HIPAA Device Security Update for HCC
Upcoming changes to increase security will affect users in the UMN Health Care Component (HCC)
At the University of Minnesota, we are committed to helping keep our users and data as secure as possible.
To comply with security requirements for both University-owned and personally owned mobile devices that may access protected health information (PHI), an upcoming change will affect all users working within the UMN Health Sciences who potentially have access to PHI or HIPAA data, otherwise known as the Health Care Component (HCC).
The HIPAA Device Security Update for HCC project includes two primary changes that will ensure that the University stays current and in compliance with HIPAA guidelines.
What to do
Before making these changes, review these recommendations and make sure your data and device(s) are ready for the update, especially if you have an older phone or are running an old version of your operating system.
- Install and use the Gmail and Google Calendar applications to access University email and calendars on your University and personal devices
- Alternatively, use your web browser to access University email using Gmail at mail.umn.edu or calendar at calendar.umn.edu
- Access to University mail or calendars via other channels (such as Apple Mail, Mac Mail, iPhone calendar, Samsung calendar, Outlook, Thunderbird, Samsung mail, or other email or calendar clients) will be disabled on personal and University devices (smartphones, tablets, laptops, desktop computers)
- Install the Google Device Policy app on personal and University mobile devices and tablets
- Install the Google Device Policy application via the App Store
- Use managed applications to access University information
- Install the Google Apps Device Policy application via the Play store
- Set up a “work profile” when prompted and use managed applications in the work profile to access University information
What is the University using the policy for?
In order to maintain compliance with HIPAA, these policies prevent data from being shared between University and personal apps. These policies will only allow you to copy or back up any work-related data in the Work Profile to a work-related storage solution (Google Drive or Box). This will prevent the leak of PHI (Protected Health Information) to any personal storage. The University is requiring personal devices to have a PIN or password and a screen lock, and to be encrypted, in order to have access to University resources. Automatic syncing of Google Calendar to any calendar app on devices has been disabled to prevent calendar invites containing PHI from appearing in personal calendar apps.
What can the Google Apps Device Policy application access or restrict?
- Enforce policies
  - Separation of data, enforce security settings
- Configure settings
  - Enforce device PIN or password and encryption
- Remotely wipe data
  - Limited to University data
- Collect personal data, but only the following:
  - Names of apps installed on the device
  - Where those apps were installed from (Google/Apple app store, or unknown)
  - Device owner name and primary email address
  - Phone technical data, including make/model, OS/firmware version, and serial number
- Add/remove accounts and restrictions
  - The University will not be adding or removing accounts
- Install, manage, and list apps
  - The University will only install or manage applications that download University data, like Gmail, Calendar, Docs, etc.
Please note: These changes are for personal mobile devices that download University data. Browser-based access from personal mobile devices is not affected by any of these changes.
Proposed rollout schedule
Please note: This schedule is subject to change.
Frequently Asked Questions
The University is not requiring anyone to access their University Google Apps through their personal mobile device.
If you would prefer to not use the managed Google Apps on your device, or if your device does not have access to the Google Mobile Apps, you can still access your Gmail and Google Apps on your device through a web browser, even on a mobile device. Here are the addresses for the most common Google Apps. Just enter your UMN email address at the Google login prompt and you will be redirected to the University Login page to sign in with your internet ID and password.
These email programs use less secure methods to access your email account. Additionally, data can be moved out of these apps without any means of control. In order to maintain HIPAA compliance, we need a way to prevent information from being moved out of Google Apps, and that is possible with Gmail.
You can set up your Gmail inbox to look similar to these email programs by turning on Preview Pane.
The short answer is no, you shouldn’t, but some older devices do not support encryption as well as newer devices and will force you to factory reset the device as part of the encryption process. To ensure that you are not affected by this, before you encrypt your device, we recommend you back up your device's data and contacts, especially if you have an Android device version older than Android 7.0.
The Device Policy App’s download page mentions that administrators have access to “Application Auditing.” What does this mean?
The Google Device Policy App does collect some information about the status of your device.
This includes the ability to see which apps are installed on the device and their versions, which apps are installed from sources other than the Play/iTunes stores, and whether the camera is active or not.
The Device Policy App cannot be used to monitor or record content displayed on the screen or stored within personal apps, the video/audio that cameras/microphones may be capturing, data that is stored on the device, or which apps are in use on the device.
This information is only available to University of Minnesota Google Apps administrators and will only be used in the context of supporting access to your Google Apps Account.
Phone/tablet encryption on both iOS and Android devices relies on a device passcode for part of the encryption key that unlocks the data on that device. The passcode is required only for the first unlock after powering on or restarting your device. After that, you can unlock the device with other methods if you prefer, until the device is powered off or restarted again.
For modern devices designed to support encryption (generally, devices released in 2016 and after), you should not notice any difference in functionality on your device apart from the changes required by the Device Policy App.
For devices that may not have been designed to support encryption (generally, devices released in 2015 and earlier), you may also notice decreased performance and battery life on the device after encrypting it. This can range from slight to severe, depending on the device.