Rules of Behavior for Emory Box

By logging into Emory Box, you are agreeing to each of the statements below:

General Requirements

1) I agree that my use of Box for Emory must be conducted in a manner which complies with all applicable laws, regulations, and Emory policies, procedures, and agreements.  These include, but are not limited to the following:

  • Box for Emory Rules of Behavior
  • Emory HIPAA Security and HIPAA Privacy Policies
  • Emory IT Conditions of Use Policy
  • Emory Smart Device Security Policy
  • Emory Disk Encryption Policy
  • Emory University Code of Conduct
  • EHC Confidentiality Statement
  • HIPAA Security and Privacy Rules (HIPAA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Box Terms of Service
    http://it.emory.edu/box/terms.html

2) I agree that I may be sanctioned and/or disciplined, up to and including termination, for noncompliance with or violations of applicable laws, regulations, or Emory policies and procedures.

3) I agree that any client system or device (system) used to access Box for Emory, including personally owned systems, must have appropriate security safeguards in place to protect the system from compromise or misuse.  These include but are not limited to the following:

  • The system and all applications on the system must be kept up-to-date with the most recent security updates and patches.  This includes firmware updates for smart devices.
  • The system must have anti-virus software installed and the software and virus signature files must be kept up-to-date. [1]
  • The system must be protected by personal firewall software at all times and the firewall must be configured to block all unsolicited inbound connections. [1]

4) I agree that I have been instructed on the proper selection, use, and protection of passwords, including but not limited to the following:

  • My obligation to select a strong password
  • Prohibitions against sharing my password or using the passwords of others
  • Prohibitions against writing down passwords, or otherwise storing passwords in an insecure manner
  • My obligation to report to Emory Information Security staff any suspected compromise or any use of my user identifier and password by other individuals

5) I agree to promptly log and report any incidents of noncompliance with or violations of applicable laws, regulations, or Emory policies and procedures, as enumerated in #1 above, to Emory management, Emory’s Chief Information Security Officer, and the Emory University and/or Emory Healthcare Privacy Officers.

6) I agree to cooperate fully with any authorized internal Emory investigations (e.g. security incident investigations, data breach investigations, fraud investigations, etc.) and routine auditing/monitoring activities.  I acknowledge that this may require me to produce any Emory or personal systems, devices, or media to authorized Emory staff for examination and/or analysis required by the investigation.

Additional Requirements for Sensitive Data

1) I agree that the term “sensitive Emory data” as used throughout this document refers to any Emory data that would be classified as “confidential” or “restricted” according to the data classification definitions documented in Emory’s Disk Encryption Policy (http://policies.emory.edu/5.12).  

2) I agree that my Box for Emory enterprise account is the only Box account I am authorized to use for storing sensitive Emory data, and that my use of any other Box accounts (e.g. Personal, Starter, Business, etc.) for storing sensitive Emory data is prohibited. 

3) I agree that I am prohibited from using any similar Internet-based file sharing systems (such as Dropbox, Google Docs, OneDrive, etc.) for storing sensitive Emory data, unless the system has been formally approved by Library and Information Technologies executive leadership.

4) I agree that I am prohibited from storing in Box for Emory any data subject to the Payment Card Industry Data Security Standard (PCI DSS) or the Federal Information Security Management Act (FISMA).

5) I agree that Box for Emory must not be utilized as an official medical record.

6) I agree that I am prohibited from downloading or syncing sensitive Emory data (including electronic Protected Health Information) stored in Box for Emory to non-Emory systems or devices.

7) I agree that any system I use to sync files with Box for Emory must have reasonable and appropriate safeguards in place to protect sensitive Emory data residing on the device.  These include but are not limited to the following: 

  • Systems used to store sensitive Emory data must not be shared with other users, unless appropriate access and audit controls are in place to ensure that sensitive data cannot be accessed inappropriately. 
  • Smart devices storing sensitive Emory data must maintain full compliance with Emory’s Smart Device Security Policy by implementing the following security safeguards:
    • A non-trivial 4 digit or longer PIN
    • A 15 minute inactivity timeout
    • Data storage encryption
    • Automatic data wiping after 10 consecutive failed login attempts
    • Ability to remotely wipe the device
    • Users are prohibited from modifying or disabling security safeguards (including jailbreaking)
  • Systems must utilize encryption to protect sensitive Emory data as required by Emory’s Disk Encryption Policy.
  • I agree that upon my separation, termination, or non-affiliation with Emory, I must delete any and all sensitive Emory data stored on any personal systems and/or media devices or otherwise in my possession, and will provide written confirmation upon request.

8) I agree that the collaborative sharing functions within Box for Emory require that I take additional precautions to adequately protect sensitive Emory data shared with others via these mechanisms.  Additional required safeguards include but are not limited to the following:

  • Sensitive Emory data may only be shared with authorized individuals via uniquely identifiable Box accounts that are associated with an official Emory email address or an official institutional email address at their current place of employment or affiliation.  Sharing sensitive Emory information with individuals via Box accounts associated with personal email accounts is prohibited.  For example, sharing sensitive Emory information with john.doe@emory.edu, john.doe@emoryhealthcare.org, or john.doe@employer.com would be acceptable while sharing information with john.doe@gmail.com or john.doe@yahoo.com would not be acceptable.
  • Sharing Sensitive Emory data with group, departmental, or other shared accounts not associated with a single unique individual is prohibited.  For example, sharing sensitive Emory information with a Box.com account associated with the email address dept@emory.edu, dept@emoryhealthcare.org, or dept@company.com would not be acceptable.
  • Sensitive Emory data may only be shared with individuals via uniquely identifiable Box accounts that have been confirmed as being associated with the intended individuals.
  • It is the responsibility of the individual sharing sensitive Emory data to maintain awareness of all individuals with whom sensitive Emory data has been shared and to review and modify as appropriate the permissions granted to these individuals, at periodic intervals no less frequent than every 6 months.
  • Sensitive Emory data, including ePHI, proprietary research information, data, and other organizational information, may only be shared for research purposes with individuals who are covered by an appropriate research authorization or an IRB waiver of authorization for the research being conducted.
  • Sensitive Emory data, including ePHI, proprietary research information, data, and other organizational information, may only be shared with external parties after coordinating with the appropriate Emory authorizing authority to ensure that the appropriate Data Transfer and other agreements are in place (e.g. Data Use Agreements, IRB waivers, patient HIPAA Authorizations, etc.) between Emory and the external party.  Instructions regarding the required Data Transfer Agreements can be found at the following locations:

Note: Box for Emory must not be utilized for release of information to outside parties for the purpose of medical record access to third parties pursuant to a record release request.

9) I agree that I have taken/retaken all appropriate HIPAA security and privacy training modules within the last 12 months.

[1] This requirement does not apply to smart devices such as iPhones, iPads, and tablets running operating systems other than Windows and OS X.

Note: The Box for Emory Rules of Behavior may change at any time as needs evolve.