Storage and Security of Research Data: IRB Continuing Education 2007 (Sheila Moore, CIP, Director, Office of the IRB; Terrell Herzig, UAB/UABHS HIPAA Security Officer)


Slide 1: Storage and Security of Research Data
IRB Continuing Education 2007
- Sheila Moore, CIP, Director, Office of the IRB
- Terrell Herzig, UAB/UABHS HIPAA Security Officer

Slide 2: The Good Old Days
- All research files will be stored in a locked file cabinet in a locked office.
- The above may still be true, but more than likely there will be some sort of electronic storage of data.

Slide 3: Paper and Electronic Storage
- The IRB is concerned with ensuring that the confidentiality of participants' research records is maintained, whether the storage is paper and/or electronic.
- Each protocol needs to adequately address confidentiality of participant records.

Slide 4: Internet/Web
- The IRB is concerned with ensuring that the confidentiality of participants' research records is maintained when data is sent via the internet as well. This includes use (transferring) of data to outside groups, e.g., Google.

Slide 5: Human Subjects Protocol (HSP) Confidentiality, Q#22
- Describe the manner and method for storing research data and maintaining confidentiality. If data will be stored electronically anywhere other than a server maintained centrally by UAB, identify the departmental and all computer systems used to store protocol-related data, and describe how access to that data will be limited to those with a need to know.
- If data are stored electronically anywhere other than a server maintained centrally by UAB, contact HIPAA Security for guidance.

Slide 6: HSP Confidentiality (continued)
Will any information derived from this study be given to any person, including the subject, or any group, including coordinating centers and sponsors? Yes / No. If Yes, complete i-iii.
  i. To whom will the information be given?
  ii. What is the nature of the information?
  iii. How will the information be identified, coded, etc.?

Slide 7: Electronic Storage of Data
- The IRB must review processes/research in which:
  - Data are maintained electronically for storage and data analysis
  - Databases are used to collect/store information for current research or for future research use
  - The IRB will be asking about storage of data on the final report form

Slide 8: Database Research: Clinical and/or Research
- Where the purpose/intent of the research is to generate and maintain a database for research purposes
- The researcher is gathering information about human subjects to populate a research database
- A database may have a dual intent. If research is an intent, it must have IRB review.

Slide 9: Dual Intent
- Database for clinical use and research use
- Database for clinical use: review for compliance with HIPAA security standards
- Intent includes research: must have IRB review
- No laptop storage; access a secure server where the database is securely stored

Slide 10: Research Data
- Data collected for a protocol may not be released to others (including other researchers or students, at UAB or elsewhere) without first obtaining UAB IRB approval.
- This includes data from terminated protocols.

Slide 11: Electronic Storage
- If there has been a change in the storage process and data are now stored electronically, submit a revision to the IRB for review.

Slide 12: Rule of Thumb!
DON'T use a thumb drive for storage of research data!

Slide 13: Describe to the IRB
- The security measures for data:
  - Coding
  - Encryption
  - No data taken off-campus

Slide 14: HIPAA and the UAB Researcher
Terrell W. Herzig, MSHI, UAB/UABHS HIPAA Security Officer, HSIS Data Security Officer

Slide 15: A Recent Scenario
- Background:
  - A computer external hard drive, used to back up a clinical research database, contains protected health information.
  - It is of average size for such devices, 2x8x6.
  - It is in a locked private office.
If this external hard drive goes missing, how much would it cost?

Slide 16: Choose only one answer:
- A. $104
- B. 1.8 million x $30
- C. Lost productivity for an entire entity while cooperating with an investigation (estimated at $23 million)
- D. Research is shut down
- E. All of the above

Slide 17: And the answer is...
- A. $104
- B. 1.8 million x $30
- C. Lost productivity for an entire entity while cooperating with an investigation (estimated at $23 million)
- D. Research is shut down
- E. All of the above

Slide 18: How much would the same drive have cost if proper safeguards had been in place?
Answer: $127 ($104 for the drive, $23 for the encryption software)

Slide 19: Other interesting numbers
- 5: number of hours the person who lost the drive spent hooked to a polygraph
- 2: number of federal agents on campus conducting the investigation
- 12: number of weeks of man-hours spent by the organization cooperating with the agents

Slide 20: VA Recommendations
- Take administrative sanctions against:
  - IT Specialist
  - Birmingham REAP Director
  - Birmingham REAP Associate Director
  - Medicare Analysis Center Director
  - VA Information Resource Center Director
  - Birmingham Medical Center Director
  - Associate Chief of Staff for Research
- Develop government risk criteria for determining the need to notify.
- Require encryption on portable devices.

Slide 21: VA Recommendations (cont.)
- Re-evaluate position sensitivity levels and background investigations.
- Institute release-of-information practices for research.
- Develop access policies for programmer access for research.
- Require a data security plan before IRB approval.
- Audit for waiver compliance.
- Enforce access policies for National Data Centers.
- Prohibit storage of VA information on non-VA systems. Discontinue receiving VA email at UAB.
- Assess alignment of the REAP management structure. Correct the dysfunctional management structure.

Slide 22: Oh, that can't happen here...

Slide 23: Recent Examples of Incidents Impacting UAB/UABHS Research
- Research database with protected health information stolen from a locked office
- Thumb drive containing a research database lost
- Laptop with a research database stolen

Slide 24: What are the risks associated with a breach in security?
- Risks to the individual whose PHI is compromised:
  - Embarrassment, misuse of personal data, becoming a victim of fraud or scams, identity theft
- Risks to the institution:
  - Loss of information and equipment, trust of constituencies, reputation, future grant awards; negative publicity; penalties, fines, litigation
- Risks to research:
  - Loss of data or data integrity, funding in jeopardy
  - If serious and/or continuing noncompliance is determined by the IRB, then possible suspension or termination could result, as well as a report to the Office for Human Research Protections, other federal agencies, research sponsors, and other institutional officials as appropriate.
- Risks to the investigator or employee:
  - Loss of data, time, funding, reputation; embarrassment; disciplinary action, prosecution, fines, civil and criminal penalties

Slide 25: At UAB, HIPAA affects
- More than 12,000 employees, which is approximately 67% of the UAB/UABHS workforce
- More than 5,000 students
- Over 44,000 hospital discharges annually
- Over 400,000 outpatient visits annually
- $450 million awarded in grants and contracts involving human subjects
- A physical plant of approximately 80 blocks

Slide 26: Final Jeopardy
Answer: The 18 elements that can be used to identify an individual as documented in the HIPAA Regulations.

Slide 27: What is protected health information?
Protected health information (PHI) is any information, including demographic information, that is TRANSMITTED or MAINTAINED in any MEDIUM (electronically, on paper, or via the spoken word); that is created or received by a health care provider, health plan, or health care clearinghouse; that relates to or describes the past, present, or future physical or mental health or condition of an individual, or past, present, or future payment for the provision of healthcare to the individual; and that can be used to identify the individual. ePHI is often used to designate electronic PHI.

Slide 28: PHI Data Elements
The following identifiers of the individual, or of relatives, employers, or household members of the individual, are considered PHI:
1. Names
2. Geographic subdivisions smaller than a state (street address, city, county, precinct, zip, equivalent geo-codes)
3. All elements of dates (except year) including birth date, admission and discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers

Slide 29: PHI Data Elements (continued)
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code, except as allowed under the ID specifications (164.514(c))

Slide 30: So that means...
Linking any one of these 18 PHI data elements to an identified diagnosis or medical condition, whether the diagnosis comes from a medical record or is self-reported by the participant, means that PHI is being maintained.
Example: A database entitled "Liver Transplant Recipients" containing only individuals' names is linking 1 PHI data element with a medical condition. The database contains PHI.
Do you have PHI as part of your research data?

Slide 31: Types of Data Protected by HIPAA
- Written documentation and all paper records
- Spoken and verbal information, including voice mail messages
- Electronic databases and any electronic information containing PHI stored on a computer, PDA, memory card, USB drive, or other electronic media

Slide 32: Research: A Use
- Sharing of PHI among UAB/UABHS covered entities for research is considered a use of PHI.
- New requirement for researcher
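As an added illustration of the slide 28 to 30 rule (not part of the original presentation or any UAB tool): a small Python classifier that answers "do you have PHI in this record?" by checking whether any of the 18 identifier elements is linked to a diagnosis, either in the row itself or through the dataset's title, as in the "Liver Transplant Recipients" example. The column names, regular expressions and sample rows are constructed assumptions, and only elements with a recognisable value shape or a named column are detected.

```python
import re

# Column names, patterns and sample rows are constructed for this example.
CONDITION_COLUMNS = {"diagnosis", "condition", "icd_code"}
# Identifiers recognised by column name (elements 1, 7-13, 16, 17).
IDENTIFIER_COLUMNS = {
    "name": 1, "ssn": 7, "mrn": 8, "health_plan_id": 9, "account_number": 10,
    "license_number": 11, "vin": 12, "device_serial": 13, "fingerprint": 16, "photo": 17,
}
# Identifiers recognised by value shape (elements 2-7, 14, 15); a bare year is not element 3.
VALUE_PATTERNS = [
    (2, re.compile(r"^\d{5}(-\d{4})?$")),                      # zip code
    (3, re.compile(r"^\d{4}-\d{2}-\d{2}$")),                   # full date
    (4, re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$")),  # phone or fax
    (6, re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),            # e-mail address
    (7, re.compile(r"^\d{3}-\d{2}-\d{4}$")),                   # SSN
    (14, re.compile(r"^https?://", re.I)),                     # URL
    (15, re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")),              # IP address
]

def find_identifiers(record):
    """Return the set of HIPAA element numbers present in one record."""
    found = set()
    for column, value in record.items():
        text = str(value).strip()
        if column in IDENTIFIER_COLUMNS and text:
            found.add(IDENTIFIER_COLUMNS[column])
        if column == "age" and text.isdigit() and int(text) > 89:
            found.add(3)  # element 3 also covers any age over 89
        for element, pattern in VALUE_PATTERNS:
            if pattern.match(text):
                found.add(element)
    return found

def has_condition(record, dataset_condition=None):
    """True if the record, or the dataset title it sits under, names a medical condition."""
    if dataset_condition:  # e.g. a database titled "Liver Transplant Recipients"
        return True
    return any(str(record.get(col, "")).strip() for col in CONDITION_COLUMNS)

def contains_phi(record, dataset_condition=None):
    """Slide 30 rule: any one identifier linked to a condition means PHI is held."""
    return bool(find_identifiers(record)) and has_condition(record, dataset_condition)

# Constructed sample rows as a study database might export them.
SAMPLE_RECORDS = [
    {"name": "J. Doe", "zip": "35294", "dob": "1950-03-12", "diagnosis": "liver transplant"},
    {"subject_id": "S-0042", "dob_year": "1950", "diagnosis": "liver transplant"},
    {"subject_id": "S-0043", "age": "91", "diagnosis": "hepatitis"},
    {"subject_id": "S-0044", "email": "jdoe@example.org"},
]
```

Row 2 passes because a study code and a bare year are allowed under the ID specifications, while row 3 is flagged solely because an age over 89 is itself element 3.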