Box for Clinical Record

The big HIPAA news last week was that Box (formerly Box.net, then Box.com — now Box seems to be acceptable) is now HIPAA compliant. In the world of HIPAA news, this is a nice break from the steady stream of stories about laptops being stolen or patients suing over breaches. Mr. HIStalk covered the Box story briefly earlier this week in a news post. This is potentially interesting news for consumers and providers.

If you search for "Box.com HIPAA," you find a Box support page that says the company actually was deemed HIPAA-compliant — presumably from an audit — back in November of last year. I assume this was delayed for Box to integrate several key health app launch partners and secure an investment in iPad EMR drcrhono. I use MediCam, one of the apps that was listed in the Box release, and noticed Box was added as a storage option in the last update of the MediCam, so I figured this announcement was in the works.

One point I wanted to clarify, and I’m hoping somebody can help with this. The article references many healthcare organizations that are using Box. My bet — and this seemed to be the consensus with several friends I asked about it — was that Box at most healthcare organizations today is more of a tool for admin and business functions instead of anything clinical or HIPAA-related. I have friends that use Box to share and comment journal articles, but not for patient records. Anybody out there at a healthcare org that uses Box who can tell me specifically how it’s used?

In all the press about Box and HIPAA, there’s another article by Missy Krasner (formerly Google Health and now helping Box) about Box taking over where Google left off. I don’t think comparison’s to Google’s PHR is very strong positioning for Box, but the article makes some good points about Box and how it could be used in healthcare, especially by patients.

The use case goes something like this. Box can become a trusted partner, through something like DirectTrust or some other trust anchor to systems that produce CCDA data, enabling it to both receive and transmit clinical summary data. Patients can then have records pushed directly to and from Box (I’m still a bit confused if the "from Box" part is real or will ever be). Presumably, people who store records on Box can then use secure sharing features of Box to share those records with selected individuals. Since the data would be standardized or mostly standardized and hopefully CCDA, Box could integrate technology to make it interactive, like the soon to be open sourced health record viewers from the recent HHS challenge.

That’s very cool. It’s not exactly easy. In fact, it’s extremely hard. Box needs to either work directly with all of the systems to access data or it needs enough partner apps to do it.

But I see what Box is pushing for with the HIPAA announcement and the press about sharing medical records on Box. The piece that Box doesn’t talk about is just how valuable it would be to be the repository of aggregate patient data, even if that data is just clinical summaries and CCDAs (not full EMR data). There is obviously the very clear individual value from the extreme pain most people experience sharing medical records.  I, for example, wish I could do what I described in the last paragraph.

But if Box allows users to grant access to different apps or researchers or whomever to access data, sometimes anonymized and sometimes not, that’s extremely valuable. As long as Box isn’t making money directly from those relationships and is just adding value as a place to store records, that gets around the issues in the new HIPAA rule related to marketing (read this about CVS and pharma-sponsored refill notices.)

There are some big risks. Just because Box is HIPAA compliant, or was as of November, doesn’t mean that vendors and apps that use Box for storage are. Box should be careful about partners making claims based solely on integration with Box.

Overall I think this is great news. We’re going to see similar offerings from new and old vendors, but Box has such a strong presence on the enterprise side that it will be interesting to see how quickly it can get traction as a place to store records. Personal storage is all well and good, but it’s the linkage and integration with existing systems that will determine if this is really valuable.

Travis Good is an MD/MBA involved with health IT startups.  More about me.

↑ Back to top

Founding Sponsors

Platinum Sponsors