it.ucsf.edu

Why Privacy and Security Training Matter

Dawn Jackson-Freyman's picture

In FY2014, UCSF experienced three major breaches involving stolen, unencrypted laptops and desktops. Each breach affected thousands of patients and required time and energy to notify each affected person, as well as multiple regulatory agencies and media outlets. The incidents drew the attention of:

  • Office for Civil Rights (OCR)
  • Centers for Medicare and Medicaid Services (CMS)
  • California Department of Public Health (CDPH)
  • Department of Education (DOE)
  • Office of Human Research Protection (OHRP)
  • The media

Not only do security breaches impact the University’s reputation, but they also incur investigation and data breach response expenses as well as potential fines and penalties.

Our Obligation to Improve

In addition to amendments to HIPAA regulations made last year, UCSF has an obligation to take action to address these breaches and to train our workforce on current privacy, security, and encryption requirements and best practices.

Your Role

The training period began August 1, 2014, and the training must be completed by February 13, 2015. Visit the UC Learning Center and search for “Privacy and Security Briefing” to complete the course, or call 415-353-2750 for more information.

The 10-15 minute Training Module can be completed at your desk and will cover the following:

  • Encryption Requirements for Electronic Devices
  • Recent Privacy Regulatory Changes
  • Privacy and Security Resources

Campus-Specific Encryption Attestation

At the end of the course, the user will be required to click on an attestation indicating that he/she will encrypt all devices used for UCSF business. However, the attestation makes no mention of approved encryption exceptions, which will be necessary in some limited cases. Therefore, for Campus workforce only, a campus-specific attestation will apply in lieu of the attestation in the course. Click here to view the campus-specific attestation.