Transmission of Sensitive Information Standard

Title

University of North Carolina at Chapel Hill Standard on Transmission of Sensitive Information

Introduction

Purpose

Protected Health Information (PHI) and Sensitive Information (SI) that is transmitted or received on behalf of the University of North Carolina at Chapel Hill by any Constituent must be encrypted in accordance with this Standard, which details required minimum encryption standards for University Tier 2 and Tier 3 information. Particular transmissions may require a heightened encryption requirement or consideration of additional legal or policy requirements. University Units may also require more stringent transmission protocols.

Scope of Applicability

All University Constituents transmitting Tier 2 or 3 information on behalf of the University.

Standard

Protected Health Information (PHI) and other Sensitive Information (SI) (data classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard) that is transmitted on behalf of the University by any Constituent must be encrypted in accordance with this Standard. This means either a secure connection (VPN, HTTPS, SFTP, etc.) between each endpoint or encryption of the file/information, unless an exception applies.

Questions and requests for deviations from this Standard in special cases may be referred to your unit Information Security Liaison or to the Information Security Office.

Examples of when data encryption is required include, but are not limited to:

  • Any transmission of PHI or other SI over a non-University-managed network such as a home network, or from any external or unsecured wireless network. This includes transmission by any University employee, student, contractor, or vendor (Constituent) that is not wholly inside of a University managed and monitored network.
  • Any vendor transmissions of PHI or SI sent over the Internet.
  • Eduroam used anywhere other than at the University or UNC Health.
  • Use of a smartphone or tablet to transmit SI.
  • Email of SI from an Office365 unc.edu email account to any outside recipient must be encrypted using built-in encryption mechanisms or file encryption.
  • Texting of SI must use a University-approved secure method of texting that complies with applicable procurement, Privacy, and Information Security policies, unless an exception applies.

Situations where requirements may be ambiguous:

  • A demonstrably-encrypted file may be sent to or from a non-University-managed network without the use of VPN or TLS.
  • Email of SI from an Office365 unc.edu email account to another Office365 unc.edu email account does not require additional encryption under this Standard. However, the likelihood of misdirecting email or other mishap makes file encryption or use of a mechanism more secure than email (such as OneDrive/Teams) strongly recommended. See current Office365 help information on how to send an encrypted email.

Encryption Standards

Acceptable encryption methods for the transmission of PHI/SI must use NIST-approved security functions/algorithms and include Transport Layer Security (TLS) (currently version 1.2 or higher is acceptable), Internet Protocol Security (IPsec), and other Internet Engineering Task Force (IETF) specified/proposed protocols. In addition, individual documents may be transmitted if encrypted using any of the NIST-approved algorithms for encryption. Keys should be generated using either UNC's password policy or by using NIST-recommended key generation methods.

If you have any questions about compliance with this Standard or the encryption of PHI/SI, or have a special case which may justify an exception to any part of this Standard (which may be issued by the Chief Information Security Officer or their delegate), please contact the University's Information Security Office via 919-962-HELP.

Compliance

Due to possible financial risk and legal consequences associated with the loss of PHI and SI, failure to comply with this Standard may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this Standard may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this Standard may face termination of their business relationships with UNC-Chapel Hill.

Actions violating this Standard may also carry the risk of civil or criminal penalties.

Questions or concerns about specific circumstances should be directed to the Office of Information Security via 919-962-HELP.

Exceptions

Transmissions occurring entirely within the managed and monitored University network are excepted from the encryption requirement. For example, transmissions between systems residing in University data centers, or between a campus workstation and a University data center do not require encryption under this Standard. Remote networks managed by the University may also be excepted. Please contact the Information Security Office for assistance determining whether this exception applies. Information Security Liaisons may assist with this process.

Research or clinical activities performed under the auspices of UNC Health must meet applicable UNC Health privacy and security requirements. If the individual/group has documentation that UNC Health affirmatively takes responsibility for the privacy and security requirements of the activity, this Standard may not apply.

Use of a secure texting system provided by UNC Health satisfies the requirement of this Standard to use a University-approved method.

Texting of Tier 2 information is exempted from this Standard, though Privacy, Security Controls, and other requirements may apply. Care must be taken to protect Tier 2 information. Exception from this Standard only recognizes the challenges inherent in encrypted transmission by text. For Tier 2 information, this Standard should be considered strong guidance.

Documented Consent Exception

Transmission of Sensitive Information is exempted from this Standard if documented consent is obtained from the subject of the SI or someone with authority to consent on their behalf (e.g. patient or research subject consent). Other security controls, IRB or other research requirements, or privacy requirements may apply in your specific situation. This Standard does not take the place of guidance from those authorities.

