Transmission of Sensitive Information Standard

Title

University of North Carolina at Chapel Hill Standard on Transmission of Sensitive Information

Introduction

Purpose

Protected Health Information (PHI) and other Sensitive Information (SI) sent or received on behalf of the University of North Carolina at Chapel Hill ("University" or "UNC-Chapel Hill") must be encrypted. This Standard sets the minimum encryption requirements for University Tier 2 and Tier 3 information. Some transmissions are subject to stronger encryption or to additional legal or policy requirements, and some University Units apply more stringent transmission protocols.

Scope

Anyone transmitting Tier 2 or 3 information on behalf of the University.

Standard

You must encrypt Tier 2 or Tier 3 information that you transmit on behalf of the University. This includes Protected Health Information (PHI) and any other Sensitive Information (SI) listed in the UNC-Chapel Hill Information Classification Standard. Either establish a secure connection between the endpoints (VPN, HTTPS, SFTP, or another method described below), or encrypt the file/information before you send it, unless you have an approved exception.

Contact your unit Information Security Liaison or Information Security Office for questions. They also manage requests for exceptions to this Standard.

Examples of when data encryption is required, and of acceptable ways to provide it, include:

  • Transmission of PHI or other SI over a non-University-managed network. This includes home networks and other external or unsecured wireless networks.
  • Any transmission of data outside a University-managed and monitored network.
  • Any vendor transmissions of PHI or SI sent over the Internet.
  • Eduroam used anywhere other than at UNC-Chapel Hill or UNC Health.
  • Use of a smartphone or tablet to send SI.
  • Use a built-in email encryption feature when you send email with SI to any outside recipient from your University account. Or if the SI is in files, you may encrypt the files before sending.
  • Use a University-approved secure method for texting SI. The texting method must follow related procurement, Privacy, and Information Security policies. There are some exceptions. See the “Exceptions” section below for more details.

Situations where requirements may be unclear: 

  • You can send files to or from a non-University-managed network without the use of VPN or TLS if the files are shown to be encrypted with a sufficient passphrase or key following National Institute of Standards and Technology (NIST) guidance and tested before use with SI.
  • Emailing SI between two University Office365 unc.edu email accounts does not require additional encryption. However, we recommend file encryption or a secure sharing method such as OneDrive or Teams, which limits the damage from a misdirected email or similar mishap. See current Office365 help information on how to send an encrypted email.
  • Follow UNC Health guidance if sending SI between University and UNC Health systems.

Encryption Standards

Acceptable encryption methods for the transmission of PHI/SI must use NIST-approved security functions and algorithms, in implementations such as:

  • Transport Layer Security (TLS) (currently version 1.2 or higher is acceptable),
  • Internet Protocol Security (IPsec), or
  • other Internet Engineering Task Force (IETF) specified or proposed protocols.

You can send individual documents if they are encrypted using a NIST-approved encryption algorithm (for example, AES-256). Choose passphrases according to UNC-Chapel Hill's password policy, or generate keys using NIST-recommended key generation methods.
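As an added illustration (not part of the Standard, and not a University-provided tool), the following POSIX shell script shows one way to meet the file-encryption option above with the openssl command line: it generates a random passphrase with openssl rand, encrypts a file with AES-256 using a key derived from that passphrase by PBKDF2 (the password-based key derivation method NIST recommends), and performs the round-trip test the Standard expects before any SI is sent. It assumes openssl 1.1.1 or later is installed; the file names, the iteration count and the sample content are choices made for this example.

```shell
#!/bin/sh
# Added example, not part of the Standard: file-level AES-256 encryption with
# the openssl CLI (assumes openssl >= 1.1.1 for the -pbkdf2 / -iter options).
# The passphrase is read from a file (mode 0600) rather than passed on the
# command line, so it does not appear in the process list or shell history.

# Generate a random passphrase from openssl's DRBG: 24 random bytes -> 32 chars.
make_passphrase() {            # $1 = passphrase file to create
    (umask 077; openssl rand -base64 24 > "$1")
}

# Encrypt $1 into $2 with AES-256-CBC; the key is derived from the passphrase
# in $3 by PBKDF2-HMAC-SHA256 with a random salt and a high iteration count.
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 -md sha256 \
        -in "$1" -out "$2" -pass "file:$3"
}

# Decrypt $1 into $2 with the passphrase in $3 (KDF parameters must match).
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -md sha256 \
        -in "$1" -out "$2" -pass "file:$3"
}

# The "tested before use with SI" step: encrypt a constructed, non-sensitive
# sample, confirm the ciphertext does not contain the plaintext and carries
# openssl's "Salted__" header, then confirm it decrypts back to the original.
roundtrip_ok() {               # $1 = passphrase file; returns 0 on success
    tmp=$(mktemp -d) || return 1
    printf 'constructed sample: participant 0000, visit 2024-01-01\n' > "$tmp/plain.txt"
    rc=1
    if encrypt_file "$tmp/plain.txt" "$tmp/plain.enc" "$1" \
       && ! grep -q 'participant 0000' "$tmp/plain.enc" \
       && head -c 8 "$tmp/plain.enc" | grep -q 'Salted__' \
       && decrypt_file "$tmp/plain.enc" "$tmp/back.txt" "$1" \
       && cmp -s "$tmp/plain.txt" "$tmp/back.txt"; then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# A wrong passphrase must not yield the plaintext: openssl normally reports
# "bad decrypt"; in the rare case the padding looks valid, the output differs.
wrong_pass_rejected() {        # $1 = correct passphrase file, $2 = wrong one
    tmp=$(mktemp -d) || return 1
    printf 'constructed sample\n' > "$tmp/plain.txt"
    rc=1
    if encrypt_file "$tmp/plain.txt" "$tmp/plain.enc" "$1"; then
        if ! decrypt_file "$tmp/plain.enc" "$tmp/back.txt" "$2" 2>/dev/null \
           || ! cmp -s "$tmp/plain.txt" "$tmp/back.txt"; then
            rc=0
        fi
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage when run directly:  sh encrypt_si.sh selftest
if [ "${1:-}" = "selftest" ]; then
    pf=$(mktemp) && make_passphrase "$pf" \
        && roundtrip_ok "$pf" && echo "round-trip OK; passphrase stored in $pf"
fi
```

Two practical notes: share the passphrase with the recipient over a different channel than the file (a phone call, not the same email), and remember that openssl enc in CBC mode provides confidentiality only; a tampered ciphertext is not detected. Where integrity also matters, prefer a tool that provides authenticated encryption, such as GnuPG's --symmetric --cipher-algo AES256 or age.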

Compliance

Due to potential financial risk and legal consequences associated with the loss of PHI and other Tier 2 or 3 information, failure to follow this Standard may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment.

  • Students who do not adhere to this Standard may be referred to the UNC-Chapel Hill Office of Student Conduct.
  • Contractors, vendors, and others who do not adhere to this Standard may face termination of their business relationships with UNC-Chapel Hill.

Actions violating this Standard may also carry the risk of civil or criminal penalties.

Questions or concerns about specific circumstances should be directed to the Office of Information Security via 919-962-HELP.

Exceptions

The encryption requirement does not apply if a transmission occurs within the managed and monitored University network. For example, transmissions between two systems within the University data centers do not need encryption. Encryption is also not needed when transmissions occur between a campus workstation and a University data center. Exceptions may also apply to remote networks managed by the University. Please contact the Information Security Office for help deciding whether this exception applies. Information Security Liaisons may help with this process.

UNC Health privacy and security requirements apply to research or clinical activities performed under the auspices of UNC Health. This Standard may not apply if the individual or group has documentation that UNC Health has agreed to take privacy and security responsibility for the activity.

Using a secure texting system provided by UNC Health satisfies the requirement to use a University-approved method.

Texting of Tier 2 information is exempted from this Standard, though Privacy, Security Controls, and other requirements may apply. Care must be taken to protect Tier 2 information. This exception only recognizes the practical challenges of encrypting text messages. For Tier 2 information, this Standard should be considered strong guidance.

Documented Consent Exception

If you receive and document consent from the subject of the SI, or someone with authority to consent on their behalf (e.g., patient or research subject consent), the Standard does not apply. Other security controls, IRB (Institutional Review Board) or other research requirements, or privacy requirements may apply in your specific situation. This Standard does not take the place of guidance from those authorities.

For Texting or Email with an Individual Regarding SI Personal to Them

You must receive consent before you send someone an unencrypted text or email containing SI about them. This applies to students, research subjects and patients. You cannot do this solely for your own convenience. You should also check whether specific forms or more rigorous requirements apply to your scenario; what follows is the minimum requirement. To qualify for a consent exception to this Standard, consent documentation must include:

Tier 2 (Guidance only)

Exceptions apply if the affected individual consents in any documented form. This may include a text or email from the individual, or a more formal consent document. Keep the consent documentation under applicable retention requirements. Other policies, standards, laws, or other constraints may apply to your specific situation. This exception does not supersede or except other applicable requirements. Use precautions when communicating SI. Minimize the amount and narrow the type of information sent in an unencrypted message. For example, you might send only appointment reminders rather than survey questions or grades. You lower the risk by including only the least information necessary.

Tier 3

A formal consent document is required that includes at least the following elements: 

  • Name of the consenting individual (other relevant information if consent is on behalf of another person such as a child).
  • Information about the responsible unit/study/individual/clinic clearly naming the area involved.
  • If the form must be used as part of a medical record, key identifier such as study participant ID or patient ID. (Note: SSN (Social Security Number) is not a suitable identifier for this type of documentation!)
  • Phone or email address to which consented communication will be sent.
  • A description of the authorization and its purpose. Include a general description of the communication content involved.
  • A clear indication that informed consent was given voluntarily. Include an unambiguous statement that the content will not be encrypted or otherwise protected.
  • Where the situation offers options, the individual's selections of what communication content will or will not be allowed.
  • A clear attestation that the individual consents voluntarily and understands the risks. (Participation in the study or other activity may not be contingent upon consent unless the study is intended to examine communication methods.)
  • The right to revoke authorization, which must be respected.
  • Any applicable constraints (liability release, risks, applicable time periods, etc.).
  • Authentication that the document is from the individual it is supposed to be from. Any University-accepted method of authenticating a form is proper unless a wet-ink signature or its equivalent is required by another authority.

Always send the least amount of Tier 3 information necessary. Consider the type of communication to decide the amount of Tier 3 information necessary. For example, an appointment reminder is less sensitive than questions about a patient's specific condition.

Your department may have higher requirements or a standard form beyond these requirements. If those forms serve this purpose and are reviewed by a proper authority (IRB, Office of University Counsel, Institutional Privacy Office, or similar), they are sufficient to qualify for this exception. This Standard does not supersede other review and approval processes, such as IRB approval, which may be needed in your specific situation.

If you have questions about compliance with this Standard or the encryption of PHI/SI, please contact the University's Information Security Office via 919-962-HELP. The same is true for questions about unusual cases which may justify an exception to any part of this Standard. (The Chief Information officer, Chief Information Security Officer, or their delegate may issue exceptions in writing.)

Definitions

  • Encryption: The process of transforming information using an algorithm to make it unreadable to anyone except those having special knowledge, usually a key or password.
  • HTTPS: HTTPS (also called HTTP over TLS, HTTP over SSL, and HTTP Secure) is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer. The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data.
  • Internet Protocol Security (IPsec): Suite of protocols for securing Internet Protocol (IP) communications at the network layer by authenticating and/or encrypting each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment.
  • Protected Health Information (PHI): Tier 3 information covered by the Health Insurance Portability and Accountability Act (HIPAA).
  • Sensitive Information (SI): Information classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard.
  • Transport Layer Security (TLS): An authentication and security protocol widely implemented in browsers and web servers.
  • Virtual Private Network (VPN): A virtual network, built on top of existing physical networks, which supplies a secure communications tunnel for data and other information transmitted between networks.

Related Requirements

External Regulations and Consequences

University Policies, Standards, and Procedures

Helpful references

  • UNC-Chapel Hill Safe Computing for information on best practices and guidance from the Information Security Office
  • See help.unc.edu for information on encrypting email, VPN, University secure wi-fi options, and other related topics

Contact Information

Primary Contacts

ITS Policy Office

  • Phone: 919-962-HELP/4357
  • Email: its_policy@unc.edu
  • Web: help.unc.edu

Information Security Office

  • Phone: 919-962-HELP
  • Web: help.unc.edu

Details

Article ID: 131260
Created: Thu 4/8/21 9:05 PM
Modified: Tue 4/16/24 4:07 PM
Effective Date: 10/26/2020 12:00 AM
Issuing Officer Title: Assistant Vice Chancellor and CISO • ITS - VC - CIO
Last Review: 12/13/2023 12:00 AM
Last Revised: 10/05/2020 2:39 PM
Next Review: 12/13/2026 12:00 AM
Origination: 10/20/2015 12:00 AM
Responsible Unit: Information Technology Services

Related Articles (3)

The UNC-Chapel Hill Adams School of Dentistry has a legal and ethical responsibility to safeguard patient information. This responsibility includes ensuring that devices storing Protected Health Information ("PHI") or other Sensitive Information are properly encrypted and are serviced by an appropriate vendor. The purpose of this Policy is to ensure that all Computing Devices used by students will meet institutional security requirements.
The Information Classification Standard gives a structure for the University's information. This structure helps us recognize the types of University Information we handle. It makes it easier to keep the information safe. This Standard considers the University's academic culture, which values sharing information. Classifying information the right way gives everyone at the University, at every level, a structure that supports their University activities.
This standard defines the minimum security controls for Information Technology systems in use at UNC-Chapel Hill including personal and University-owned devices. Units within the University may apply stricter controls to protect information and systems in their areas of responsibility. The standard applies to each UNC-Chapel Hill Constituent, student, employee, or other for any covered system under their control.