JOHNS HOPKINS PERSONALLY IDENTIFIABLE INFORMATION POLICY

Application of Policy

The Johns Hopkins Personally Identifiable Information Policy (“PII Policy”) sets forth the minimum standards for the Johns Hopkins University (“JHU” or the “University”) and the Johns Hopkins Health System Corporation (“JHHS”) (JHU and JHHS are “Hopkins” or “Johns Hopkins”) to protect personally identifiable information (“PII”). These standards are cast as practices herein; they represent the set of expectations against which policy compliance will be assessed. Further obligations imposed by law, regulations, contract or other institutional policies also apply.

All members of the Hopkins community, including without limitation, Hopkins students, faculty, staff, employees, volunteers and contractors, are required to adhere to this PII Policy.

Policy

It is Johns Hopkins policy to protect the privacy of personally identifiable information that is within Hopkins’ control. PII is information that can be used to identify an individual, whether on its own or in combination with other personal or identifying information that is linked or linkable to an individual. PII can be that of current and prospective workforce members, students, alumni, donors, trustees, advisory committee members, vendors, visitors, and payors, among others. Privacy requirements regarding minors may require additional consideration regarding information classification and/or handling.

Protected health information (PHI) is governed under the federal HIPAA law (see below) and Hopkins has a comprehensive set of policies, standards and practices for this law. It is therefore not governed under this policy. PII of patients, clinical research study subjects and workforce members as health plan participants constitutes PHI.

Federal and state information privacy laws require Hopkins to protect certain elements of PII, often because of the sensitivity of the data and/or its potential for misuse for fraudulent activities or other forms of identity theft. These laws may require Hopkins to self-report to the state or federal government and/or provide notice to affected individuals if the security of certain PII is breached. The following table provides examples of different types of PII:


Column 1: Examples of PII that may require legal notification of breach
- Social Security numbers
- Credit card numbers
- Financial account information
- Driver’s license numbers

Column 2: Examples of Other Legally Protected PII that is considered Sensitive/Confidential
- Student Education Records
- Grades, Transcripts, Schedules
- Banking and personal financial information related to student financial aid that does not include account information (e.g. credit scores)
- Employee records (e.g. human resources)
- Records of administrative hearing

Column 3: Examples of Other Forms of PII with the potential for misuse
- Date of Birth
- User credentials
- Partially redacted PII (e.g., last 4 digits of SSN)
- Employee ID numbers

A given element of PII may be protected under more than one federal or state law or Hopkins policy. Hopkins has adopted other information privacy policies governing specific categories of information, as set forth in the next section. The third column above includes PII that is sensitive but may be an appropriate substitute for other legally protected PII elements. The PII elements below are not necessarily considered private, but combining these elements with other PII may have privacy implications.

Examples of Other PII that may be misused if combined with other PII or aggregated
- Address
- Phone number
- Email address
- JHED ID
- Student directory information in which the student has not opted out (like that above, but also dates and photos)

Hopkins Information Privacy Policies

If any specific Hopkins policy, including without limitation the ones listed below, conflicts with this general privacy policy, that policy will control.

1. Student Records -- The Johns Hopkins University Policy on Family Educational Rights and Privacy (http://pages.jh.edu/~news_info/policy/ferpa.html) addresses student privacy rights with respect to their education records, as required under the federal Family Educational Rights and Privacy Act (“FERPA”). The Hopkins Registrars have primary responsibility for establishing policies and procedures related to compliance with FERPA.

2. Electronic Information that is Restricted, Confidential or Internal-Use-Only -- Hopkins requires protection, in compliance with the Hopkins information technology policies (http://it.jhu.edu/policies/itpolicies.html), of electronic information that is categorized as restricted, confidential or internal-use-only.

3. Health Information of Patients, Health Information of Health Plan Members and Health Information of Human Subjects Participating in Clinical Research with a Covered Entity -- The confidentiality of patients’, clinical research study subjects’ and health plan members’ information is covered under separate Johns Hopkins Medicine policies addressing protected health information (HIPAA Provider policy available at https://hpo.johnshopkins.edu/enterprise/policies/170/12134/policy_12134.pdf?_=0.950377349296 and HIPAA Health Plan policy available at https://hpo.johnshopkins.edu/enterprise/policies/181/12226/policy_12226.pdf?_=0.277344938423), and is thus not addressed in this policy. The Hopkins Privacy Office has primary responsibility for establishing policies and procedures related to compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) for the relevant divisions of Hopkins.

4. Human Subjects Research -- In addition to HIPAA and other laws safeguarding the privacy of health information, the Federal Policy for the Protection of Human Subjects (the “Common Rule”) contains protections for the privacy of research participants and the confidentiality of their information. Confidentiality and privacy with respect to non-medical human subjects research is addressed by the appropriate JHU divisional Institutional Review Board (“IRB”) policies and procedures.

5. Identity Theft Prevention Policy -- The U.S. Federal Trade Commission requires organizations that routinely deal with consumer accounts to maintain a policy regarding “red flags” that might indicate consumer identity theft. While these flags may not involve PII, unusual account activity may be an indicator for detection. http://pages.jh.edu/~news_info/policy/identity_theft.html

Protection and Handling of PII

The following requirements apply to PII in paper records, electronic records and in oral communications, as well as any aggregation of PII in an electronic format (e.g., databases, webpages, e-mail, spreadsheets, tables and file sharing services such as JHBox, Sharepoint).

