Box at U-M Core Apps

Service Description 

Box at U-M is a cloud-based storage solution that allows you to share files with people inside and outside of the university. There are many apps that can be used within Box. U-M users can use any of those apps, but only the Box at U-M Core Apps (Official Box Apps) have been tested and approved by U-M.

Box at U-M will no longer be offered beginning December 1, 2021.

Up until March 22, 2021, U-M Box offered Shared U-M Box Accounts that were set up specifically for protecting sensitive data, and manage the sharing settings appropriately. New shared accounts are no longer available. See Using Box at U-M Securely with Sensitive Data for minimum requirements for using Box securely.


Box at U-M is a contracted-for service obtained through a partnership with a consortium of higher education institutions. The agreement includes non-disclosure agreements (NDA) and security provisions. Box at U-M Core Apps (Official Box Apps) provide a secure environment in which to maintain or share the university's sensitive unregulated data, as well as some kinds of sensitive regulated data.

Be sure to use a Shared Account in U-M Box for sensitive university data. See Using Box at U-M Securely with Sensitive Data for minimum requirements when using U-M Box for sensitive university data.

As of March 22, 2021, new Box Shared Accounts are no longer available. Consider a Dropbox Team Folder for new team-based work instead. If you already have a Box Shared Account, you can use it with the data types listed here as permitted;  it will be migrated to a Dropbox Team Folder later in 2021.

Social Security numbers should only be used where required by law or where they are essential for university business processes. If you must use SSNs, it is preferred that you use institutional resources designed to house this data, such as the Data Warehouse. Information Assurance (IA) can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. (Contact IA via the ITS Service Center.)

U-M's agreement with Box for Box at U-M Core Apps includes a Business Associate Agreement. This means individuals may use this service to maintain Protected Health Information (PHI) regulated by HIPAA. Complying with HIPAA's requirements is a shared responsibility. Users sharing and storing PHI in U-M Box are responsible for complying with HIPAA safeguards, including:

  • Using and disclosing only the minimum necessary PHI for the intended purpose.
  • Obtaining all required authorizations for using and disclosing PHI.
  • Ensuring that PHI is seen only by those who are authorized to see it.
  • Obtaining all necessary data-sharing agreements and Business Associate Agreements for using and disclosing PHI.
  • Following any additional steps required by your unit to comply with HIPAA.