Data Security

It is the policy of the College that all confidential and other sensitive information be safeguarded from unauthorized access, use, modification or destruction. All members of the College community share in the responsibility for protecting the confidentiality and security of data.

This policy particularly pertains to confidential and sensitive information, including Personally Identifiable Information (PII) and those data elements protected by the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as relevant WACs and RCWs and Security Directives as issued by the Washington State Office of the Chief Information Officer (OCIO). For purposes of HIPAA, South Puget Sound Community College is a hybrid covered entity because it conducts covered and non-covered functions. Protected Health Information (PHI) is generated in the Campus Dental Clinic, and covered functions are conducted in various departments within the College to support the Campus Dental Clinic.

Data Classification

All information covered by this policy is to be classified into one of three categories, according to the level of security required. In descending order of sensitivity, these categories or “security classifications” are:

Confidential information includes sensitive personal and institutional information, and must be given the highest level of protection against unauthorized access, modification or destruction. Unauthorized access to personal Confidential information may result in a significant invasion of privacy, or may expose members of the College community to significant financial risk. Unauthorized access to or modification of institutional Confidential information may result in direct, materially negative impacts on the finances, operations, or reputation of SPSCC. Examples of personal Confidential information include information protected under privacy laws (including, without limitation, the Family Educational Rights and Privacy Act and the Health Insurance Portability and Accountability Act), information concerning the pay and benefits of College employees, personal identification information or medical / health information pertaining to members of the College community, and data collected in the course of research on human subjects. Institutional Confidential information may include College financial and planning information, legally privileged information, and other information.

Without limiting the generality of the foregoing, Confidential information shall include “personal information” as defined by RCW 42.56.100 - Protection of public records - public access and RCW 42.56.420 - Security with any one or more of the following:

(a) social security number;

(b) driver’s license number or state-issued identification number;

(c) financial account number, or credit card or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to the resident’s financial account.

Confidential information also includes “customer information,” defined by the safeguards rule under the Gramm-Leach-Bliley Act to mean any information containing personally identifiable information that the College obtains in the process of offering a financial product or service.

Internal Use Only information includes information that is less sensitive than Confidential information, but that, if exposed to unauthorized parties, may have an indirect or possible adverse impact on personal interests, or on the finances, operations, or reputation of SPSCC. Examples of this type of data from an institutional perspective include internal memos meant for limited circulation, or draft documents subject to internal comment prior to public release.

Public information is information that is generally available to the public, or that, if it were to become available to the public, would have no material adverse effect on individual members of the College community or upon the finances, operations, or reputation of SPSCC.

All Information Resources, whether physical documents, electronic databases, or other collections of information, are to be assigned to a security classification level according to the most sensitive content contained therein.

Where practicable, all data is to be explicitly classified, such that Users of any particular data derived from an Information Resource are aware of its classification.

In the event information is not explicitly classified, it is to be treated as follows: Any data that includes any personal information concerning a member of the College community (including any health information, financial information, academic evaluations, social security numbers or other personal identification information) shall be treated as Confidential. Other information is to be treated as Internal Use Only, unless such information appears in a form accessible to the public (i.e., on a public website or a widely distributed publication) or is created for a public purpose.

Electronic Protected Health Information (ePHI) and HIPAA

Electronic protected health information (ePHI) refers to any protected health information (PHI) that is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security regulations and is produced, saved, transferred or received in an electronic form.

ePHI is contained in two applications within the Dental Clinic at SPSCC. Access to patient data is limited by secure login controlled by Dental Clinic management. Only those with a need to know have access to patient data. This includes dental staff and management, as well as students. 

All who are granted access to these applications sign an affidavit stating that they have been trained in HIPAA requirements in the protection of patient data. Employees’ and Students’ access to these applications is revoked immediately upon separation from the College. Privileges are disabled by Dental Clinic staff and management, who are the first to know of separation. IT Services is also notified to disable access to other applications and systems immediately upon separation. Event logs on the server are reviewed regularly by Dental Office staff and management, as well as by IT Services, to detect irregular access to patient data.