OIS Security Bytes - PHI Identifiers (Byte 2 of 2)

UNC’s Office of Information Systems is posting bite-sized IT Security tips for our users. As IT security concerns become more a part of our everyday life, awareness is one of our best allies. Read more about Protected Health Information and what you can do to protect patient privacy.

OIS Security Bytes - PHI Identifiers (Byte 2 of 2) click to enlarge Storing PHI

A Vital Part of Our Job

Our community trusts us with their most sensitive data (financial, personal, and medical).  Therefore, a vital part of our job must be protecting that data from accidental exposure or unauthorized access.

Whether storing data for medical or research purposes, accessing or entering data in University financial systems, generating payments for visiting scholars, handling employment records for current or former employees, or even developing a new App to assist in clinical trials, we must be aware that we are working with sensitive information. Security has to be considered in all of these instances (and many others not listed). 

Acceptable Storage Locations

  1. The main repository for sensitive information should be departmental SAI server space. These are servers which have been designated as hosting sensitive data or being mission-critical and are subject to guidelines and oversight specifically designed to mitigate risk. Each department within UNC has an Information Security Liaison (ISL) who will be able to point you to the server space specific to your department.

NOT Acceptable Storage Locations

  1. Your local desktop/workstation IS NOT considered a safe repository for University-owned sensitive data. Project SIR, currently underway, is designed to ensure that our local systems do not inadvertently store this type of data.
  2. Mobile devices such as unencrypted USB Drives, Phones, or Tablets SHOULD NOT store University-owned sensitive data. These devices are high risk due to their inherent qualities of mobility and ease of access.
  3. Unencrypted laptops SHOULD NEVER store University-owned sensitive data.
  4. The Cloud (Dropbox, iCloud, Google Drive, etc…) IS NOT an acceptable location for University-owned sensitive data. Outside entities need to sign Data Use Agreements or Business Associate Agreements to be contractually obligated to secure our data at the necessary levels.


There are other requirements regarding the hosting or processing of University-owned sensitive data as well as PHI and PII. Please see UNC’s security policy at the following link: http://its.unc.edu/files/2014/08/Information-Security-Policy.pdf (pgs. 19-23)

Lastly, if you have specific concerns regarding the handling or storage of sensitive data, please do not hesitate to contact your local ISL or OIS Security and we will be glad to help.

Read Part I of this Security Byte about PHI. 

UNC’s Office of Information Systems will be posting bite-size IT Security tips for our users. As IT security concerns become more a part of our everyday life, awareness is one of our best allies. For more information, contact your local IT Support or chat with us at help.med.unc.edu.