Information Security Laws and Regulations Related to Handling Sensitive Data

Law/Regulation/Standard Definition Examples Data Steward/Manager Resources
Electronic Protected health Information (ePHI) or HIPAA
ePHI is regulated by the Health Insurance Portability and Accountability Act (HIPAA)

The Privacy and Security Rules apply only to covered entities in their role as a Health Care Provider, Health Plan, or Health Care Clearinghouse.

Protected health information excludes individually identifiable health information in:
Education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g(a)(4)(B)(iv);
Employment records held by a covered entity in its role as an employer.

The following individually identifiable data elements, when combined with health information about that individual, make such information protected health information (PHI):
Names; all geographic subdivisions smaller than a State; all elements of dates (except year) for dates directly related to an individual including birth date, admission date, discharge date, date of death; Telephone numbers; Fax numbers; E-mail addresses; Social security numbers; Medical record numbers; Health plan beneficiary numbers; Account numbers; Certificate/License numbers; Vehicle identifiers and serial numbers, including license plate numbers; Device identifiers and serial numbers; URLs; IP addresses; Biometric identifiers; Full face photographic images and any comparable images; and any other unique identifying number, characteristic, code, or combination that allows identification of an individual.

Health System Compliance Officer

U.S. Dept of Health HIPAA website

Health and Human Services Information for Covered Entities

UMHS Compliance

Export Control Research or ITAR, EAR
International Traffic in Arms Regulation (ITAR); Export Administration Regulations (EAR)

Export controlled research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism or non-proliferation.

Chemical and biological agents, scientific satellite information, certain software or technical data sent to foreign persons. Military electronics.... Nuclear Physics, work on new formula for explosives - this kind of data cannot be stored on systems outside the United States nor can non-US Citizen's work on this type of project.

Export Controls Compliance Office of the Vice President for Research

U-M ORSP Export Control Regulations and Restrictions

Dept. of Commerce Export Controls

Federal Information Security Management Act

FISMA requires federal agencies, and those providing services on their behalf to develop, document, and implement security programs for IT systems and store the data on U.S. soil. FISMA applies generally to federal "contracts" as opposed to grants.

If you work with data provided by the federal government under contract and exchange data with government systems, then you may be subject to FISMA compliance regulations to protect the data.


NIST FISMA website

GLBA (Student Loan Information)
Gramm-Leach-Bliley Act

GLBA includes provisions to protect consumers personal financial information held by financial institutions and higher education organizations.

Loan information, student financial aid data, Payment History. You may need to be concerned about GLBA if your department runs its own student financial Aid program.

University Registrar

U-M GLBA Compliance
(log-in required)

Federal Standards for Safeguarding Customer Information

Human Subject Research Data (Sensitive)
Federal Policy for the Protection of Human Subjects ('Common Rule')

A human subject is a living individual about whom an investigator (whether professional or student) conducting research obtains data through intervention or interaction with the individual or when identifiable private information is obtained.

Sensitive Human Subject Research is as defined by 45 CFR 46.101(b)(2), which distinguishes regulated research from a category of exempt research using the following language: "Information obtain is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects; and any disclosure of the human subjects' responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation"

Interviewing cancer survivors about coping techniques, Questionnaires about drug use behaviors among college students, if the research data being studied or gathered had to have Institutional Review Board approval and specific requirements for handling that data were outlined by IRB. Data gathered about subjects that include information on sexual behavior in a non-clinical environment (services are not provided to the patient). If the data requires de-identification based on the 'Common Rule' guidelines.

Human Research Compliance Review Office of the Vice President for Research

HHS Human Subjects website

Common Rule

PCI or Credit Card Information
Payment Card Industry Data Security Standards

Information related to credit card holder information as defined by the Payment Card Industry Data Security Standards. If you have to keep some record of the card used in transactions, use the last 4 digits of the number.

Cardholder name, Account number, expiration date, verification number, security code... University of Michigan Treasurer's Office specifically states: " or debit card numbers cannot be stored in any electronic format without the expressed, written consent of the Treasurer's Office". Departments utilizing website redirection or card swipe/keypads for sales of conference attendance or magazine subscription need to understand this information cannot be stored in Google, for example.

University Treasurer

U-M PCI Compliance
(log-in required)


Social Security Numbers

Michigan Identity Theft Protection Act, MCL 445.63 (applies to additional personal private information)

The SSN is a primary target for identity thieves, and falls into the category of sensitive private protected information (PPI). If you have to keep some record of the card used in transactions, use the last 4 digits of the number.



SPG 601.14 - Social Security Number Privacy Policy

Social Security Number Privacy Act

Michigan Identity Theft Protection Act, MCL 445.63 (applies to additional personal private information)

Student Educational Records or FERPA
Family Educational Rights and Privacy Act

Records that contain information directly related to a student and which are maintained by an educational agency or institution.

Grades, Student Transcripts, Degree Information, Class Schedule, Advising and Disciplinary records....

University Registrar

University Registrar FERPA website

U.S. Dept of Education