ARCHIVED: Types of data appropriate for IU Box accounts

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

On this page:

Approved and non-approved types of data


IU's Box cloud storage service was retired on May 10, 2021. For information about cloud storage options available at IU, see Storage at IU.

Individuals who work with institutional data are responsible for ensuring that those data are stored in approved locations. In addition, regulated data such as health information or personally identifiable information are often subject to federal and state laws (for example, HIPAA and FERPA) that require users to apply additional security measures.

Indiana University has approved Box at IU:

  • For personal files
  • For work involving Public or University-Internal data; UITS recommends using a ARCHIVED: Group or Organizational Account for any institutional data
  • For work involving Restricted data, only when stored within a Box Entrusted Data Account
  • For work involving some health information, including protected health information (PHI), only when stored in a Box Health Data Account with appropriate safeguards described below and in ARCHIVED: Protect sensitive data in Box. You may not use an IU Box Health Data Account (BHDA) as a legal medical record or to store information that is part of the legal medical record (such as clinic notes, lab results and/or images). You may, however, use a BHDA to store copies of a medical record (for example, for research purposes).

You may not use your IU Box account to store Critical data, except for PHI as described in this document. This includes, but is not limited to:

  • Social Security and driver's license numbers (even if considered PHI)
  • PINs and credit/payment card information (even if considered PHI)
  • Banking and student loan information
  • Student academic transcripts that contain student Social Security numbers
  • Passwords and passphrases
  • Financial account information
  • Information regulated by Export Control Laws, such as certain types of research or information about restricted items, technology, or software (see Compliance: Export Control)

Official Classification levels of institutional data are defined in Management of Institutional Data (DM-01). If you have questions about the classifications of institutional data, contact the appropriate Data Steward. If you have a use case for storing institutional data classified at a higher level in Box, email the University Data Management Council (UDMC) for consideration.

Information classification levels may or may not correspond to the applicable regulation; for example, some information regulated by the Family Educational Rights and Privacy Act (FERPA) may be classified as Restricted, while other types of FERPA-regulated information are classified as Critical. Also, some information may be protected under multiple state and federal regulations (for example, Social Security numbers may be protected under HIPAA, FERPA, and/or state law.) Confirm the Classification levels of institutional data you are working with prior to uploading.

For information about working with sensitive institutional data at IU, see:

More about health information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards requiring organizations and individuals to implement certain administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of protected health information (PHI).

See also:

Complying with HIPAA's requirements is a shared responsibility. If you store and share data containing PHI in Box at IU, you must meet the following conditions. For detailed guidelines, see ARCHIVED: Protect sensitive data in Box.

  • Comply with IU's terms of use for Box accounts
  • Comply with applicable IU, departmental, and/or research policies and procedures
  • Apply additional safeguards in accordance with University policy and the HIPAA Privacy and Security Rules. These include, but are not limited to:
    • Only storing health information in designated Box Health Data Accounts
    • Using and disclosing only the minimum amount of information necessary for the intended purpose
    • Obtaining the appropriate permissions/authorizations for using and disclosing PHI, such as:
      • Allowed use under the Privacy Rule without authorization
      • IRB approval
      • Authorization
      • Waiver of authorization
      • Limited Data Set pursuant to Data Use Agreements
      • Business Associate Agreements
    • Managing access to the information or Box Health Data Account appropriately:
      • Providing access only to those who have a business need and are permitted access under the Rule
      • Terminating access when the user no longer needs access, such as when an individual terminates or leaves a project
    • Following or complying with:
      • IU's process for setting up a Box Health Data Account
      • Additional steps required by Indiana University's HIPAA Privacy and Security Compliance Plan
      • IU's HIPAA policies and procedures
      • School or unit's HIPAA policies and procedures
      • IU's Information Technology Policies
      • IU's affiliates' HIPAA policies and procedures, as appropriate
      • Contractual obligations

This is document bbvn in the Knowledge Base.
Last modified on 2021-02-26 10:56:22.