Is the cloud storage service Box HIPAA compliant?

Box is a cloud data storage and management service that allows users to access data from different devices. However, before it can be used in a healthcare setting to manage and store protected health information (PHI), Covered Entities must ensure that Box is HIPAA compliant.
There are a number of features of Box that make it attractive for users. Once information is uploaded to its servers, it can be edited, shared, or viewed by multiple collaborators. If it is to be used by HIPAA-covered entities (CEs; healthcare providers, clearinghouses, or health plans) or their business associates (BAs), they must ensure that they use a business, enterprise, or elite account. Personal accounts cannot be used by businesses.
The Conduit Exception Rule means that business associate agreements (BAAs) are not required between CEs and a narrow range of organizations. Whether the exception applies depends on the service the third party provides, and the rule causes much confusion for CEs. Internet service providers, for example, are exempt, as they act only as a conduit for information.
Cloud service providers, such as Box, are not exempt. Even if Box itself can never access PHI, CEs and their BAs must ensure that they enter into a BAA with Box before using its service. Box has been entering such agreements since 2013, but only if the client has an enterprise or elite account.
Box states that it has implemented the necessary safeguards to ensure that any PHI uploaded to its service is protected both in transit and at rest. This helps it to comply with the HIPAA Security Rule, which stipulates the minimum security standards needed to maintain the confidentiality, integrity, and availability of healthcare information. This includes ensuring that only authorized individuals can access the data, which helps to prevent breaches. CEs must also maintain logs of who has access to the data and when it was accessed. Box services have been audited by an independent body to ensure that the platform supports HIPAA compliance.
The Box for Healthcare Service was launched specifically to support CEs' use of Box in a HIPAA-compliant manner. It integrates with other common technologies such as Microsoft, Apple, IBM, TigerText, EDCO Health apps, and eHealth Technologies. This eases workflows and allows the secure transfer of information.
So, is Box HIPAA compliant? As long as the CE or BA using Box's services has obtained a BAA before any PHI is uploaded to the platform, Box is HIPAA compliant. Even so, the CE or BA must ensure that employees are trained in the proper use of the service to avoid inadvertent HIPAA violations.