650-16 Information Security and Confidentiality

Effective Date:     January 24, 2005 (revised January 4, 2007)

Office of Origin: Office of Academic and Administrative Information Systems (OAAIS)

I.        Purpose

The purpose of this policy is to provide for compliance with federal and state laws and regulations and university policies that govern the security and confidentiality of electronic information.

II.       Definitions

Access Control: The policies and procedures that control access to or provide Authorized Users with the ability or means necessary to read, write, modify, or communicate data or information or otherwise use any Electronic Information Resource (EIR).

Authorized User: Any UCSF faculty, staff, student, or other individual affiliated with UCSF who has been granted authorization to access an Electronic Information Resource or invokes or accesses an Electronic Information Resource for the purpose of performing his or her job duties or other functions directly related to his or her affiliation with UCSF. The authorization granted is for a specific level of access to the Electronic Information Resource in accordance with University policy. An example of an Authorized User is someone who handles business transactions and performs data entry into a business application or someone who gathers information from an application or data source for the purposes of analysis and management reporting.

Confidentiality: The degree to which data or information is not available or disclosed to unauthorized persons or processes. The degree of confidentiality afforded to different types of information will vary as required by federal and state laws, University policy, contract, or community practice. (See Information Classifications)

Compromise:  Unauthorized (actual or suspected) access, use, disclosure, modification, or destruction of an Electronic Information Resource in violation of University policies.

Covered Entity: Federal law and the Health Insurance Portability and Accountability Act (HIPAA) require HIPAA-defined covered entities to protect and secure personally identifiable health and financial information. HIPAA-covered entities are: (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which the Department of Health and Human Services has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. The UCSF enterprise is a HIPAA-covered entity and subject to the requirements of the HIPAA Privacy and Security Rules. (See Section V)

Electronic Information Resource (EIR): A resource used in support of UCSF activities that involve the electronic storage, processing, or transmitting of data as well as the data itself. Electronic Information Resources include application systems, operating systems, tools, communications systems, and data – in raw, summary, and interpreted form – and associated computer server, desktop, communications, and other hardware used in support of UCSF activities. Personally owned systems are included in this definition if they connect to the UCSF network or are used to process or store UCSF information.

Information Classifications: The following classifications define information by categories according to their unique protective requirements and provide guidance for identifying appropriate users or recipients. UCSF departments and units should determine in advance the extent to which information should be disclosed to specific users. Determinations should be made based on the nature of the information and the duties of department employees.

Public Information – Information accessible under the Public Records Act is available to any person notwithstanding their status or interest. Examples of public information include information made available to patient access via UCSF's public web sites.

• Restricted Data – Information, which is not public information, but can be disclosed to or used by UCSF representatives to carry out their duties providing there is no legal bar to disclosure. Examples of restricted information include individual workforce members’ own e-mail.
• Confidential Information – Information that may or may not be protected by law but which is desired to be treated as confidential and protected accordingly. Access to confidential information is prohibited unless permitted by policy or exception to the law. In the case of legally confidential data, the exception may be contained within the law or regulation, or by court order or subpoena for the information. An example of confidential information is patients’ lab records viewed on Summary Time Oriented Record (STOR) System by their physicians.
• Personal Information – An individual's first name or first initial and last name, in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:  Social Security number; driver's license number or California Identification Card number; or an account, credit, or debit card number in combination with any required security code or password that would permit access to the account.
• Protected Health Information (PHI) – PHI is an individual’s health information or data collected from an individual that is created or received by a health care provider, plan, or clearinghouse related to the past, present, or future physical or mental health or condition of the individual; the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual; identifies or could reasonably identify the individual; and is transmitted or maintained in electronic or any other form or medium. 
• Licensed Information – Campus Community members are obligated to prevent the misuse of access privileges to licensed information resources.

Minimum Security Standards for Electronic Information Resources: The UCSF Minimum Security Standards for EIRs are required to protect all UCSF EIRs. Development of these standards is the responsibility of the Information Security Committee. Implementation of these standards is the joint responsibility of Technical Support Providers and Authorized Users. Departmental Officials, OAAIS and other Central IT Organizations are responsible for assuring that the minimum standards are implemented within their sphere of influence. The minimum standards will be reviewed and modified by the Information Security Committee as needed to respond to emerging technologies and organization changes, but no less frequently than once a year. (Addendum B)

Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of an Electronic Information Resource in violation of University policies.

Security Threat: Any action by an individual or application that could result in a security incident that could compromise the confidentiality, integrity, or availability of data. Threats that could breach confidentially include, but are not limited to, unauthorized intrusions, malicious misuse, inadvertent compromise, viruses, or the loss or theft of a computing device that contains confidential or restricted information, or any incident in which a user either directly or by using a program performs functions for which they do not have authorization.

UCSF Users/Workforce Members: UCSF students, faculty, staff, and others affiliated with the University (including those in program, contract, or license relationships with the University) who need to access restricted or confidential information and have authorization to use University Electronic Information Resources and services for purposes in accordance with The Electronic Communications Policy, "Section III.D, Allowable Uses. (See Authorized User)

III.      Policy

UCSF will protect the confidentiality, integrity, and availability of restricted or confidential information, including personal information and protected health information (PHI), when such information is created, received, transmitted, and/or stored in any medium, including electronic or paper format, and will ensure that the handling of such information is consistent with federal and state laws and regulations and university policies.

Each member of the campus community is responsible for the security and protection of EIRs over which he or she has control. Addendum B: UCSF Minimum Security Standards for Electronic Information Resources has been published to help departments and individuals protect their computing devices. Likewise, within the UCSF distributive computing environment, the IT Governance Committee and Information Security Committee have identified specific roles and responsibilities for securing EIRs Addendum A: UCSF Roles and Responsibilities for Securing Electronic Information Resources.

UCSF data that is lost, stolen, compromised, or suspected of being compromised must be reported and investigated according to Addendum C: UCSF Incident Investigation.

IV.     Responsibility

Contact Office of Origin (above) with any questions.

V.      Related Policies

•  California SB 1386 – Personal Information: Privacy
•  Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Policies, Procedures and Guidelines
•  HIPAA Business Associates (Policy 200-28)
• UC Electronic Communication Policy
• UC IS-3 Bulletin, Electronic Information Security
• UCSF Medical Center Policy: 5.01.04: “Information Security and Confidentiality”
• Family Educational Rights and Privacy Act (FERPA)

VI.     References

• UCSF HIPAA Handbook
• UCSF HIPAA Web Site
• UCSF Office of Academic and Administrative Information Systems web site
• University of California HIPAA web site
• UCOP Information Resources and Communications web site
• Addendum A, UCSF Roles and Responsibilities for Securing Electronic Information Resources
• Addendum B, UCSF Minimum Security Standards for Electronic Information Resources
• Addendum C, UCSF  Incident Investigation