1. General -- In addition to complying with all applicable legal requirements, Hopkins further limits the collection, use, disclosure, transmission, storage and/or disposal of PII to that which fulfills the Johns Hopkins mission.

2. Safeguards -- To protect PII against inappropriate access, use, disclosure, or transmission, Hopkins requires appropriate administrative, technical and physical safeguards. Divisional and entity leadership is responsible for documenting security controls and safeguards and risk management consistent with the Hopkins policy. Examples of physical safeguards include storing documents containing PII in secured cabinets or rooms and ensuring that documents containing PII are not left on desks or in other locations that may be visible to individuals not authorized to access the PII.

3. Collection -- Collection of PII should be done in a way that is consonant with the other provisions of this section (e.g., Minimization). Collected data should be appropriate for the intended authorized use, and collection should be conducted according to best practice and legal requirements for the type and purpose of data collected. Since the collection process itself can potentially lead to unintended PII disclosure, considerations of confidentiality in collection and recording should be explicitly addressed.

4. Minimization -- All members of the Hopkins community (e.g. employees, staff, contractors and volunteers) are responsible for minimizing the use of PII (including redaction of financial account information, use of less sensitive substitutes such as partial SSN and the Hopkins Unique Identifier) and minimizing aggregations of PII. The risk of unauthorized disclosure of or access to PII increases with the amount of data. All members of the Hopkins community are responsible for ensuring that the number and scope of physical and electronic copies and repositories of PII are kept to the minimum necessary and only for the time period where a valid business need for the information exists.

5. Permitted Use within Hopkins -- Only individuals within Hopkins who are permitted under law, regulation and Hopkins policies and have a legitimate “need to know” are authorized to access, use, transmit, handle or receive PII, and that authorization only extends to the specific PII for which the relevant individual has a legitimate “need to know” for the purposes of performing his or her Hopkins job duties.

6. Permitted Disclosure to Third Parties -- Hopkins may release PII to third parties only as permitted by law/regulation and Hopkins policy. Third party contractors to whom Hopkins is disclosing PII must be bound by agreements with appropriate PII safeguarding and use provisions.

7. Oral Communications -- Only authorized individuals may engage in oral communications involving PII. Caution is required in all oral communications involving PII, and oral communications involving PII may not take place in any location where the communication may be overheard by an individual not authorized to access the PII.

8. Storage of PII -- PII may be stored only as necessary for the Johns Hopkins mission and permitted under the Hopkins policy. Divisional and Departmental leadership is responsible for providing guidelines around where information can be scanned/stored (e.g. in hard copy, on shared drives, on other media/devices) and how long information may be retained before requiring deletion or destruction. In addition, divisional and entity leadership is responsible for maintaining an up-to-date inventory of stored or maintained documents, files, databases and datasets containing PII, and their contents; and requiring encryption of PII stored on mobile devices, media or other at-risk devices such as public workstations.

9. Transmission of PII -- PII may not be transmitted to external parties outside Hopkins (e.g. via mail, fax, e-mail, FTP, instant messaging) without appropriate security controls. Generally, such controls include encryption and authentication of recipients (e.g., password protection of files; verifying fax numbers; cover sheets; marking documents as confidential). Great care is to be taken to ensure that e-mails are sent only to intended recipients.

10. Disposal -- PII must be destroyed and rendered unreadable prior to disposal. For example, this may include shredding papers or wiping electronic files.

11. Training -- Each Hopkins division, entity and department is responsible for ensuring that its personnel complete appropriate training on the Hopkins information privacy policies and sign confidentiality agreements to the extent necessary and appropriate, before accessing, using, transmitting, handling or receiving PII.

Enforcement and Exceptions

Each Hopkins division, entity, and department is responsible for ensuring that its PII handling practices are consistent with the practices described in this PII Policy. This responsibility includes the entire set of activities within enforcement, including surveillance and detection of non-compliance with the Policy, the identification and implementation of individual- and organizational-level corrective actions, and (where appropriate) the imposition of sanctions. As a practical matter, it may be occasionally necessary and appropriate to diverge from these best practices in order to advance the institution’s mission. In such cases, it is the responsibility of the head of the relevant division, entity, or department to ensure that such divergences are approved, documented, and communicated to stakeholders.

Breaches of the Privacy of PII

Known or suspected violations of this policy should be reported promptly. Any incidents that have the potential to damage departmental and/or Hopkins network operations should be reported immediately. Violators of this policy may be subject to criminal and/or civil penalties and to disciplinary action, up to and including termination. In the event of a known or suspected privacy breach, contact for the University, the Office of the General Counsel, at (410) 516-8128 and for JHHS, JHHS Legal Department, 410-955-7949.

Related Laws, Rules and Standards:

Family Educational Rights and Privacy Act and associated regulations
Gramm-Leach-Bliley Act and the FTC’s Information Safeguarding Rule
Health Insurance Portability and Accountability Act (HIPAA) and associated regulations
Health Information Technology for Economic and Clinical Health Act (HITECH) and associated regulations
Fair and Accurate Credit Transactions Act and the FTC’s “Red Flags” Rule
Children’s Online Privacy Protection Act
Maryland Confidentiality of Medical Records Act
Maryland Social Security Number Privacy Act
Maryland Personal Information Protection Act
Payment Card Industry Data Security Standards