HIPAA Core Policy: Use of Portable Devices   


Abstract: 
This policy establishes guidelines for departments engaged in administration, education, research, and clinical programs that use portable computing devices and/or portable storage devices, or that are considering their use in the future.

Effective Date: 04/15/2008

Review/Revised Date: 02/20/2023

Category: Ethics and Integrity

Policy Owner: Provost

Policy Contact: Chief Privacy Officer


1. PURPOSE: To establish policy for entities engaged in administration, education, research, and clinical activities in which portable computing devices and/or portable storage devices (hereafter referred to as portable devices) are used or are being considered for use in the future.

2. APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Health Plans, and other UAB entities that may be added from time to time) and to the following UAB Medicine Enterprise Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, Whitaker Clinics of UAB Hospital, Callahan Eye Hospital and Clinics, UAB Health Centers, Medical West Hospital, VIVA Health, Inc., University of Alabama Health Services Foundation owned and operated clinics, Ophthalmology Services Foundation, Valley Foundation, and other UABHS managed entities that may be added from time to time. For purposes of this policy, UAB/UAB Medicine Enterprise Covered Entities shall be referred to as "UAB".

University of Alabama at Birmingham (UAB) and the University of Alabama at Birmingham Medicine Enterprise (UABME) retain ownership of all patient data. Therefore, use of portable devices within UAB/UABME by employees, students, volunteers, and all affiliated individuals, including third-party users of ePHI or other sensitive information, is governed by this policy. In addition, this policy addresses the use of portable devices in each of the following device ownership scenarios, among others:

  • Originally purchased by and ownership retained by UAB/UABME.
  • Originally purchased by UAB/UABME with ownership transferred to a workforce member, student, volunteer, or affiliated individual accepting the device.
  • Originally purchased and ownership retained by the individual workforce member, student, volunteer, physician, resident, vendor, or affiliated individual.*

3. DEFINITIONS:

3.1  Portable Computing Devices (PCD): Include, but are not limited to, hand-held devices, pen pads, cell phones, smartphones, iPhones, Android devices, iPads, portable workstations on wheels and carts, biomedical devices that collect patient information or provide life support and medical treatment, and pagers that store data. Portable computing devices are battery-operated (though they may support direct connection to utility power), freestanding devices used for data storage, retrieval, analysis, and exchange. Such devices may interact with other networked systems, the Internet, cloud storage, or desktop personal computers via some form of interconnection and/or synchronization process.

3.2  Portable Storage Devices (PSD): Include, but are not limited to, removable or external hard disk drives, DVDs, CDs, flash drives, pen drives, USB drives, tapes, cloud storage, and other portable storage devices capable of acting as a transport agent for digital information.

3.3  Sensitive Information: Any information that should be accessed only by authorized personnel. It includes protected health information, financial information, personnel data, trade secrets, and any information that is deemed confidential or that would negatively affect UAB if inappropriately handled.

3.4  Protected Health Information (PHI): Health information, including demographic information, collected from an individual and created or received by a health care provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies an individual, or for which there is a reasonable basis to believe the information can be used to identify the individual, and that is transmitted or maintained in electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Rights and Privacy Act, or employment records held by a covered entity in its role as an employer.

Health information containing any of the following identifiers of an individual, or of relatives, employers, or household members of the individual, is considered PHI:

1. Name
2. Geographic subdivisions smaller than a state (street address, city, county, precinct, zip code, and equivalent geocodes)
3. All elements of dates (except year) including birth date, admission and discharge dates, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) addresses
16. Biometric identifiers, including finger and voice prints
17. Full-face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code, except as allowed under the re-identification specifications (45 CFR 164.514(c))

3.5  Electronic Protected Health Information (ePHI): PHI in electronic form.

3.6  Workforce Members: Any individual (physician, resident, employee, student, volunteer, contracted employee, visiting faculty, or clinical or research fellow) who accesses UAB/UABME electronic protected health information or who is considered a UAB workforce member under the HIPAA regulations.

3.7  Senior Management: Persons in the positions of dean, chair, or division or program director, or persons specifically designated by a dean, chair, or division or program director, who make executive decisions and are authorized to accept risks for the administrative unit in the area of information security.

