What types of data are appropriate for my IU Box account?
Indiana University has approved Box at IU:
- For personal files
- For work involving institutional data classified as Public or University-internal; UITS recommends using a Group or Organizational Account for any institutional data
- For work involving institutional data classified as Restricted; UITS strongly recommends using Box Entrusted Data Accounts for this purpose
- For work involving some health information, including protected health information (PHI), only when stored in a Box Health Data Account with appropriate safeguards described below and in Protecting sensitive data in Box. You may not use an IU Box Health Data Account (BHDA) as a legal medical record or to store information that is part of the legal medical record (e.g., clinic notes, lab results and/or images). You may, however, use a BHDA to store copies of a medical record (e.g., for research purposes).
Box at IU is not approved for the following types of data, regardless of account type:
- Social Security and driver's license numbers (even if considered PHI)
- PINs and credit/payment card information (even if considered PHI)
- Banking and student loan information
- Student academic transcripts that contain student Social Security numbers
- Passwords and passphrases
- Financial account information
- Information regulated by Export Control Laws, such as certain types of research or information about restricted items, technology, or software; see Office of Research Compliance: Export Control
Official classification levels for institutional data at IU are defined in the university's Management of Institutional Data (DM-01) policy. If you have questions about the classifications of institutional data, contact the appropriate Data Steward. If you have a use case for storing institutional data classified at a higher level in Box, email the University Data Management Council (UDMC) for consideration.
For information about working with sensitive institutional data at IU, see:
- Critical Data Guide
- At IU, which dedicated file storage services and IT services with storage components are appropriate for sensitive institutional data, including research data containing protected health information?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules protecting the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule set national standards requiring organizations and individuals to implement certain administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and availability of protected health information (PHI).
- Which data elements in the classifications of institutional data are considered protected health information (PHI)?
- What are the penalties for violating HIPAA?
Complying with HIPAA's requirements is a shared responsibility. If you store and share data containing PHI in Box at IU, you must meet the following conditions. For detailed guidelines, see Protecting sensitive data in Box.
- Comply with applicable IU, departmental, and/or research policies and procedures
- Apply additional safeguards in accordance with University policy and the HIPAA Privacy and Security Rules. These include, but are not limited to:
  - Only storing health information in designated Box Health Data Accounts
  - Using and disclosing only the minimum amount of information necessary for the intended purpose
  - Obtaining the appropriate permissions/authorizations for using and disclosing PHI, such as:
    - Allowed use under the Privacy Rule without authorization
    - IRB approval
    - Waiver of authorization
    - Limited Data Set pursuant to Data Use Agreements
    - Business Associate Agreements
  - Managing access to the information or Box Health Data Account appropriately:
    - Providing access only to those who have a business need and are permitted access under the Rule
    - Terminating access when the user no longer needs access, such as when an individual terminates or leaves a project
  - Following or complying with:
    - IU's process for setting up a Box Health Data Account
    - Additional steps required by Indiana University's HIPAA Privacy and Security Compliance Plan
    - IU's HIPAA policies and procedures
    - School or unit's HIPAA policies and procedures
    - IU's Information Technology Policies
    - IU's affiliates' HIPAA policies and procedures, as appropriate
    - Contractual obligations
This is document bbvn in the Knowledge Base.
Last modified on 2017-02-02 18:19:51.