Applications and Cloud Services

Security Assessment

Third party vendors are now subject to the same Security Rule requirements as Covered Entities, and are also subject to relevant sections of the Privacy Rule and the HITECH Breach Notification Rule. In order to protect university confidential and highly confidential data, including PHI., the risk and compliance team assesses the security and practices of all third party vendor server applications and cloud services. Third party vendor applications include those that process, transmit or store PCI (Payment Card Industry) data.
Third party vendors must:

  • Prevent the loss, theft, unauthorized access and/or disclosure of university data
  • Destroy data when no longer needed per university data owner instructions
  • Have incident response procedures and reporting requirements in case of a breach

Please use the link below to reach out to the Risk and Compliance (RAC) team to determine if an application is approved for use. 

Learn more about the assessment process.

Data and Risk Classifications

Public (Low Risk)

  • University website information available without authentication
  • Information freely available in print
  • Directory information


Confidential (Moderate Risk)

  • Faculty and staff personnel records, benefits, salaries, and employment applications
  • Admissions applications
  • University insurance records
  • Donor contact information and non-public gift amounts
  • Fundraising information
  • Non-public policies
  • Internal memos and email, and non-public report
  • Purchase requisitions, cash records, budgetary plans
  • Non-public contracts
  • University and employee ID numbers
  • Level 2 and 3 of Student Data


Highly Confidential (High Risk)

  • Protected Health Information
  • Social security numbers
  • Payment card numbers
  • Financial account numbers
  • Driver's license numbers
  • Health insurance policy ID numbers
  • Level 4 and 5 of Student Data