University of Wisconsin–Madison

Document Storage for ePHI in Secure Box Folders

To request a secure Box folder:

  1. Read this entire webpage and all supporting information prior to requesting a Secure Box folder. 
  2. Determine which staff need access to the PHI and who, if anyone, from outside UW–Madison needs access. If sharing research data with outside users, has the IRB approved the collaboration?
  3. Determine which workstations will be used to transfer data to and from the Secure Box folder.  Identify who provides support to the workstation(s).
  4. Ensure all workstations used to access the PHI meet the specific configuration requirements listed below.
  5. Ensure that all UW–Madison staff interacting with PHI in a Secure Box folder complete the annual HIPAA training program.

Fill out the request form

Already have a secure Box folder but need to modify it? Fill out the modification-request form

UW–Madison Workstation Security Requirements

This section identifies requirements for workstations that receive, access, process and/or store PHI on behalf of UW–Madison. All employees who use computers designated for processing such data shall complete the UW–Madison annual HIPAA training before interacting with PHI.

Any UW–Madison workstation used to access Secure Box folders containing PHI must be patched periodically and have security updates applied. Reports on the security status of each workstation must be generated monthly.

The UW–Madison IT Security Baseline Program in conjunction with the Secure End Point Configuration Matrix defines the minimal system security criteria. If the system(s) meet these two standards, they will be in compliance with the requirements stated in this section.  The unit’s departmental IT professionals will be required to provide compliance verification to the HIPAA Security Coordinator and the Office of Cybersecurity. 

Find HIPAA Security and Privacy contacts here

Local IT staff may implement additional security controls, beyond those listed here. When implementing additional controls, the IT staff shall document those additional controls and share the documentation with the UW–Madison HIPAA Privacy and Security Officers. A repository for such documentation will be provided.

The division/department responsible for the workstations interacting with PHI must have a full-time, professionally trained IT staff person, or contract for the services of such a professional (for example, a contract with DoIT or AIMS). Those professionals shall execute the steps outlined in this section and maintain all documentation listed as required.

For every workstation that interacts with PHI, the IT professionals shall take the following steps and generate reports that document evidence of compliance. Reports must be stored in a repository that shall be provided by DoIT for compliance reporting. 

Please reference the Secure End Point Configuration Matrix.



System configuration

Qualys Cloud Agent enabled for policy compliance will scan and document workstation configuration.

  • Review the Qualys report for compliance gaps.
  • If compliance is less than 100%, mitigate the gaps and document any compliance gaps that cannot be addressed. Submit the report for review by the UW–Madison Office of Cybersecurity.

System patching & vulnerability management

Qualys Cloud Agent enabled for vulnerability management will scan and document workstation vulnerabilities.

  • Review Qualys reporting for vulnerabilities. 
  • Vulnerabilities that cannot be remedied should be documented.
  • Submit the report for review by the UW–Madison Office of Cybersecurity.

Anti-virus, anti-malware


Run a host-based firewall at all times.

Administrator access

Administrator access will be restricted to designated local IT security professionals.

Data acquisition

Data acquisition requires one of the following:

  • Encrypted drive (external or USB)
  • Secure Web portal using HTTPS
  • Secure File Transfer Protocol

Data storage

PHI can be stored on an approved UW Box PHI project folder, after completing the requirements as outlined in this webpage.

If the project study requires that data be temporarily stored outside of the Secure Box folder, these storage locations must be encrypted.

Approved storage locations are:

  • Encrypted external hard drive which employs hardware-based encryption
  • USB thumb drive which employs hardware-based encryption
  • The secured computer’s encrypted internal hard drive

Box Sync or Box Edit may be used on a secured workstation.

Data processing

All processing of the data set shall be executed only on workstations that have been certified to meet the criteria set forth on this webpage, using the storage locations outlined in the previous section.

No processing will be done on any third-party systems, other cloud services, or other computers.

Statistical results, which do not contain any HIPAA identifiers, are considered the output of the research and can be stored on other systems. These shall not contain any dates (other than year alone), or any other HIPAA identifiers, from the original data set. If any uncertainty exists as to the exact definition of what constitutes LDS PHI, contact the UW HIPAA Privacy Officer.

Maintenance and testing of security posture

  • Reports shall be run monthly and stored in the study’s compliance reporting folder.
  • Reports shall be available to the Privacy and Security officers and their designees for audit purposes.
  • A UW–Madison Box PHI report share will be provided to the professional IT staff.

Workstation requirements for non-UW–Madison/external collaborators

All collaborators listed as accessing a Secure Box folder must fill out and submit an External Collaborator’s Asset Security form.

External Collaborator Endpoint Security Checklist




What is the intended use for a secure Box folder for ePHI?

A secure Box folder is primarily intended for storing ePHI or a Limited Data Set (LDS) securely for collaboration with external (outside of UW–Madison) entities. There may be more appropriate secure collaboration solutions for sharing data internally between UW–Madison departments and/or UW Health. Please consult with your local HIPAA Security Coordinator or IT department before requesting a secure Box folder.

Once I obtain a HIPAA-approved Box folder, can I use any device to access it?

No, you may only use UW–Madison managed devices which meet the technical compliance standards established in this process. These devices must be identified and documented with your request. If you’d like access provided to additional devices, please submit a request so we can ensure the device(s) meet our minimum security requirements.

Who is responsible for maintaining technical configuration compliance of my workstation(s)?

Your HIPAA Security Coordinator will work with your local IT department to verify compliance initially and make sure your workstation continues to meet security requirements on a regular basis. This includes routine security patches and anti-malware updates, among other things.

Can I use Box Sync?

Yes. Box Sync may be used on approved and managed workstations.

How long will it take to get an ePHI Box folder approved and working?

The process to create a secure folder to store ePHI is a collaboration between the Office of Cybersecurity and your local IT department and/or HIPAA security coordinator. The workstations used to access the Box folder must meet technical compliance standards before folder access is granted. External collaborators must complete and submit the External Collaborator’s Asset Security form. Consult with your HIPAA security coordinator and/or your local IT department prior to submitting the request form to ensure that a secure ePHI Box folder is an appropriate solution.

Who is my HIPAA security coordinator?

UW–Madison HIPAA security coordinators are listed on the HIPAA Program website.

How do I know if I am storing ePHI?

The Office of Compliance has developed a webpage that defines ePHI/PHI and how to keep it confidential.

Questions about Secure Box Folder requirements?