Check here for the appropriate storage and transmission of Health Insurance Portability and Accountability Act (HIPAA), Social Security Number (SSN) and Family Educational Rights and Privacy Act (FERPA) data.
HIPAA (PHI):
1. All applications, IT systems and services involving the storage or transmission of PHI (Protected Health Information) outside the official medical records system must be approved by the CIS Committee.
2. The department contact is required to answer questions and present the system to the CIS Committee for review. The CIS Committee meets every 3rd Friday, 7:30 a.m., Brody 3E-120A.
3. A Business Associates Agreement (BAA) must be signed in conjunction with CIS approval if a business associate is part of the implementation.
4. If PHI is stored by the application or IT system, it must be registered with the HIPAA Security Office for compliance tracking. A named HIPAA administrator is responsible for managing compliance with the HIPAA Security Rule.
5. If the system is not approved by CIS, the department completes a Security Risk Acceptance and seeks approval from the data owner and the University approver.

SSN:
1. No local storage of SSN.
2. No use or storage of SSN without data owner and ITPC approval.
3. SSN must be transmitted in encrypted form.
4. Truncation is not allowed, per a ruling of the Identity Theft Committee.

FERPA:
1. Users must have authorized use of the data.
2. Information must remain confidential and must not be exposed.
| | HIPAA (PHI) | SSN | FERPA |
|---|---|---|---|
| Note | If a device is not secured in the ECU IT Data Center, appropriate precautions must ensure that only authorized persons have access. For questions regarding the physical protection of your electronic devices, contact the IT Help Desk at 252.328.9866. | No outsourcing services allowed unless specifically approved by ITPC and data owner. | |
| Risk | If unencrypted PHI is exposed to unauthorized persons, ECU may be required to issue a breach notification. A data breach can result in fines, penalties and lawsuits. Criminal charges may be filed in some circumstances. | In the event of a breach of unencrypted data, notification may be required. A data breach can result in fines, penalties and lawsuits. | FERPA violations could result in loss of accreditation, loss of institutional federal funding (e.g. Federal Financial Aid, grants, other federal subsidies/monies) and breach notification. |
| Where to Start for | Central Project Office | Central Project Office | Central Project Office |
| Where to Start for Data Owner/Compliance Information? Who is Data Owner/ | CIS Committee/Nicholas Benson, MD, MBA | ITPC Committee/ITPC Committee | Registrar/Amanda Fleming |
| [application name missing from page]; see below for MS OneDrive | Data owner and CIS Committee approval required | No | Data owner approval required |
| CrashPlan | No | No | Data owner approval required |
| DatAnywhere | Data owner approval required | No | Data owner approval required |
| iTunes (SODM course content) | | | |
| Lync (Skype for Business) | No | No | Yes; Exchanges of confidential student information become part of the educational record for current and prospective students. Lync can be used for discussion of student data considered part of FERPA if certain safeguards are implemented. |
| Mediasite | No | No | Yes; Media consent forms required. No copyrighted or sensitive data allowed. |
| [application name missing from page] | No | No | Yes; Users should cautiously control access to any uploaded content. Media consent forms required. |
| [application name missing from page] | No | No | Yes; Exchanges of confidential student information become part of the educational record for former and current students. Office 365 Web applications can be used for instruction, sharing and collaboration with students. PirateID authorization required and special consideration should be given to understanding permissions and how to manage access. No other types of sensitive data are allowed. |
| OneDrive* for Business (part of ECU Office 365 subscription) | No | No | Exchanges of confidential student information become part of the educational record for former and current students. |
| Qualtrics | No | No | Yes; Exchanges of confidential student information become part of the educational record for current and prospective students. Data owner approval required. |
| REDCap | IRB or department chair approval required | No | Yes; Data owner approval required |
| SabaMeeting | No | No | Yes; No copyrighted or sensitive data allowed. |
| SharePoint | No | No | Data owner approval required |
| Tegrity | No | No | Yes; Media consent forms required. No copyrighted or sensitive data allowed. |
| Turning Technologies - Blackboard Building Block | No | No | Yes; PirateID authorization required. |
| University Encrypted Storage Device (hard drive, data file, USB) | Yes | Yes | Data owner approval required |
| [application name missing from page] | No | No | Yes; Follow video guidelines. PirateID authorization required. Streaming required. All media releases signed. No copyrighted or sensitive data allowed. |
| WordPress | No | No | Yes; No copyrighted or sensitive data allowed. |
| WordPress for Courses | No | No | Yes; Course work: faculty may have blogs limited to viewing by students in courses using ECU-hosted WordPress. |
| Other | Generally, PHI should be stored on a separate server from a HIPAA application server. | Applications with appropriate ITPC approval must be stored in an encrypted database on an enterprise-class system without web apps. Must not be stored in a database with other users or non-associated data. | Banner, SharePoint. Must have authorization via FERPA. |