Security & Usage Practices

In the Spring 2014, Duke entered into a Business Associates Agreement (BAA) with Box that enables HIPAA-compliant usage. Box complies with the security and privacy protections for ePHI (protected health information) mandated for HIPAA compliance.

Duke faculty, staff, students and affiliates can receive Duke Box accounts. Users are subject to the types of data-sharing restrictions outlined by the Duke University & Duke Medicine security policies. In accordance with the Acceptable Use Policy, Duke may be required to access information to diagnose and correct technical problems.

Use of Duke’s Box service indicates user acceptance of the following:

Box Training: The Use of Box with Sensitive Data

Duke Medicine: All Duke Medicine users of Duke’s Box service are strongly encouraged to complete an online training module.

To complete the training:

  1. Visit the learning management system (LMS) and log in with your NetID and password.
  2. On the home page, go the Catalog Search box, enter “box” and click Search. Click the blue Register link for the course entitled “Using BOX for Sensitive Data.”
    Saba Screenshot
  3. Click the blue Register link for the course entitled “Using BOX for Sensitive Data.”
  4. The course should auto launch, if not click the Launch Content link.
  5. View all the slides and pass with 80 percent or above to complete the course.
  6. If you don’t finish the course in one session, you can complete it at a later time. When you log back into the LMS, look for In-Progress Learning, and click on the Launch button next to the class title to restart where you left off.

How Box protects your data

Box protects your data using encryption and access controls. All communication with Box from your computer and/or mobile device is encrypted using SSL. Data is encrypted in storage using 256-bit AES encryption. Access to your Duke Box account is controlled using your Duke NetID and password, and access to files in your Box account is controlled by permissions you set. By default, access is set to private on Duke Box accounts.

For additional information or questions about policies, security, or use of Sensitive and/or Restricted data, email the Security Office security@duke.edu.
Example Data Types & Use in Duke’s Box Environment

Data Type Example Permitted?
Non-confidential or general
business
YES
De-identified human
subject research
Data that does not include any information which could be used to identify the individuals involved in the research YES
Sensitive identifiable
human subject research
Any individually identifiable research data containing sensitive information about mental health, genetics, alcohol & drug abuse, or illegal behaviors. Contact Security Office: security@duke.edu
Export controlled
research (ITAR, EAR)
Technical data related to military or space applications, including military electronics and devices, such as high-tech processing equipment and FLIR cameras.  Additional examples include information related to explosives detection, encryption software, high-tech lasers, nuclear technologies, and advanced transportation technologies. NO

Contact Security Office for alternatives: security@duke.edu

Student educational
records (FERPA)
Grades, student transcripts, degree information, disciplinary records, and class schedule. YES
Medical Record
Numbers (MRN)
Contact Security Office:

security@duke.edu

Protected health
information (ePHI-HIPAA)
Any unique identifying attribute, characteristic, code, or combination that allows identification of an individual, and that is combined with medical or health information. Contact Security Office:

security@duke.edu

FISMA data Government data that is regulated by the Federal Information Management and Security Act, including VA data, FDA data, and Medicare data. Contact Security Office:

security@duke.edu

Social Security Numbers 123-45-6789 Contact Security Office:

security@duke.edu

Gramm Leach Bliley (GLBA)
student loans application
information
Student loan information, payment history, and student financial aid data. Contact Security Office:

security@duke.edu

Payment card
information (PCI)
Cardholder name, account number, expiration date, verification number, security code. NEVER Permitted