
Policy IT-001: Technology Acquisition - Acquisition of IT-Enabled Resources Connecting to Health System Resources

This policy establishes requirements and processes to govern how IT-enabled resources (computing hardware, data storage, software, telecommunications and services) are to be acquired in order to ensure that the Health System's IT resources are protected and appropriately maintained.


  1. effective date:

    August 1, 2017
  2. content:


    Applies To: The Medical Center, the School of Medicine, the School of Nursing, Claude Moore Health Sciences Library, Transitional Care Hospital, the Health System Development Office/UVA Health Foundation (“Health System Development Office”), and the University of Virginia Physicians Group (“UPG”)

    Reason for Policy: Systematic and thoughtful acquisition of IT-enabled resources, with input from key consumers and IT subject matter experts, provides for stable, secure and efficient management of information, including patients’ Protected Health Information (PHI) and other highly sensitive data.


    Definition of Terms:

    UVA Health System Secure Clinical Network (“SCN”; also referred to as the Health System Data Network) – a web of connected devices exchanging data on a private, restricted wired and wireless network both at Health System physical locations and at remote sites. Data exchanged via the SCN includes PHI and other highly sensitive data which must be transmitted and stored securely and in full compliance with all state and federal requirements.

    The SCN uses a private addressing scheme, making it impossible for devices outside of the SCN to access resources on it directly; outside requests must be routed through a network gateway which monitors and restricts traffic. Some devices can connect to the SCN from an external network by means of a Virtual Private Network (VPN), which thereupon integrates such devices into the SCN.

    IT-Enabled Resources - any medical device, computer system, data storage, software or service requiring connection to the SCN.

    Requesting Department - a department, unit or service within the Health System seeking to acquire an IT-Enabled Resource; this department, unit or service shall also be responsible for the costs of acquisition of the Resource, implementation and adherence to security standards as required by HIT, and any ongoing operational expenses associated with the IT-Enabled Resource.


    Policy Statement: Health Information & Technology shall establish standards for the acquisition of computing hardware, data storage, software, telecommunications and services. These standards shall reflect the Health System’s overall commitment to its Tripartite Mission and its ASPIRE values, as well as its commitment to the security of sensitive information, strategic opportunity, consideration of total cost of ownership (acquisition, implementation and ongoing operation costs), current technology standards and required institutional approval for such acquisitions. Only devices, software, and services sourced and acquired in compliance with this policy shall be connected to the SCN.



    1. INITIATION
      Prior to purchase of an IT-Enabled Resource, the Requesting Department must complete the Health IT Service Request Form. This form must be completed prior to purchase regardless of whether the funding is capital or operational, and regardless of whether the resource is to be acquired through University, Medical Center or UPG procurement processes.
    2. REVIEW
      1. Following completion of the service request, Health IT shall contact the Requesting Department and bring together an ad hoc team of relevant subject matter experts such as Medical Center Procurement or University Procurement as applicable, Medical Center Information Security, Clinical Engineering, or Health Information Services. This team will determine any requirements for the acquisition, such as a security risk assessment, implementation plan or expected standards of performance, and guide the Requesting Department through fulfilling those requirements (“Analysis”).
      2. Any IT-enabled resource request in conflict with Health IT guidelines or strategies shall be resolved by the Chief Information and Technology Officer and appropriate senior leadership representatives.
    3. APPROVAL
      1. Once funding has been approved, the Requesting Department shall submit results of the Analysis to Medical Center, UPG or University Procurement, as may be applicable, for issuance of an RFP or initiation of a pilot or purchase process. All acquisitions processed through Medical Center Procurement shall comply with Medical Center Policy 0189 “Medical Center Procurement Guidelines.” Acquisitions processed through the University or UPG shall likewise follow all applicable procurement policies and procedures. If an acquisition occurs via University or UPG processes, the results of any security risk assessment determined to be necessary as a result of the Analysis must also be provided to HIT, and reviewed and approved by HIT, before connection can occur, in order to ensure that the newly acquired system meets HIPAA security requirements.
      2. Hardware, software and information security standards and policies are available on the Health IT website.  
      3. Devices to be used in patient care will comply with Medical Center Policy 0076 “Management of Medical Devices Used in Patient Care.”                              
      4. Clinical systems with electronic signature capability will comply with Medical Center Policy 0218 “Definition, Characteristics, Authentication and Maintenance of the Medical Record and Designated Record Set.”
      5. This policy shall apply to the acquisition of all devices, software and services connecting to the SCN. For IT resources not connecting to the SCN, the applicable purchasing guidelines for that Entity shall apply, e.g., the School of Nursing, School of Medicine and Claude Moore Health Sciences Library follow University policies, and UPG policies apply to UPG acquisitions.
  3. signature(s):

    Richard P. Shannon, MD, Executive Vice President, Health Affairs