Huntsman Cancer Institute - Computer and Technology Group

HCI Computer Account Procedure

Prepared for: HCI and ISO

Prepared by:  Mark Oberg, HCI Computing and Technology Group

Overview

This procedure is intended to protect data within Huntsman Cancer Institute, in accordance with the University of Utah revised Information Security Policy 4-004 and with applicable U.S. Health and Human Services (HHS) regulations under the Health Insurance Privacy and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

Scope  

This procedure applies to all systems used to access clinical, research and/or organizational data within HCI, including Huntsman Cancer Hospital, Huntsman Cancer Research (HCR), HCI Clinical Trials, HCI Population Sciences, the Oncological Sciences department and various administrative, research and clinical groups within HCI.

- This applies to organization-owned systems (HCI, HCH, UHC, School of Medicine, etc.).
- This applies to individually owned systems that are used to directly access clinical, research, administrative and other types of data owned or hosted by HCI.
  o "Direct access" means being able to view or modify files, email, or protected web pages (such as SharePoint portal-based data) without use of a remote access technology, such as Citrix or Remote Desktop Protocol software.
  o "Individually owned" systems that can directly access HCI owned or hosted data include personal laptops brought onsite for use in research labs or other work contexts.
  o This also includes laptop and desktop systems that access the HCI network via VPN (Virtual Private Network) technologies, such as the Cisco AnyConnect VPN accessed at https://hci-vpn.hci.utah.edu
  o The "Direct Access" stipulation does *not* include individually owned laptops or desktop systems used remotely (i.e., not on site) to access systems, data or resources via the Remote Desktop Gateway or the U of U Citrix Web Interface.

Exceptions to Policy

There are likely to be reasonable exceptions to this policy for particular types of work performed at HCI, such as research labs involved in basic research that does not involve human subjects, or tissue or DNA data for human subjects. Examples include research labs that are confined to zebrafish research, or other types of work that have essentially no chance of involving protected data.

Exceptions to the Policy must be approved by CATG and will be cataloged as documentation of adherence to the policy.