In Spring 2014, Duke entered into a Business Associates Agreement (BAA) with Box that enables HIPAA-compliant usage. Box complies with the security and privacy protections for ePHI (protected health information) mandated for HIPAA compliance.
Duke faculty, staff, and students receive Duke Box accounts. Users are subject to the types of data-sharing restrictions outlined by the Duke University & Duke Health security policies. In accordance with the Acceptable Use Policy, Duke may be required to access information to diagnose and correct technical problems.
Use of Duke’s Box service indicates user acceptance of the following:
Box Training: The Use of Box with Sensitive Data
Duke Health: All Duke Health users of Duke’s Box service are strongly encouraged to complete an online training module, but it is not required for access.
To complete the training:
- Visit the learning management system (LMS) and log in with your NetID and password.
- On the home page, go to the Catalog Search box, enter “box” and click Search.
- Click the blue Register link for the course entitled “Using BOX for Sensitive Data.”
- The course should launch automatically; if it does not, click the Launch Content link.
- View all the slides and pass with 80 percent or above to complete the course.
- If you don’t finish the course in one session, you can complete it at a later time. When you log back into the LMS, look for In-Progress Learning, and click on the Launch button next to the class title to restart where you left off.
How Box protects your data
Box protects your data using encryption and access controls. All communication with Box from your computer and/or mobile device is encrypted using SSL. Data is encrypted in storage using 256-bit AES encryption. Access to your Duke Box account is controlled using your Duke NetID and password, and access to files in your Box account is controlled by permissions you set. By default, access is set to private on Duke Box accounts.
For additional information or questions about policies, security, or use of Sensitive and/or Restricted data, email the Security Office at email@example.com.
Example Data Types & Use in Duke’s Box Environment
|Non-confidential or general||Data that does not include any information which could be used to identify the individuals involved in the research||YES|
|human subject research||Any individually identifiable research data containing sensitive information about mental health, genetics, alcohol & drug abuse, or illegal behaviors.||Contact Security Office: firstname.lastname@example.org|
|research (ITAR, EAR)||Technical data related to military or space applications, including military electronics and devices, such as high-tech processing equipment and FLIR cameras. Additional examples include information related to explosives detection, encryption software, high-tech lasers, nuclear technologies, and advanced transportation technologies.||NO. Contact Security Office for alternatives: email@example.com|
|Grades, student transcripts, degree information, disciplinary records, and class schedule.||YES|
|Contact Security Office:|
|Any unique identifying attribute, characteristic, code, or combination that allows identification of an individual, and that is combined with medical or health information.||Contact Security Office:|
|FISMA data||Government data that is regulated by the Federal Information Management and Security Act, including VA data, FDA data, and Medicare data.||Contact Security Office:|
|Social Security Numbers||123-45-6789||Contact Security Office:|
|Gramm Leach Bliley (GLBA) student loans application||Student loan information, payment history, and student financial aid data.||Contact Security Office:|
|Cardholder name, account number, expiration date, verification number, security code.||NEVER Permitted|