Skip to content

Other ways to search: Events Calendar | UTHSC News

Know Your Data's Classification

High ranking data/information, C-3 for example, has restrictions regarding the storage, transmission and use of said data. Examples of this data type are sensitive information such as social security numbers, patient information, and student grades. UTHSC has regulatory and compliance obligations to protect this data under different laws, standards and regulations; such as Health Insurance Portability and Privacy Act of 1996 (HIPAA), Family Educations Rights and Privacy Act (FERPA), Health Information Technology for Economic and Clinical Health (HITECH), Gramm-Leach-Bliley Act (GLBA) and Payment Card Industry Data Security Standard (PCI-DSS). 

Strict security controls are required when handling data with a high ranking. The Office of Cybersecurity has established standards to guide users on classifying the data in use as well as the security needed for that data.

The Office of Cybersecurity has also established guidelines on sharing this type of material.

PHI and ePHI

PHI is an acronym for Protected Health Information. PHI is all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. UTHSC is a covered entity. 

ePHI is Protected Health Information in electronic form that is stored, transmitted, or somehow used electronically.

Examples of PHI are below.


PII is an acronym for Personally Identifiable Information. PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Examples of PII include, but are not limited to:

  • Name, such as full name, maiden name, mother‘s maiden name, or alias
  • Personal identification number, such as social security number (SSN), passport number, driver‘s license number, taxpayer identification number, or financial account or credit card number
  • Address information, such as street address or email address
  • Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry)

Examples of PHI, ePHI, HIPAA, and HITECH Information

  • Name
  • Address – street address, city, county, zip code (more than 3 digits) or other geographic codes
  • Dates directly related to patient (except year), including DOB, admission or discharge date
  • Telephone Number
  • Driver’s License Number
  • Email addresses & fax numbers
  • Social Security Number
  • Medical Record Number
  • Health Plan Beneficiary Number
  • Account Number
  • Certificate/License Number
  • Any vehicle or device serial number, including license plates
  • Web Addresses (URLs)
  • Internet Protocol (IP) Address
  • Finger or voice prints
  • Photographic images
  • Any other unique identifying number, characteristic, or code
  • Age greater than 89 (as the 90 year old and over population is relatively small)

Examples of FERPA Information

  • Grades
  • Social security number
  • Passport number
  • Driver’s license number
  • Account balance


Security Requirements for Researchers

Aligning with the UTHSC mission and goals, researchers conduct various types of research. The data is often collected from human subjects and requires strict levels of protection. The Office of Cybersecurity provides security requirements for researchers to reduce the risk to the data, yhour research, the researchers, and UTHSC. 

Sensitive/Protected Storage Policy

Read the UTHSC Guidance on Storing Sensitive/Protected Data in UT’s Microsoft Office 365 for Education before storing sensitive or protected data on OneDrive.

Refer to the University of Tennessee IT0110 – Acceptable Use of Information Technology Resources policy and GP-004-Acceptable Use of IT Resources for more information on the approved way to use IT Resources.

Sending Sensitive Information Guidelines

Method Can I use this method? If I can, how do I do it?
Email Yes

Yes, but it must be encrypted. UTHSC's emails can be encrypted by typing the word encrypt in the subject line.  More on encrypting an email

Mail (USPS, FedEx, etc.) Yes

The file needs to be wrapped or sealed in an envelope or pouch in such a manner that the PHI cannot be identified during the transportation process. The outside of the container should contain clear information regarding the addressee, which includes the name, address and telephone number where he/she can be reached. Covered entities should ensure that transported PHI be delivered only to the appropriate individuals who are authorized to receive the information. Implement a tracking method by which the sender and the recipient can sign and verify delivery and receipt of the information.

Live Phone or In-Person Conversation Only with extreme care

When talking with a patient or another medical professional ALWAYS use common sense, medical ethics, and take precautionary measures. Be aware of your surroundings and pay close attention to the information you are giving the patient or fellow medical professional. Ask the patient or medical professional if they are on speaker phone or if they are in a crowded area to prevent others from hearing the conversation. 

Voicemail Only with extreme care

When leaving a voicemail with a patient or medical professional, make sure that you have dialed the correct number. Listen for the patient or fellow medical professional’s name during their voicemail greeting. Please, be very broad, advise them to return your call, and give details to patient or medical professional when they become available.

Fax Maybe

Faxing is a secure way of communication, used often in hospitals, clinical settings, and pharmacies as long as it is done over a secured fax/phone line.

Text Message Maybe

There are applications available which allow for secure transmission of text as long as all communication stays within the application. The user must make sure that the application used is complicate with local, state, federal regulations and the university’s policies. SMS (Short Message Service) or "normal texting" is not allowed. 

Social Media No

Using social media accounts and social media messaging tools when exchanging sensitive information is prohibited unless authorized by written consent.

May 7, 2024