In a Fog about the Cloud?

Patrick Phelan's picture

Recently, a UCSF patient discovered their protected health information on the internet for all to see. A former UCSF resident used an online presentation tool called Prezi and inadvertently made the presentation publicly available.

While there are many useful free or low-cost cloud services, it is not acceptable to use them with restricted or confidential UCSF data (i.e., patient health information, student information, etc.). When you agree to the service provider’s terms of use, you are putting UCSF data in the provider’s hands without the necessary UCSF contractual assurances or a federally required HIPAA Business Associate Agreement. If you agree to the terms of a “click-through agreement” without consulting the appropriate internal department(s), you may be held personally responsible for the terms of the agreement. The fines levied for inappropriate disclosures of patient health information can be as high as $1.5 million.

We understand that Prezi and other online tools offer attractive features that visually enhance your presentations. UCSF has a sanctioned suite of services and software including Box, PowerPoint, or Keynote for you to use. Additionally, PowerPoint has added two features, “Zoom and “Morph,” that will enable you to make more interactive, compelling presentations. This tutorialwill show you how to use the supported tool, PowerPoint to achieve comparable results.

If you are using Prezi or a similar service, discontinue its use and remove any UCSF data from the service immediately. When dealing with patient health information, follow HIPAA’s “minimum necessary” requirement. Minimum necessary means limiting the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose (i.e. remove names, MRNs, and other identifiers that are not needed).

We understand the appeal of free and low-cost cloud services, but the risks to UCSF data and the privacy of our student and patients’ health information outweigh the perceived benefits of such services.


Written by: Tom Poon, Interim Chief Privacy Officer

Patrick Phelan, Chief Information Security Officer