HIPAA FAQs
What is HIPAA?  
  • HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
  • It is a federal mandate that requires specific security and privacy protections for Protected Health Information (PHI).
  • More information around HIPAA can be found here: http://www.hhs.gov/ocr/privacy/index.html.
What is the HITECH Act and the Final HIPAA Omnibus rule?  

Box Answer:

  • The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009, to promote the adoption and meaningful use of health information technology in the U.S.
  • In 2013, the final HIPAA Omnibus rule set further statutory requirements, which greatly enhanced a patient’s privacy rights and protections, including holding all custodians of Protected Health Information (PHI) — including HIPAA Business Associates (BA) — subject to the same security and privacy rules as Covered Entities under HIPAA.
How does Box facilitate HIPAA compliance for its customers?  

Box Answer:

  • The Box product/platform meets the obligations required by HIPAA, HITECH, and the final HIPAA Omnibus ruling.
  • Box signed BAA addendums to with UNMC RITO who have an Enterprise or Elite account and want to be HIPAA compliant.
  • RITO Answer: UNMC RITO configured UNMC Box with required security settings for enforcing policies to meet HIPAA compliance. The security settings were reviewed by Security, Privacy, and Compliance before BAA was signed. Some additional security has been imposed in 2017 to provide additional protection to the hosted data.
Is there any kind of industry certification that Box has undergone to prove it supports HIPAA compliance?  

Box Answer:

  • There are no official government or industry certifications for HIPAA compliance. In order to support HIPAA compliance, Box has reviewed the HIPAA regulations and updated its product, policies and procedures to support customers around their need to be HIPAA compliant.
  • Box has also been evaluated by an independent, third party auditor who has issued an evaluation report (HIPAA AUP) that details the controls Box has in place to meet HIPAA requirements in regard to data privacy and security.
How do I get a copy of the third-party audit report on Box HIPAA compliance?  
  • RITO could contact dedicated Box representative to get the report for you.
How does Box support HIPAA compliance within its product and platform?  

Box Answer:

In addition to being able to sign HIPAA BAAs, Box has the following features in its product as well as organizational policies:

  • Data encryption in transit and at rest
  • Restricted physical access to production servers
  • Strict logical system access controls
  • Configurable administrative controls available to the UNMC RITO to:
    • Grant explicit authorization to customer files to read, download, edit, lock and password protect files
    • Monitor access
    • Reporting and audit trail of account activities on both users and content
    • Formally defined and tested breach notification policy
    • Training of employees on security policies and controls
    • Employee access to customer data files are highly restricted
    • Mirrored, active-active data center facilities to mitigate disaster situations
    • 99.9% uptime SLA
    • SSAE 16 SOC1 and AT-101 SOC2 Type II Reports
    • Additionally, Box is ISO 27001 certified
What types of customer and administrator controls does Box have that are relevant to HIPAA requirements?  

Box Answer:

  • Controls to provide reasonable assurance that instructions and information provided to Box by the UNMC Box customers are in accordance with the provisions of the Box Service Agreement with the customer, or other applicable governing agreements or documents between Box and its customers.
  • Controls to provide reasonable assurance that only authorized individuals from the user entity are granted the ability to access, modify, and delete information from Box’s application.
  • Controls to provide reasonable assurance that the user entity’s method for accessing Box’s application is configured with proper logical security protocols.
  • Controls to provide reasonable assurance that the confidentiality of the user entity’s sensitive information is not compromised by its users.
  • Controls to provide reasonable assurance for defining and granting access to users permitted by the user entity.
  • Controls to provide reasonable assurance that user accounts and access permissions are correctly specified on an ongoing basis, including revoking accounts.
Has Box signed HIPAA Business Associate Agreements (BAAs) with customers to date?  

UNMC Answer:

  • Yes, Box has signed BAA with UNMC. 
What types of Box accounts can be HIPAA compliant?  

Box Answer:

  • Box applies the same security and privacy controls for all of its customers, whether Personal, Starter, Business, Enterprise or Elite accounts.
  • However, customers who are required by law to comply with HIPAA, such as HIPAA Covered Entities and HIPAA Business Associates, must have an Enterprise or Elite account with Box and sign a HIPAA BAA.
Are Box partners automatically HIPAA compliant?  

Box Answer:

  • Box partners that offer a product or service to a HIPAA Covered Entity or another HIPAA Business Associate (BA) and are handling Protected Health Information (PHI) must sign a HIPAA BAA with the UNMC. Please refer to the Box partner’s website for information on their HIPAA compliance.
Can Box sign HIPAA BAA with partners who are doing business with healthcare customers (e.g., Covered Entities or other Business Associates)?  

Box Answer:

  • Yes, Box has the ability to enter into a direct BAA with the partner as well as directly with the partner’s customer as needed. 
What is HIPAA?  
  • HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
  • HIPAA is a federal mandate that requires protections regarding security and privacy on Protected Health Information (PHI). More information around HIPAA can be found here: http://www.hhs.gov/ocr/privacy/index.html       
What is Protected Health Information (PHI)?  
  • Protected Health Information (PHI), also referred to as protected health information, generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that is collected by a health care professional to identify an individual and determine appropriate care.
What is Personally Identifiable Information (PII)?  
  • Personally Identifiable Information (PII) is a subset of Protected Health Information (PHI), and refers to information that is uniquely identifying to a specific individual. Protected Health Information (PHI) is specific to medical and health-related use.
What is a HIPAA Covered Entity?  
  • A HIPAA Covered Entity (CE) stewards Protected Health Information (PHI) and/or Personally Identifiable Information (PII) on patients in the process of providing healthcare care or paying for care.  Examples of HIPAA Covered Entities (CE) are one of the following:
  • Healthcare provider:
  • Including doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies that transmits any information in an electronic form in connection with a transaction for which the U.S. Department of Health and Human Services (HHS) has adopted a standard.
  • Health plan:
  • Including health insurance companies, HMOs, company health pans, government programs that pay for healthcare (like Medicare and Medicaid)
  • Healthcare clearinghouses:
  • Including entities that process non-standard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
What is a HIPAA Business Associate (BA)?  
  • A HIPAA Business Associate (BA) refers to a person or organization that conducts business with the HIPAA Covered Entity (CE) and touches the Protected Health Information (PHI) or Personally Identifiable Information (PII) that the covered entity is stewarding on behalf of the patient.
  • Business Associates (BAs) include those vendors or services that do business with the HIPAA covered entity (CE). Examples are service organizations or vendors that contract with the HIPAA Covered Entity (CE) that may provide: software such as Electronic Health Records (EHRs), claims processing, data analysis, utilization review, billing, legal services, actuarial services, accounting services, consulting services, data aggregation, accreditation services, or financial services. To be a HIPAA Business Associate (BA), the work of an organization must deal directly with the use or disclosure of Protected Health Information (PHI) and/or Personally Identifiable Information (PII).
What is a HIPAA Business Associate Agreement (BAA)?  
  • A HIPAA Business Associate Agreement (BAA) is a legal document that a HIPAA Business Associate (BA) enters into with a HIPAA Covered Entity (CE).
What is the HITECH Act?  
  • The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology in the U.S.
What does the HITECH Act have to do with HIPAA or patient privacy?  
  • Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
What is the final omnibus rule and how does this apply to HIPAA?  
  • The final omnibus rule is based on statutory changes under the HITECH Act, and was enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009.  The rule made the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented in 1996. 
  • The omnibus rule greatly enhanced a patient’s privacy rights and protections, as well as included support for the Genetic Information Nondiscrimination Act of 2008 (GINA).  It also strengthened the government’s ability to enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a HIPAA covered entity (like a health plan, a health care provider or retail pharmacy) or one of their third party contractors that is a HIPAA Business Associate.