Sensitive Data Storage and Transmission

Check here for the appropriate storage and transmission of Health Insurance Portability and Accountability Act (HIPAA), Social Security Number (SSN) and Family Educational Rights and Privacy Act (FERPA) data.

Data Type: HIPAA | SSN | FERPA

Requirements

HIPAA:
1. All applications, IT systems and services involving the storage or transmission of PHI (Protected Health Information) outside the official medical records system must be approved by the CIS Committee.
2. A department contact is required to answer questions and present the system to the CIS Committee for review. The CIS Committee meets every 3rd Friday, 7:30 a.m., Brody 3E-120A.
3. A Business Associates Agreement (BAA) must be signed in conjunction with CIS approval if a business associate is part of the implementation.
4. If PHI is stored by the application or IT system, it must be registered with the HIPAA Security Office for compliance tracking. A named HIPAA administrator is responsible for managing compliance with the HIPAA Security Rule.
5. If the system is not approved by CIS, the department completes a Security Risk Acceptance and seeks approval from the data owner and the University approver.

SSN:
1. No local storage of SSN.
2. No use or storage of SSN without data owner and ITPC approval.
3. Must be transmitted in encrypted form.
4. Truncation is not allowed, per ruling of the Identity Theft Committee.

FERPA:
1. Users must have authorized use of the data.
2. Information must remain confidential and must not be exposed.

Note

HIPAA: If a device is not secured in the ECU IT Data Center, appropriate precautions must ensure that only authorized persons have access. For questions regarding the physical protection of your electronic devices, contact the IT Help Desk @ 252.328.9866.
SSN: No outsourcing services allowed unless specifically approved by ITPC and the data owner.

Risk

HIPAA: If unencrypted PHI is exposed to unauthorized persons, ECU may be required to issue a breach notification. A data breach can result in fines, penalties and lawsuits. Criminal charges may be filed in some circumstances.
SSN: In the event of a breach of unencrypted data, notification may be required. A data breach can result in fines, penalties and lawsuits.
FERPA: FERPA violations could result in loss of accreditation, loss of institutional federal funding (e.g. Federal Financial Aid, grants, other federal subsidies/monies) and breach notification.

Where to Start for Assessment Process?

HIPAA: Central Project Office
SSN: Central Project Office
FERPA: Central Project Office

Where to Start for Data Owner/Compliance Information?

HIPAA: HIPAA
SSN: ITPC
FERPA: FERPA

Who is Data Owner/Current Approver?

HIPAA: CIS Committee / Nicholas Benson, MD, MBA
SSN: ITPC Committee / ITPC Committee
FERPA: Registrar / Amanda Fleming

Approved services by data type

Service | HIPAA | SSN | FERPA
Blackboard | No | No | Yes
Cloud Hosted (see below for MS OneDrive) | Data owner and CIS Committee approval required | No | Data owner approval required
CommonSpot | No | No | No
CrashPlan | No | No | Data owner approval required
DatAnywhere | Data owner approval required | No | Data owner approval required
iTunes (SODM course content) | No | No | No
Lync (Skype for Business) | No | No | Yes; exchanges of confidential student information become part of the educational record for current and prospective students. Lync can be used for discussion of student data considered part of FERPA if certain safeguards are implemented.
Mediasite | No | No | Yes; media consent forms required. No copyrighted or sensitive data allowed.
MyWeb.ecu.edu (faculty) | No | No | No
MyWeb.ecu.edu (students) | No | No | Yes; users should cautiously control access to any uploaded content. Media consent forms required.
Office 365 Web Apps | No | No | Yes; exchanges of confidential student information become part of the educational record for former and current students. Office 365 Web applications can be used for instruction, sharing and collaboration with students. PirateID authorization required, and special consideration should be given to understanding permissions and how to manage access. No other types of sensitive data are allowed.
OneDrive* for Business (part of ECU Office 365 subscription) | No | No | Exchanges of confidential student information become part of the educational record for former and current students.
Piratedrive | Yes | Yes | Yes
Qualtrics | No | No | Yes; exchanges of confidential student information become part of the educational record for current and prospective students. Data owner approval required.
REDCap | IRB or department chair approval required | No | Yes; data owner approval required
SabaMeeting | No | No | Yes; no copyrighted or sensitive data allowed.
Second Life | No | No | No
Sedona | No | No | No
SharePoint | No | No | Data owner approval required
TeamDynamix | No | No | No
Tech Excel | No | No | No
Tegrity | No | No | Yes; media consent forms required. No copyrighted or sensitive data allowed.
Turning Technologies - Blackboard Building Block | No | No | Yes; PirateID authorization required.
University Encrypted Storage Device (hard drive, data file, USB) | Yes | Yes | Data owner approval required
Winmedia Server | No | No | Yes; follow video guidelines. PirateID authorization required. Streaming required. All media releases signed. No copyrighted or sensitive data allowed.
WordPress | No | No | Yes; no copyrighted or sensitive data allowed.
WordPress for Courses | No | No | Yes; course work: faculty may have blogs limited to viewing by students in courses using ECU-hosted WordPress.
Yammer | No | No | Yes

Other

HIPAA: Generally, PHI should be stored on a separate server from the HIPAA application server.
SSN: Applications with appropriate ITPC approval must store SSN in an encrypted database on an enterprise-class system without web apps. SSN must not be stored in a database with other users or non-associated data.
FERPA: Banner, SharePoint. Must have authorization via FERPA.