Security and Privacy

Is Stanford Medicine Box approved for storing PHI and PII?

Yes.  Stanford Medicine Box is approved for storing PHI (Protected Health Information, i.e. information protected under HIPAA) and PII (Personally Identifiable Information).

Where can I store PHI or PII in Box?

Only folders that carry the green “Safe for PHI & PII” tag are approved to store PHI (Protected Health Information) or PII (Personally Identifiable Information).

The tag looks like this: (image of the green “Safe for PHI & PII” folder tag; not reproduced here)

What requirements must be met for me to share PHI or PII with another Stanford Medicine User?

Both of you need Stanford Medicine Box accounts.  Files with PHI or PII may only be placed in folders marked as “Safe for PHI & PII”.

Stanford Medicine Box relies on you to decide whether PHI or PII should be shared, and with whom.  Each folder in Box lists the other people able to access the files in that folder (collaborators).  Before placing a file (especially one containing PHI or PII) in any folder, verify that every collaborator on that folder is appropriate; anyone listed will be able to access the file as soon as it is uploaded.

Storing or sharing Stanford Medicine PHI or PII in personal Box accounts, Box accounts with other organizations, or via other cloud platforms such as Dropbox or Google Drive is not permitted.

With whom can I share files?

Files containing PHI or PII may only be shared with other Stanford Medicine Box users.  All other files may be shared globally.  Please see this link for details.

Can I share files outside Stanford Medicine?

Only from folders that are not marked “Safe for PHI & PII”.  External users may only be added as collaborators on documents that contain no PHI or PII.

What requirements must be met for me to access Stanford Medicine Box?

Please review Stanford Medicine Box requirements for details.

Can I access PHI or PII from a mobile device?

You can view your files (including those containing PHI and PII) via the Box for EMM app.

For security reasons, saving files from Stanford Medicine Box to your mobile device is not currently allowed.

Saving to mobile devices is scheduled to be enabled in January for all Stanford Medicine Box users.

What requirements must be met for me to share PHI with people outside Stanford Medicine?

Stanford Children's Health and Stanford School of Medicine: A Business Associate Agreement (BAA) must be in place with the recipient's organization.  If the non-Stanford Medicine recipient wants to access or download the information, the system they use must meet the HIPAA safe harbor requirements for encrypted data:

  • Full disk encryption in place (AES-256 preferred)
  • A user logon ID protected by a password

Stanford Health Care: This capability does not exist; Stanford Health Care users cannot share PHI with people outside Stanford Medicine via Box.

Why can Stanford Health Care and Stanford Children's Health users only use Box, and not other cloud storage solutions?

Other cloud solutions do not currently meet the HIPAA and HITECH requirements.

How is PHI or PII flagged and quarantined?

When PHI or PII is discovered in a folder that is not marked “Safe for PHI & PII”, the file is moved to a temporary quarantine vault folder that is accessible only to the owner of the original folder; the other collaborators on that folder lose access to it.  Please review this link for more details.