In order for the UW–Madison Enterprise Box Service to be used in a way that is HIPAA compliant, additional controls must be added. PHI may only be stored, with approval, in specific folders that have access managed by authorized data administrators. In addition, workstations used to access and store PHI must meet specific security guidelines. An Enterprise Box Service folder for HIPAA-protected data also cannot be used on the UW Health network (clinical practices and clinical projects), as the service is not approved for access on UW Health managed resources.
- A UW–Madison NetID that has access to https://uwmadison.box.com/
- Determine which staff need access to the PHI and who, if anyone, from outside UW–Madison needs access. If sharing research data with outside users, has the IRB approved the collaboration?
- Determine which workstations will be used to transfer data to and from the Secure Box folder. Identify who provides support to the workstation(s).
- Ensure all workstations used to access the PHI meet the specific configuration requirements listed below.
- Ensure that all UW–Madison staff interacting with PHI in a Secure Box folder complete the annual HIPAA training program.
- Note: this solution is not supported by UW Health, and UW Health does not allow Box on their network.