Handling Patient Data General Security Guidelines

Data Office
Nov 22, 2017 12:00 pm

To minimize the risk of unauthorized disclosure of patient data and other sensitive information, data security must be a top priority for all. Research performed at the University of Michigan is governed by related institutional policies.


    1. First rule of data security: Never e-mail files with PHI.

    •  E-mail is not a secure means of transmitting PHI, use MiShare to move data.

    2. All data should be stored on a secured shared drive or within an approved UMHS environment, not on your desktop or personal server.

    3. All data/research files must be encrypted.

    4. All data collection and storage devices must be password protected with a strong password.

    5. For analysis, subject identifiers (medical record numbers, names, addresses, etc.) data, and keys should be placed in separate, password protected/encrypted files and each file should be stored in a different secure location from the data file.

    6. PHI may never be stored or transmitted on an unauthorized/unencrypted portable USB flash drive or portable hard drive.

    7. The PI should consult with their departmental IT Security Liaison to discuss how to correctly configure desktop computers, laptops, and other external devices for safe use in the collection and storage of research data.

    *The #1 cause of disclosure of PHI reported by the US Center of Medicaid and Medicare is data stored on stolen or lost portable devices.

  • Offices that govern these policies


Contact us at or (734) 615-2100 

North Campus Research Complex, Building 400, 1600 Huron Parkway, Ann Arbor, MI 48105

A list of Data Office contacts is available in the Personnel Directory.

Edited By:
Last Updated: June 29, 2018 2:00 PM