KUMC Sensitive Information in Electronic and Paper-Based Systems

Policy
Purpose: 

Principle
The University of Kansas Medical Center has a responsibility for securing sensitive information against intentional or unintentional disclosure, alteration or loss of availability.

Purpose
The purpose of this policy is to minimize the risk that sensitive KUMC information is compromised or disclosed inappropriately.

Applies to: 

Resources Covered By This Policy
All electronic and paper information systems including (but not limited to) the central administrative systems (financial, HR/payroll, student); department administrative systems (including "shadow" financial systems and vendor-managed systems); file servers; email servers; web servers; desktop and mobile computers; and all paper-based information storage and retrieval systems.

Individuals and Groups Covered By This Policy
All KUMC faculty, staff, and students, and anyone else accessing, using, or storing sensitive KUMC information.

Responsibilities
Data Owners are responsible for evaluating and classifying the sensitivity of the data for which they are responsible, defining protection requirements for the data based on legal or regulatory requirements, and defining requirements for access to the data.

Campus: 
Medical Center, Kansas City
Wichita
Salina
Policy Statement: 

I. Guidelines for Handling Sensitive Information

When working with sensitive information, you should always:

  • Access and use sensitive data appropriately. KUMC expressly forbids the access and use of sensitive data for any purpose other than the conduct of University business. Approval from the data owner must be obtained before access to sensitive data will be granted.
  • Utilize KUMC's existing central administrative systems (PeopleSoft Student Administration, PeopleSoft Human Resources/Payroll, PeopleSoft Financials, AngelLearning, and all clinical information systems). These systems are always the preferred systems for storing sensitive information.
  • Restrict access rights. Access to sensitive information, in both electronic and paper format, should follow the "minimum necessary" principle: an individual should have access only to the sensitive information necessary to accomplish his or her work. If Employee A needs Social Security Numbers and Employee B needs dates of birth, do not create a spreadsheet with names, SSNs, and DOBs and distribute it to both employees.
  • Avoid the use of "convenience repositories". Copies of sensitive information stored in the central administrative and clinical systems should not be maintained outside of those systems unless the frequency of use of the information is such that disabling the repository would severely impact the ability of the department to conduct its business. If you believe you have a compelling rationale for maintaining such a repository, please contact the Department of Information Security (8-0966) to discuss.
  • Dispose of sensitive information properly. If you are authorized to collect or retain sensitive information, you are obligated to discard it when the information no longer has a legitimate business use. Printed or other physical materials containing sensitive information must be shredded. Computers and other electronic equipment that contain sensitive information or that have been certified by Information Security must be disposed of as outlined in KUMC's Computer Equipment Disposal and Media Sanitization Policy.
  • Protect documents containing sensitive information. Documents (e.g., spreadsheets, databases, word-processing documents) containing sensitive information must be password-protected and should be stored on network drives ("g drives" or "h drives") rather than personal computer drives ("c drives"). If you do not know how to password-protect a document, or if you are uncertain which drive is your network drive, call the Help Desk at 8-7995.
  • In addition, if you cannot avoid storing documents containing sensitive information on your personal computer drives, then the personal computer must be "certified". Contact the Department of Information Security (8-0966) for information about personal computer certification.
  • Physical access to paper documents containing sensitive information should be restricted to those who need the information to perform their responsibilities. Appropriate physical security, including door and cabinet locks, must be implemented.
  • Report any accidental disclosure or suspected misuse of sensitive electronic data immediately to Information Security. Report any accidental disclosure or suspected misuse of sensitive information in paper format to your supervisor.

When working with sensitive information, you should never:

  • Store documents containing sensitive information on laptop or notebook computers unless the computer is certified and the information is encrypted. Call Information Security at 8-0966 for information about personal computer certification and encrypting data.
  • Store documents containing sensitive information on other mobile devices such as Personal Data Assistants (PDAs, Palms, PocketPCs, Windows CE devices, BlackBerries) unless such storage is approved by your department and the PDA is password-protected.
  • Store sensitive information on small portable storage devices such as floppy drives, zip disks, flash memory drives (keychain drives, flash drives, USB memory keys), CDs, or DVDs unless the information is encrypted and the device has been approved by Information Security.
  • Store sensitive University information on a home computer or any other computer not owned by the University.
  • Provide an outside entity with any type of sensitive information without the informed consent of your department chair. Be aggressive in seeking clarification and confirmation that including the sensitive information is essential. While this may seem obvious in the case of (for example) patient information, it applies equally to a spreadsheet containing employee names and dates of birth or SSNs.
  • Send any form of sensitive information off-campus via email using GroupWise or any other email system except KUMC's Secure Email System. For information on the Secure Email System, please visit the secure email website.
  • Post any form of sensitive information on a web server.
  • Transmit files containing sensitive information outside of the KUMC network in a manner that does not utilize encryption to protect the communication (e.g., the SecureFiles system, SSL, VPN, etc.).
  • Store sensitive information in third-party online application services, unless a University contract with that vendor is in place which protects sensitive information.
  • Store documents containing sensitive information on third-party online storage services, unless a University contract with that vendor is in place which protects sensitive information.

II. Guidelines for Identifying Individuals in Electronic Systems

The Employee Identification Number (EmplID) generated by the PeopleSoft Human Resources/Payroll systems is the preferred unique identifier for all KUMC employees including affiliated groups not paid from state sources (Research Institute, Endowment Association, Student Union Corporation, KUPI employees in the context of state-related activities). Affiliated groups will be put into the Human Resources/Payroll system as appropriate in order to create an EmplID (and, thus, to facilitate identity-driven processes such as account creation and termination, portal access, and library access).

The PeopleSoft Human Resources/Payroll system is the authoritative source of employee Social Security Numbers and the only system in which an individual employee's name, EmplID, and SSN should be associated.

The KUID is the preferred unique identifier for all KUMC students. The PeopleSoft Student Administration System is the authoritative source of student Social Security Numbers and the only system in which an individual student's name, EmplID, and SSN should be associated.

When the EmplID and KUID cannot be used (as, for example, in a purely numeric field), the University Employee Badge ID number is a satisfactory replacement.

No new information systems that use the SSN for personal identification will be acquired, developed, or implemented unless that use is mandated by federal or state regulation. Existing information systems reliant on the Social Security Number for personal identification will be modified or replaced in the context of a logical system of priorities (to be developed by the Department of Information Resources) and resource availability.

The SSN should be removed from all University online and paper forms and reports except where required by federal or state regulation.

Exclusions or Special Circumstances: 

This policy applies to everyone at all campuses and sites of the University of Kansas Medical Center. There are no exemptions.

Consequences: 

Suspected or known violations of this policy will be reported to the appropriate University officials, and may result in:

  • Loss of individual computing privileges.
  • Accountability for conduct under any applicable University or campus policies, procedures, or collective bargaining agreements, including disciplinary action.
  • Disconnection of non-compliant systems from the KUMC network.

Suspected or known violations of University regulations and/or State and Federal law will be processed by the appropriate University authorities and/or law enforcement agencies.

Contact: 

For information on this policy, please contact:

Eric Walters
Director of Information Security
Department of Information Resources
University of Kansas Medical Center
1020 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-0966

Michael Harmelink
Associate Vice Chancellor for Information Resources
Chief Information Officer
University of Kansas Medical Center
1018 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-4900

Karen Blackwell
Director, HIPAA Compliance and Human Research Protection Program
University of Kansas Medical Center
G006 Sudler, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-0942

Vince Loffredo 
Vice Chancellor of Student Services
University of Kansas Medical Center
3001 Student Center, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-4698

Approved by: 
Executive Vice Chancellor
Approved on: 
Monday, October 9, 2006
Effective on: 
Monday, October 9, 2006
Review Cycle: 
Annual (As Needed)
Definitions: 

Data owner: is the person(s) or department identified with and widely recognized as having primary authority and decision responsibility over a collection of University data. The data owner may be responsible for an entire database or a segment of the database. For example, the Registrar is responsible for all student data, while the Director of Financial Aid is only responsible for the financial aid data within the records. Data owners are frequently referred to as data stewards.

Personal identity information (PII): includes Social Security Numbers, credit card numbers, bank and credit union account numbers, health insurance plan identification numbers, drivers license numbers, dates of birth, and other similar information associated with an individual student or employee that, misused, might enable assumption of that individual's identity ("identity theft") to compromise that person's personal or financial security.

Protected health information (PHI): includes health information that is associated with at least one of eighteen identifiers that make the information "individually identifiable." The eighteen identifiers include name, address, SSN, date of birth, date of health care, and other elements listed in Appendix A of the KUMC's HIPAA Policy on Research using Electronic Protected Health Information. Health information about groups of people (population data, mean and median data, aggregate data, etc.) that cannot be related to individuals is not PHI.

Student educational record information: includes records that are based on student status and maintained by the University or a party acting for the University. Access to student records is governed by the KU Student Records Policy and the Family Educational Rights and Privacy Act (FERPA). Sole possession records, medical or psychological records, alumni records, employment records, and law enforcement records are not considered student educational records and are not subject to FERPA.

Other sensitive information: includes any information that has been designated by the University to be non-public information but is not protected by law or regulation. Examples include personnel records (including performance appraisal information and records of disciplinary action); information about KUMC security systems; computer passwords; and information about the configuration of KUMC electronic systems.

For a detailed guide on the specific information that is considered to be sensitive information, refer to the guideline document titled "What is Sensitive Information?"

Keywords: 
sensitive, PHI, PII, SSN, FERPA, HIPAA
Review, Approval & Change History: 

2014-07-17: Updated contact information.

2014-02-28: Updated contact info for Student Services and moved into KU Policy Library.

2013-04-18: Reviewed with no changes.

2012-04-27: Reviewed with no changes.

2011-03-13: Reviewed with no changes.

Information Access & Technology Categories: 
Privacy & Security
