This document identifies how the University at Buffalo community is able to store restricted data effectively and safely in UBbox.
UB and Box have signed a business associate agreement (BAA). This BAA is necessary in order to permit the storage of SUNY HIPAA regulated data in UBbox. Please note that non-SUNY HIPAA-regulated data (e.g., data belonging to UBMD Practice Plans) is not covered by this BAA. Therefore, storing non-SUNY HIPAA-regulated data in UBbox is a HIPAA violation.
Restricted data includes but is not limited to:
As of July 31, 2017, the only HIPAA-related entities at UB are:
This document provides a paradigm suitable for storing HIPAA-regulated data in UBbox. This paradigm is also suitable for other Category 1: Restricted Data. Business processes may require modifying or loosening restrictions. Any changes to technical configuration, policies, or procedures defined in this document must be approved by the appropriate security/privacy officials and the Information Security Office (ISO) of the Vice President and Chief Information Officer (VPCIO).
This document specifically addresses: