Regulatory and organizational requirements
In the course of carrying out its academic, research and clinical missions, faculty, staff and students at Yale collect many different types of information, including financial, academic, health, human resources information, and personally identifiable information. Federal and state laws impose many obligations on Yale to protect the confidentiality of information about students, employees, and patients.
In addition to regulatory requirements, there are also requirements stipulated by other organizations when the University requests use of those organizations’ data sets. In turn, every member of the University has the obligation to implement appropriate safeguards to meet these requirements. These requirements include:
- Health Insurance Portability and Accountability Act (HIPAA)
  - Security Rule
  - HITECH breach notification for unsecured Protected Health Information (PHI)
  - De-identification checklist
- Yale University & FISMA (Federal Information Security Management Act) requirements
- The Family Educational Rights and Privacy Act (FERPA), which protects student records
- U.S. Department of Veterans Affairs regulations, which protect VA patient and research data
- Food and Drug Administration (FDA) 21 CFR Part 11
- The Connecticut personnel file statute, which protects employee records
- The Connecticut statute on the security of confidential electronic information, which protects Social Security numbers and financial account numbers
- DoD rule (pending) amending the Defense Federal Acquisition Regulation Supplement (DFARS) to add a contract clause requiring a contractor to notify DoD if the contractor is required to report its activities under the U.S.-International Atomic Energy Agency Additional Protocol
- Foreign data privacy and security laws:
  - European Union Data Protection Directive
  - Yale’s International Operations and Compliance Committee (IOCC)
- dbGaP (database of Genotypes and Phenotypes), NCBI
- National Longitudinal Study of Adolescent Health (Add Health): the University of North Carolina requires a security plan for restricted-use data
- New Immigrant Survey (NIS) Restricted Data Protection Plan
- U.S. Bureau of Labor Statistics National Longitudinal Surveys, Children and Young Adults (NLSY geocode data): requires application documentation, including data security content
- National Science Foundation (NSF) Data Management Plan Requirements
Appropriate protections (security controls) for the confidentiality, integrity and availability of data must be implemented to comply with regulations, contracts and other agreements. The required administrative, technical and physical security controls vary, but implementing them may involve substantial resources, including financial, IT and human resources. Many researchers and departments may not have the resources and/or IT support needed to implement these controls, so it is critical that IT and information security roles and responsibilities are clearly understood well in advance of entering into an agreement, grant or contract.