
Sensitive Data Storage and Transmission

Check here for the storage and transmission requirements that apply to Health Insurance Portability and Accountability Act (HIPAA), Social Security Number (SSN) and Family Educational Rights and Privacy Act (FERPA) data.

Requirements

HIPAA
1. All applications, IT systems and services involving the storage or transmission of PHI (Protected Health Information) outside the official medical records system must be approved by the CIS Committee.
2. A department contact is required to answer questions and present the system to the CIS Committee for review. The CIS Committee meets every 3rd Friday, 7:30 a.m., Brody 3E-120A.
3. A Business Associate Agreement (BAA) must be signed in conjunction with CIS approval if a business associate is part of the implementation.
4. If PHI is stored by the application or IT system, it must be registered with the HIPAA Security Office for compliance tracking. A named HIPAA administrator is responsible for managing compliance with the HIPAA Security Rule.
5. If the system is not approved by CIS, the department completes a Security Risk Acceptance and seeks approval from the data owner and the University approver.

SSN
1. No local storage of SSNs.
2. No use or storage of SSNs without data owner and ITPC approval.
3. SSNs must be transmitted in encrypted form.
4. Truncation is not allowed, by ruling of the Identity Theft Committee.

FERPA
1. Users must be authorized to use the data.
2. Information must remain confidential and must not be exposed.
Note
If a device is not secured in the ECU IT Data Center, appropriate precautions must ensure that only authorized persons have access to it. For questions regarding the physical protection of your electronic devices, contact the IT Help Desk at 252.328.9866.
No outsourcing of services is allowed unless specifically approved by ITPC and the data owner.

Risk
HIPAA: If unencrypted PHI is exposed to unauthorized persons, ECU may be required to issue a breach notification. A data breach can result in fines, penalties and lawsuits. Criminal charges may be filed in some circumstances.
SSN: In the event of a breach of unencrypted data, notification may be required. A data breach can result in fines, penalties and lawsuits.
FERPA: Violations could result in loss of accreditation, loss of institutional federal funding (e.g. Federal Financial Aid, grants, other federal subsidies/monies) and breach notification.
Where to start for the assessment process?
HIPAA: Central Project Office
SSN: Central Project Office
FERPA: Central Project Office

Where to start for data owner/compliance information?
For HIPAA data: HIPAA
For SSN data: ITPC
For FERPA data: FERPA

Who is the data owner/current approver?
HIPAA: CIS Committee / Nicholas Benson, MD, MBA
SSN: ITPC Committee (data owner and approver)
FERPA: Registrar / Amanda Fleming
Approved services by data type

Service | HIPAA | SSN | FERPA
Blackboard | No | No | Yes
Cloud Hosted (for MS OneDrive, see OneDrive for Business below) | Data owner and CIS Committee approval required | No | Data owner approval required
CommonSpot | No | No | No
CrashPlan | No | No | Data owner approval required
DatAnywhere | Data owner approval required | No | Data owner approval required
iTunes (SODM course content) | No | No | No
Lync (Skype for Business) | No | No | Yes; Exchanges of confidential student information become part of the educational record for current and prospective students. Lync can be used for discussion of student data considered part of FERPA if certain safeguards are implemented.
Mediasite | No | No | Yes; Media consent forms required. No copyrighted or sensitive data allowed.
MyWeb.ecu.edu (faculty) | No | No | No
MyWeb.ecu.edu (students) | No | No | Yes; Users should carefully control access to any uploaded content. Media consent forms required.
Office 365 Web Apps | No | No | Yes; Exchanges of confidential student information become part of the educational record for former and current students. Office 365 Web applications can be used for instruction, sharing and collaboration with students. PirateID authorization required, and special consideration should be given to understanding permissions and how to manage access. No other types of sensitive data are allowed.
OneDrive* for Business (part of the ECU Office 365 subscription) | No | No | Exchanges of confidential student information become part of the educational record for former and current students.
Piratedrive | Yes | Yes | Yes
Qualtrics | No | No | Yes; Exchanges of confidential student information become part of the educational record for current and prospective students. Data owner approval required.
REDCap | IRB or department chair approval required | No | Yes; Data owner approval required.
SabaMeeting | No | No | Yes; No copyrighted or sensitive data allowed.
Second Life | No | No | No
Sedona | No | No | No
SharePoint | No | No | Data owner approval required
TeamDynamix | No | No | No
Tech Excel | No | No | No
Tegrity | No | No | Yes; Media consent forms required. No copyrighted or sensitive data allowed.
Turning Technologies - Blackboard Building Block | No | No | Yes; PirateID authorization required.
University Encrypted Storage Device (hard drive, data file, USB) | Yes | Yes | Data owner approval required
Winmedia Server | No | No | Yes; Follow video guidelines. PirateID authorization required. Streaming required. All media releases signed. No copyrighted or sensitive data allowed.
WordPress | No | No | Yes; No copyrighted or sensitive data allowed.
WordPress for Courses | No | No | Yes; Course work: faculty may have blogs limited to viewing by students in courses using ECU-hosted WordPress.
Yammer | No | No | Yes
Other | Generally, PHI should be stored on a separate server from the HIPAA application server. | Applications with appropriate ITPC approval must store SSNs in an encrypted database on an enterprise-class system without web apps, and must not share a database with other users or non-associated data. | Banner, SharePoint. Must have authorization via FERPA.