| Law/Regulation/Standard | Definition | Examples | Data Steward/Manager | Resources |
|---|---|---|---|---|
| Electronic Protected Health Information (ePHI) or HIPAA: regulated by the Health Insurance Portability and Accountability Act (HIPAA) | The Privacy and Security Rules apply only to covered entities in their role as a Health Care Provider, Health Plan, or Health Care Clearinghouse. Protected health information excludes certain categories of individually identifiable health information. | Individually identifiable data elements, when combined with health information about that individual, make such information protected health information (PHI). | Health System Compliance Officer | U.S. Dept. of Health HIPAA website |
| Export Controlled Research or ITAR, EAR: International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR) | Export controlled research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation. | Chemical and biological agents, scientific satellite information, certain software or technical data sent to foreign persons, military electronics, nuclear physics, work on new formulas for explosives. This kind of data cannot be stored on systems outside the United States, nor can non-U.S. citizens work on this type of project. | Export Controls Compliance, Office of the Vice President for Research | |
| FISMA: Federal Information Security Management Act | FISMA requires federal agencies, and those providing services on their behalf, to develop, document, and implement security programs for IT systems and to store the data on U.S. soil. FISMA applies generally to federal "contracts" as opposed to grants. | If you work with data provided by the federal government under contract and exchange data with government systems, then you may be subject to FISMA compliance regulations to protect the data. | -- | |
| GLBA (Student Loan Information): Gramm-Leach-Bliley Act | GLBA includes provisions to protect consumers' personal financial information held by financial institutions and higher education organizations. | Loan information, student financial aid data, payment history. You may need to be concerned about GLBA if your department runs its own student financial aid program. | Executive Director and University Registrar | U-M GLBA Compliance |
| Sensitive Identifiable Human Subject Research: Federal Policy for the Protection of Human Subjects ("Common Rule") | A human subject is a living individual about whom an investigator (whether professional or student) conducting research obtains data through intervention or interaction with the individual, or from whom identifiable private information is obtained. Sensitive Human Subject Research is as defined by 45 CFR 46.101(b)(2), which distinguishes regulated research from a category of exempt research using the following language: "Information obtained is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects; and any disclosure of the human subjects' responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation." | Individually identifiable research data containing sensitive information about human subjects, such as information about illegal behaviors, drug or alcohol abuse, sexual behavior, mental health, or other sensitive health or genetic information. Any data collected under an NIH Certificate of Confidentiality is considered to be sensitive. | Human Research Protection Program (HRPP) | |
| PCI or Credit Card Information: Payment Card Industry Data Security Standard | Information related to credit card holders as defined by the Payment Card Industry Data Security Standard. If you have to keep some record of the card used in a transaction, use only the last 4 digits of the number. | Cardholder name, account number, expiration date, verification number, security code. The University of Michigan Treasurer's Office specifically states: "... Departments are not allowed to store electronically cardholder data on any university system. This includes, but is not limited to, computers, servers, laptops, and flash drives." | University Treasurer | |
| SSNs (Social Security Numbers): Michigan Identity Theft Protection Act, MCL 445.63 (applies to additional personal private information) | The SSN is a primary target for identity thieves and falls into the category of sensitive private protected information (PPI). If you have to keep some record of the card used in a transaction, use only the last 4 digits of the number. | 123-45-6789 | -- | SPG 601.14 - Social Security Number Privacy Policy |
| Student Educational Records or FERPA: Family Educational Rights and Privacy Act | Records that contain information directly related to a student and which are maintained by an educational agency or institution. | Grades, student transcripts, degree information, class schedules, advising and disciplinary records. | Executive Director and University Registrar | |