Box Security
      • 18 Sep 2024

      The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal mandate that requires safeguards for protected health information (PHI). This article explains why Apex uses the Box platform to receive sensitive data such as PHI and personally identifiable information (PII).

      Why Box?

      To meet the requirements set by HIPAA, Apex cannot acquire data via email, flash drive, or postal mail. The Box platform and its associated products have been compliant with HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH), and the final HIPAA Omnibus Rule since November 2012. All PHI stored in Box is secured in accordance with HIPAA, and Box signs Business Associate Agreements (BAAs) with all clients who plan to store PHI in the cloud. Box ensures HIPAA compliance through several important features and organizational policies:

      • Data encryption (in transit and at rest)

      • Restricted physical access to production servers

      • Strict logical system access controls

      • Reporting and audit trails of account activities (on both users and content)

      • Training of employees on security policies and controls

      • Highly restricted employee access to customer data files

      • Mirrored, active-active data center facilities to mitigate disaster situations

      These controls are reviewed as part of Box’s annual SOC 2 audit, and Box has received the Avertium and ISO 27001 certifications. Box continuously updates its products, policies, and procedures to maintain HIPAA compliance. The platform has also been evaluated by a third-party auditor, who issued a report affirming that Box has controls in place to meet HIPAA requirements for privacy and data security.

      How does Apex use Box?

      To ensure that Apex remains compliant and secure when gathering data, Apex limits access to files within Box to the individuals uploading the files and to those who have been granted access under a Business Associate Agreement (BAA) signed by the evaluation team and the site. This agreement also protects the data and ensures that Apex uses it only for the agreed-upon purposes.

      Document upload is performed by site staff who already have access to the documents Apex is requesting, as well as by the project team. Site staff upload to a secure folder limited to the Apex project team and the site staff themselves. Site staff have no access to any documents other than the ones they uploaded to the secure Box folder or that the Apex team placed in the folder for them to view, and no site has access to any other site’s data. Apex has a HIPAA/FERPA Compliance Officer who checks that the data collection processes remain HIPAA compliant and secure, and Apex uses strict protocols and security processes, enforced through the granular permissions within Box, to ensure that only those who need access to the data receive it.
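      The per-site folder model described above can be verified rather than assumed. The following is an added example, not code from the original article or from Box: it audits a constructed set of folder collaborations and reports any collaborator who is neither on the project team nor staff of the site that folder belongs to. The folder names, addresses and site-to-staff mapping are constructed sample data.

```python
# Constructed sample modelled on the article's access model: one secure
# folder per site, shared only with the Apex project team and that site's
# own staff. These records are made up, not fetched from Box.
PROJECT_TEAM = {"pm@apexeval.org", "analyst@apexeval.org"}

# Site staff user -> the site that user belongs to (constructed).
SITE_STAFF = {
    "nurse@site-a.example": "site-a",
    "admin@site-b.example": "site-b",
}

# Folder name -> (owning site, set of collaborators). Site B's folder has
# been over-shared on purpose so the audit has something to find.
FOLDERS = {
    "Secure Upload - Site A": ("site-a", {"pm@apexeval.org", "nurse@site-a.example"}),
    "Secure Upload - Site B": ("site-b", {
        "analyst@apexeval.org",
        "admin@site-b.example",
        "contractor@other.example",   # not on the project team, not site staff
        "nurse@site-a.example",       # staff of a different site
    }),
}


def audit_folder_access(folders, project_team, site_staff):
    """Return (folder, user, reason) tuples for every collaborator who
    should not be on a site folder. Acceptable collaborators are project
    team members and staff of that same site; everyone else is a finding."""
    findings = []
    for name, (site, collaborators) in folders.items():
        for user in sorted(collaborators):
            if user in project_team:
                continue
            staff_site = site_staff.get(user)
            if staff_site is None:
                findings.append((name, user, "unknown collaborator"))
            elif staff_site != site:
                findings.append((name, user, f"staff of {staff_site} on {site} folder"))
    return findings


if __name__ == "__main__":
    for folder, user, reason in audit_folder_access(FOLDERS, PROJECT_TEAM, SITE_STAFF):
        print(f"{folder} | {user} | {reason}")
```

      An empty result means every site folder is shared only as the article describes; each finding is a collaboration to remove or justify.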

      Still have questions? We’re here to help. Reach out to us at support@apexeval.org.