Data Storage Policy

Individuals in the dental school who manage data from patients, students, faculty, or other groups of individuals need to be aware of several legal requirements and guidelines for securing this data.  A summary of these laws and guidelines is listed below:

  1. Personal data from patients, students, faculty, or other groups of individuals should be maintained only on dental school network drives.  These drives require log-in access, are backed up and are protected from outside intrusion.
  2. Personal data from patients, students, faculty, or other groups of individuals should not be maintained on desktop computers, laptop computers, USB drives, or other portable media.
  3. California Law SB 1386 requires an institution to notify people of potential loss of their personal data.  Specifically, this law states that if a) the computer has possibly been compromised, b) there is the possibility, no matter how remote, that private data about individuals may have been compromised as a result, and c) the information includes the person's name along with their social security number, driver's license number or financial account information, each affected individual must be contacted and informed.  This law covers all machines, including personal desktop machines and laptops.  The process of informing individuals could be expensive and potentially embarrassing, and could incur additional liability.
  4. The HIPAA laws also mandate that individuals' protected health information (PHI) must not be disclosed.  Therefore, release of this information, even if unintended, through loss or compromise of a computer or removable media could constitute a HIPAA violation.
  5. In addition to storing personal data only on school network drives, individuals in the dental school need to protect access to their desktop or laptop computers.  This means locking the door to the office when the computer is unattended, if possible.  It also means turning off or locking the computer when it is unattended.  This can be done manually or by setting a password-protected screensaver to come on after a short idle time.  When leaving for the evening or weekend, individuals should power down their computers unless they have a specific reason to leave them on and the computer is left in a locked state.
  6. If anyone has reason to suspect that data on a desktop or laptop computer or network drive has been compromised or if they have questions or concerns about these guidelines, they should contact: