Check here for the appropriate storage and transmission of Health Insurance Portability and Accountability Act (HIPAA), Social Security Number (SSN) and Family Educational Rights and Privacy Act (FERPA) data.
To Payment Card Industry (PCI) and other sensitive data types...
HIPAA (PHI) data:
1. All applications, IT systems and services involving the storage or transmission of PHI (Protected Health Information) outside the official medical records system must be approved by the CIS Committee.
2. A department contact is required to answer questions and present the system to the CIS Committee for review. The CIS Committee meets every third Friday at 7:30 a.m. in Brody 3E-120A.
3. If a business associate is part of the implementation, a Business Associate Agreement (BAA) must be signed in conjunction with CIS approval.
4. If PHI is stored by the application or IT system, the system must be registered with the HIPAA Security Office for compliance tracking. A named HIPAA administrator is responsible for managing compliance with the HIPAA Security Rule.
5. If the system is not approved by the CIS Committee, the department completes a Security Risk Acceptance and seeks approval from the data owner and the University approver.
SSN data:
1. No local storage of SSNs.
2. No use or storage of SSNs without data owner and ITPC approval.
3. SSNs must be transmitted in encrypted form.
4. Truncation of SSNs is not allowed, per ruling of the Identity Theft Committee.
FERPA data:
1. Users must be authorized to use the data.
2. Information must remain confidential and must not be exposed.
Part of ECU Office 365 subscription