- Sensitive Data
- Avoid storage of identifiable and potentially confidential/sensitive data on mobile devices or unsanctioned cloud storage providers. See UM Data Classification policy for definitions of non-public data.
- Research Studies
- For research studies, please follow the data management section of the study protocol.
- De-Identified Data
- Especially relevant are requirements for retaining only de-identified data if specified, including removing identifiers as soon as feasible. Particularly sensitive identifiers include SSN, MRN, and health insurance policy numbers as well as email addresses, telephone numbers, complete addresses and full facial photographs.
- Storage Access
- Securely store data sets and restrict access to appropriate members of the research team, e.g., one group may have access to a UM provided/controlled secure location where identifiable data is retained, and another group can have access to the de-identified or coded data set.
- Portable Devices
- For portable devices such as laptops, use either University-supplied laptops or laptops that have University IT approved full disk encryption software installed. Encryption is now generally enabled for on-premises workstations. Consult the applicable IT group.
- Anti-Malware
- An anti-malware application (e.g. CrowdStrike) should be installed and updated regularly on all University workstations. Confirm with IT, if necessary.
- Mobile Devices
- Protected Health Information (PHI) should NOT be stored on mobile phones or tablets. Consult the appropriate IT group for current best practices and solutions for mobile devices, including approved apps, e.g. EPIC Haiku and Canto. Pay attention to new advisories from IT, as these practices are dynamic and constantly being updated.
- Mobile Storage
- For mobile storage (USB Flash, hard drives) – avoid storing identifiable or confidential/sensitive data. If you absolutely must, then such devices MUST be encrypted. IT (at Medical: 305-243-5999, https://miamiedu.sharepoint.com/sites/umedinsider-uhealth-it, help@med.miami.edu; at Gables/RSMAS: 284-6565, help@miami.edu, https://www.it.miami.edu/) can provide assistance on encryption services for laptops, selection of appropriate mobile devices, secure remote access and other specific, current, secure practices.
- Physical Storage and Documents
- Physical controls (locked file cabinet, card-key-restricted office area, etc.) should be used for paper/printouts with identifiable or sensitive information.
- Paper/printouts with identifiable or sensitive information that need to be disposed of should be shredded or placed in the approved University provided Shred-It bins (current vendor) for such information – NOT in the regular trash.
- Home Locations
- Avoid use of sensitive or identifiable paper documents at home, including printing of such documents.
- Be aware of your surroundings when discussing Protected Health Information (PHI) to prevent inadvertent disclosure to unauthorized individuals nearby.
- Unavoidable and Approved Use Case
- If you have an unavoidable and approved use case, i.e. explicit approval from your business unit leadership, then a plan/practice for proper disposal of such information is critical.
- Best practice is to use a crosscut or microcut shredder, which is the preferred solution.
- Again, AVOID use unless absolutely needed. NEVER dispose of University documents with identifiable or confidential/sensitive information in the regular trash.