Perelman School of Medicine at the University of Pennsylvania


Sensitive Data

As stated in Penn's Computer Security Policy, confidential or sensitive data includes:

  • Sensitive Personally Identifiable Information: Any information relating to an individual that reasonably identifies the individual, and if compromised, could cause significant harm to that individual or to Penn.

    Examples may include, but are not limited to:

    • Social Security Numbers
    • Credit Card Numbers
    • Bank Account Information
    • Student Grades or Disciplinary Information
    • Salary or Employee Performance Information
    • Donations
    • Protected Health Information (see ePHI below)
    • Information Penn has promised to keep confidential
    • Account Passwords or Encryption Keys used to protect access to confidential University Data
  • Proprietary Information: Data, information or intellectual property in which the University has an exclusive legal interest or ownership right, which if compromised, could cause significant harm to Penn.
    Examples may include, but are not limited to:
    • Business Planning
    • Financial Information
    • Trade Secrets
    • Copyrighted Material
    • Software or comparable material from a third party when the University has agreed to keep such material confidential
  • Other Data: Other data whose disclosure would cause significant harm to Penn or its constituents.

If you require any of the above to be stored on your machine you MUST take the necessary steps to ensure its security.

Check out the PMACS Encryption page for information about getting Whole Disk Encryption software for your machine.

What is HIPAA and how does it apply to Penn?

The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) law regulates the use of protected health information on campus by covered components at Penn - including UPHS and the School of Medicine among others.

Protected Health Information –  

The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."  EPHI refers to electronic protected health information and is covered by the HIPAA Security Rule.

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.

Any of the above health information becomes identifiable when it is associated with an individual using identifiers such as the following.

18 HIPAA Identifiers:

  • Names
  • All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  • Phone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/License numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code (excluding a random identifier code for the subject that is not related to or derived from any existing identifier)

For more information, contact .

Penn Medicine Academic Computing Services (PMACS) at the Perelman School of Medicine

Links of Interest

Job Opportunities