Data Handling Guidelines

It is important to adequately safeguard and secure any sensitive or confidential information e.g. Protected Health Information – PHI, Personally Identifiable Information – PII of employees, research participants, students and job applicants as well as non-public University information including salary details, internal plans, University intellectual property (IP) etc. Below are some reminders for employees. Please note many items outlined here are basic good security practices that will protect your own personal and confidential information.

It is required that all UM employees with access to protected health information (PHI), complete HIPAA Privacy & Security Awareness training in the University’s Learning Management System, ULearn.

Open All Tabs
  • Storage

    • Be especially careful with storage of identifiable and potentially sensitive data on mobile devices or unsanctioned cloud storage providers.
    • For research studies, please follow the data management section of the study protocol once data collection is complete and/or prior to analysis.
    • Especially relevant are requirements for retaining de-identified data if specified, including removing identifiers as soon as feasible
    • Securely storing data sets and restricting access to appropriate members of the research team, for e.g. one group may have access to a location where identifiable data is retained and another group can have access to the de-identified or coded data set.
    • For portable devices such as laptops – either university supplied laptops or laptops that have university IT approved full disk encryption software installed should be used.
    • An anti-malware application (e.g. Carbon Black) should be installed and updated regularly on all portable devices.
    • Protected Health Information (PHI) should not be stored on mobile phones or tablets.
    • For mobile storage (USB Flash, hard drives) – avoid storing identifiable or sensitive data. If you absolutely must, then such devices MUST be encrypted. IT (at Medical 243-5999,, can provide assistance on encryption services for laptops, selection of appropriate mobile devices, secure remote access and other specific secure practices, etc..
    • Physical controls (locked, file cabinet, card key restricted office area etc.) should be used for paper/printouts with identifiable or sensitive information.
    • Paper/printouts with identifiable or sensitive information that need to be disposed of, should be shredded or placed in the approved University provided Shred-It bins for such information – NOT in the regular trash.
    • Avoid use of sensitive or identifiable paper documents at home, including printing of such documents.
    • If you have an unavoidable and approved use case i.e. explicit approval from your business unit leadership, then proper disposal of such information is critical. Some individuals do have a home crosscut shredder which is the preferred solution. At the very minimum, destroy, (e.g. cutting up via scissors), all areas with identifiable information such as name, address, telephone number, email address, MRN or other identifiable information. Again, avoid use unless absolutely needed.

  • Cloud Storage

    • If any information must be stored in the cloud, use ONLY University supplied Boxor OneDrive accounts (accessible via your UM email address – NOT your personal Cloud accounts).
    • Be careful to only share with those involved in the project for the time period necessary to accomplish the purpose. Do not share any type of sensitive data out to “Everyone”.
    • Make sure individuals have the minimum appropriate user access (i.e., view only, cannot share/print/download, etc.) to accomplish the purpose.
    • Individuals who no longer need access should have their access disabled/removed.
    • For Redcap projects please contact the RedCap team to remove access for individuals who have separated, transferred to another business unit or are otherwise no longer authorized for such access.
    • Be sure to remove the data when feasible and no longer required (subject to any data retention requirements) at the end of the project.

  • Access

    • Do not share your University of Miami credentials for accessing University of Miami systems with anyone.
    • Only Remote access methods approved by UM IT should be used. This is particularly important if travelling, telecommuting, working from home, or otherwise using non-UM networks (wired and wireless). For more information, please refer to this UM IT article.
    • For more information on Telecommuting and Remote Operations, please refer to this UHealth Privacy Office document as well as the Data Broker page.
    • If mobile devices such as mobile phones or tablets are being used for access, these devices must utilize a PIN with a timeout/autolock. For more details, please refer to this UM IT link.

  • Data Transfer

    • Do not use public email accounts (Gmail, Hotmail etc.) to send PHI, other sensitive data or conduct other University business.
    • To encrypt e-mails from your UM Outlook account, type [secure] in the subject line. Make sure there is a space in between [secure] and other text in the subject line. See this document as well as this document for more information from IT.
    • If there is a need for regular, authorized transfers of data, including especially to external recipients, but including inter and intra-campus, please contact the appropriate IT group, either UM IT (305-284-6565, or UHealth IT (305-243-5999, They will be able to recommend and implement appropriate solutions, including VPN tunnels or SFTP methods.
    • Do not send PHI or other sensitive data to unauthorized individuals (i.e.  individuals who have no business/clinical reason, no approved involvement in project etc.) or to individuals with non or email addresses.
    • Do not share any sensitive information with individuals outside UHealth unless an appropriate agreement, approved by department/business unit leadership is in place.

  • Data Disclosure

    For research requests, as per record keeping requirements, any disclosures made pursuant to an IRB waiver requires accounting for disclosure. You must prepare and submit to the UHealth Privacy Office a record of disclosure for each disclosure of patient information under a waiver of authorization by using the HIPAA Accounting for Disclosures form (HIPAA Attachment 45) located on the HSRO HIPAA page. Here is a pdf version of the form. For more than 50 individuals you can complete one accounting for disclosure form and a spreadsheet with patient names and MRN.