Sensitive and Protected Information

UNM data owners/ stewards must approve any transaction involving the data types listed below. For questions regarding data owners/ stewards, please see the UNM Data Governance site located at SPI includes, but is not limited to:


  • SSN* (regulated by Federal Privacy Act of 1974);

  • Credit Card Number* (regulated by Payment Card Industry (PCI);

  • Direct Deposit information* (regulated by Federal Trade Commission (FTC);

  • Student Loan information* (regulated by Gramm Leach Bliley Act (GLBA);

  • Student Grades and other academic records* (regulated by Family Educational Rights and Privacy Act (FERPA);

  • Protected Health Information within UNM's ERP (regulated by Health Insurance Portability and Accountability Act (HIPAA); the Health Information Technology for Economic and Clinical Health (HITECH) Act; and the HIPAA Omnibus Rule;

  • Institutional Review Board (IRB);

  • Banner ID.

*Transactions that require a legal agreement to enforce compliance, or to bind third parties to UNM’s obligations for SPI cannot be completed using a PCard.

Once data owner/ steward approval is granted, the HSC or The UNM Information Security & Privacy Office must review the request per the procedures listed below.

UNM Information Security & Privacy Office

To request a review, please follow the instructions at this link for opening a Help.UNM ticket, and for the most current versions of the questionnaires that must be completed:

Healthcare/HIPAA related requests for the Health Sciences System are reviewed by the HSC Information Security Office. Please follow the procedures below for such requests.


HSC Security Office

Complete the Preliminary Security Review Form and submit it to the HSC Information Security Office using the email address below. Please indicate the nature of the information that the vendor will access, modify, store or transmit (i.e., confidential data or data subject to HIPAA, FERPA, PCI, or other security requirements).

The HSC Information Security Office will assess the submitted information and advise you with regard to IT security requirements that apply. When the identified security requirements have been met the HSC Information Security Office will notify you along with the PCard Office of the outcome of the completed IT security review.

UNM Health Sciences Center Information Security Office

*             Website:

*             HSC Information Security Office:

*             HSC ISO: Michael W Meyer

Note: Purchases involving the sharing of UNM/HSC data with third parties may require an agreement, for example, a Data Use Agreement (DUA), to define responsibilities, allowed data uses and disposal of data at the end of the contract period. Purchases that require legal agreements are not supported using a PCard.

If all other Purchasing requirements have been met your request will be processed.