Effective Date: 1/24/05 (revised 2/2/09)
Office of Origin: Office of Academic and Administrative Information Systems (OAAIS)
I. Purpose
The purpose of this policy is to provide for compliance with federal and state law and regulation and university policy governing the security and confidentiality of electronic information.
II. Definitions
Access Control: The policies and procedures that regulate Authorized Users’ ability or means necessary to read, write, modify, or communicate data or information or otherwise use any Electronic Information Resource (EIR).
Authorized User: Any UCSF faculty, staff, student, or other individual affiliated with UCSF who has been granted authorization to access an Electronic Information Resource or invokes or accesses an Electronic Information Resource for the purpose of performing his or her job duties or other functions directly related to his or her affiliation with UCSF. The authorization granted is for a specific level of access to the Electronic Information Resource in accordance with University policy. An example of an Authorized User is someone who handles business transactions and performs data entry into a business application or someone who gathers information from an application or data source for the purposes of analysis and management reporting.
Confidentiality: The degree to which data or information is not available or disclosed to unauthorized persons or processes. The degree of confidentiality afforded to different types of information will vary as required by federal and state laws, University policy, contract, or community practice. (See Information Classifications)
Compromise: Unauthorized (actual or suspected) access, use, disclosure, modification, or destruction of an Electronic Information Resource in violation of University policy.
Covered Entity: “The Administrative Simplification standards adopted by the HHS under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to any entity that is:
a health care provider that conducts certain transactions in electronic form (called here a "covered health care provider")
a health care clearinghouse
a health plan
An entity that is one or more of these types of entities is referred to as a "covered entity" in the Administrative Simplification regulations.” (See References)
Generally, these transactions concern billing and payment for services or insurance coverage. The UCSF enterprise is a HIPAA-covered entity and subject to the requirements of the HIPAA Privacy and Security Rules. (See Section V)
Electronic Information Resource (EIR): A resource used in support of UCSF activities that involve the electronic storage, processing, or transmitting of data as well as the data itself. Electronic Information Resources include application systems, operating systems, tools, communications systems, and data – in raw, summary, and interpreted form – and associated computer server, desktop, communications, and other hardware used in support of UCSF activities. Personally owned systems are included in this definition if they connect to the UCSF network or are used to process or store UCSF information.
Information Classifications: The following terms define categories according to their unique protective requirements and provide guidance for identifying appropriate users or recipients. UCSF departments and units should determine in advance the extent to which information should be disclosed to specific users. Determinations should be made based on the nature of the content and the duties of department employees.
Public Information – Information accessible under the Public Records Act is available to any person notwithstanding their status or interest. Examples of public information include information made available to patient access via UCSF's public web sites.
Restricted Data – Information, which is not public information, but can be disclosed to or used by UCSF representatives to carry out their duties providing there is no legal prohibition to disclosure. Examples of restricted information include individual workforce members’ own e-mail.
Confidential Information – Information that may or may not be protected by law but which is desired to be treated as confidential and protected accordingly. Access to confidential information is prohibited unless permitted by policy or exception to the law. In the case of legally confidential data, the exception may be contained within the law or regulation, or by court order or subpoena for the information. An example of confidential information is patients’ lab records viewed on the Summary Time Oriented Record (STOR) System by their physicians.
Personal Information – An individual's first name or first initial and last name, in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: Social Security number; driver's license number or California Identification Card number; or an account, credit, or debit card number in combination with any required security code or password that would permit access to the account, medical information; or health insurance information.
Protected Health Information (PHI) – PHI is an individual’s health information or data collected from an individual that is created or received by a health care provider, plan, or clearinghouse related to the past, present, or future physical or mental health or condition of the individual; the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual; identifies or could reasonably identify the individual; and is transmitted or maintained in electronic or any other form or medium.
Licensed Information Resources – Licensed Information Resources refer to paid online resources (e.g., databases, journals, books) licensed by the UCSF Library for access and use by the UCSF community only
Minimum Security Standards for Electronic Information Resources (EIR): The UCSF Minimum Security Standards for EIRs are required to protect all UCSF EIRs. Development of these standards is the responsibility of the Information Security Committee. Their implementation is the joint responsibility of Technical Support Providers and Authorized Users. Departmental Officials, OAAIS and other Central IT Organizations are responsible for assuring that the minimum standards are implemented within their sphere of influence. The minimum standards shall be reviewed and modified by the Information Security Committee as needed to respond to emerging technologies and organization changes, but no less frequently than annually. (Addendum B)
Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of an Electronic Information Resource in violation of University policies.
Security Threat: Any action by an individual or application that could result in a security incident that could compromise the confidentiality, integrity, or availability of data. Threats that could breach confidentially include, but are not limited to, unauthorized intrusions, malicious misuse, inadvertent compromise, viruses, or the loss or theft of a computing device that contains confidential or restricted information, or any incident in which a user either directly or by using a program performs functions for which they do not have authorization.
UCSF Users/Workforce Members: UCSF students, faculty, staff, and others affiliated with the University (including those in program, contract, or license relationships with the University) who need to access restricted or confidential information and have authorization to use University Electronic Information Resources and services for purposes in accordance with The Electronic Communications Policy, "Section III.D, Allowable Uses. (See Authorized User)
III. Policy
UCSF will protect the confidentiality, integrity, and availability of restricted or confidential information, including personal information and protected health information (PHI), when such information is created, received, transmitted, and/or stored in any medium, including electronic or paper format, and will ensure that the handling of such information is consistent with federal and state laws and regulations and university policies.
Each member of the campus community is responsible for the security and protection of EIRs over which he or she has control. Addendum B: UCSF Minimum Security Standards for Electronic Information Resources has been published to help departments and individuals protect their computing devices. Likewise, within the UCSF distributive computing environment, the IT Governance Committee and Information Security Committee have identified specific roles and responsibilities for securing EIRs Addendum A: UCSF Roles and Responsibilities for Securing Electronic Information Resources.
UCSF data that is lost, stolen, compromised, or suspected of being compromised must be reported and investigated according to Addendum C: UCSF Incident Investigation.
IV. Responsibility
Contact Office of Origin (above) with any questions.
V. Related Policies
Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Policies, Procedures and Guidelines
UCSF Medical Center Policy: 5.01.04: “Information Security and Confidentiality”
VI. References