Storage and Security of Research Data. IRB Continuing Education 2007. Sheila Moore, CIP, Director, Office of the IRB; Terrell Herzig, UAB/UABHS HIPAA Security Officer


1

Storage and Security of Research Data

IRB Continuing Education 2007

Sheila Moore, CIP, Director, Office of the IRB

Terrell Herzig UAB/UABHS HIPAA Security Officer

2

“The Good Old Days”

“All research files will be stored in a locked file cabinet in a locked office.”

The above may still be true, but more than likely there will be some sort of electronic storage of data.

3

Paper and Electronic Storage

The IRB is concerned with ensuring that the confidentiality of participants’ research records is maintained, whether the records are stored on paper, electronically, or both.

Each protocol needs to adequately address confidentiality of participant records.

4

Internet/Web

The IRB is concerned with ensuring that the confidentiality of participants’ research records is maintained when data are sent via the internet as well.

This includes use (transferring) of data to outside groups, e.g., Google.

5

Human Subjects Protocol (HSP) Confidentiality, Q#22

Describe the manner and method for storing research data and maintaining confidentiality. If data will be stored electronically anywhere other than a server maintained centrally by UAB, identify the departmental and all computer systems used to store protocol-related data, and describe how access to that data will be limited to those with a need to know.

If data are stored electronically anywhere other than a server maintained centrally by UAB, contact HIPAA Security for guidance.

6

HSP – Confidentiality (continued)

Will any information derived from this study be given to any person, including the subject, or any group, including coordinating centers and sponsors? Yes / No

If Yes, complete i. through iii.:

i. To whom will the information be given?
ii. What is the nature of the information?
iii. How will the information be identified, coded, etc.?

7

Electronic Storage of Data

The IRB must review:

Processes/research in which data are maintained electronically for storage and data analysis

Databases used to collect/store information for current research or for future research use

The IRB will be asking about storage of data on the final report form.

8

Database Research: Clinical and/or Research

Where the purpose/intent of the research is to generate and maintain a database for research purposes

The researcher is gathering information about human subjects to populate a research database

A database may have a dual intent. If research is an intent, the database must have IRB review.

9

Dual Intent

Database for Clinical use and Research use

Database for clinical use: review for compliance with HIPAA security standards

If the intent includes research, the database must have IRB review

No laptop storage: access a secure server where the database is securely stored

10

Research Data

Data collected for a protocol may not be released to others (including other researchers or students, at UAB or elsewhere) without first obtaining UAB IRB approval. This includes data from terminated protocols.

11

Electronic Storage

If there has been a change in storage process and data are now stored electronically, submit revision to IRB for review.

12

Rule of Thumb!

DON’T use a thumb drive for storage of research data!

13

Describe to IRB

The security measures for data: coding, encryption, no data taken off-campus.

14

HIPAA and the UAB Researcher

Terrell W. Herzig, MSHI

UAB/UABHS HIPAA Security Officer

HSIS Data Security Officer

15

A Recent Scenario

Background:

A computer external hard drive, used to back up a clinical research database, contains protected health information.

It is of average size for such devices, 2”x8”x6”.

It is in a locked private office.

If this external hard drive goes missing, how much would it cost?

16

Choose only one answer:

A. $104
B. 1.8 million x $30
C. Lost productivity for an entire entity while cooperating with an investigation (estimated at $23 million)
D. Research is shut down
E. All of the above

17

And the answer is…

A. $104
B. 1.8 million x $30
C. Lost productivity for an entire entity while cooperating with an investigation (estimated at $23 million)
D. Research is shut down
E. All of the above

18

How much would the same drive have cost if proper safeguards had been in place?

Answer: $127

$104 for the drive

$23 for the encryption software

19

Other interesting numbers

5: Number of hours the person who lost the drive spent hooked to a polygraph

2: Number of federal agents on campus conducting the investigation

12: Number of weeks of man hours spent by the organization cooperating with the agents

<1: Number of blocks from UAB/UABHS this facility lies

9: Number of joint UAB/VA research projects under investigation by the VA’s IRB and Chief Information Security Officer

20

VA Recommendations

Take administrative sanctions against:

IT Specialist

Birmingham REAP Director

Birmingham REAP Associate Director

Medicare Analysis Center Director

VA Information Resource Center Director

Birmingham Medical Center Director

Associate Chief of Staff for Research

Develop Government Risk Criteria for determining need to notify.

Require encryption on portable devices.

21

VA Recommendations (cont.)

Re-evaluate position sensitivity levels and background investigations.

Institute release of information practices for research.

Develop access policies for programmer access for research.

Require data security plan before IRB approval.

Audit for waiver compliance.

Enforce access policies for National Data Centers.

Prohibit storage of VA information on non-VA systems.

Discontinue receiving VA email at UAB.

Assess alignment of REAP management structure.

Correct dysfunctional management structure.

22

“Oh, that can’t happen here…”

23

Recent Examples of Incidents Impacting UAB/UABHS Research

Research database with protected health information stolen from a locked office

Thumb drive containing research database lost

Laptop with research database stolen

24

What are the risks associated with a breach in security?

Risks to Individual whose PHI is compromised: Embarrassment, misuse of personal data, victim of fraud or scams, identity theft

Risks to the Institution: Loss of information and equipment, trust of constituencies, reputation, future grant awards; negative publicity; penalties, fines, litigation

Risks to Research: Loss of data or data integrity, funding in jeopardy. If serious and/or continuing noncompliance is determined by the IRB, then possible suspension or termination could result, as well as a report to the Office for Human Research Protections, other federal agencies, research sponsors, and other institutional officials as appropriate.

Risks to Investigator or Employee: Loss of data, time, funding, reputation; embarrassment; disciplinary action, prosecution, fines, civil and criminal penalties

25

At UAB, HIPAA affects…

More than 12,000 employees, which is approximately 67% of the UAB/UABHS workforce

More than 5,000 students

Over 44,000 hospital discharges annually

Over 400,000 outpatient visits annually

$450 million awarded in grants and contracts involving human subjects

Physical plant of approximately 80 blocks

26

Final Jeopardy

Answer:

The 18 elements that can be used to identify an individual as documented in the HIPAA Regulations.

27

What is protected health information?

Protected health information (PHI) is any information, including demographic information, that is TRANSMITTED or MAINTAINED in any MEDIUM (electronically, on paper, or via the spoken word) that is created or received by a health care provider, health plan, or health care clearinghouse that relates to or describes the past, present, or future physical or mental health or condition of an individual or past, present, or future payment for the provision of healthcare to the individual, and that can be used to identify the individual.

“ePHI” is often used to designate electronic PHI.

28

PHI Data Elements

The following identifiers of the individual, or of relatives, employers, or household members of the individual, are considered PHI:

1. Names
2. Geographic subdivisions smaller than a state (street address, city, county, precinct, zip, equivalent geo-codes)
3. All elements of dates (except year) including birth date, admission and discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers

29

PHI Data Elements (continued):

10. Account numbers
11. Certificate/License numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code, except as allowed under the ID specifications (164.514(c))

30

So that means…

Linking any one of these 18 PHI data elements to an identified diagnosis or medical condition, whether the diagnosis comes from a medical record or is self-reported by the participant, means that PHI is being maintained.

Example: A database entitled “Liver Transplant Recipients” containing only individuals’ names is linking 1 PHI data element with a medical condition. The database contains PHI.

Do you have PHI as part of your research data?

31

Types of Data Protected by HIPAA

Written documentation and all paper records

Spoken and verbal information, including voice mail messages

Electronic databases and any electronic information containing PHI stored on a computer, PDA, memory card, USB drive, or other electronic media

32

Research: A Use

Sharing of PHI among UAB/UABHS covered entities for research is considered a “use” of PHI.

New requirement for researchers: All databases containing PHI must adhere to the UAB/UABHS information privacy and security standards as required by the federal HIPAA regulations.

33

How Researchers Can Use or Disclose PHI in Compliance with HIPAA

If the Institutional Review Board (IRB) has approved the research and one or more of the following conditions exists:

1. The activity is preparatory to research.
2. The research involves only decedent PHI.
3. The research uses a “limited data set” and data use agreement.
4. The patients or participants have signed an authorization to use the PHI for the research.
5. The IRB has granted a waiver for the required patient/participant signed authorization.

34

Recruiting and Screening

Research recruitment techniques must meet HIPAA standards for privacy and confidentiality.

Investigators must separate the roles of researcher and clinician.

Investigators must not use their clinical access privileges to search patient records for potential research participants.

Physicians may contact only their own patients to recruit for research studies.

If investigators receive data from a covered entity to complete their research, then the principal investigators or designated researchers must provide a copy of the fully executed IRB approval form to the covered entity holding the data before the data can be released for research.

A covered entity may require that the investigators complete its own HIPAA compliant Authorization for Use/Disclosure of Health Information form in addition to providing the IRB approval form.

35

De-Identified Data and HIPAA

De-identified data means that all 18 PHI data elements have been removed prior to receipt by the researcher; no further action is required to meet HIPAA compliance. De-identified data are not PHI.

See “HIPAA Handbook for Researchers” regarding statistical methods to de-identify data and re-identifying codes. This UAB handbook is available at www.uab.edu/irb/hipaa/hipaa-handbook.pdf.
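As an added example that is not part of the slides or of any UAB tool, the Python helper below screens a research extract for the pattern-detectable PHI elements listed on slides 28 and 29, applies the slide 30 linking rule (identifier plus diagnosis or condition means PHI), and so gives a first-pass answer to the slide 35 question of whether data are really de-identified. The column names, regular expressions and sample records are constructed assumptions; biometric and photographic identifiers (Nos. 16 and 17) cannot be found by text patterns and still need manual review.

```python
import re
from typing import Dict, List

# Hypothetical screening helper (added here; not from the UAB slides or any UAB
# tool). It spots identifier categories that can be found by pattern and applies
# the slides' rule: an identifier linked to a diagnosis/condition means PHI.

# Constructed value patterns for identifier Nos. 3-7, 14 and 15.
VALUE_PATTERNS = {
    "full date (No. 3)": re.compile(r"\b(\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "telephone/fax (No. 4/5)": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email (No. 6)": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "SSN (No. 7)": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "URL (No. 14)": re.compile(r"\bhttps?://\S+", re.I),
    "IP address (No. 15)": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
# Column names that are direct identifiers by definition (Nos. 1, 8-13).
ID_COLUMNS = {"name", "first_name", "last_name", "mrn", "medical_record_number",
              "health_plan_id", "account_number", "license_number", "vin",
              "device_serial"}
# Column names that carry a diagnosis or medical condition.
CONDITION_COLUMNS = {"diagnosis", "dx", "condition", "icd9", "icd10"}


def find_identifiers(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each column to the identifier categories found in it, if any."""
    hits: Dict[str, set] = {}
    for row in rows:
        for col, val in row.items():
            key = col.strip().lower()
            if key in ID_COLUMNS:
                hits.setdefault(col, set()).add("direct identifier column")
            # No. 3 also makes any age over 89 an identifier, even with no date.
            if key == "age" and val.strip().isdigit() and int(val) > 89:
                hits.setdefault(col, set()).add("age over 89 (No. 3)")
            for label, pattern in VALUE_PATTERNS.items():
                if pattern.search(val):
                    hits.setdefault(col, set()).add(label)
    return {col: sorted(cats) for col, cats in hits.items()}


def contains_phi(rows: List[Dict[str, str]], title_implies_condition: bool = False) -> bool:
    """Identifier present AND linked to a condition => the data set is PHI."""
    # The link comes from a diagnosis column, or from the data set's title (the
    # slides' "Liver Transplant Recipients" case), flagged by the caller.
    has_identifier = bool(find_identifiers(rows))
    has_condition = title_implies_condition or any(
        col.strip().lower() in CONDITION_COLUMNS for row in rows for col in row)
    return has_identifier and has_condition


# Constructed samples: names-only under a condition-revealing title, vs. age/year only.
TRANSPLANT_DB = [{"name": "Sample Person A"}, {"name": "Sample Person B"}]
DEIDENTIFIED_DB = [{"age": "45", "year_of_admission": "2006", "dx": "Condition X"}]
```

A column flagged by find_identifiers is the element to strip or code before the extract leaves the secure server; a clean result is a starting point for the statistical methods in the HIPAA Handbook, not a substitute for them.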

36

Minimum Necessary Standard

HIPAA requires that a covered entity limits the PHI it releases/discloses to a researcher to the “information reasonably necessary to accomplish the purpose.” A covered entity relies on the researcher’s request and the documentation from the IRB to describe the minimum PHI necessary to accomplish research goals.

A signed authorization from the research patient or participant supersedes the minimum necessary restriction.

37

A Business Associate Agreement (BAA)…

Is required before you contract with a third party individual or vendor to perform research activities involving the use or disclosure of PHI.

Binds the third party individual or vendor to the HIPAA regulations when performing the contracted services.

Must be approved in accordance with UAB/UABHS policies and procedures.

Additional information about BAAs can be found on the UAB/UABHS HIPAA Website at www.hipaa.uab.edu.

38

Patient Rights

HIPAA guarantees certain rights of privacy to patients.

If PHI is released or disclosed to a researcher, then the researcher becomes responsible for ensuring that the use and disclosure of PHI complies with HIPAA regulations as outlined in the UAB/UABHS HIPAA standards.

39

The HIPAA Security Rule

Confidentiality

Integrity

Availability

40

The Researcher must…

Provide and maintain database security, including physical security and access.

Control and manage the access, use, and disclosure of the PHI.

41

The Researcher’s Role in Information Security

Store PHI in locked areas, desks, and cabinets.

Control access to research areas.

Obtain lock down mechanisms for devices and equipment in easily accessible areas.

Challenge persons without badges in restricted areas.

Verify requests of maintenance, IT, or delivery personnel.

42

Desktop/Workstation Security

Arrange computer screen so that it is not visible by unauthorized persons.

Log off before leaving the workstation.

Configure the workstation to automatically log off and require the user to log in if there is no activity for more than 15 minutes.

Set a screensaver with password protection to engage after 5 minutes of inactivity.

Manage your research data. Store documents and databases with ePHI securely on a network file server. Do NOT store ePHI on the workstation (C: drive).

Do not allow coworkers to use your computer without first logging off.

43

Portable Device Security

Portable devices include hand-held, notebook, and laptop computers, personal digital assistants, cell phones, and pocket or portable memory devices such as thumb and jump drives.

Do not use a portable device for storing ePHI.

Use password protection.

Delete ePHI when it is no longer needed.

Keep your application software up-to-date.

Back up critical software and data on a secured network.

Follow all of the recommendations for workstation security.

Use only VPN for remote wired and wireless connectivity.

Check with IT representatives for other security safeguards.

Use encryption when transporting ePHI on any mobile computing device. Be sure to back up encryption keys.

44

What is encryption?

The process of transforming data to an unintelligible form in such a way that the original data cannot be obtained without using the inverse decryption process.

45

Email Use

General Rule: Do NOT send emails containing PHI.

At UAB/UABHS, do NOT email ePHI except between Groupwise and Central Exchange email addresses. Confirm Central Exchange addresses with AskIT.

Email with ePHI to addresses outside the Groupwise/Central Exchange systems must be encrypted. Ask your IT representative to assist you with encryption.

Do not FORWARD your UAB emails to outside email systems, e.g., AOL, hotmail, yahoo, gmail.

46

Internet Use

Do not use web-based personal file and backup media, e.g., Google docs, spreadsheets, personal backup sites, etc.

Do not surf the web if using an account with administrator rights.

47

Account Management

Do not share your user account, password, token, or other system access.

Use strong passwords that are at least 6 or 8 characters long, depending on the minimum required by your system. Include upper and lower case letters, numbers, and special characters such as #, %, ?, and $.

Do not use pet names, birthdates, or words found in the dictionary.

If you must write down your password, keep it locked up or in your wallet, protected like a credit card.

Do not enable your browser to remember your password.

Only access PHI/ePHI for business related purposes.

Do not use your system access to look up medical information on yourself, family, friends, or coworkers.

Notify IT support immediately if you believe your system access has been compromised.

48

What if an incident occurs?

Call the appropriate helpdesk: HSIS at 934-8888 or AskIT at 996-5555.

Contact the IRB office at 934-3789.

Gather as much information regarding the incident as possible.

Document information on the appropriate incident reporting form.

Do not delete anything.

If information or equipment is stolen, contact the UAB Police Department and file a report.

Cooperate with investigators (both internal and external).

Refer external inquiries regarding the incident to UAB Media Relations.

49

Others That Can Help

AskIT Help Desk at 996-5555

HSIS Help Desk at 934-8888

Your Entity Privacy Coordinator or your Entity Security Coordinator

UAB HIPAA Security Officer, Terrell Herzig, at 975-0072

50

Remember the HIPAA Mantra

Everyone is responsible for the privacy and security of protected health information.