Box: Cloud Service Guidelines

WUSTL Box is an enterprise-strength, cloud-based storage and collaboration service available to all active faculty, staff and students of all Washington University in St. Louis campuses, including the School of Medicine.

WUSTL Box may be used to manage the following content:

  • Protected health information (HIPAA)
  • Attorney/Client privileged information
  • IT Security information
  • Protected identifiable human subject research data (HIPAA & Common Rule)
  • Student education records (FERPA)
  • Student loan application information (GLBA)

WUSTL Box may not be used to manage the following content:

  • Credit card or payment card industry (PCI) information
  • Export controlled research – export administration regulations (EAR)
  • Federal Information Security Management Act (FISMA)
  • Radiation and hazardous chemical information (NRC & DHS)
  • Social Security Numbers (47 state privacy laws)

Please review the following guidelines for sharing and downloading information classified as protected or regulated (e.g. HIPAA Protected Health Information) to non-Washington University entities or devices.

Sharing
The sharing of ePHI folders and documents from within your WUSTL Box environment should limited only to those to whom it is critical to access that patient information.

Downloading
WUSTL Box provides tools that can enable document editing without having to download to a local device. It is recommended that you use this feature when editing and/or reviewing ePHI content and other materials of a sensitive nature.

If you find it is absolutely necessary to download or sync ePHI content to a personal device (e.g. mobile device or home computer) that device must meet our policies for protection, including password protection and encryption.

It is the WUSTL Box account owner’s responsibility to understand what information has been uploaded to that account and to ensure additional protections are enabled if that information is shared or downloaded outside the Washington University approved locations.

Policy References
Information Security Policies
– Including Computer Use Policy