During the course of contracting for goods and services, the transaction may involve protected “UCSF data” with UCSF sharing such data externally with a Vendor/Supplier or a Vendor/Supplier having access to such UCSF data. Common categories of sensitive UCSF data include but are not limited to the following:
 

• Protected Health Information (PHI)

• Personally identifiable information (PII)

• Payment Card Industry (PCI)

• Research Health Information (RHI)

• Student information protected by Family Educational Rights and Privacy Act (FERPA)

• Other restricted or sensitive data such as UCSF intellectual property, financial information, student/employee/donor information, etc.
   

Depending on the type of UCSF data, UCSF categorizes such data accordingly under 4 Data Classification protection levels.

 

 

 

 

 

 

 

 

 

 

For assistance in determining what protection level the UCSF data falls under or other questions about your data, please contact IT Security at datasecurity@ucsf.edu and/or Privacy at privacy@ucsf.edu.  

 

Depending on the nature of the transaction, the following may be required:

​

​

​

​

​

What is a BAA?

A BAA is a contract required by federal law, the Health Insurance Portability and Accountability Act (“HIPAA”) between a Business Associate (BA) and Covered Entity (CE) when the BA performs a service that requires access to a CE's protected health information (“PHI”). A BAA contains the obligations of both parties with regards to safeguarding PHI and the pre-agreed upon process and procedure in the event of a breach, as required by law and each party’s operations.

​

When is a BAA required?

A BAA is generally required whenever UCSF’s PHI will be involved in a transaction. In the Procurement context, UCSF is a CE contracting with a Vendor/Supplier, the BA, with a Vendor/Supplier handling (i.e. access, receive, process, use, disclose, etc.) UCSF’s PHI during the course of providing a service.

​

Does UCSF have its own BAA template?

YES – A UCSF or UC BAA template must be used. Per UC policy, UC generally does not sign a Vendor/Supplier’s template. UCSF’s BAAs have limited signature authority and must be signed by an appropriate UCSF signatory.

UCSF’s BAA template can be found here.

​

How do I find out whether UCSF or another UC already has a BAA with a specific Vendor/Supplier?

1. Check with Vendor/Supplier – often, if there is an existing UC or UCSF BAA, a Vendor/Supplier should have it on file and may be able to produce it during the course of initial engagement. If the Vendor does produce a BAA, please send it to our procurement office for review to determine if it is valid.

2. Check with UCSF Health - Procurement Services or the contracting group handling the transaction

​

If there is already a BAA with a specific Vendor/Supplier, how do I know if it is valid?

Generally, if a BAA is on a UC or UCSF template and is dated 2014 and after, it should be valid. However, please consult with your respective procurement office or contracting group.

​

​

 

​

​

​

​

What is an Appendix – DS?

An Appendix - Data Security is a standard procurement contract addendum that may be incorporated into an underlying agreement with a supplier in order to specify cybersecurity and risk management responsibilities when a supplier has access to institutional information and/or IT resources. The supplier will need to provide a commercially acceptable cybersecurity and risk management plan to protect such information, comply with pertinent contractual and regulatory responsibilities, and keep UC informed with timely updates on risks, vulnerabilities, security incidents, and breaches. Please find the latest template - UC Appendix - Data Security.

​

When is an Appendix DS required?

An Appendix DS is generally required when a Supplier/Vendor will be accessing, handling, storing, or using UCSF “Institutional Information” or UCSF IT resources when providing services. UC defines “Institutional Information” in its standard UC Terms and Conditions of Purchase as “means any information or data created, received, and/or collected by UC or on its behalf, including but not limited to application logs, metadata and data derived from such data.”

​

What is the difference between an Appendix DS and BAA?

Unlike a BAA which is specific to the protection of PHI required under HIPAA, the Appendix DS contains broader data security protections by specifying the Vendor/Supplier’s obligations to protect UC Institution Information/UC Data, which is categorized under 4 Data Classification protection levels. Therefore, there may be situations where an Appendix DS is needed in addition to a BAA.  Exhibit 1 of the Appendix DS specifies the classification of the UCSF data that the Vendor/Supplier will host or otherwise have access to.  Applicable regulatory requirements may also be identified in Exhibit 1.

​

​

 

​

​

​

 

What is an IT Security Risk Assessment?

An IT Security Risk Assessment is a standardized process by which UCSF IT Security assesses and measures the security of a system to determine whether there are sufficient technical protections built into the system that will safeguard UCSF data in accordance with applicable law and UC policy (UCOP Policy BFB-IS-3 (Electronic Information Security).

 

When do I need to get an IT Security Risk Assessment?

An IT Security Risk Assessment is required when UCSF is contracting (i.e. license, subscribe, purchase, etc.) with a Vendor/Supplier for a system that will handle UCSF data outside of UCSF.

​

Examples include:

• Email system

• Research application

• Clinical care solution

​

In the Procurement and contracting context, if the transaction involves a software product, Software as a Service (SaaS), or cloud service that handles (i.e. creates, stores, processes, or transmits) UCSF data, an IT Security Risk Assessment will be required.

If you are unsure whether an IT Security Risk Assessment is required, please contact UCSF IT Security with any questions at datasecurity@ucsf.edu

​

What do I need to prepare for an IT Security Risk Assessment?

Please review requirements and prepare accordingly: https://it.ucsf.edu/services/risksonar-it-security-risk-assessment

Please ensure that you understand how the system works and will be used including:

• Completing the UCSF minimum security standards checklist - https://it.ucsf.edu/sites/it.ucsf.edu/files/650-16_minimum_security_standards_checklist-v5.pdf​ 

• Completing a data flow diagram -

  • For help, please work with the Customer Solutions Management group by submitting an IT Consultation Request at https://ucsf.service-now.com/ess/consulting_planning.do 

• Determining who “owns” the system within your Department in conjunction with your IT Specialist

• Completing a Business Impact Analysis (“BIA”) - http://itsm.ucsf.edu/business-impact-analysis-bia-0

 

How do I initiate the IT Security Risk Assessment?

Once the system is in final design, and there is a data flow diagram that shows what ports are used, and the resource owner and system name are known - then please use the following link to submit a request for system risk assessment:  https://ucsf.service-now.com/ess/sec_risk_assessment.do

 

For other resources and information on privacy and data security, please see:

 

UCSF Data Resources at https://data.ucsf.edu/

​

UCSF Privacy at https://hipaa.ucsf.edu/

​

UCSF IT Security at https://it.ucsf.edu/security