How to request a PHI folder in Box
The University of Illinois has signed a Business Associate Agreement (BAA) with Box.com. The BAA allows the UofI to provide Box Health Data Folders (BHDFs) for the secure sharing and storage of health information. Only employees, volunteers, trainees, and other persons under the direct control of the University are eligible to apply for a BHDF.
To request a PHI folder in Box:
- Read and understand the protections and proper use of Box.com with PHI as outlined in the document Protecting PHI in Box.
- Fill out the University Box Health Data Folder Request Form (https://go.uillinois.edu/RequestBoxHealthFolder).
- Once your application has been reviewed and approved by the HIPAA Privacy Official, you will receive notification that it has been accepted and that the requested folder has been created within Box. The new BHDF will appear in your Box dashboard when you log in but is subject to the restrictions outlined in this document. You are designated the “owner” of the BHDF and are ultimately responsible for access controls.
- All users of the BHDF must understand and implement the required security measures discussed below.
- Individuals must read and understand this document before applying for a BHDF if they wish to disclose PHI to Box.
- Individuals must apply for and be granted a BHDF from the HIPAA Privacy Official.
- If granted, BHDF “owners” must ensure that all folders (including subfolders) within Box have names that begin with “[Box Health]”.
- Extreme care must be taken when inviting collaborators to BHDFs.
- Box sync for these folders is discouraged.
- If sync is used, BHDFs may only be synced to university-owned endpoint computers or devices that are encrypted per campus security policies and the University’s HIPAA Directive.
- Everyone who interacts with PHI within Box, including “owners,” “co-owners,” and “collaborators,” must keep it secure.
- Individuals who disclose PHI to Box are not only responsible for abiding by the University’s HIPAA Directive and the terms of this document, but are also accountable for making sure that any other individual with whom the PHI is shared abides by them as well.
- Storage of PHI in a “personal” (i.e., non-BHDF) folder is strictly prohibited.