Box - HIPAA Protected Data Project Folders

Specialized UW-Madison Enterprise Box Services are available for use with HIPAA protected data, and requests for these folders are considered on a case-by-case basis. Please review the requirements and step-by-step guide prior to requesting a Secure Box folder.


For the UW-Madison Enterprise Box Service to be used in a HIPAA-compliant way, additional controls must be added. PHI may only be stored, with approval, in specific folders whose access is managed by authorized data administrators. In addition, workstations used to access and store PHI must meet specific security guidelines. Enterprise Box Service folders for HIPAA protected data cannot be used on the UW Health network (clinical practices and clinical projects), as the service is not approved for access on UW Health managed resources.

  1. A UW Madison NetID that has access to
  2. Determine which staff need access to the PHI and who, if anyone, from outside UW Madison needs access. If sharing research data with outside users, has IRB approved the collaboration?
  3. Determine which workstations will be used to transfer data to and from the Secure Box folder.  Identify who provides support to the workstation(s).
  4. Ensure all workstations used to access the PHI meet the specific configuration requirements listed below.
  5. Ensure that all UW-Madison staff interacting with PHI in a Secure Box folder complete the annual HIPAA training program.
  6. Note, this solution is not supported by UW Health and UW Health does not allow Box on their network.

Step-by-step guide

  1. Review requirements section.
  2. Contact Surgery IT team for alternatives to a Secure Box folder.
  3. If you have Department of Surgery research questions, please contact the department's research group.
  4. When you have established the requirements for requesting a Secure Box folder, please complete this campus survey to initiate a formal request.  It is recommended that you review the survey's information requirements by clicking on the link, gather the necessary information, and then return to the survey to complete it.
  5. Document the process for your internal research controls. For example, when members are added to the research team, their data access must follow the requirements for workstation security and HIPAA training. When members leave the research team, please follow the Secure Box access workflow to remove their access to the PHI data.

Please direct any questions related to this article to

Keywords: Box hippa
Doc ID: 111774
Owner: Viviana P.
Group: UW Department of Surgery
Created: 2021-06-18 09:00 CDT
Updated: 2021-08-10 11:55 CDT
Sites: UW Department of Surgery