HIPAA Device Security Update Project
Upcoming changes to increase security will affect users in the UMN Health Care Component (HCC) and the University of Minnesota Foundation (UMF)
At the University of Minnesota, we are committed to helping keep our users and data as secure as possible.
In an effort to comply with security requirements for both University-owned and personally owned mobile devices that may access protected health information (PHI) and donor information, an upcoming change will affect all users working within the UMN Health Sciences who potentially have access to PHI or HIPAA data, otherwise known as the Health Care Component (HCC), and the University of Minnesota Foundation (UMF).
The HIPAA Device Security Update project includes two primary changes that will ensure that the University stays current and in compliance with HIPAA guidelines.
What to do
Before making these changes, review these recommendations and make sure your data and device(s) are ready for the update, especially if you have an older phone or are running an old version of your operating system.
Install and use the Gmail and Google Calendar applications to access University email and calendars on your University and personal devices
Alternatively, use your web browser to access University email using Gmail at mail.umn.edu or calendar at calendar.umn.edu
Access to University mail or calendars via other channels (such as Apple Mail, Mac Mail, iPhone calendar, Samsung calendar, Outlook, Thunderbird, Samsung mail, or other email or calendar clients) will be disabled on personal and University devices (smartphones, tablets, laptops, desktop computers)
Install the Google Device Policy app on personal and University mobile devices and tablets
Install the Google Device Policy application via the App Store
Use managed applications to access University information
Install the Google Apps Device Policy application via the Play store
Set up a “work profile” when prompted and use managed applications in the work profile to access University information
What is the Google Device Policy app for?
In order to maintain compliance with HIPAA, the University must ensure that University data is protected when downloaded to or accessed from personal devices. Apple iPhones/iPads and Android devices are both capable of creating an isolated "work container" that separates University applications from personal apps and data on your device. IT has no access to personal apps or data on your device.
Upon installation, the Google Device Policy app sets the minimum security requirements to enable the "work container." Your phone checks the minimum security requirements and asks you to make any necessary updates. When your device meets the minimum security requirements, the "work container" will be created, and you can install Gmail, Google Calendar, and Google G-Suite applications. The Google Device Policy app does not affect your personal apps.
For example, the “work container” requires that devices be encrypted. If your device is not encrypted, the device prompts you to enable encryption. Once your device is encrypted, your device creates the “work container” and you can install your applications. Regardless of encryption status, your personal apps are not affected and will continue to operate.
If University policy or process requires (i.e., an employee leaves the University), IT can remove the “work container.” Uninstalling the Google Device Policy app from your phone will automatically remove the “work container,” and you will still be able to access University email and calendar via your browser.
Note: On Android devices, the “work container” is called a “Work Profile.” On Apple iPhone/iPad devices, the “work container” is called “Managed Apps.”
What can the Google Apps Device Policy application access or restrict?
The Google Device Policy app sets the minimum security requirements for the "work container" that your phone creates to isolate work apps from personal apps and shield your personal information. Some of the minimum security requirements apply to your entire device, including that devices must have a PIN or password, a screen lock, and use encryption. You can uninstall the Google Device Policy app at any time and you will still be able to access University email and calendar via your browser.
For support and troubleshooting, Apple and Google share limited technical details about your device through the Google Device Policy app. The technical details consist of hardware type (such as iPhone X or Galaxy S9), iOS or Android hardware versions, iOS or Android software versions, and the names of apps in the "work container." No personal data is shared, collected, or accessible to anyone but you.
Frequently Asked Questions
The University is not requiring anyone to access their University Google Apps through their personal mobile device.
If you would prefer to not use the managed Google Apps on your device, or if your device does not have access to the Google Mobile Apps, you can still access your Gmail and Google Apps on your device through a web browser, even on a mobile device. Here are the addresses for the most common Google Apps. Just enter your UMN email address at the Google login prompt and you will be redirected to the University Login page to sign in with your internet ID and password.
These email programs use less secure methods to access your email account. Additionally, data can be moved out of these apps without any means of control. In order to maintain HIPAA compliance, we need a way to prevent information from being moved out of Google Apps, and that is possible with Gmail.
You can set up your Gmail inbox to look similar to these email programs by turning on Preview Pane.
The short answer is no, you shouldn’t, but some older devices do not support encryption as well as newer devices and will force you to factory reset the device as part of the encryption process. To ensure that you are not affected by this, before you encrypt your device, we recommend you back up your device's data and contacts, especially if you have an Android device version older than Android 7.0.
The University cannot see any personal data or applications. When you install the Google Device Policy app, the policy that you approve requires that work data and apps are stored in a separate “container” from your personal data and apps. The University never has direct access to this container or your phone but is able to remotely remove the container. If you install additional applications in the work container, then they could also be removed by the University. The “work container” is called a “Work Profile” on Android or “Managed Apps” on iOS.
In earlier documentation, this question was incorrectly answered. We apologize if the earlier response caused any concern.
Phone/tablet encryption on both iOS and Android devices relies on the device passcode for part of the encryption key that unlocks the data on that device. You will be asked for the passcode only the first time you unlock the device after powering it on or restarting it. Further unlocks after that can be done with other methods, if you prefer, until the device is powered off or restarted again.
For modern devices designed to support encryption (generally, devices released in 2016 and after), you should not notice any difference in functionality on your device apart from the changes required by the Device Policy App.
For devices that may not have been designed to support encryption (generally, devices released in 2015 and earlier), you may also notice decreased performance and battery life on the device after encrypting it. This can range from slight to severe, depending on the device.