GP-004.03 – Acceptable Use of UTHSC Phones and Service

Responsible Office: Office of Cybersecurity

Last Review: 12/15/2023

Next Review: 12/15/2025

Contact: Chris Madeksho

Phone: 901.448.1579



To establish acceptable practices for using the University of Tennessee Health Science Center’s phone system.

This standard is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).


This practice applies to all members of the UTHSC community who use the RingCentral phone system.


Payment Card Industry Data Security Standard (PCI-DSS) – an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data. PCI data is commonly known as credit card data.

Short Message Service (SMS) – a text messaging service to send text-only messages of up to 160 characters between phone lines.

Softphone – a type of software-based phone that allows for making phone calls using an application on a computer or mobile device.

Voice Over Internet Protocol (VoIP) – a technology that uses a broadband Internet connection to make voice calls instead of an analog phone line.


Information Security Technology (ITS) Unified Communications Team is responsible for procuring and maintaining a VoIP system.

Department Heads / Business Managers are responsible for approving exceptions allowing for physical phones and the purchasing of said phones.

UTHSC Workforce is responsible for complying with the Practice.


  1. All UTHSC workforce members have the opportunity to be assigned an official UTHSC phone number.
  2. The default device for making and receiving UTHSC phone calls is the RingCentral software application. Users can install the software application for the RingCentral “softphone” on their UTHSC-owned devices and/or personal devices, i.e. cell phones, where they would like to receive calls.
  3. Physical phones, also known as “hard phones,” are deployed under the following specific conditions only:
    1. The user handles PCI-DSS information.
    2. To address safety-related concerns, i.e. having a physical phone in a laboratory setting in case of emergencies.
    3. To assist with technical difficulties, as determined by the Unified Communications team.
    4. When a business manager approves payment for a hard phone. A request for a physical device should be made through TechConnect.
  4. SMS (texting) service is allowed only if a business need is proven.
    1. If SMS is used as part of the phone service, users must provide documentation through TechConnect to address the following:
      1. How will the service be used?
        1. Will this be used for private communication only? (Example: between employees)
        2. Will this be used for official UTHSC communications? (Example: clinical or research appointment reminders)
      2. If SMS is being used for mass communications from UTHSC, the sender of said texts must provide and keep documentation on:
        1. How will customer consent be collected (opt-in to receive texts)?
        2. How will opt-out requests be managed (opt out of receiving texts)?
    2. The Federal Communications Commission (FCC) can fine organizations that violate the Telephone Consumer Protection Act (TCPA) when they deliver messages to people who have not opted in to receive them.


  1. GP-004-Acceptable Use of IT Resources

Version: 1 // Effective: 12/15/2023