HIPAA Compliant Use of VDI/VPN

1. What is VDI/VPN?

VDI = Virtual Desktop Infrastructure (commonly called MyDesk)

VPN = Virtual Private Network (commonly called GlobalProtect)

Both are options to connect securely to OU’s network environment to facilitate remote working or teleworking. OU IT has provided guidance on how and when to use these products as part of the Remote Work Guide: https://www.ou.edu/ouit/workanywhere/get-started

Any technology-related questions regarding VDI or VPN should be directed to your Tier 1/Technical Representative or the applicable OU IT Service Desk (Norman: ou.edu/ouit; HSC: https://it.ouhsc.edu/services/servicedesk/; Tulsa: https://www.ou.edu/tulsa/it).

Below you can find FAQs related to HIPAA compliance and the use of VDI/VPN. If you have any additional HIPAA compliance questions on this topic or would like to set up a training session, please contact the HIPAA Security Officer – Valerie Golden (Valerie-Golden@ouhsc.edu).


2. If a Workforce Member is using a personal device and will use VDI, are there encryption requirements?

HIPAA policy requires each Health Care Component (HCC) to have Technical Safeguards in place to protect ePHI maintained on its Information Systems (including devices) from improper or unauthorized alteration or destruction. If ePHI is downloaded to a device, the device must be encrypted.

If a Workforce Member is going to access ePHI through systems outside of the VDI or anticipates they will need to store ePHI on their device locally, the device will need to be encrypted, as was required before VDI.

If a Workforce Member is only going to access ePHI through the VDI and will only store ePHI to a secure file share that is saved in OU’s secure data center through VDI, full disk encryption is not required.

If a Workforce Member is not sure whether they should encrypt their device, they should reach out to their Tier 1/Technical Representative or the HIPAA Security Officer – Valerie Golden (Valerie-Golden@ouhsc.edu).

3. Can I still check Webmail or Outlook outside of the VDI and not have to encrypt my device?

Access to Webmail and Outlook will be permitted while using VDI services. Access to Webmail and Outlook outside of the VDI will also be retained. If you will be accessing Webmail or Outlook outside of the VDI and will download attachments that contain ePHI to store on the device, you are required to encrypt your device. It is strongly suggested that you only access Webmail or Outlook from the VDI environment to avoid potentially downloading ePHI to an unencrypted device.

4. What happens if I do not encrypt my device because I plan to only access ePHI from VDI, but I do end up storing ePHI on the device?

HIPAA policy requires that ePHI must be encrypted when stored outside of OU’s secure data center (such as on local servers or devices). If you access or store ePHI outside the VDI environment and your device is not encrypted, you have violated HIPAA policy. You would be subject to sanctions from your department, clinic, or program. Further, if the ePHI was compromised because of the violation, you may be liable for a breach of ePHI, which could result in a monetary penalty from the Office for Civil Rights.

5. How are users prevented from downloading ePHI to their unencrypted laptops?

While working in the VDI environment, a policy configured on the VDI Management Server prohibits the virtual desktops from connecting to local storage, including removable media. Workforce Members are also prevented from using the copy and paste functions to move data from their device into the VDI or out of it. However, the Workforce Member is responsible for ensuring that they are only accessing or storing ePHI while in the VDI environment to avoid a potential HIPAA violation and sanction. If they are unsure, they should reach out to their Tier 1/Technical Representative or to the HIPAA Security Officer – Valerie Golden (Valerie-Golden@ouhsc.edu).

6. If I use VDI but still have access to ePHI that can be stored on my personal laptop, does my laptop need to be encrypted too?

Yes, HIPAA compliance requires encryption on devices where the Workforce Member will access or store ePHI outside the VDI environment.

7. Am I required to report my personally-owned devices that are used for University business to OU management, even if I’m only connecting through VDI or VPN?

All devices that are used to access University data containing ePHI must be reported to your Tier 1/Technical Representative or your department/clinic management and tracked on the Health Care Component’s Device Inventory List.

8. Do I have to report a personally-owned device, used for University business, that is lost or stolen if I’m only connecting through VDI or VPN?

Loss or theft of any device, including a personally-owned device, that is used for University business must be immediately reported to the departments below:

Information Security Governance – grc@ou.edu

OU Police Department: Norman – (405) 325-1717; HSC – (405) 271-4300; Tulsa – (918) 660-3900

If the device was used to access, create, or store ePHI (even through the VDI), you must also notify:

HIPAA Security Officer – Valerie Golden (Valerie-Golden@ouhsc.edu)

The HIPAA point of contact for your program/department/clinic





The University of Oklahoma Health Sciences Center

Office of Compliance
P. O. Box 26901
Oklahoma City, OK 73129
Phone: (405) 271-2511, (866) 836-3150
Fax: (405) 271-1076

Copyright © 2014 The Board of Regents of the University of Oklahoma, All Rights Reserved.