1. First rule of data security: Never e-mail files with PHI.
- E-mail is not a secure means of transmitting PHI; use MiShare to move data.
2. All data should be stored on a secured shared drive or within an approved UMHS environment, not on your desktop or personal server.
3. All data/research files must be encrypted.
4. All data collection and storage devices must be password protected with a strong password.
5. For analysis, subject identifiers (medical record numbers, names, addresses, etc.), data, and keys should be placed in separate password-protected/encrypted files, and each file should be stored in a different secure location from the data file.
6. PHI may never be stored or transmitted on an unauthorized/unencrypted portable USB flash drive or portable hard drive.
7. The PI should consult with their departmental IT Security Liaison to discuss how to correctly configure desktop computers, laptops, and other external devices for safe use in the collection and storage of research data.
*The #1 cause of disclosure of PHI reported by the US Center of Medicaid and Medicare is data stored on stolen or lost portable devices.
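Rule 5 above in working form, as an added example that is not part of the original guidance: a research extract is split into an identifiers file, a linkage-key file, and an analysis data file, so that no single file holds both PHI and study data. The sample records are constructed, and encrypting each output file with the approved tool is assumed to happen afterwards.

```python
# Added example (not from the policy page): split a research extract into three
# files so that identifiers, the linkage key, and analysis data never sit together.
import csv
import io
import secrets

# Constructed sample records: made-up subjects, not real PHI.
RAW_RECORDS = [
    {"mrn": "0001234", "name": "A. Example", "address": "1 Main St", "age": 54, "hba1c": 7.2},
    {"mrn": "0005678", "name": "B. Sample", "address": "2 Oak Ave", "age": 61, "hba1c": 6.4},
]
IDENTIFIER_FIELDS = ("mrn", "name", "address")


def split_phi(records):
    """Return (identifiers, keys, data) as three lists of dicts.

    identifiers: PHI only, tagged with a random per-row token
    keys:        maps that row token to the random study ID used in analysis
    data:        analysis variables under the study ID, with no PHI
    Each list goes to its own encrypted file in a different secure location
    (assumption: encryption is done afterwards with the approved tool).
    """
    identifiers, keys, data = [], [], []
    for rec in records:
        # Tokens are random, not derived from the MRN: a hash of the MRN can be
        # reversed by anyone able to enumerate MRNs, so it is not a real pseudonym.
        row_token = secrets.token_hex(8)
        study_id = "S" + secrets.token_hex(6)
        identifiers.append({"row_token": row_token, **{f: rec[f] for f in IDENTIFIER_FIELDS}})
        keys.append({"row_token": row_token, "study_id": study_id})
        data.append({"study_id": study_id,
                     **{k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS}})
    return identifiers, keys, data


def to_csv(rows):
    """Serialise one of the three outputs as CSV text (written to its own file)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def contains_phi(rows, records):
    """Check before release: True if any identifier value from records appears in rows."""
    phi_values = {str(r[f]) for r in records for f in IDENTIFIER_FIELDS}
    return any(str(v) in phi_values for row in rows for v in row.values())


if __name__ == "__main__":
    ids, keys, data = split_phi(RAW_RECORDS)
    for name, rows in (("identifiers.csv", ids), ("keys.csv", keys), ("data.csv", data)):
        print(f"--- {name} (phi present: {contains_phi(rows, RAW_RECORDS)}) ---\n{to_csv(rows)}")
```

Only the identifiers file should report PHI present; the key and data files can be shared with the analyst without exposing a single identifier.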