Welcome to the UAB IT Compliance website. The purpose of this site, and its associated content, is to provide a high-level introduction to a number of topics related to information technology compliance and risk management. Where possible, additional guidance and links for users seeking more information are provided.

Subjects that are addressed on this site include:

  • Researchers’ guidelines for HIPAA compliance
  • Researchers’ guidelines for FISMA compliance
  • An intro to the PCI DSS and UAB’s requirements for conducting payment card transactions
  • An intro to FERPA compliance at UAB
  • An intro to GLBA compliance and how it applies to UAB
  • An intro to risk management

According to UAB policy and standards, data tied to HIPAA, FISMA, PCI, GLBA, and FERPA are considered personally identifiable information (PII) or protected health information (PHI) and must be protected. UAB classifies FERPA data as Sensitive, while HIPAA, FISMA, PCI, and GLBA data are classified as Restricted/PHI. For additional guidance on how UAB policies and standards apply to the compliance frameworks above and how Sensitive and Restricted/PHI data must be protected, please refer to the UAB Data Classification Rule and the Data Protection Rule, both of which can be found on the UAB IT Policies and Guidance page.

If you have additional questions regarding IT compliance or any of the subjects above, feel free to pose those questions to the UAB Enterprise Information Security Office’s Risk Management and IT Compliance team at riskmgt@uab.edu.