To state Student Health and Counseling Services (SHCS) policy regarding use and storage of Restricted Information in accordance with UCD PPM 310-22 Cyber-Safety Program Policy.
Policy:
SHCS routinely stores all data (regardless of restriction) on networked file or database servers. Laptops may be configured so that authorized users have encrypted remote access to data stored on SHCS servers to enable them to work on data while away from SHCS main locations. Restricted Information may not be stored on any device other than networked servers. Restricted Information is not permitted to be stored on laptop computers, home computers, non-server storage media (including USB Flash drives), PDAs, smart phones or other devices.
Restricted Information should not be included in email communications. Users are responsible for deleting any Restricted Information received through email communications or other acquisition routes from their local computer. Restricted Information may be transferred to storage on SHCS networked servers prior to deletion.
ISG stores backup copies of SHCS data on encrypted external storage media for disaster recovery purposes. Backups are kept for a maximum of 6 months under normal circumstances.
Use of Copy Machines with internal hard drives; SHCS staff are not allowed to copy or print confidential data (student records or any other HIPAA protected information) on copiers or copier/printers with internal hard drives that are not under an SHCS maintenance contract. Larger copiers and copier/printer devices frequently contain internal hard drives that store images of all documents printer or copied on them. The data is stored indefinitely. SHCS maintenance contracts specify proper disposal or wiping of hard drives in copiers when they are repaired or replaced.
Definitions:
Restricted Information: In accordance with state and federal law and University Policy, Restricted Information generally refers to Personal Information (PI) covered under California Civil Code, Section 1798 (SB1386); Protected Health Information (PHI) and Electronic Health Information (ePHI) covered under the Health Insurance Portability and Accountability Act and Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH Act); Medical Information covered under California Civil Code, Section 56-56.35, California Confidentiality of Medical Information Act (CMIA); and educational information covered under the Family Educational Rights and Privacy Act (FERPA). University policies are covered under UC Business and Finance Bulletin (IS-3) and UCD Cyber-safety Policy (PPM 310-22).
Medical Information: Medical Information means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment.
Personal Information (PI): Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
Social security number.
Driver's license number or California Identification Card number.
Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Protected Health Information (PHI): Individually identifiable health information, including demographic information collected from an individual that is created or received by a health care provider and relates to past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for provision of health care to an individual and identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
Electronic Protected Health Information (ePHI): Protected Health Information in electronic form.
Owner: Ownership of data is University of California Davis Student Health and Counseling Services.
Non-Server Storage Media: Any device not physically connected to SHCS servers that can be used for storage of electronic files, including but not limited to hard drives, USB flash (“thumb”) drives, holographic storage devices, CDs and DVDs.