Data Use and Storage

Requirements and procedures are in support of governing CU Policies and CUIMC Information Security Procedures.

Computers and any other devices that access information electronically will store it in some manner, whether permanent or temporarily, in locations that may not be obvious to the average user. This can include:


Adequately protect data according to its classification level

Columbia University's Data Classification Policy covers requirements for types of data based on its level of sensitivity. This is regardless of the format, and applies to any data being processed, stored and/or transmitted.

Common examples are listed below for convenience only and are not all-inclusive. Be sure to read and understand the full policy as well as any appendixes. Files containing mixed levels of data must be treated at the highest level of sensitivity.

NOTE: Data provided by the U.S. Centers of Medicare and Medicaid Services (CMS) must follow additional procedures.

Protection of Data

Data must be protected according to its level of classification regardless of where/how it is stored. The following policies detail specific requirements such as password protection, encryption, updates, backups and more:

Storage providers

OneDrive for Business at CUIMC may be used as outlined. Other commercial hosting services (i.e. Dropbox, Apple iCloud, etc.) do not have a signed Business Associates Agreement with CUIMC to protect data containing PHI as required by policy. Allowing a non-approved vendor to store, transfer, process or access data containing this type of information is strictly prohibited.