Purpose

To establish requirements for the development, approval, hosting, and maintenance of websites and web-based services representing the University of Tennessee Health Science Center (UTHSC). The goal is to promote security, consistency, accessibility, and brand alignment across the university’s web presence. It is also designed to reduce reputational risk to the University and better manage the use of our brand by limiting such use to approved public-facing websites under the official domain.

This practice is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).

Scope

This practice applies to all faculty, staff, students, departments, centers, research labs, and affiliated units that create, manage, or sponsor a website or web-based service using UTHSC resources or branding. It applies to public and internal-facing sites, including:

• Academic and administrative websites
• Research project and lab websites
• Departmental blogs, microsites, and portals
• Third-party services used for official university purposes
• Any web property using a uthsc.edu subdomain or referencing UTHSC in its content

Definitions

Accessibility – the concept that people with disabilities are able, including with the help of assistive technologies, to access and use a product or system. For example, an “accessible” website may be designed so that the text can be enlarged by the user, rather than having a fixed font size, or may be designed so that it can be interpreted and “read aloud” by screen reader software used by individuals who are blind or have low vision.

Website – a set of related web pages that are prepared and maintained as a collection in support of a single purpose.

Responsibilities

Information Security Technology (ITS) approves hosting, ensures security and accessibility, and provides support to the users.

Communications & Marketing oversees branding, approves content design, and offers guidance on web structure.

Web Content Owners are responsible for maintaining content accuracy and ensuring compliance.

Departments and Units are responsible for assigning personnel to manage sites and follow the approved process.

Practice

1. Hosting Requirements
   1. All official UTHSC websites must be hosted on UTHSC-managed infrastructure. Exceptions (e.g., cloud or third-party platforms) require written approval from Information Technology Services (ITS), subject to risk assessment and compliance review.
   2. Websites not hosted by ITS without an approved exception may be subject to deactivation.
2. Domain Name Registration and Use
   1. All domain names representing UTHSC or any of its units (departments, labs, centers, research projects, etc.) must be registered and managed through ITS. Use of third-party domain names (e.g., .com, .org, or alternate .edu domains) for UTHSC-related activities is strongly discouraged and must be pre-approved in writing by ITS and Communications & Marketing.
3. Approval Process
   1. Prior to development or publication, all new or significantly revised UTHSC websites must be submitted for review and approval by:
      • ITS – for technical security, accessibility, and hosting standards
      • Communications & Marketing – for branding, content structure, and visual design
4. Design and Branding
   1. Websites must follow the UTHSC Brand Guidelines, including appropriate use of university colors, fonts, logos, and editorial tone. Communications & Marketing provides templates and consulting for compliant design.
5. Accessibility
   1. All websites must comply with the current version of Web Content Accessibility Guidelines (WCAG) Level AA at a minimum, and UT’s Digital Accessibility Policy. This ensures content is accessible to users with disabilities and meets legal requirements.
6. Security and Data Privacy
   1. Websites must adhere to UTHSC IT security policies, especially when handling data covered by HIPAA, FERPA, or other regulatory standards. Forms collecting data must include approved privacy notices and use secure protocols (HTTPS).
   2. Web services must also align with:
      • IT0002 – Acceptable Use of IT Resources
      • IT0005-HSC-A-Data & System Categorization
7. Ongoing Maintenance
   1. Each website must have a designated content owner responsible for:
      • Keeping information current
      • Removing or archiving outdated pages
      • Coordinating with ITS for technical issues
      • Participating in periodic review cycles led by Communications & Marketing

Policy History

Version #	Effective Date
1	08/01/2025

References

1. UTHSC Branding Guidelines
2. IT0002-Acceptable Use of Information Technology Resources
3. IT0002-HSC-A-Acceptable Use of IT Resources
4. IT0005-HSC-A-Data & System Categorization
5. IT0006-Accessibility