8.2.2.15 Category A Data Protection Standard


Category A data includes data that is legally regulated by the Health Insurance Portability and Accountability Act of 1996, Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and Children’s Online Privacy Protection Act (COPPA). Category A data is also subject to State of Oklahoma Policy, Standards, Procedures, and Guidelines (PSPG).

Data Collection and Use

  1. Limited to authorized uses as outlined in the University HIPAA Policies.
  2. A Notice of Collection that describes the purpose for which personal data is collected must be specified at, or prior to, the time of collection (also known as the Right to be Informed). Data collected must only be used in accordance with the Notice of Collection.
  3. Departments/Colleges that collect and/or use Category A data must participate in the Information Security Program by reporting Category A servers to OU IT through an OU IT Security Assessment.
  4. University web pages that are used to collect Category A data must include a link to the OU Privacy Policy, the HIPAA Notice of Privacy Practices, and University HIPAA Policies.
  5. Use of clinical research data for IRB-approved or IRB-waived studies must be approved by the Clinical Research Informatics Oversight Committee.
  6. Social Security Numbers shall not be used as a username or password.
  7. Social Security Numbers shall not be collected on unauthenticated individuals.

Granting Access or Sharing

  1. Access shall be limited to authorized University officials or agents with a legitimate academic or business interest and a need to know as outlined in University HIPAA Policies.
  2. Before granting access to external third parties, contractual agreements which outline responsibilities for security of the data shall be approved by the Office of Legal Counsel.
  3. Per the Identity and Access Management Policy, all access shall be approved by an appropriate Data Owner or Steward and tracked in a manner sufficient to be auditable.
  4. Access to Category A data must require multi-factor authentication, in accordance with the Identity and Access Management Policy.
  5. Staff, faculty, or student accounts must authenticate to Category A data using an approved authentication method, in accordance with the Identity and Access Management Policy.
  6. Data Owners and Stewards must review access to Category A data in accordance with the Identity and Access Management Policy.
  7. All interfaces used for sharing Category A data must be registered in the IT Asset Inventory, in accordance with the IT Asset Management Policy.

Disclosure or Posting

  1. Disclosure or public posting of Category A data is not permitted unless required by law or with patient or participant authorization.

Electronic Display

  1. Category A data shall be displayed or accessible only to authorized and authenticated users of a system.
  2. Identifying numbers or account numbers shall be, at least partially, masked or redacted.

Open Records Request

  1. Category A data is typically not subject to open records disclosure. However, some open records requests can be fulfilled by redacting the sensitive portions of records.
  2. Data can be readily provided upon request with approval from the OU Open Records Office.

Exchanging with Third Parties, Service Providers, or Cloud Services

  1. A contractual agreement outlining security responsibilities shall be in place and approved by the Office of Legal Counsel before exchanging data with the third party or service provider.
  2. A Business Associate Agreement must be in place for all third parties or service providers accessing, storing, processing, or transmitting Category A data.
  3. An IT Security Assessment must be completed before the purchase or integration of new hardware, software, or third-party technology services that collect, store, transmit, or process Category A data.
  4. All contractors, consultants, third parties, or other non-employees must only be given Privileged Access to data or systems when the Data Steward or Asset Administrator determines there is a legitimate business need. These privileges must be enabled only for the time period required to accomplish approved tasks and then promptly disabled upon completion of the approved tasks. Unattended access by contractors, consultants, third parties, or other non-employees requires that an OU IT Exception Request be submitted.
  5. All access by contractors, consultants, third parties, or other non-employees must be monitored and reviewed by the Office of Information Technology and Asset Administrators.

Storing or Processing: Server Environment

  1. Servers or data classified as Category A must be stored in one of OU's designated enterprise data centers and be placed in the business network zones.
  2. Category A data shall be encrypted in storage and in transit, where available. Where encryption is not available, this must be captured in the IT Risk Assessment and the risk accepted by the appropriate party.
  3. Servers that connect to the OU network shall comply with IT Security Policies and Standards.
  4. Servers that store, process, or transmit Category A data shall comply with University HIPAA policies.

Storing or Processing: Endpoint Environment (e.g., laptop, phone, desktop, tablet, etc.)

  1. Category A data must not be stored on an Endpoint unless encrypted in accordance with the Encryption Standard.
  2. Asset Administrators must create procedures to transfer Category A data from endpoints to an approved enterprise data center location on a nightly basis.
  3. Endpoints that connect to the OU network shall comply with IT Security Policies and Standards.
  4. Endpoints that are used to access, create, store, process, or transmit Category A data shall comply with University HIPAA policies.

Storing on Removable Media (e.g., USB drives, flash drives, CDs, DVDs, etc.)

  1. Category A data shall only be stored on removable media if encrypted in accordance with the Encryption Standard.

Electronic Transmission

  1. Secure, authenticated connections or secure protocols shall be used for transmission of Category A data.

Email and other Messaging

  1. Messages shall only be sent to authorized individuals with a legitimate need to know.
  2. Messages shall be transmitted in an encrypted format by placing [SECURE] or [ENCRYPT] in the subject line.

Copying and Printing

  1. Data should only be printed when there is a legitimate need.
  2. Paper copies of data must be limited to individuals authorized to access the data.
  3. Paper copies should be labeled 'Confidential'.
  4. Paper copies should not be left unattended where others may see them.
  5. Unauthorized access to printed materials must be prevented by locking doors, cabinets, etc.

Retention and Disposal

  1. Data shall be retained in accordance with the State of Oklahoma General Records Disposition Schedule for State Universities and Colleges Section 8: Medical Clinic.
  2. Data shall be deleted and rendered unrecoverable using a DoD 3-pass secure deletion technique.
  3. Printed materials shall be destroyed in accordance with University HIPAA Policies.

Revision, Review, and Approval History

  • October 2023: OU IT Governance, Risk, and Compliance: Initial draft, opened for comments
  • January 2024: OU IT Governance, Risk, and Compliance: Comment period closed
  • January 2024: Office of Compliance: Standard reviewed, comments submitted
  • February 2024: OU IT Governance, Risk, and Compliance: Added University HIPAA Policies to the Data Collection and Use section. Included the term "accessible" in Electronic Display. Added "accessing" to Exchanging with Third Parties. Added "in transit" to Storing or Processing: Server Environment. Revised Storing or Processing: Endpoint Environment. Revised Disposal.
  • March 2024: OU IT Governance, Risk, and Compliance: Added Granting Access and Sharing statements. Added Exchanging with Third Parties statements. These statements align with the Identity and Access Management Policy.
  • March 2024: OU IT Governance, Risk, and Compliance: Added Storing or Processing: Server Environment statements from the OUHSC Information System Storage and Data Sharing Policy. Added Storing or Processing: Endpoint Environment statements from the OUHSC Information System Storage and Data Sharing Policy.
Details

Article ID: 3088
Created: Mon 10/23/23 3:26 PM
Modified: Tue 4/2/24 9:14 AM
