Q: I work in a research lab that does not involve patient data, at all. Am I still required to use an encrypted laptop?
A: Yes, all areas of U of U Health Sciences are covered under this new policy, including research-only areas and other parts of the organization that do not have anything to do with HIPAA or patient data. This involves all areas of Huntsman Cancer, HCR, HCH, administrative areas, parking attendant computer usage, facilities.... everything.
Q: What if I do not agree with this policy or wish to "attest" to my own compliance with this new policy?
A: At some point before September 30, 2013, your user account will be disabled until you complete the new HIPAA training and attest that you are in compliance with the new policy.
Q: I've been using my own laptop for HCI work for years, and now I understand it needs to be full-disk encrypted. What do I need to do?
A: Laptops (organization owned or personal) need to be encrypted and accounted for by CATG before September 15.
Huntsman CATG will be able to offer assistance in getting personal laptops made compliant with the new policy. More information is coming on how to encrypt your laptop.
Q: What are the ramifications if I don't use an encrypted laptop?
A: You're assuming personal responsibility for violating the policy, the ramifications for which are both policy (see document "Sanctions Matrix Nov 2010.docx" as well as potentially financial penalties for Huntsman Cancer, up to $1.5 Million.
Q: Can we use personal USB thumb drives for personal information?
A: Only the approved HCI-logo'd encrypted thumb drives are allowed for use on systems at HCI.
Q: This policy seems to be arbitrary. So, I can use an unencrypted desktop system at home to access HCI data, but not a laptop system? What gives?
A: This is Phase I of the endpoint device encryption project. In future phases, desktops, tablets and cell phones will be covered.
