Storing Restricted Data in Box

This document identifies how the University at Buffalo community is able to store restriced data effectively and safely in UBbox.

About Storing Sensitive Data

UB and Box have signed a business associate agreement (BAA). This BAA is necessary in order to permit the storage of SUNY HIPAA regulated data in UBbox. Please note that non-SUNY HIPAA-regulated data (e.g., data belonging to UBMD Practice Plans) is not covered by this BAA. Therefore, storing non-SUNY HIPAA-regulated data in UBbox is a HIPAA violation.

Restriced data includes but is not limited to:

  • Category 1: Restricted Data as described in UB's Data Risk Classification Policy. This includes Electronic Protected Health Information (ePHI) subject to compliance with the Health Insurance Portability and Accountability Act (HIPAA).

As of July 31, 2017, the only HIPAA-related entities at UB are:

  • HIPAA covered function (HIPAA-regulated entities): UB School of Dental Medicine
  • HIPAA business associate (provides services to HIPAA-regulated entities): UB School of Dental Medicine

This document provides a paradigm suitable for storing HIPAA-regulated data in UBbox. This paradigm is also suitable for other Category 1: Restricted Data. Business processes may require modifying or loosening restrictions. Any changes to technical configuration, policies, or procedures defined in this document must be approved by the appropriate security/privacy officials and the Information Security Office (ISO) of the Vice President and Chief Information Officer (VPCIO).

This document specifically addresses:

  • Approval for storing sensitive data in UBbox
  • User responsibilities when storing and accessing sensitive data in UBbox
  • Provisioning of folders in UBbox for storing sensitive data
  • Technical configuration of UBbox folders used for storing sensitive data
  • Auditing and event alerting
  • Breach protocol
  • Sensitive data life cycle