Home > Servcies > Information Security > Sensitive Data
Sensitive Data
As stated in Penn's Computer Security Policy, confidential or sensitive data includes:
- Sensitive Personally Identifiable Information: Any information relating to an individual that reasonably identifies the individual, and if compromised, could cause significant harm to that individual or to Penn.
Examples may include, but are not limited to:
- Social Security Numbers
- Credit Card Numbers
- Bank Account Information
- Student Grades or Disciplinary Information
- Salary or Employee Performance Information
- Donations
- Patient Health Information (see ePHI below)
- Information Penn has promised to keep confidential
- Account Passwords or Encryption Keys used to protect access to confidential University Data
- Proprietary Information: Data, information or intellectual property in which the University has an exclusive legal interest or ownership right, which if compromised, could cause significant harm to Penn.
Examples may include, but are not limited to:
- Business Planning
- Financial Information
- Trade Secrets
- Copyrighted Material
- Software or comparable material from a third party when the University has agreed to keep such material confidential
- Other Data: Other data whose disclosure would cause significant harm to Penn or its constituents.
* * * * * * * * * * * * * * * * * * * * * * * * * * *
If you require any of the above to be stored on your machine you MUST take the necessary steps to ensure its security.
Check out the SOMIS Encryption page for information about getting Whole Disk Encryption software for your machine.
What is HIPAA and how does it apply to Penn?
The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) law regulates the use of health information on campus by covered components at Penn - including UPHS and the School of Medicine among others.
HIPAA lists 18 identifiers that qualify as Personal Health Information, ePHI:
- Names
- All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Phone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/License numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code (excluding a random identifier code for the subject that is not related to or derived from any existing identifier)
Questions or concerns? Email medsecurity@mail.med.upenn.edu
