Document Storage for ePHI in SecureBox

Staff Responsibilities for using SecureBox service

  • Use only the designated, certified workstation(s) to access the SecureBox folder.
  • Use a VPN connection when accessing the data from a remote location.
  • The SecureBox Folder owner must work with any external collaborators to ensure that the workstation(s) they are using meets these security guidelines as outlined in the Workstation Security Requirements document: Secure-Endpoint-Configuration-Matrix (10-22-20).
  • Ensure that data acquisition stored in the SecureBox folder uses one of the following methods:
    • Encrypted drive (external or USB)
    • Secure Web portal using HTTPS
    • Secure File Transfer Protocol
  • Ensure that if data is to be temporarily stored outside of the SecureBox folder, that the following approved locations are used:
    • Encrypted external hard drive which employs hardware-based encryption
    • USB thumb drive which employs hardware-based encryption.
    • The Secured computer’s encrypted internal hard drive
  • Box-Edit may be used on a secured workstation.

IT department security requirements

  • Maintain an accurate list of workstations accessing the SecureBox folder.
  • Regularly review and remediate identified Qualys compliance gaps and vulnerabilities.
    • For gaps that cannot be remediated, mitigation strategy must be documented and uploaded into the SecureBox compliance folder.
  • Maintain an accurate user list, with appropriate access rights for the SecureBox folder.
  • Complete a written procedure for handling data while in use and train staff on the use of a SecureBox folder. This procedure must also define what a remote location is and how to use the VPN when remote.
  • Produce monthly reports validating that the asset remains in compliance and is being updated and patched appropriately.

Statistical results, which do not contain any HIPAA identifiers can be stored on other systems.  These shall not contain any dates (other than year alone), or any other HIPAA identifiers, from the original data set.  If any uncertainly exists to the exact definition of what constitutes a Limited Data Set PHI, contact the UW–Madison HIPAA Privacy Officer.

 

This is an accordion element with a series of buttons that open and close related content panels.

Anti-virus, anti-malware

Firewall

Run a host-based firewall at all times.

Administrator access

Administrator access will be restricted to designated local IT security professionals.

Data acquisition

Data acquisition requires one of the following:

  • Encrypted drive (external or USB)
  • Secure Web portal using HTTPS
  • Secure File Transfer Protocol

Data storage

PHI can be stored on an approved UW Box PHI project folder, after completing the requirements as outlined in this webpage.

If the project study requires data be temporarily stored outside of the SecureBox folder, these storage locations must be encrypted.

Approved storage locations are:

  • Encrypted external harddrive which employs hardware-based encryption
  • USB thumb drive which employs hardware-based encryption
  • The secured computer’s encrypted internal harddrive

Box-sync or box-edit may be used on a secured workstation.

Data processing

All processing of the data set shall be executed on only the workstations that have been certified to meet the criteria set forth on this webpage, using storage locations outlined in the previous section.

No processing will be done on any third party systems, other cloud services or other computers.

Statistical results, which do not contain any HIPAA identifiers, are considered the output of the research and can be stored on other systems. These shall not contain any dates (other than year alone), or any other HIPAA identifiers, from the original data set. If any uncertainty exists to the exact definition of what constitutes LDS PHI, contact the UW HIPAA Privacy Officer.

Maintenance and testing of security posture

Per UW Endpoint Management and Security policy 526 (Source: policy.wisc.edu) and Information Technology (IT) Asset Reporting policy 527 (Source: policy.wisc.edu) , your IT department is required to maintain and test the security posture of these devices.

Workstation requirements for non UW-Madison/external collaborators

All collaborator’s listed as accessing SecureBox folder shouldt fill out and submit an Endpoint Security Checklist (pdf).

 

FAQs

This is an accordion element with a series of buttons that open and close related content panels.

What is the intended use for SecureBox folder for ePHI?

A secure SecureBox folder is primarily intended for storing ePHI or a Limited Data Set (LDS) securely for collaboration with external (outside of the UW–‍Madison) entities. There may be more appropriate secure collaboration solutions for sharing data internally between UW–‍Madison departments and/or UW Health. Please consult with your local HIPAA Security Coordinator or IT department before requesting a SecureBox folder.

Once I obtain a HIPAA-approved SecureBox, can I use any device to access it?

No, you may only use UW–Madison managed devices which meet the technical compliance standards established in this process. These devices must be identified and documented with your request.

Who is responsible for maintaining technical configuration compliance of my workstation(s)?

Your HIPAA Security Coordinator will work with your local IT department to verify compliance initially and make sure it continues to meet security requirements on a regular basis. This includes routine security patches and anti-malware updates among other things.

Can I use Box-sync?

Yes. Box sync may be used on approved and managed workstations.

How long will it take to get an ePHI SecureBox folder approved and working?

The process to create a SecureBox folder to store ePHI is a collaboration between the Office of Cybersecurity and your local IT department and/or HIPAA security coordinator. The workstations used to access the SecureBox folder must meet technical compliance standards before folder access is granted. External collaborators should complete and submit the External Collaborator’s Asset security form. Consult with your HIPAA security coordinator and/or your local IT department prior to submitting the request form to ensure that an ePHI SecureBox folder is an appropriate solution.

Who is my HIPAA security coordinator?

UW–‍Madison HIPAA security coordinators are listed on the HIPAA Program website.

How do I know if I am storing ePHI?

The Office of Compliance has developed a webpage that defines ePHI/PHI and how to keep it confidential.

Questions about SecureBox Folder requirements?