Personal Devices

Definitions:

• "Protected health information" or "PHI" is any individually identifiable health information, in any form or media, whether electronic, paper or oral (includes identifiable information that pertains to any patient or study participant).
• "VPN" is virtual private network.

Personally Owned Device Requirements:

Volunteers and UCLA SRP students may use a personal device (laptop, phone, tablet, etc.) only if approved by their supervisor and the Volunteer Office and if the device meets the requirements below.

VPN Access

• VPN access is NOT permitted for Volunteers or UCLA SRP students.
• VPN is NOT required for approved remote volunteer duties.

Required Security Measures

All personal devices used for volunteer work must meet UCLA Health Sciences security standards (HS 9457 – Minimum Security Standards). 

Volunteer Device Waiver

• Personal laptop use must be declared on the Volunteer Personal Device Usage Waiver in your Volunteer Dashboard.

Proof of Security

When completing the Volunteer Personal Device Usage Waiver, you must upload screenshots/photos showing:

• Device encryption enabled
• Anti-virus/anti-malware software installed and active

How to Encryption

• To Encrypt Your Personal Device: https://mednet.uclahealth.org/device-security-toolkit/
• Note: Encryption requirement is separate from VPN. VPN is NOT permitted.

Anti-Virus / Anti-Malware Software

• To Install an Anti-Virus Software (freely available antivirus products):
  • AVG
  • Avast
  • Bitdefender
  • Built-in Windows Defender

Mobile Device Access (Mednet Outlook Only)

If using a personal mobile device to access Mednet Outlook:

• AirWatch (Intelligent Hub) must be installed
• Departments are responsible for ensuring proper installation before use

Important: AirWatch installation does NOT permit access to identifiable or clinical information.

Additional Security Requirements (HS 9457 – Minimum Security Standards)

All devices used to access UCLA Health Sciences electronic resources (whether UCLA Health-owned or personal) must:

• Be updated with supported operating systems and current security patches
• Run active, up-to-date anti-malware software
• Use a password-protected lock screen that activates after 15 minutes or less of inactivity
• Have the host-based firewall enabled and properly configured

What Can Volunteers Do Using a Personal Device?

If the personal device meets all UCLA Health policy requirements, volunteers may:

• Access and store non-restricted, non-clinical, de-identified (non-PHI) data
• Access non-restricted systems requiring Mednet AD login (e.g., REDCap, UCLA Health Box without PHI)
• Access Mednet via web browser (https://mednet.uclahealth.org/)
• Conduct non-clinical university-related business
• Use UCLA Health Box for non-PHI documents
• Perform literature reviews, internet research, and create presentations using publicly available data

Note: All data must be removed from your device when your assignment ends.

What Can They NOT Do Using a Personal Device?

Please refer to the Remote Guidelines for activities that are Not Permitted. 

UCLA Health Encryption is Not Required for:

1. Browsing the internet
2. Searching through public libraries
3. Conducting publicly accessible literature review
4. Creating presentations, writings, or reports using only publicly accessible data or information. 

Health Sciences Policies Referenced (available on PolicyStat):

• Use of Electronic Mail (Email), HS 9453-A
• Device and Removable Media Encryption, HS 9453-C
• Volunteer Computer Access and Usage Policy HS 0362

For any additional questions, please visit our FAQs.