Data Security Tips

Any device (e.g., desktop, laptop, tablet) used to access, process, or store HIPAA data or individually identifiable human subject research data, unless otherwise designated by the IRB, must have the following:

  1. Operating System is supported and updated
  2. Anti-Malware set to auto update and scan
  3. Disk encryption
  4. Auto screen lock (15 min max) to password/code

Follow our guidance on securing your devices and use HIPAA approved Data Storage and Research Apps


HIPAA Limited Data Sets can be processed on our Shared Computing Cluster (SCC4).  SCC staff or the data provider (e.g., BMC Clinical Data Warehouse) can help you limit the data to that allowed by law: city, zip code, dates of birth, death, or treatment (partial de-identification)

A completely de-identified data set requires removal of these identifiers as well.  See U.S. Department of Health and Human Services, Office for Civil Rights guidance on de-identification.

  • If data is completely de-identified it is classified as Public Data.


Reminders and Updates

BU HIPAA Security Reminder July 2017 (PHI and email)

BU HIPAA Security Update August 2017 (Office 365)

BU HIPAA Security Reminder December 2017 (delete files you don’t need)

HIPAA Security Update April 2018 (Workstation and Device Use Procedure CRC)

HIPAA Security Update April 2018 (Workstation and Device Use Procedure GSDM)

HIPAA Security Update May 2018 (2FA for Office 365 and remote access)