Privacy and Security

Information Security Policies for Remote and Hybrid Work

Remote work employees continue to be bound by CU Denver information security polices while working at an alternative worksite. Consistent with the organization’s expectations of information security for employees working at the office, remote work employees will be expected to ensure the protection of proprietary university information accessible from their home office. Security safeguards and document retention policies should be applied at the level as they would when working on-site in order to protect such information from unauthorized disclosure, loss or damage. Steps include the use of locked file cabinets and desks, regular password maintenance, and any other measures appropriate for the job and the environment.

Data and Document Security Practices

Some information (electronic and hard copy) used in work may be deemed confidential or highly confidential by the university. The employee is responsible for protecting and securing regulated information such as FERPA, Payment Card Industry data (PCI) and HIPAA protected health information (PHI), as well as the equipment used to access the information. Except as necessary, an employee should not print PHI, nor PCI data when working remotely. Any PHI or PCI data that must be maintained in printed form should be properly secured and should be securely transferred to the workplace for proper storage or destruction as soon as practical.

It is important to understand that in situations of possible litigation, all pertinent electronic information must be preserved. Although unlikely, the employee must be prepared to provide personally owned equipment used in performing work duties, in accordance with the department's electronic document policy, if the possibility of stored electronic information exists. In cases where the employee leaves the university, the employee must arrange the return of all university owned equipment.

HIPAA

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, billing/coding companies, doctors, hospitals and other health care providers. University staff working remotely continue to be responsible for protecting and securing all information including HIPAA protected health information (PH) in the same manner as if you were working on-site. 

Detailed information about how to protect the privacy and security of HIPAA information and tools approved for telehealth during this public health emergency are available on the Office of Regulatory Compliance HIPAA & Coronavirus FAQ webpage. Please reference University HIPAA Policy and University IT Security Program Policy APS-6005 to ensure compliance with university and campus policies while working remotely, as well as university guidance on the secure use of OneDrive.

Protection of Secure Information

The employee agrees to abide by the CU Denver information security requirements with regards to the protection of sensitive university information from unauthorized or accidental access, use, modification, destruction, or disclosure. Only university-provided computers, including mobile computing devices, should be used to access or handle sensitive university information. If you must use a personal computer, it is recommended that you use remote desktop to connect to your university-provided computer. The employee must have, and maintain, VPN connectivity during work hours. Be sure to connect to the VPN on a regular basis and check for GlobalProtect software updates.  

Any suspected information security incident must be reported as soon as possible to the OIT Service Desk Visit the OIT Secure Campus site as well as university and campus policies University IT Security Program Policy APS-6005 and Campus Administrative Policy 5001- Acceptable Use of Information Technology Resources for additional useful information and guidance.