Background

Federal and state laws and regulations require that confidential electronic data, such as protected health information (PHI), personnel information, financial information, and personally identifiable information (PII) must be protected when stored on a computer, to reduce the impact of a computer loss or security breach.

Such regulations include but are not limited to:

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
• Family Education Rights and Privacy Act (FERPA)
• California Health and Safety Code Section 1280.1
• California Information Practices Act (Civil Code Section 1978)
• Confidentiality of Medical Information Act (CMIA)

In addition, UCSF 650-16 Information Security and Confidentiality Policy, which requires UCSF compliance with federal and state laws and regulations as well as University policy, sets forth the minimum security standards for electronic information resources. In order to comply with University policy and the federal and state laws and regulations, the University of California, San Francisco, requires that all laptops used for UCSF work, whether UCSF-owned or non-UCSF-owned, must be encrypted.

Computer encryption waiver

The computer encryption waiver is for laptop and desktop computers that do not store or process Restricted (PLC P4) or Sensitive (PLC P3) data. For example, protected health information (PHI) and personally identifiable information (PII) are classified as PLC P4. Other types of data are also considered Sensitive or Restricted; see the UCSF Data Classification Standard for details.

You can request a waiver for a computer that cannot be encrypted because of a software or hardware incompatibility with encryption or if encryption would interfere with UCSF research or business activities. This does not apply to mobile devices such as a mobile phone or tablet.

Click here for the Computer Encryption Waiver form.

The computer encryption waiver form requires the following:

• Providing the computer name, serial number, MAC address
• Specifying if you use PHI or PII
• Selecting which exemption you are requesting (Encryption)
• Providing a business justification for the exemption

Departments that have a large number of computers needing encryption exceptions: Use the security exception request form.

Mobile device encryption exceptions

For mobile device encryption waivers, use the generic security exception request form.