Applications and Cloud Services

Security Assessment

Third party vendors are now subject to the same Security Rule requirements as Covered Entities, and are also subject to relevant sections of the Privacy Rule and the HITECH Breach Notification Rule. In order to protect university confidential and highly confidential data, including PHI, the risk and compliance team assesses the security and practices of all third party vendor server applications and cloud services. Third party vendor applications include those that process, transmit or store PCI (Payment Card Industry) data.

Third party vendors must:

  • Prevent the loss, theft, unauthorized access and/or disclosure of university data
  • Destroy data when no longer needed per university data owner instructions
  • Have incident response procedures and reporting requirements in case of a breach

Learn more about the assessment process. Reach out to the Risk and Compliance (RAC) team to determine if an application is approved for use. 

Additional Resources: