{"id":729,"date":"2018-05-02T08:50:54","date_gmt":"2018-05-02T08:50:54","guid":{"rendered":"https:\/\/az.research.umich.edu\/medschool\/document\/handling-patient-data-general-security-guidelines\/"},"modified":"2025-12-08T09:50:35","modified_gmt":"2025-12-08T14:50:35","slug":"handling-patient-data-general-security-guidelines","status":"publish","type":"document","link":"https:\/\/az.research.umich.edu\/medschool\/informational\/handling-patient-data-general-security-guidelines\/","title":{"rendered":"Handling Patient Data General Security Guidelines"},"template":"","categories":[58],"tags":[],"content-type":[5],"topic":[45,66],"update-type":[],"class_list":["post-729","document","type-document","status-publish","hentry","category-data-office-for-clinical-translational-research","content-type-informational","topic-hipaa-protected-health-information","topic-investigator-study-team-responsibilities"],"acf":{"use_legacy_editor":true,"updated_date":"2025-12-05 14:00:00","update_notice":false,"author":"Data Office","summary":"Use of patient health data for research is a distinct privilege \u2013 not a right. To minimize the risk<\/a> of unauthorized disclosure of patient data and other sensitive information, data security must be a top priority for\u00a0all.\u00a0Research<\/a> performed at the\u00a0University of Michigan is governed by related institutional and federal policies.","button_links":null,"related_content":"","legacy_path":"handling-patient-data-general-security-guidelines","legacy_node_id":258,"legacy_related_nids":"","legacy_content_section":[{"legacy_section_type":"heading","legacy_heading":"Guidance For Safe Data Handling","legacy_subheading":"","legacy_section_text":"","legacy_media_position":"","legacy_media_file":"","legacy_media_url":"","legacy_glossary_term":"","legacy_glossary_nids":"","legacy_resource":"","legacy_resource_nids":"","legacy_buttons":null},{"legacy_section_type":"text_area","legacy_heading":"","legacy_subheading":"","legacy_section_text":"\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
DO'S<\/strong><\/span><\/td>\r\nDONT'S<\/strong><\/span><\/td>\r\n<\/tr>\r\n
Use a secure file share solution like DropBox<\/a><\/td>\r\nEver e-mail files with\u00a0PHI<\/a>, even if using a secure Michigan Medicine Outlook e-mail account<\/td>\r\n<\/tr>\r\n
All data should be stored on a secured shared drive or within an approved\u00a0MM<\/a> environment<\/td>\r\nSave files to your desktop<\/td>\r\n<\/tr>\r\n
All data files must be encrypted<\/td>\r\nRemove password protection<\/td>\r\n<\/tr>\r\n
Place participant identifier (MRNs names, addresses) data, and crosswalk key in separate, password-protected files<\/td>\r\nShare the crosswalk of identifiers<\/td>\r\n<\/tr>\r\n
Know the details of the IRB approval<\/td>\r\nCollect more data than approved or share data with individuals not listed as research team members in the IRB.<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n\r\nIMPORTANT:<\/strong><\/span> The #1 cause of disclosure of PHI is Cyber Attacks, so do not rely on the MM firewall to protect sensitive data \u2013 take additional precautions.","legacy_media_position":"","legacy_media_file":"","legacy_media_url":"","legacy_glossary_term":"","legacy_glossary_nids":"","legacy_resource":"","legacy_resource_nids":"","legacy_buttons":null},{"legacy_section_type":"heading","legacy_heading":"Offices that Govern These Policies","legacy_subheading":"","legacy_section_text":"","legacy_media_position":"","legacy_media_file":"","legacy_media_url":"","legacy_glossary_term":"","legacy_glossary_nids":"","legacy_resource":"","legacy_resource_nids":"","legacy_buttons":null},{"legacy_section_type":"text_area","legacy_heading":"","legacy_subheading":"","legacy_section_text":"