Section 26: Electronic PHI

Section 26:  Electronic Protected Health Information

This policy sets the privacy rules for general polices on Electronic PHI.

A. All UT Dallas computers and other devices on which electronic PHI is created or maintained must be encrypted in compliance with The University of Texas System’s information security policies.

B. Passwords to computers and other devices upon which PHI is maintained or created shall not be shared by staff or other Workforce Members and shall not be written down where others can find them.

C. A computer user with access to PHI via the computer shall log off before leaving his or her workstation for any significant period of time and shall not allow someone else to use his or her computer under his or her password in his or her absence.

D. A computer screen or any other device’s screen shall not be positioned such that PHI may be viewed by unauthorized individuals. Computer screen filters are required on computers where viewing by anyone other than the user is possible.

E. Copiers and other devices capable of caching PHI should be cleared of all PHI prior to removal from a department within the University.

F. Before new technologies or devices are adopted or obtained by a department within the Callier Center, that department and other University offices involved in the adoption or acquisition of the technology or device are responsible for determining if PHI is reasonably likely to be created or maintained as the result of the adoption or acquisition and policies and procedures must be adopted for ensuring the security of all PHI created or maintained or Used or Disclosed as a result. This applies to Social Media sites, messaging systems, and smart phone or other personal digital assistant (PDA) applications that a department sponsors or utilizes.

G. PHI may not be created, transmitted, or stored in any form on personal devices or personal accounts outside of UT Dallas. Personal devices include laptops, mobile devices, tablets, etc. Personal accounts include e-mail accounts, text or instant messaging services, cloud storage providers, or other applications outside of UT Dallas. A narrow exception to this rule applies to PHI contained within emails from UT Dallas accessible via personally-owned mobile devices. This restricted access is permitted only if the device complies fully with the Information Security Office’s Mobile Device Standard (e.g., password protection, device wipe after 10 attempted logins or when lost, etc.).

H. Callier Workforce members that receive email messages on personal devices must ensure that the device is password protected. Receipt of unencrypted emails containing PHI cannot be forwarded or replied to in an unencrypted manner unless a Request for Unencrypted Email has been signed by the parent/patient/personal representative and is filed in the patient’s Official Medical Record (OMR).

I. Section 24 of this manual explicitly states that “Employees should routinely review email accounts for emails that should be included in the OMR and delete extraneous emails containing PHI.”

HIPAA Regulatory Citation:  45 CFR § 164.530

Effective: 04/14/2003
Revised: 05/18/2015, 04/13/2013
Reviewed: 03/30/2021, 12/08/2015

Donise W. Pearson, HIPAA Privacy Officer
UT Dallas Callier Center