dictates that there should only be two or three co-owners in an NPA; do not give everyone co-owner rights.
An overview of the various permissions available in Box is here:

Note: When reading this article, Penn State is an Enterprise Account.
Users shall assign a tag labelled “PHI” to folders that contain this type of dataTags will clearly identify locations where PHI data is stored. These tags can be viewed from each user’s Files and Folders page. In addition users can use the search feature within Box to easily find any folders storing PHI.Tags can be assigned by right-clicking on a folder name, then Add/Edit Tags. More information on how tags work within Box can be found here:
Users shall not download files containing PHI to their personal mobile device (phone, tablet, etc.)These devices travel and are more easily lost than a computer; they may also be less secure.Penn State enforces a four-digit access code to the Box application on mobile devices. It is recommended that users enable a strong password for the device itself.

If a mobile device is lost, the user should contact the IT Service Desk who can remotely remove the Box app from the device, thereby blocking access to Box from the device.

If there are any questions about how to store PHI on Box, please send your question to or contact the IT Service Desk at (814)865-4357.


Skip to toolbar