What types of data are appropriate for my IU Box account?

Important:
Individuals who work with institutional data are responsible for ensuring that those data are stored in approved locations. In addition, regulated data such as health information or personally identifiable information are often subject to federal and state laws (e.g., HIPAA and FERPA) that require users to apply additional security measures.

Indiana University has approved Box at IU:

You may not use your IU Box account to store institutional data classified as Critical, except for PHI as described in this document. This includes, but is not limited to:

  • Social Security and driver's license numbers (even if considered PHI)
  • Banking and student loan information
  • Student academic transcript information
  • Passwords and passphrases
  • PINs and credit card numbers
  • Financial account information
  • Information regulated by Export Control Laws, such as certain types of research or information about restricted items, technology, or software; see Office of Research Compliance: Export Control

The IU Committee of Data Stewards and the University Information Policy Office (UIPO) set official classification levels and data management standards for institutional data in accordance with the university's Management of Institutional Data (DM-01) policy. If you have questions about the classifications of institutional data, contact the appropriate Data Steward. If you have a use case for storing institutional data classified at a higher level in Box, email the IU Committee of Data Stewards for consideration.

Note:
Information classification levels may or may not correspond to the applicable regulation; for example, some information regulated by the Family Educational Rights and Privacy Act (FERPA) may be classified as Restricted, while other types of FERPA-regulated information are classified as Critical. Also, some information may be protected under multiple state and federal regulations (e.g., Social Security numbers may be protected under HIPAA, FERPA, and/or state law). Confirm the classification level of the data you are working with prior to uploading.

For information about working with sensitive institutional data at IU, see:

Important:
Before you begin using your IU Box account, be sure to revise your settings according to How do I securely set up my IU Box account?

Health information

Note:
IU Box is not intended for use as a research storage or database solution. The Research Technologies division of UITS provides advanced supercomputing, storage, and database systems designed specifically to support the needs of biomedical researchers, and IU offers REDCap as a secure database solution; for more storage and database options, see At IU, what research computing services are available?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards requiring organizations and individuals to implement certain administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of protected health information (PHI).

Complying with HIPAA's requirements is a shared responsibility. If you store and share data containing PHI in Box at IU, you must meet the following conditions. For detailed guidelines, see Protecting sensitive data in Box.

  • Comply with IU's terms of use for Box accounts
  • Comply with applicable IU, departmental, and/or research policies and procedures
  • Apply additional safeguards in accordance with University policy and the HIPAA Privacy and Security Rules. These include, but are not limited to:
    • Only storing health information in designated Box Health Data Accounts
    • Using and disclosing only the minimum amount of information necessary for the intended purpose
    • Obtaining the appropriate permissions/authorizations for using and disclosing PHI, such as:
      • Allowed use under the Privacy Rule without authorization
      • IRB approval
      • Authorization
      • Waiver of authorization
      • Limited Data Set pursuant to Data Use Agreements
      • Business Associate Agreements
    • Managing access to the information or Box Health Data Account appropriately:
      • Providing access only to those who have a business need and are permitted access under the Rule
      • Terminating access when the user no longer needs access, such as when an individual terminates or leaves a project
    • Following or complying with:
      • IU's process for setting up a Box Health Data Account
      • Additional steps required by Indiana University's HIPAA Privacy and Security Compliance Plan
      • IU's HIPAA policies and procedures
      • School or unit's HIPAA policies and procedures
      • IU's Information Technology Policies
      • IU's affiliates' HIPAA policies and procedures, as appropriate
      • Contractual obligations

This is document bbvn in the Knowledge Base.
Last modified on 2015-08-25.