For Texting or Email with an Individual Regarding SI Personal to Them

For texting or email with an individual regarding SI personal to them (students, research subjects, patients), consent must be obtained first if encryption is not used, and must be for more than mere convenience of the responsible UNC entity. Note: you may have specific forms or more rigorous requirements depending on your specific scenario. This represents the minimum requirements. To qualify for a consent exception to this Standard, consent documentation must include:

Tier 2 (Guidance only)

Any form of documented consent that indicates approval by the affected individual is sufficient for this exception. This may include a text or email from the individual, or a more formal consent document. The consent should be retained in accordance with applicable retention requirements. Keep in mind that other policies, standards, laws, or other constraints may apply to your specific situation. This exception does not supersede or except other applicable requirements. When communicating SI, appropriate precautions include minimizing the amount and narrowing the type of information sent in an unencrypted message (e.g. appointment reminders vs. survey questions or grades) to the least risk necessary for the communication.

Tier 3

A formal consent document is required that includes at least the following elements:

  • Name of the consenting individual (additional relevant information if consent is on behalf of another person such as a child).
  • Information about the responsible unit/study/individual/clinic clearly identifying the area involved.
  • If the form must be used as part of a medical record, a key identifier such as study participant ID or patient ID. (Note: SSN is not an appropriate identifier for this type of documentation!)
  • Phone or email address to which consented communication will be sent.
  • A description of the authorization and its purpose including a general description of the communication content involved.
  • A clear indication that consent is informed, including unambiguous description that the content will not be encrypted or otherwise protected.
  • Any selections appropriate to the situation, if there are options about what communications content will or will not be allowed.
  • An unambiguous attestation that the individual consents, that they understand the risks, and that their consent is voluntary. (Note: participation in the study or other activity may not be contingent upon consent unless the study is intended to examine communication methods.)
  • The right to revoke authorization, which must be respected.
  • Any applicable constraints (liability release, risks, applicable time periods…).
  • Authentication that the document is provided by the individual it purports to be from. Unless a wet-ink signature or its equivalent is required by another authority, any University-accepted method of authenticating a form is appropriate.

Note: at all times, transmitting only the minimum necessary Tier 3 information is required. Consider the type of communication carefully (e.g. sending an appointment reminder vs. questions about a patient's specific condition).

Your department may have additional requirements or a standard form which may exceed these requirements. Such forms intended for this purpose and reviewed by an appropriate authority (IRB, Office of University Counsel, Institutional Privacy Office, or similar) are considered sufficient to also qualify for this exception. This Standard does not supersede other review and approval processes, such as IRB approval, which may be required in your specific situation.

Other exceptions may be authorized in writing by the Chief Information Officer, Chief Information Security Officer, or designee of either officer.

Definitions

  • University Constituent: UNC-Chapel Hill faculty, staff, students, retirees and other affiliates, contractors, distance learners, visiting scholars, and others who use or access UNC-Chapel Hill resources.
  • Encryption: The process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, often referred to as a key or password.
  • HTTPS: HTTPS (also called HTTP over TLS, HTTP over SSL, and HTTP Secure) is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer. The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data.
  • Internet Protocol Security (IPsec): Suite of protocols for securing Internet Protocol (IP) communications at the network layer by authenticating and/or encrypting each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment.
  • Protected Health Information (PHI): Tier 3 information covered by the Health Insurance Portability and Accountability Act (HIPAA).
  • Sensitive Information (SI): Information classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard.
  • Transport Layer Security (TLS): An authentication and security protocol widely implemented in browsers and web servers.
  • Virtual Private Network (VPN): A virtual network, built on top of existing physical networks, which provides a secure communications tunnel for data and other information transmitted between networks.

Related Requirements

External Regulations and Consequences

University Policies, Standards, and Procedures

Helpful references

  • UNC Safe Computing for information on best practices and guidance from the Information Security Office
  • See help.unc.edu for information on encrypting email, VPN, University secure wi-fi options, and other related topics

Contact Information

Primary Contacts

  1. ITS Policy Office
    Unit: ITS
    Email: its_policy@unc.edu
    Phone: 919-962-HELP
  2. Information Security Office
    Unit: ITS
    Online: help.unc.edu
    Phone: 919-962-HELP

Details

Article ID: 131260
Created: Thu 4/8/21 9:05 PM
Modified: Wed 7/14/21 10:58 AM
Effective Date: 10/26/2020 12:00 AM
Issuing Officer Title: Assistant Vice Chancellor and Chief Information Security Officer
Last Review: 10/05/2020 2:39 PM
Last Revised: 10/05/2020 2:39 PM
Origination: 10/20/2015 12:00 AM
Responsible Unit: Information Technology Services