ITS Safe Computing

Information Security Laws and Regulations Related to Handling Sensitive Data

Each entry below gives the law, regulation or standard; its definition; examples of the data it covers; related resources; and the responsible data steward or manager.
Electronic Protected Health Information (ePHI) or HIPAA
ePHI is regulated by the Health Insurance Portability and Accountability Act (HIPAA).

The Privacy and Security Rules apply only to covered entities in their role as a Health Care Provider, Health Plan, or Health Care Clearinghouse.

Protected health information excludes individually identifiable health information in:

  • Education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g(a)(4)(B)(iv)
  • Employment records held by a covered entity in its role as an employer

The following individually identifiable data elements, when combined with health information about that individual, make such information protected health information (PHI):

  • Names
  • All geographic subdivisions smaller than a State
  • All elements of dates (except year) for dates directly related to an individual including birth date, admission date, discharge date, date of death
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/License numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • URLs
  • IP addresses
  • Biometric identifiers
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, code, or combination that allows identification of an individual

See the Sensitive Data Guide: Protected Health Information (HIPAA) for more examples.

Data Steward/Manager: Health System Compliance Officer

Export Control Research or ITAR, EAR
International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR)

Export controlled research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism or non-proliferation.

  • Chemical and biological agents
  • Scientific satellite information
  • Certain software or technical data sent to foreign persons
  • Military electronics....
  • Nuclear Physics
  • Work on a new formula for explosives (this kind of data cannot be stored on systems outside the United States, nor can non-U.S. citizens work on this type of project)

See the Sensitive Data Guide: Export Control Research (ITAR or EAR) for more examples.

Data Steward/Manager: Export Controls Compliance, Office of the Vice President for Research

Federal Information Security Management Act

FISMA requires federal agencies, and those providing services on their behalf, to develop, document, and implement security programs for IT systems and to store the data on U.S. soil. FISMA generally applies to federal "contracts" as opposed to grants.

If you work with data provided by the federal government under contract and exchange data with government systems, then you may be subject to FISMA compliance regulations to protect the data.

See the Sensitive Data Guide: FISMA Data for more examples.

GLBA (Student Loan Information)
Gramm-Leach-Bliley Act

GLBA includes provisions to protect consumers' personal financial information held by financial institutions and higher education organizations.

  • Loan information
  • Student financial aid data
  • Payment history

You may need to be concerned about GLBA if your department runs its own student financial aid program.

See the Sensitive Data Guide: Student Loan Application Information (GLBA) for more examples.

Data Steward/Manager: Executive Director and University Registrar

Sensitive Identifiable Human Subject Research
Federal Policy for the Protection of Human Subjects ('Common Rule')

A human subject is a living individual about whom an investigator (whether professional or student) conducting research obtains data through intervention or interaction with the individual, or about whom identifiable private information is obtained.

Sensitive Human Subject Research is defined by 45 CFR 46.101(b)(2), which distinguishes regulated research from a category of exempt research using the following language: "Information obtained is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects; and any disclosure of the human subjects' responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation."

  • Individually-identifiable research data containing sensitive information about human subjects, such as information about:
    • illegal behaviors
    • drug or alcohol abuse
    • sexual behavior
    • mental health
    • other sensitive health or genetic information

Any data collected under an NIH Certificate of Confidentiality is considered to be sensitive.

See the Sensitive Data Guide: Sensitive Identifiable Human Subject Research for more examples.

Data Steward/Manager: Human Research Protection Program (HRPP)

PCI or Credit Card Information
Payment Card Industry Data Security Standard (PCI DSS)

Cardholder information as defined by the Payment Card Industry Data Security Standard. If you have to keep some record of the card used in a transaction, keep only the last 4 digits of the card number.

  • Cardholder name
  • Account number
  • Expiration date
  • Verification number
  • Security code...

University of Michigan Treasurer's Office specifically states: "... Departments are not allowed to store electronically cardholder data on any university system. This includes, but is not limited to, computers, servers, laptops, and flash drives."

See the Sensitive Data Guide: Credit Card or Payment Card Industry (PCI) Information for more examples.

Data Steward/Manager: University Treasurer

Social Security Numbers

Michigan Identity Theft Protection Act, MCL 445.63 (applies to additional personal private information)

The SSN is a primary target for identity thieves and falls into the category of sensitive personal private information (PPI). If you have to keep some record of the number, use only the last 4 digits.

  • 123-45-6789


Student Educational Records or FERPA
Family Educational Rights and Privacy Act

Records that contain information directly related to a student and which are maintained by an educational agency or institution.

  • Grades
  • Student Transcripts
  • Degree Information
  • Class Schedule
  • Advising and Disciplinary records....

See the Sensitive Data Guide: Student Education Records (FERPA) for more examples.

Data Steward/Manager: Executive Director and University Registrar