Handling Restricted/PHI Data with UAB Box

Storing data classified as Restricted/PHI (protected health information) in UAB Box is permitted, but only if you have completed a risk assessment with UAB Health System.

The use of UAB Box must comply with all applicable laws, regulations and UAB policies.

Refer to these policies for more information:

Only UAB Box accounts are approved for storing UAB data that is classified as Sensitive or Restricted/PHI. Use of any other Box.com accounts (e.g. personal, starter, business, etc.) for storing sensitive and/or Restricted/PHI UAB data is prohibited.

Likewise, the use of any similar Internet-based file sharing system (such as Dropbox, Google Docs, etc.) for storing or sharing Sensitive or Restricted/PHI UAB data is prohibited, unless the system has been formally approved by the Office of the Vice President for Information Technology.

Storing cardholder data subject to the Payment Card Industry Data Security Standard (PCI DSS) in UAB Box is prohibited.

In addition, if you are processing ePHI with UAB Box or any other service, UAB HIPAA Policies require a completed and current risk assessment. The risk assessment form can be requested by sending an email to UAB Health System Information Security (HSIS) at riskassessments@uabmc.edu. The request must include a description of the use case for sharing ePHI via UAB Box, along with specifics on the type of ePHI being shared and with whom it will be shared. HSIS will respond, provide a risk assessment template, and work with the requesting party to examine its needs and any associated risks.

Please be aware that for users with a uabmc.edu email address, ShareFile is the standard method for sharing PHI. It is the responsibility of any user sharing PHI to ensure that the recipients have been properly reviewed and that the proper contracts are in place. Research projects are bound by the data use agreements specific to their studies.