Restrictions and Permitted Methods of Accessing Restricted Data in UBbox

Customers using UBbox to store restricted data should familiarize themselves with restricted and permitted ways of logging into and using UBbox.

On this page:

HIPAA Regulated and Non-Regulated Data

HIPAA-Regulated Data: Any application that stores data, even temporarily, on third-party infrastructure not managed by UB or Box, is forbidden for HIPAA-regulated data if no BAA is in place with that third party.

Non-HIPAA-Regulated Data: Any application that stores data, even temporarily, on third-party infrastructure that is not managed by UB or Box is not forbidden for non-HIPAA-regulated data. However, use of the application requires approval by the data stewards and security/privacy officials.

Box Apps

Only official Box apps are approved for use with restricted data.  See the list of official Box apps.  Some apps, although not forbidden, require certain awareness as noted below. 

Box Drive

Box Drive caches files from Box on a client computer's local disk which could present a security risk for regulated data.  Use of Box Drive is not forbidden, but requires approval by the data steward and security/privacy officials.

Box Sync

Box Sync stores files on client devices which could present a security risk for regulated data.  By default Box Sync is disabled at the account level for USDAs and UHDAs.  This prevents Box Sync from being used on any folders owned by these accounts.  Allowing Box Sync to be used requires approval by the data steward and security/privacy officials.  The associated technical configuration change can only be made by UBIT Box Administrators.

Client Devices

Client devices used to access restricted data by persons affiliated with UB must be maintained by CIT professionals.  Personal client devices may not be used to access restricted data.

Google Docs and Google Sheets

Google Docs and Google Sheets create temporary working copies of data on Google infrastructure.  Use of Google Docs and Google Sheets is forbidden for HIPAA-regulated data because no BAA is in place with Google.  Use of Google Docs and Google Sheets is not forbidden for non-HIPAA-regulated data but requires approval by the data steward and security/privacy officials.

Inviting a "Group" to Collaborate

Collaboration invitations to "groups" are not permitted.  Members can be added to and removed from a group without folder owner being aware.

Microsoft Online Tools

Microsoft Online Tools create temporary working copies of data on Microsoft infrastructure.  Use of Microsoft Online Tools is forbidden for HIPAA-regulated data because no BAA is in place with Microsoft.  Use of Microsoft Online Tools is not forbidden for non-HIPAA-regulated data but requires approval by the data steward and security/privacy officials.

Web Browser Interface

Web browser access is permitted.

Exceptions to Restrictions

Any exceptions to the above restrictions must be approved by the associated data steward and security and privacy officials. The Information Security Office must be consulted when making exceptions.