University Protected Health Information (PHI) Policy for Learning Applications

University Protected Health Information (PHI) Learning Applications Policy Statement Purpose:

This policy outlines the appropriate handling of Protected Health Information (PHI) within the university's Learning Management System (LMS) and learning applications to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) and applicable university data protection standards.

Scope:
This policy applies to all students, faculty, staff, and other authorized users who access, use, or store PHI within the LMS environment.

Policy Statement:
The university is committed to protecting the privacy and security of individuals’ health information. PHI must not be uploaded, transmitted, or stored within the LMS  or learning apps unless it is specifically authorized and properly safeguarded under HIPAA and university policy.

Key Guidelines:

  1. Do Not Upload PHI:
    Users must not upload or share any documents, images, discussion posts, assignments, or other materials containing PHI unless authorized and appropriate safeguards are in place.
  2. De-identify Data:
    When using health-related data for educational purposes, ensure all personal identifiers are removed. This includes names, addresses, dates of birth, medical record numbers, and any other identifiable information.
  3. Faculty Responsibilities:
    Faculty must ensure that course content does not require students to disclose PHI and must not request, collect, or distribute PHI in assignments or discussions.
  4. Student Responsibilities:
    Students must avoid including PHI in any coursework or submissions within the LMS unless explicitly directed to do so in compliance with HIPAA and under faculty supervision.
  5. Secure Alternatives:
    If PHI must be shared for educational or research purposes, it must be done through secure, university-approved platforms designed for HIPAA compliance, not through the LMS.

Violations:
Failure to comply with this policy may result in disciplinary action in accordance with university policies and may include reporting to appropriate regulatory authorities.

Questions or Concerns:
For questions regarding the use of PHI in academic settings, please review University of Illinois System Privacy Statement - EVPAA