All employees are responsible for the security of sensitive and confidential information [i.e., Electronic Protected Health Information (EPHI), Personally Identifiable Information (PII), and Protected Credit Information (PCI)] at the Medical Center.


To ensure that proper security responsibilities are defined for employees and other Health Information and Technology (HIT) customers.


This standard applies to all Medical Center employees/customers who access EPHI, PII and PCI.



All employees/customers with access to Medical Center Information Systems are responsible for the protection and security of EPHI per Health System Policy IT-002: Use of Electronic Information and Systems.

HIT Security Department

The Chief Information Security Officer (CISO) has been designated by the Chief Information Technology Officer (CITO) to oversee the development and implementation of the HIT Security Program for the University of Virginia Medical Center.

The CISO and the HIT Security Office are responsible for:

  1. Developing and Implementing Information Security Policy
  2. Organizing Information Security (Internal and External Organizations)
  3. Asset Management
  4. Human Resources Security
  5. Physical and Environmental Security
  6. Communications and Operations Management
  7. Access Control
  8. Information Systems Acquisition, Development, and Maintenance
  9. Information Security Incident Management/Response
  10. Information Security Aspects of Business Continuity Management
  11. Information Systems Risk Assessments (Health System)
  12. Compliance (Legal requirements, Security Policies, Standards, and Technical Compliance; Information Systems Audit Considerations)

Document Supporting Resources