Is Box HIPAA compliant? The short answer is, "It can be." However, there are specific criteria to consider before choosing a cloud provider for material covered by HIPAA. Compliance is multi-faceted, and failure to follow proper protocol carries significant penalties. It is therefore important to understand the options, specifically as they apply to Box.com and to other providers, like eFileCabinet.
Formerly Box.net, Box.com is a cloud-based file storage and content management service. It provides 10 GB of free storage for personal use. Users control how their content is made available to other members: they can invite other users to view, add, edit, and upload files in their shared folders.
Box.com offers three account tiers: personal, business, and enterprise. Each tier comes with its own set of services, such as custom branding, unlimited storage capacity, and various administrative controls. Additionally, in 2014, Box.com acquired MedXT.
Box.com Compliance with HIPAA
In 2013, Box.com announced support for the HIPAA and HITECH rules and regulations. It also announced that it would sign Business Associate Agreements (BAAs), which at the time set it apart, as only a handful of cloud-based companies were willing to do so.
Box.com does meet the HIPAA and HITECH obligations, including the Omnibus Rule. Be advised that a BAA must be signed (on an Enterprise or Elite account) before any Protected Health Information (PHI) is uploaded or stored. However, Box.com customers remain responsible for configuring and organizing their Box deployment to meet the HIPAA requirements. In essence, Box.com is a cloud storage platform whose security controls are sufficient to support HIPAA compliance; the BAA and the platform controls are necessary but not sufficient on their own. How the information is handled, who is granted access, and how the storage software is used within an organization must be governed by the organization itself to adhere to HIPAA standards. Is Box HIPAA compliant? It is if HIPAA guidelines are adhered to in its implementation.
HIPAA Security Requirements for Cloud Storage of Patient Records
The Health Insurance Portability and Accountability Act (HIPAA) sets the baseline for protecting confidential patient information. All organizations that handle this sensitive data must adhere to HIPAA's rules and regulations. Covered Entities (CEs) and Business Associates (BAs) are both held responsible for complying with these requirements.
The HIPAA Security Rule defines administrative, physical, and technical safeguards that must be adhered to. The physical safeguards cover facility access controls and the policies and authorizations surrounding workstations and devices. The technical safeguards are all about authorized access to electronic PHI. This includes things like unique user IDs, automatic logoff, audit controls, and encryption and decryption of stored and transmitted data. Moreover, independent security certifications and audits are advisable for any cloud storage company that will hold PHI.
There are six things to look for when considering document management software (DMS):
- Secure Databases: Good DMS encrypts documents at rest and in transit and exposes them only through authenticated access; there should be no path to a document that bypasses the login.
- Data Backup: HIPAA requires backups to be stored at a separate location; good DMS will offer that in its package.
- Client Portals: These are better than email attachments because they require clients to log in before they can share, view, or edit documents, so PHI never travels through an uncontrolled mailbox.
- Automatic Retention: HIPAA requires the retention of employee and patient records, and automatic retention policies ensure the records do not get accidentally deleted before the retention period ends.
- Position-Based Security: Individuals should only have access to the documents required for their roles. This role-based access control grants access on a need-to-know basis.
- Usage Transparency: Every document interaction (view, edit, share, delete) should be recorded with who did it and when, so that all activity is readily traceable. The audit trail itself should be readable only by designated administrators, and none of its entries should be alterable or deletable by anyone, administrators included.
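The last two items, position-based security and usage transparency, are the ones most often implemented badly, so here is an added illustration of what "need-to-know" and "not alterable" mean in code. This is example code written for this page, not code from Box.com, eFileCabinet, or any HIPAA guidance; the role names, document categories, and hash-chain layout are assumptions made for the example. Each access decision is appended to a log in which every entry carries the hash of the previous entry, so editing or deleting any entry breaks verification of the chain from that point on.

```python
"""Need-to-know access checks with a tamper-evident audit trail.

Added illustration for this page (not Box.com or eFileCabinet code).
Role names, document categories and the hash-chain format are assumptions.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed role model: each role may perform only the listed actions on a
# document category. Anything not listed is denied (need-to-know).
PERMISSIONS = {
    "clinician": {"patient_record": {"view", "edit"}},
    "billing":   {"patient_record": {"view"}, "invoice": {"view", "edit"}},
    "admin":     {"audit_log": {"view"}},
}

GENESIS_HASH = "0" * 64  # hash "before" the first entry


@dataclass
class AuditLog:
    """Append-only log. Each entry stores the hash of the previous entry and
    its own hash over all other fields, so any edit or deletion is detected
    by verify()."""
    entries: list = field(default_factory=list)
    last_hash: str = GENESIS_HASH

    @staticmethod
    def digest(entry):
        # Hash every field except the stored hash itself, in a canonical order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user, role, action, document, allowed):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "action": action,
            "document": document,
            "allowed": allowed,
            "prev": self.last_hash,
        }
        entry["hash"] = self.digest(entry)
        self.entries.append(entry)
        self.last_hash = entry["hash"]

    def verify(self):
        """Return True only if every entry's hash matches its contents and
        links to the entry before it."""
        prev = GENESIS_HASH
        for entry in self.entries:
            if entry["prev"] != prev or self.digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def authorize(log, user, role, action, document, category):
    """Decide whether `role` may perform `action` on a document of `category`.
    Both allowed and denied attempts are logged."""
    allowed = action in PERMISSIONS.get(role, {}).get(category, set())
    log.append(user, role, action, document, allowed)
    return allowed


if __name__ == "__main__":
    # Constructed sample activity, not data from any real system.
    log = AuditLog()
    authorize(log, "drsmith", "clinician", "edit", "chart-001", "patient_record")
    authorize(log, "bob", "billing", "edit", "chart-001", "patient_record")  # denied
    print("log intact:", log.verify())
    log.entries[1]["allowed"] = True  # someone tries to rewrite history
    print("log intact after tampering:", log.verify())
```

A real deployment would write the log to storage the application user cannot rewrite and would periodically anchor the latest hash somewhere external, but the shape is the same: the access decision and the record of it are made together, and the record cannot be changed after the fact without detection.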
Box.com Security vs. eFileCabinet
Deciding between these two cloud-based services might prove an interesting endeavor. We discussed Box.com's design and features above. eFileCabinet came about as a means of enabling an accounting firm to go paperless. The concept was to allow any business with an actual file cabinet on-site (packed full of paper and computer disks) to move those documents to cloud storage.
File Sharing and Storage
eFileCabinet has repositories designed to meet the HIPAA regulatory requirements. It offers storage with 256-bit encryption on SAS 70 Type II certified servers. Note that SAS 70 was superseded by SSAE 16 (and the SOC 1 and SOC 2 reports) in 2011, so when comparing providers today, ask for a current SOC 2 Type II report rather than a SAS 70 attestation. While Box.com also offers encrypted storage, eFileCabinet's security controls were designed from the start for a business document workflow rather than for the personal-use case Box.com grew out of. This reduces the configuration work a practice has to do itself, although it does not remove the covered entity's own obligations under HIPAA.
While Box.com requires users to configure their own deployment to make it HIPAA compliant, eFileCabinet does some of this for you. Built-in management features alert users when a document needs attention, whether for a signature or an approval. Workflow is easier to manage because everything is done electronically, and accounts are monitored for security threats. Ultimately, eFileCabinet meets all six of the HIPAA DMS recommendations listed above.
Certainly, there are a number of cloud-based storage companies available to consumers. Unfortunately, many of these are simply consumer-grade storage services and will not meet the HIPAA compliance requirements in a way that protects users and patients. Is Box HIPAA compliant? Yes, provided a BAA is in place and the deployment is configured and used according to HIPAA guidelines. However, if you are looking for a HIPAA-compliant document management system, eFileCabinet might be the best choice for you. To see how eFileCabinet can help your business, let's talk.