Use of Personal Device Volunteer Parameters

Definitions:

  • "Protected health information" or "PHI" is any individually identifiable health information, in any form or media, whether electronic, paper or oral (includes identifiable information that pertains to any patient or study participant). 
  • "VPN" is virtual private network.

Volunteers and/or UCLA SRP students who will be using their Personal Device (i.e. laptop, mobile device/phone, etc.) for their assignment as approved by their supervisors and the Volunteer Office, must ensure that usage are within the following parameters:

NOTE: VPN is NOT permitted to be granted to Volunteers or UCLA SRP students. You do NOT need VPN to perform any of the outlined appropriate remote volunteer duties as listed on this webpage.

Usage, Proof of Encryption, and Anti-Virus/Anti-Malware Software (must be up-to-date) Installation of a personal Laptop must be indicated on your Volunteer Personal Device Usage Waiver and uploaded to your Volunteer Dashboard.

  • Proof can be sent in the form of one of the following:
    • Email Confirmation from UCLA Health IT
    • Screenshot/Photos of Encryption and Anti-Virus/Anti-Malware Software installed and active
    • Physical Confirmation from UCLA Health IT
  • To Encrypt Your Personal Device (VPN is NOT PERMITTED): https://mednet.uclahealth.org/device-security-toolkit/
  • To Install an Anti-Virus Software (freely available antivirus products): 
  • HS 9453-C  Device and Removable Media Encryption: https://www.uclahealth.org/compliance/guidance-policies
  • Airwatch (Intelligent Hub) installation is required for use of a personal Mobile Device to access Mednet Outlook:
    • Departments must provide and ensure Airwatch is properly installed before volunteer/student uses the device for Mednet access.
    • NOTE: Having Airwatch does NOT mean the volunteer/students are permitted to access identifiable information of patients or study participants.
  • According to UCLA Health Sciences Policy (Minimum Security Standards, HS 9457), ALL Devices used to access UCLA Health Sciences Electronic Information Resources, whether owned by UCLA or others, and including but not limited to PCs, laptops, workstations, servers, smart phones, and tablets, must:
    1. Be kept up to date on application and operating system supported versions and up to date on security patches: Devices shall run versions of operating systems and application software for which security patches are made available in a timely manner.
    2. Use anti-malware software and keep it up to date: Devices shall be continually executing approved malware-scanning software with current definitions.
    3. Use a password-protected screen saver or lock screen that comes up after 15 minutes of inactivity: Devices must be secured with a password-protected screen saver or lock screen with the automatic activation feature set at 15 minutes or less or by automatic log off after 15 minutes of inactivity.
    4. Use the host-based firewall: Devices that include native host-based firewall software in the operating system should have the firewall activated and properly configured.

    What are NOT permitted even if personal device is properly UCLA Health encrypted and anti-virus software (i. e.Sophos, etc.) installed?

    1. Volunteers/SRP Students are NOT permitted to access or store any clinical data, "identifiable information", or restricted information (deemed by the department) on personal devices OR remotely.
      • "Identifiable information" includes PHI, Care Connect/EPIC, UCLA Health BOX with PHI, full-face images or video calls, communications and correspondents by phone or email, information which can identify or trace back to the individual, etc.
      • Zoom meetings with study participants/patients are considered identifiable information. 
      • For more details on "identifiable" information or data, please see: https://ohrpp.research.ucla.edu/hipaa/
    2. Volunteers/SRP Students are NOT permitted to be granted VPN or remote access to Health Sciences (Mednet) server. 
    3. Volunteer/SRP Students are NOT permitted to share login information, passwords, or any restricted or UCLA-owned data/information to outsiders or each other.
      • Sharing de-identified UCLA-owned research data requires PI's consent. 

    UCLA Health IT encrypted and anti-virus software (i.e. Sophos, etc.) installed personal devices (Airwatch for mobile devices) can be used for the following purposes:

    1. Non-Restricted Non-Clinical and de-identified (non-PHI) data access and storage.
      1. Data and information must be removed from device once your assignment officially ends.
    2. Access to non-restricted non-Clinical and de-identified (non-PHI) databases and systems which requires Mednet ADlogin such as Redcap, UCLA Health BOX, etc.
    3. Non-Restricted Non-Clinical and de-identified (non-PHI) university related business such as accessing Mednet through the web browser (https://mednet.uclahealth.org/), UCLA Health BOX documents and forms, etc. 

    UCLA Health IT Encryption is not required if the volunteer/student is using their personal device for non-UCLA Health Sciences related purposes such as:

    1. Browsing the internet
    2. Searching through public libraries
    3. Conducting publically accessible literature review
    4. Creating presentations, writings, or reports using publically accessible data or information. 

    Health Sciences Policies Referenced (available on PolicyStat):

    • Use of Electronic Mail (Email), HS 9453-A
    • Device and Removable Media Encryption, HS 9453-C
    • Volunteer Computer Access and Usage Policy HS 0362

    For any additional questions NOT listed in our FAQs, please contact the UCLA Health Sciences Volunteer Office.