The Box at Penn State service is authorized for storage of certain High information (Level 3).

Users are responsible in their use of Box at Penn State to securely store, collaborate or share High information, such as Protected Health Information (PHI).  PHI is subject to federal and state laws, such as the Health Insurance Portability and Accountability Act (HIPAA), that require you to exercise special care. Meeting the requirements below will help you store and share PHI and any other High information safely in Box at Penn State and will reduce the risk of costly fines and penalties to yourself and your unit.

For a more detailed discussion of storing PHI in Box at Penn State, please visit this page.

Hershey Medical Center users should refer to this page.

System Requirements

WhatWhyMore Info
All users who login to Box will require Two Factor Authentication (2FA) .The security of information for academic, research, and administrative activities is important. The Two-Factor Authentication (2FA) service provides application owners with higher assurance that only authorized users can gain access to critical information, systems, and services. 2FA is part of a two-level authentication process. The first level (something you know) is the verification of the Penn State AccessID and password. The second level (something you have) is a randomly generated passcode provided by the Penn State 2FA serviceDetails on Penn State's 2FA program can be found here:
Special Box Non-Person Accounts configured to store High information (Level 3) are available to Penn State users. High information must be stored in these types of accounts.These Box accounts will:

1) Be named using the following format:

2) Top level folders will have the following settings:

• Check "Only Owners and Co-owners can send collaborator invites."

• Check “Restrict collaboration to within Penn State”

• Leave "Allow anyone who can access this folder from a shared link to join" unchecked.

• Check "Only collaborators can access this folder via shared links" for both files and folders.

These will be set by the Box service team upon account creation; only co-owners of folders within these accounts will be able to change these settings.
Users can request High information (Level 3)-configured Non-Person Accounts here:

Users who need to share High information outside of Penn State should email a request to


User Requirements

WhatWhyMore Info
Unit policies and restrictions might be more stringent than University Policies.In some cases it is permissible to store Level 3 “High” information on Box. This includes PHI and small quantities of PII. In any case, regardless of the quantity, all Level 3 data must have an approved Authority to Operate (ATO) from the Office of Information Security. Additional information on the ATO process, including how to submit a request can be found at

Consult your supervisor or local unit IT leader.
Box users must save files containing High information ONLY to Non-Person account folders that have been configured for storing this type of information. Users are not permitted to store files containing High information in any other type of Box folder or account.Penn State’s Box service has contractual security measures applied to it and Penn State system administrators have permissions to perform troubleshooting and incident response (i.e., restoring files that were inadvertently deleted or assisting users in assigning collaboration permissions.) Penn State has no control, visibility or contractual assurance of data stored in commercial Box accounts or Box accounts owned by other universities or institutions.Types of Box accounts not authorized for High information:

• Commercial Box accounts

• Personal (i.e., associated with user’s Access ID) PSU Box accounts

• NPAs not configured for High information

• Folders owned by individuals outside of Penn State (these are colored grey on the Box web interface)
Users shall not sync (using Box Sync or other means) any Box folders that contain High information.Having additional copies of the data increases the risk of unintended and inappropriate access.Box Sync puts a copy of Box files onto your laptop or desktop computer, and keeps it synchronized to Box when you make changes. Security measures on individual computers cannot be assured centrally, so High information files copied to individual computers may not be secure.
Users will keep the list of collaborators (the people to whom they give access to folders) up-to-date. Only add people who need access to do their university work. Remove people as collaborators immediately when they no longer need that access (for example, when they leave the university or change jobs).It is the user’s responsibility to make sure that only those people who need access to the data to do their jobs have that access. It is important to keep the list of collaborators up-to-date as their access needs change.See Box's Invite Colleagues And Friends for instructions on inviting collaborators.
Users shall assign collaborators only the permissions they need to do their university work and no more. Providing the minimum required (to do one’s job) access decreases the chance of an inadvertent compromise of High information.

For example, if someone does not need to make changes to files in a folder, give them only view or preview access; do not give them edit access. Best practice dictates that there should only be two or three co-owners in an NPA; do not give everyone co-owner rights.
An overview of the various permissions available in Box is here:

Note: When reading this article, Penn State is an Enterprise Account.
Users shall assign a tag labelled “Level 3” to folders that contain this type of dataTags will clearly identify locations where High information (Level 3) is stored. These tags can be viewed from each user’s Files and Folders page. In addition users can use the search feature within Box to easily find any folders storing Level 3 information.Tags can be assigned by right-clicking on a folder name, then Add/Edit Tags. More information on how tags work within Box can be found here:
Users shall not download files containing High information to their personal mobile device (phone, tablet, etc.)These devices travel and are more easily lost than a computer; they may also be less secure.Penn State enforces a four-digit access code to the Box application on mobile devices. It is recommended that users enable a strong password for the device itself.

If a mobile device is lost, the user should contact the IT Service Desk who can remotely remove the Box app from the device, thereby blocking access to Box from the device.

If there are any questions about how to store High information (Level 3) on Box, please contact or contact the IT Service Desk at (814)865-4357.

For additional questions pertaining to whether or not certain classifications of information can be stored in Box, please contact

Skip to toolbar