Is Box HIPAA Compliant?
What small clinics need to know about Box's BAA availability, plan requirements, and the configuration steps required before using Box for PHI storage and sharing.
Short answer
Box can be used for PHI storage and collaboration in HIPAA-covered use cases, but requires a qualifying plan with a signed BAA and deliberate admin configuration to limit sharing defaults. Verify current plan requirements at Box's Trust Center before deployment.
Box is a cloud content management platform used for document storage, sharing, and collaboration. Clinics use it for storing scanned paper records, managing compliance documentation, and coordinating administrative files.
Box offers a BAA on qualifying plans, but the plan requirement is only the starting point. PHI cannot enter Box until deliberate admin configuration is in place.
Note: Box’s product tiers, pricing, and BAA terms change periodically. All information in this guide reflects publicly available information as of the verification date above. Verify current eligibility and terms at box.com/security before evaluating Box for a PHI environment.
Does Box Offer a HIPAA BAA?
Yes. Box makes a Business Associate Agreement available to customers on qualifying plans. As of this verification date, BAA eligibility applies to Business Plus, Enterprise, and Enterprise Plus plans. The standard Business plan is not eligible.
Box’s standard BAA covers the core content management platform. Customers with a signed BAA can store and process PHI in Box within the agreement’s scope.
Action step: Before using Box for any PHI, confirm you are on a BAA-eligible plan and request or execute the BAA with Box. A general subscription agreement does not cover HIPAA. The BAA is a separate agreement.
Compliance Features on BAA-Eligible Plans
Box includes features that address the HIPAA Security Rule:
- Encryption. AES 256-bit encryption at rest; TLS in transit. Verify current specifications at Box’s Trust Center.
- Access controls. Granular folder and file permissions let administrators restrict PHI-containing folders to authorized users only. Role-based access can be configured at the workspace or folder level.
- Audit logging. Admin-level audit logs track user activity: who accessed which files, when, and from where. These logs support the HIPAA Security Rule’s audit control requirement (45 CFR § 164.312(b)).
- Data residency. Box offers data residency controls on higher enterprise tiers, allowing organizations to specify where data is stored geographically.
- Admin controls. The enterprise admin console covers MFA enforcement, session timeout, device trust, and integration management.
HIPAA Risks That Remain With Box
A signed BAA with Box is not sufficient on its own. Several risk areas require deliberate action:
Default Sharing Settings
Box’s default behavior is designed for broad collaboration. Users can create shared links accessible to anyone with the URL. A staff member who shares a folder of patient documents via a public Box link has disclosed PHI to anyone who obtains that URL.
What to do: In the Box Admin Console, configure the organization-wide default for external sharing to restrict public link creation. Require admin approval for external sharing requests. Test these settings before onboarding PHI.
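One way to verify the restriction above actually took effect, as an added example that is neither Box's nor PHIGuard's code: the script walks a folder listing in the shape the Box Content API returns for `GET /2.0/folders/{id}/items?fields=name,shared_link,type` and flags any item whose shared link `access` is `"open"` (anyone with the URL). The API field names follow Box's documented response format; the sample payload, folder names and link URLs are constructed for offline use, and `fetch_folder_items` needs a real access token to run against a live tenant.

```python
"""Flag publicly shared items in a Box folder listing (added example)."""
import json
import urllib.request

# Box shared_link.access values: "open" = anyone with the URL (public),
# "company" = anyone in the enterprise, "collaborators" = invited users only.
PUBLIC_ACCESS = "open"


def find_public_links(items):
    """Return (type, name, url) for every item whose shared link is public.

    Items with no shared link, or with "company"/"collaborators" access,
    are not reported: only links reachable by anyone holding the URL are.
    """
    findings = []
    for item in items:
        link = item.get("shared_link")
        if link and link.get("access") == PUBLIC_ACCESS:
            findings.append((item["type"], item["name"], link["url"]))
    return findings


def fetch_folder_items(folder_id, token):
    """Fetch one folder's items from the live Box API (needs a real token).

    Assumption: the caller supplies an OAuth bearer token with read access;
    folder_id "0" is the root of the authenticated user's account.
    """
    url = (f"https://api.box.com/2.0/folders/{folder_id}/items"
           "?fields=name,shared_link,type&limit=1000")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["entries"]


# Constructed sample mimicking one page of a Box items response for a clinic.
SAMPLE_ITEMS = [
    {"type": "folder", "id": "1", "name": "Scanned Records 2023",
     "shared_link": {"url": "https://app.box.com/s/aaa", "access": "open"}},
    {"type": "file", "id": "2", "name": "Onboarding checklist.pdf",
     "shared_link": {"url": "https://app.box.com/s/bbb", "access": "company"}},
    {"type": "file", "id": "3", "name": "Risk analysis 2024.docx",
     "shared_link": None},
]

if __name__ == "__main__":
    for kind, name, url in find_public_links(SAMPLE_ITEMS):
        print(f"PUBLIC {kind}: {name} -> {url}")
```

Run it against the sample to see the one public folder reported; to audit a tenant, replace `SAMPLE_ITEMS` with `fetch_folder_items("0", token)` and recurse into each returned folder.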
Box Integrations
Box’s App Center includes hundreds of third-party integrations — electronic signature tools, CRM connectors, automation platforms, AI tools. When these integrations access Box content, they may process PHI. Each integration that touches PHI-containing folders is a potential business associate and may require its own BAA.
What to do: Review which Box integrations are active in your environment. Disable any that are not necessary. For integrations that do access PHI-containing folders, confirm their HIPAA posture and BAA availability.
AI Features
Box has introduced AI features (Box AI) for content summarization, search, and analysis. If Box AI processes PHI-containing documents, the processing must be covered under the BAA terms. Verify with Box whether AI features are included in HIPAA BAA coverage before enabling them.
Clinical Use Cases for Box
Appropriate uses with BAA:
- Compliance documentation storage (policies, training records, BAA archive, risk analysis)
- Scanned paper records archive (with access controls limiting to authorized staff)
- Administrative file collaboration (scheduling templates, operational procedures)
- Policy distribution and version control
Uses that require additional assessment:
- Patient records requiring EHR-level audit trails (Box audit logs differ from EHR-specific audit requirements)
- Real-time clinical communication (Box is not designed for clinical messaging)
- DICOM image storage (possible technically, but specialized PACS systems are better suited)
Box is a reasonable choice for administrative document management. It is not a replacement for an EHR’s clinical record management.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.