Frequently Asked Questions

I want to use nonstandard computer equipment or programs/applications for my research. From a security standpoint, what am I required to do before using this nonstandard equipment?

Vetting Non-standard Systems & Software

Before a new application (or a new version of an existing application) or Software as a Service (SaaS) can be implemented or used by the research community, Information Security (the IT Data Security, IT Disaster Recovery (DR), and IT Risk Management teams) must review and approve security, disaster recovery, and risk information about the proposed implementation.

If the application or SaaS contains any of the following:

  • Protected Health Information (PHI)
  • Personally Identifiable Information (PII)
  • Any other confidential Health System data (such as legal documents, strategic plans, or schematics)

Then email to request this document: Information Security Questionnaire (Rev. 4/24/2015) (previously known as the HIPAA Questionnaire)

If the application or SaaS contains credit card or other forms of electronic payment information (the Health System complies with the Payment Card Industry (PCI) Data Security Standards (DSS) for securing credit card, debit card, and payment information):

Then email to request this document: IT PCI Service Provider Evaluation Form (Rev. 4/9/2015)

If the application or SaaS is hosted internally (in a Health System data center):

Then email to request this document: BC/DR Internally Hosted Application Questionnaire (Rev. 3/16/2015)

If the application or SaaS is hosted externally (outside the Health System):

Then email to request this document: Business Continuity, Disaster Recovery, and Security ASP Questionnaire (Rev. 4/23/2015)

How do I request sponsor monitor access to an Electronic Medical Record (EMR)?

Contact RIS at to discuss access to the EMR for external monitors and auditors.

What is an ePHI drive and how do I get one?

PHI and confidential information must not be saved on local hard drives except when necessary. Your “C:” drive is the local drive inside your computer. Local drives:

  • Have less physical security
  • Are not backed up
  • May be accessible to others who use your computer

PHI may be stored on your “U:” drive or, if you need to share the data with others, you may request an “ePHI shared drive.” Note that an ePHI shared drive must have an owner. The owner of the PHI data on a network share is the person responsible for approving and/or removing users' access to the data.

To request an ePHI shared drive, please follow these steps: