Box for Restricted Data – Health

Baylor University offers Box for Restricted Data – Health as a HIPAA-compliant resource designed to meet the security requirements for electronic Protected Health Information (ePHI).  Using the standard Baylor University Box platform is not suitable for storing ePHI.

To gain access to Box for Restricted Data – Health, go to helpdesk.baylor.edu using a web browser. Click Service Catalog, select the Box for Restricted Data – Health Folder request option. Or, you can simply use the Request Access button above. Complete the form fields and submit the form. Information Technology Services will process the request and provide a confirmation once complete.

Data considered as electronic Protected Health Information (ePHI) may be stored in Box for Restricted Data – Health. Examples of ePHI include patient records, lab results, electronic communications related to patient information, appointment reminders, identifiable patient information such as date of birth and home address, pathology reports, insurance information, and many more examples. Use of Box for Restricted Data – Health is also suitable for storing data from research associated with human subjects, external research agreements, and federal funders that provide ePHI. 

ITS does not recommend storing personal documents in Box for Restricted Data – Health. Storing personal files is permitted in the Baylor Box instance through the Incidental personal use reference in BU-PP-025. Storing personal files, if desired, should be placed outside of Box for Restricted Data – Health in the standard Baylor Box platform.

Yes, you can collaborate with people outside of Baylor by inviting a person to be a Collaborator within a folder. You may assign a permission level of “Editor” or below. View the Understanding Collaborator Permission Levels document for additional information.

When working with human subjects at Baylor University, you must gain approval for the access of external collaborators or collaborating Institutions through the Baylor University – Institution Review Board (IRB) before inviting a collaborator. The IRB provides review and determination of human subjects research protocols. It is your responsibility to identify Key Research Personnel, collaborate with the Baylor IRB to review and receive approval, and to only add those approved personnel as external collaborators in the Box for Restricted Data – Health platform. Visit the Baylor University IRB Resource website for more information.

No, it is not necessary to set up a Bear ID for a person collaborating with you from outside of Baylor University. You may invite the person using their non-Baylor email address. The non-Baylor person collaborating with you will need to set up two-factor authentication and have a strong password to access content stored in Baylor’s Box environment. If their current password does not meet Box’s strong password requirement, they will be required to change their password to access content in Box for Restricted Data – Health. 

Account setup requirements for external collaborators are available in this document. Instructions are included for two-factor authentication options. 

Yes, when naming files and folders, avoid using patient names in file or folder names. If necessary, use a pseudonym or identifier in the file name. Avoid including address, dates of birth, or other demographic information in file or folder names.

Good Examples of HIPAA-Compliant File Naming Conventions:

• ProjectName_Date_Version (e.g. ProjectHealthyBear_Feb-15-2025_v1.doc)
• Identifer_Type_Description_Date-MMDDYYYY (e.g. 12345_SummaryReport_06022025.pdf)
• Folder_Name_Description_Date-MMDDYYYY (e.g. PatientRecords_06022025.xls)

Bad/Non-Compliant Examples of HIPAA-Compliant File Naming Conventions:

• John_Smith_MRI Results.png
• Patient SSN 123-45-6789_Medical Record.doc 
• Jane_Smith_HypertensionTreatmentPlan.pdf

No. Baylor licenses Box for Restricted Data – Health for current faculty, staff, and students only. It is provided to be used primarily for storing electronic Protected Health Information (ePHI) in cases where files must be stored in alignment with HIPAA security controls. By using Box for Restricted Data – Health, faculty and staff who serve as the primary account holder agree to store records for the period of time required by the external agreement, research grant, Institutional Review Board, or other governing authority that applies to storing ePHI which warranted your use of Box for Restricted Data – Health. Additional information on record retention and archival may be found in the Baylor University Records Retention and Archival Policy.

Box for Restricted Data – Health supports the most recent major release of web browsers and Operating Systems. Additional information on supported web browsers and Operating Systems are available from Box. 

If choosing to download files from Box for Restricted Data – Health, you may only download files to a Baylor University-managed computer that has encryption applied to the local hard drive of the computer. Downloading files to personal computing devices, including mobile phones, is prohibited. Collaborators who are provided access to Box for Restricted Data – Health outside of Baylor University may only access files online and are not allowed to download files.

How Do I Know If My Computer is Encrypted?

For macOS Ventura and later:

1. Click the Apple menu () in the top-left corner of your screen.
2. Select System Settings.
3. In the sidebar, click Privacy & Security.
4. Scroll down until you find FileVault.
5. If it says "FileVault is On", your hard drive is encrypted. If it says "FileVault is Off," it's not encrypted. You'll also see the option to turn it on or off.

For Windows 11:

1. Open the Start menu and type "Control Panel", then open it.
2. Click on BitLocker Drive Encryption.
3. You will see a list of your drives. Next to each drive, it will clearly state if BitLocker is On, Off, or Encrypting. If BitLocker is listed as on, the drive is encrypted.

For assistance enabling encryption on a computer that is not encrypted, please contact HelpDesk+.

Look for the green shield label “Box for Restricted Data – Health Folder” in Box on the web. It will appear in these places:  1 - Next to the name of a file or folder, 2 - In the Details tab of the right-side pane on a file or folder.

Sponsors are assigned the Editor permission level and are able to assign the permission levels listed below to collaborators.

Link to Full Permissions Matrix

Editor

An editor has full read/write access to a folder or file. Once invited to a folder or file, the editor is able to view, download, upload, edit, delete, copy, move, rename, generate and edit shared links, make comments, assign tasks, create tags, and invite/remove collaborators. The editor is not able to copy, delete, or move root level folders. Downloads should only occur on Baylor-issued computers with encrypted drives (see FAQ #9).

Viewer Uploader

This access level is a combination of Viewer and Uploader. A viewer uploader has full read access to a folder and limited write access. They are able to preview, edit (online only), add comments, generate shared links, and upload content to the folder. They are not able to download, add tags, invite new collaborators, or delete items in the folder. To update a file, people with this permission must edit documents using online editing tools only. For example, Word online can be used to edit a Word document, but they cannot download the file and edit it with the desktop version of Word.

Viewer

A viewer has read access to a folder or file. Once invited to a folder, the viewer is able to preview, make comments, and generate shared links. The viewer is not able to download, add tags, invite new collaborators, edit shared links, upload, edit files, or delete items in the folder.

Previewer Uploader

This access level is a combination of Previewer and Uploader. A previewer uploader has limited read and write access to a folder. They are able to preview, add comments, add tasks, and upload content to the folder. They are not able to download, add tags, generate shared links, invite new collaborators, edit or delete items in the folder.

Previewer

A previewer has limited read access. The previewer is able only to preview the items in the folder using the integrated content viewer. The previewer is not able to share, upload, edit, or delete any content.

Uploader

An uploader has limited write access. The uploader is able only to upload and see the names of the items in a folder. The uploader is not able to download or view content.

Additional FAQ’s and usage information may be found on the Baylor Box Helpdesk+ page. Many frequently asked questions such as using the Box Drive feature, Box Edit, or finding Training videos are available. Box for Restricted Data – Health contains mostly the same functionality as the Baylor Box platform. The Acceptable Use Agreement that is provided when you request access to Box for Restricted Data – Health outlines your unique responsibilities that are separate from using the Baylor Box platform.