Protecting Patient Privacy -- A Shared Responsibility

January 25, 2018

To:Penn Medicine Faculty, Students, and Staff

From:J. Larry Jameson, MD, PhD
Ralph W. Muller

Re: Protecting Patient Privacy

Protecting patient information is a top priority at Penn Medicine and one that requires all of us to play our part. Indeed, a key component of delivering top quality care to our patients is also taking care to protect the privacy and security of their information. We all must know the “do’s and don’ts” for keeping data secure, the services and tools available to assist, and where to direct any questions or concerns. 

The rules about storing and transmitting personally identifiable information, including patient health information or “PHI,” are straightforward and apply to both clinical and research activities. It is critically important that we adhere to these policies. Information Services has worked diligently to make adherence easy, as well as the right thing to do. To summarize:

PHI must be stored only on: (1) a Penn Medicine managed network drive; (2) a Penn Medicine managed encrypted device; or (3) a Penn Medicine approved third party computing environment.

PHI must be transmitted only using (1) an encrypted portable drive or (2) a secure encrypted file transfer.

Please note that e-mailing outside of the UPHS environment is not secure. Email can be accidentally  misdirected to unintended, including unknown and sometimes untrustworthy, recipients. It’s your responsibility to protect sensitive information. Information Security can assist in providing secure alternatives for your data transmission needs. 

The following tools enable us all to meet these requirements:

  • Penn Medicine network / shared drives
  • Penn Medicine managed remote access computing
  • Penn Medicine managed encrypted portable devices
  • Penn Medicine secure file transfer services
  • Penn Medicine approved third party services 

Violations of policy can result in discipline up to and including termination.

We encourage any questions about these requirements. If you are unsure if your current devices meet the storage requirements above, please contact the Service Desk at 215-662-7474 or utilize the IS Self-Service Portal on the UPHS Intranet. For any additional questions regarding how to operate securely, including secure data transfers and storage methods, please contact the Information Security Office (