110-23 Remote Access to Restricted Information

Category: Administration
Sub-Category: IT & Communications
Subject: Remote Access to Restricted Information
Policy Number: 110-23
Effective Date: November, 2014
Next Review Date: November, 2016
Responsible Manager(s): Security Officer
Purpose: 

To outline the policy regarding remote access to SHCS systems and databases containing restricted information in accordance with federal and state laws and UC and UC Davis policies.

Policy: 
  1. Access to restricted information is limited to authorized Student Health and Counseling Services (SHCS) personnel who have a legitimate business need to edit or view the data. It is the responsibility of the user and owner to protect the data and release of information at all times. SHCS does not require nor expect staff to access databases outside of normal SHCS workplace locations and scheduled hours.
  2. SHCS personnel are responsible for security of restricted information.  Any SHCS employee who accesses or releases restricted information without proper authorization or authority may be subject to disciplinary or legal action.  Depending on the severity and impact of an unauthorized access or release of information, SHCS and the employee may be subject to liability.  It is, therefore, extremely important that each employee take seriously the responsibility for maintaining the security of data.
  3. Any SHCS employee who requests remote access permission completes the Request for Remote Access Form (Attachment 1), which states the employee’s role and business need for remote access. The form is submitted to the supervisor for approval, and then to the Information Systems Group for review and remote access activation. SHCS employees granted remote access are required to have completed annual HIPAA training and to read and sign the Remote Access Confidentiality Agreement (Attachment 2) regarding the confidential nature of and responsibilities for safeguarding restricted information. Signed Request and Agreement forms are filed in Administration with IMSC documents.
  4. Remote access to SHCS systems and databases makes use of 2-Factor authentication. Employees who wish to make use of SHCS remote access must either accept the use of a token or application on their cell phone, or submit a home or cell phone number that can be used to contact them for authentication purposes.
  5. Remote access to SHCS systems and databases should not be attempted in insecure locations where somebody other than the user may be able to view data on screen. It is the responsibility of the user to ensure that all data viewed or edited remotely is not visible or accessible to others.
  6. Printing data from SHCS systems and databases is prohibited while utilizing remote access from non-SHCS work locations.
  7. All SHCS employees are required to have annual HIPAA training.
  8. Remote access to databases maintained by SHCS, which contain restricted information, is governed by the same security policies utilized at SHCS.  These include but are not limited to:
    1. Strict user authentication and clearance procedures are required.
    2. User training is required prior to granting remote access.
    3. Access levels in OpenSuite are identified specific to the employee’s role and business need for viewing information.  Access levels for remote access to OpenSuite are the same as in-house access.
    4. Users do not leave devices accessing restricted information unattended.  The same session termination (time-out) rules apply to remote access as to in-house access.
    5. Restricted information is not transmitted via email.
  9. Storage of PHI on remote devices, including USB drives and local hard drives, is subject to SHCS Policy and Procedure, 110-21 Use and Storage of Restricted Information.
Definitions: 
  1. Restricted information: When it comes to law, restricted information generally refers to Personal Information (PI) covered under California Civil Code, Section 1798 (SB1386); Protected Health Information (PHI) covered under the Health Insurance Portability and Accountability Act; and educational information covered under the Family Educational Rights and Privacy Act (FERPA).  University policies are covered under UC BFB IS-3 and UCD Cyber-safety Policy (PPM 310-22).
  2. Personal Information (PI): Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
    1. Social security number.
    2. Driver's license number or California Identification Card number.
    3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
  3. Protected Health Information (PHI):  Individually identifiable health information, including demographic information collected from an individual that is created or received by a health care provider and relates to past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for provision of health care to an individual and identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
  4. Owner: The owner of the data is University of California Davis Student Health and Counseling Services.
  5. SHCS Work Locations include all the locations on campus where SHCS staff are routinely located. This includes the Student Health and Wellness Center, North Hall, and several other locations on campus.
Originated: September, 2007
Supersedes: April, 2012