Huntsman Cancer Institute - Computer and Technology Group
Interim HCI Data Protection Procedure
Prepared for: HCI and ISO
Prepared by: Mark Oberg, HCI Computing and Technology Group
Overview
This procedure is intended to protect data within Huntsman Cancer Institute, in accordance with the University of Utah revised Information Security Policy 4-004, as well as applicable U.S. Health and Human Services (HHS) regulations under the Health Insurance Privacy and Accountability Act (HIPAA), as well as the Health Information Technology for Economic and Clinical Health Act (HITECH).
With the momentum from HHS to include human genome data as identifying information to be protected under the HIPAA and HITECH regulatory frameworks, the boundaries of data to be protected is only increasing, through time.
Additionally, due to recent and ongoing data espionage incidents involving research data, in research university environments and other types of organizations, the policies, procedures, controls and mechanisms used to ensure compliance for patient data are increasingly appropriate for proprietary research and administrative data within HCI.
Scope
This procedure is applicable to all systems used to access clinical, research and / or organizational data within HCI, including Huntsman Cancer Hospital, Huntsman Cancer Research (HCR), HCI Clinical Trials, HCI Population Sciences, the Oncological Sciences department and various administrative, research and clinical groups within HCI.
- This applies to organization owned systems (HCI, HCH, UHC, School of Medicine, etc)
- This applies to individually owned systems that are used to directly access clinical, research, administrative and other types of data owned or hosted by HCI.
o "Direct access" means to be able to view or modify files, email, protected web pages (such as Sharepoint portal-based data) without use of a remote access technology, such as Citrix or Remote Desktop Protocol software.
o "Individually owned" systems that can directly access HCI owned or hosted data include personal laptops brought onsite for use in research labs, or other work contexts.
o This also includes laptop systems, desktop systems that access the HCI network via VPN (Virtual Private Network) technologies, such as the Cisco AnyConnect VPN accessed at https://hci-vpn.hci.utah.edu
o The "Direct Access" stipulation does *not* include individually owned laptops or desktop systems used remotely (ie, not on site) to access systems, data or resources via the Remote Desktop Gateway, or U of U Citrix Web Interface.
Exceptions to Policy
There are likely to be reasonable exceptions to this policy, for particular types of work performed at HCI, such as research labs involved in basic research that does not involve human subjects or tissue or DNA data for human subjects. Examples include research labs that are confined to Zebra Fish research, or other types of work that has essentially no chance of involving protected data.
Exceptions to the Policy must be approved by CATG and will be cataloged as documentation to adherence to the policy.