4. POLICY:

4.1. Workforce Member Responsibilities:

4.1.1. In the event prior approval has been granted for downloading ePHI or other sensitive information, workforce members shall be responsible for protecting all ePHI or other sensitive information contained on their portable device or personal computer from improper use or disclosure.

4.1.1.1. Security of data maintained and stored on such devices is subject to the provisions of relevant local, state, and federal statutes and regulations, and to the UAB HIPAA core policies and other UAB and UABME policies.

4.1.2. Workforce members shall not use personally owned portable devices for work-related purposes unless such use is specifically approved by senior management. If use of a personal portable device is approved by senior management, the device must comply with all applicable policies and standards and must be made available to UAB for routine or special analyses. In addition, the device must be set up in English.

4.1.3. In the event senior management authorizes the use of a portable device for the transfer or use of ePHI or other sensitive information, the device must either be purchased by UAB or be approved by UAB's or UABME's Information Security Officer before it is put into operation.

4.1.4. Prior to disposal or transfer to a new owner, all ePHI and other sensitive information on the device must be destroyed. See the UAB HIPAA core security policy "Media Reallocation and Disposal" regarding media disposal and re-use.

4.1.5. Portable devices shall not be shared among family members or outside parties.

4.1.6. Removal of portable device hardware and electronic media from a UAB facility shall follow the guidelines below:

4.1.6.1. Workforce members shall promptly (within 2 hours of the discovery of the loss) report the loss or theft of any portable device, hardware, electronic media, or any ePHI or other restricted/sensitive information stored on the portable device or electronic media to their appropriate supervisor, UAB Police, the UAB/UABME HIPAA Security Officer, and the UAB or UABME Information Security Officer.

4.2. System Administrator Responsibilities:

4.2.1. Final disposal of electronic sensitive information.

4.2.1.1. System Administrators shall ensure that ePHI or other sensitive information subject to final disposition is disposed of by using a method that ensures the ePHI or other sensitive information cannot be recovered or reconstructed. See the UAB HIPAA security core standard regarding media disposal and reallocation.

4.2.1.2. System Administrators shall maintain a log of such data destruction that lists the device, the date of destruction, the workforce member authorizing the destruction, a general description of the ePHI or other sensitive information (if available), and the identity of the workforce member performing the destruction.

4.2.1.3. System Administrators shall report to the UAB/UABME HIPAA Security Officer (within 2 hours) the loss or theft of any portable device containing or possibly containing ePHI or other sensitive information.

4.2.1.4. Devices containing hard drives shall use UAB/UABME approved encryption technologies.

4.2.1.5. Disposal of the portable device containing a hard drive shall follow UAB/UABME policies.

4.3. Senior Management Responsibilities

4.3.1. If senior management consents to allowing contractors, business associates, or workforce members under contract to copy, download, or remove UAB/UABME ePHI or other sensitive information to any portable device, then senior management shall:

4.3.1.1. Confirm appropriate contract language and Business Associate Agreements are properly executed.

4.3.1.2. Confirm appropriate confidentiality agreements and policy acknowledgements are properly executed and copies are retained within the department.

4.3.1.3. Ensure the device meets UAB/UABME security requirements.

4.4. Contractor, Business Associates, and other Temporary/Contract Workforce Members Responsibilities:

4.4.1. Contractors, business associates, or workforce members under contract may not copy, download, or remove UAB/UABME ePHI or other sensitive information to any portable device without documented consent from the appropriate UAB/UABME senior management. In the event UAB/UABME senior management consents to allow a contractor or business associate to use ePHI or other sensitive information on a portable device, the consenting party is responsible for the tracking, retrieval, and removal of the ePHI or other sensitive information and for conformance with the statements in this policy.

4.4.2. Contractors, associates, and workforce members under contract shall employ safeguards equivalent to UAB/UABME safeguards prior to removal of any material.

4.4.3. Contractors and associates shall not share ePHI or other sensitive information with other parties or internal to their company without written approval from UAB.

5. ENFORCEMENT: Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, medical privileges, or assignment, depending on the severity of the infraction. In addition, UAB may report the matter to civil and criminal authorities as required by law.

6. REFERENCES: UAB HIPAA Core standards (www.hipaa.uab.edu)

7. ATTACHMENTS: None

To view other HIPAA Core Policies and for more information, please visit the HIPAA website.