Any user signing into UNC School of Medicine Webex will be assumed to understand and agree with the user agreement and PHI Video Conferencing Policy.
UNC School of Medicine IT
Academic Technology Services
User Agreement and Acceptable Usage Policy for UNC School of Medicine Webex
Effective January 1, 2021
Acceptance of Agreement
Webex is a web and video conferencing service provided by the UNC School of Medicine IT (SOM IT), Academic Technology Services (ATS). This agreement governs the use of the Webex service and is in place to ensure compliance with all applicable University of North Carolina at Chapel Hill (UNC) security policies and standards.
ANY USER SIGNING INTO WEBEX WILL BE ASSUMED TO UNDERSTAND AND AGREE WITH THIS USER AGREEMENT AND ACCEPTABLE USAGE POLICY.
Any User who does not understand or agree with the policy should not log in to the system. For clarification of policies, please submit a ticket to Academic Technology Services (select “Report a Video Conferencing Issue” from the “How can we help you?” field) or call 919-843-9086.
Updates to Agreement
ATS may update this User Agreement at any time and without notification to reflect its organizational needs.
Webex is a service provided by ATS for the UNC School of Medicine.
Services to be provided include:
- Secure web and video conferencing and telepresence.
- Prescheduled conference set up and support.
- Password protected meetings.
- Permanent personal Webex rooms, which are always open and do not require prescheduling of conferences.
- Meeting recording and secure streaming playback.
Acceptable Usage Policy
- Use of Webex is for the purpose of university business only.
- User will not use or present any content that is in violation of state or federal laws or UNC policies.
- When recording, it is the responsibility of the User to make all attendees aware in advance of any conference being recorded.
- Inclusion and sharing of Protected Health Information (PHI) must adhere to all HIPAA policies and guidelines.
- User must obtain authorization from appropriate parties prior to including, recording, or sharing any content containing sensitive information (e.g. protected health information (PHI), intellectual property, copyright material).
- Any use of this service is the responsibility of the User. SOM IT will not assume responsibility for the misuse of content.
- User agrees to comply with all applicable UNC security policies and procedures.
- SOM IT will not assume responsibility for content that is reported or discovered to be in violation of any aforementioned policies or laws. Any recorded content will be removed pending review, and appropriate action taken if necessary.
Limitation of Liability
SOM IT will have no liability or responsibility in the event of any loss or interruption of the services and/or media content described within this agreement due to causes beyond its reasonable control or ability to foresee.
Denial or Termination of Service
While generally available to all UNC affiliates, the following are potential conditions that may require the denial or termination of service.
- Denial of service will be at the discretion of SOM IT management based on the following:
  - The intended use of the service by the client is not for university business.
  - The intended use of the service by the client causes a situation where SOM IT resources are overwhelmed technically, in terms of necessary staffing or otherwise.
  - The intended use of the service by the client does not match the services that ATS is approved to support.
  - The client has not followed through with the proper procedure for requesting the necessary service.
  - The client has been previously found to be in violation of any IT policy within the university such that the action could be repeated.
  - Any other reason agreed to be appropriate by SOM IT management.
- Termination of service will be at the discretion of SOM IT management based on the following:
  - Violation of the effective User Agreement or any Service Level Agreement (SLA) in place.
  - It has been determined that the client’s use of the service matches circumstances that would ordinarily have caused a denial of service.
  - The client’s use of the service is directly causing a negative impact on the quality of service for other users.
  - Any other reason agreed to be appropriate by SOM IT management.
Policy for Including Protected Health Information (PHI) Within a Video Conference
When including patient Protected Health Information (PHI) in a video conference, you must adhere to the following measures to ensure the security of the information:
1. You must have patient consent to share their information and be able to provide consent documentation if requested.
2. You may not invite or include anyone in the conference with whom you do not have permission to share the patient information.
3. The ability to join the conference cannot be made publicly available.
4. You may not include PHI in the meeting title or in the email invitation.
5. Limit your data! Only include patient information relevant to the conference meeting.
6. Computers used to access conferences containing PHI should be encrypted.
7. PHI will not be used for research without appropriate authorization from the Institutional Review Board.
8. Emails sent to and from unc.edu email addresses are considered secure, as well as HIPAA and FERPA compliant.
9. PHI, excluding scheduling information, sent to a non-unc.edu email address must be encrypted via the following: https://help.unc.edu/help/unc-encrypted-email/
10. If the conference is recorded, the recording must be treated as a patient record and can only be shared with those who have permission to view the patient information. Please make sure recipients understand that the link and password may not be forwarded.
11. When sharing a recording, your Recorded Meeting Access Security Settings must be set to:
    - Require users to sign in
    - Prevent downloading
    - Require password protection
12. If you reassign your recording to another user, the user must have permission to view the patient information and be responsible for managing the recording as stated in 10 and 11 above.
Platforms Approved for Sharing Protected Health Information (PHI)
- School of Medicine Webex – Approved for transmitting and recording PHI. Recordings are securely stored in and streamed from the cloud.
- Zoom HIPAA Sub-Account* – Users whose primary affiliation is with the School of Medicine should be placed into a Zoom account approved for the transmission of PHI. Local recording only. When PHI is involved, you can only record to a School of Medicine managed computer that has been set up for PHI use. Participant reporting is not available in the Zoom HIPAA sub-account.
- Zoom Webinar HIPAA Sub-Account* – Users whose primary affiliation is with the School of Medicine should be placed into a Zoom account approved for the transmission of PHI. For webinars, you must use the default Zoom Webinar settings (or settings described in Zoom’s documentation as protecting PHI). See Zoom’s HIPAA Documentation as of April 20, 2020.
*If you are not sure if you have a Zoom HIPAA Sub-Account, you can visit your Account Profile page to determine if you have one. The account name will display “School of Medicine – HIPAA” and the account alias will display “SOM – HIPAA Enabled.”
- Microsoft Teams – Microsoft Teams chats and calls are HIPAA compliant. Please refer to this link for Office 365 Sensitive Information Guidelines.
Sharing Tier 3 Information Other Than PHI – Before sharing Tier 3 information other than PHI (e.g. Social Security numbers, payment card information), please consult with the School of Medicine Information Security and Privacy Office.
Virtual Care Operations should be performed under the guidance of UNC Health. Please refer to the VCC intranet site for updates and resources.
As a reminder, a platform being HIPAA compliant does not mean your specific use of it is appropriate for sharing or protecting PHI. You still need to consider all HIPAA guidelines and policies for sharing PHI. Here is a link to the UNC Chapel Hill Privacy of Protected Health Information Policy.
For more information, please contact the School of Medicine Information Security and Privacy Office.
UNC Security Policies and Procedures
- UNC School of Medicine, UNC Healthcare, UNC ITS Information Security & Privacy Policies
- UNC ITS Policies, Procedures and Guidelines
- UNC ITS Information Security Policy Summaries
- UNC-Chapel Hill Standard on Transmission of PHI and SI over an External Network or an Unsecure Medium
- UNC-Chapel Hill Information Security Controls Standard
- UNC-Chapel Hill Privacy of Protected Health Information Policy
- UNC-Chapel Hill Standard on HIPAA Sanctions
- UNC-Chapel Hill Employee Policies & Procedures
- UNC School of Medicine IT, Information Security & Privacy, HIPAA Security Policies
- UNC School of Medicine IT, Information Security & Privacy, HIPAA Online Training
- UNC Libraries Scholarly Communications Office – Copyright and Fair Use
- UNC School of Medicine Recording Release Form