Use of Personal Device Volunteer Parameters

Definitions:

• "Protected health information" or "PHI" is any individually identifiable health information, in any form or media, whether electronic, paper or oral (includes identifiable information that pertains to any patient or study participant). 
• "VPN" is virtual private network.

Volunteers and/or UCLA SRP students who will be using their Personal Device (i.e. laptop, mobile device/phone, etc.) for their assignment as approved by their supervisors and the Volunteer Office, must ensure that usage are within the following parameters:

COVID-19 UPDATE:  In accordance and support with the campus and health sciences guidelines, all in-person and onsite volunteering are temporarily PAUSED.

• Remote Volunteering with the use of a personal device (restrictions and other approvals apply, see below) are optional for those eligible and have completed the clearance process. (VPN access is NOT permitted)

NOTE: VPN is NOT permitted to be granted to Volunteers or UCLA SRP students. You do NOT need VPN to perform any of the outlined appropriate remote volunteer duties as listed on this webpage.

Usage, Proof of Encryption, and Anti-Virus/Anti-Malware Software (must be up-to-date) Installation of a personal Laptop must be indicated on your Volunteer Personal Device Form and sent to the designated program coordinator. Proof can be sent in the form of one of the following:

• Email Confirmation from UCLA Health IT
• Screenshot/Photos of Encryption and Anti-Virus/Anti-Malware Software installed and active
• Physical Confirmation from UCLA Health IT

To Encrypt Your Personal Device (VPN is NOT PERMITTED): https://mednet.uclahealth.org/device-security-toolkit/

For UCLA Students (ONLY), you may Install Anti-Virus Software (Sophos): https://www.it.ucla.edu/bol/software-downloads/sophos-antivirus

HS 9453-C  Device and Removable Media Encryption: https://www.uclahealth.org/compliance/guidance-policies

Airwatch (Intelligent Hub) installation is required for use of a personal Mobile Device to access Mednet Outlook:

• Departments must ensure Airwatch is properly installed before volunteer/student uses the device for Mednet access.
• NOTE: Having Airwatch does NOT mean the volunteer/students are permitted to access identifiable information of patients or study participants.
• The UCLA Health Sciences Volunteer Office can provide Airwatch licenses for approved volunteers/students. 

What are NOT permitted even if personal device is properly UCLA Health encrypted and anti-virus software (i. .Sophos, etc.) installed?

1. Volunteers/SRP Students are NOT permitted to access or store any clinical data, "identifiable information", or restricted information (deemed by the department) on personal devices OR remotely.
   • "Identifiable information" includes PHI, Care Connect/EPIC, UCLA Health BOX with PHI, full-face images or video calls, communications and correspondents by phone or email, information which can identify or trace back to the individual, etc.
   • Zoom meetings with study participants/patients are considered identifiable information. 
   • For more details on "identifiable" information or data, please see: https://ohrpp.research.ucla.edu/hipaa/
2. Volunteers/SRP Students are NOT permitted to be granted VPN or remote access to Health Sciences (Mednet) server. 
3. Volunteer/SRP Students are NOT permitted to share login information, passwords, or any restricted or UCLA-owned data/information to outsiders or each other.
   • Sharing de-identified UCLA-owned research data requires PI's consent. 

UCLA Health IT encrypted and anti-virus software (i.e. Sophos, etc.) installed personal devices (Airwatch for mobile devices) can be used for the following purposes:

1. Non-Clinical and de-identified (non-PHI) data access and storage.
   1. Data and information must be removed from device once your assignment officially ends.
2. Access to non-Clinical and de-identified (non-PHI) databases and systems which requires Mednet ADlogin such as Redcap, UCLA Health BOX, etc.
3. Non-Clinical and de-identified (non-PHI) university related business such as accessing Mednet through the web browser (https://mednet.uclahealth.org/), UCLA Health BOX documents and forms, etc. 

UCLA Health IT Encryption is not required if the volunteer/student is using their personal device for non-UCLA Health Sciences related purposes such as:

1. Browsing the internet
2. Searching through public libraries
3. Conducting publically accessible literature review
4. Creating presentations, writings, or reports using publically accessible data or information.