Storage and Security of Research Data

1
Storage and Security ofResearch Data

• IRB Continuing Education 2007
• Sheila Moore, CIP
• Director, Office of the IRB
• Terrell Herzig
• UAB/UABHS HIPAA Security Officer

2
The Good Old Days

• All research files will be stored in a locked
  file cabinet in a locked office.
• The above may still be true, but more than likely
  there will be some sort of electronic storage of
  data.

3
Paper and Electronic Storage

• The IRB is concerned with ensuring that the
  confidentiality of participants research records
  is maintained whether it be paper and/or
  electronic storage.
• Each protocol needs to adequately address
  confidentiality of participant records.

4
Internet/Web

• The IRB is concerned with ensuring that the
  confidentiality of participants research records
  is maintained when data is sent via the internet
  as well.
• This includes use (transfiguring) of data on
  outside groups
• e.g., Google

5
Human Subjects Protocol (HSP)Confidentiality Q22

• Describe the manner and method for storing
  research data and maintaining confidentiality. If
  data will be stored electronically anywhere other
  than a server maintained centrally by UAB,
  identify the departmental and all computer
  systems used to store protocol-related data, and
  describe how access to that data will be limited
  to those with a need to know.
• If data stored electronically anywhere other than
  a server maintained centrally by UAB contact
  HIPAA security for guidance.

6
HSP Confidentiality (continued)

• Will any information derived from this study be
  given to any person, including the subject, or
  any group, including coordinating centers and
  sponsors?
• Yes No
• If Yes, complete i-iii.
• i. To whom will the information be given?      
• ii. What is the nature of the information?      
• iii. How will the information be identified,
  coded, etc.?      

7
Electronic Storage of Data

• The IRB must review process/research in which
• Data maintained electronically for storage and
  data analysis
• Databases used to collect/store information for
  current research or for future research use
• Will be asking about storage of data on final
  report form

8
Database ResearchClinical and/or Research

• Where the purpose/intent of the research is to
  generate and maintain a database for research
  purposes
• Researcher is gathering information about human
  subjects to populate a research database
• Database may have a dual intent. If research is
  an intent must have IRB review

9
Dual Intent

• Database for Clinical use and Research use
• Database for clinical use review for compliance
  with HIPAA security standards
• Intent includes research must have IRB review
• No laptop storage access a secure server where
  database is securely stored

10
Research Data

• Data collected for a protocol may not be
  released to others (including other researchers
  or students, at UAB or elsewhere) without first
  obtaining UAB IRB approval
• This includes data from terminated protocols

11
Electronic Storage

• If there has been a change in storage process and
  data are now stored electronically, submit
  revision to IRB for review.

12
Rule of Thumb!

• DONT
• use thumb
• drive for storage of research data!

13
Describe to IRB

• The security measures for data
• Coding
• Encryption
• No data taken off-campus

14
HIPAA and

• The UAB Researcher
• Terrell W. Herzig, MSHI
• UAB/UABHS HIPAA Security Officer
• HSIS Data Security Officer

15
A Recent Scenario

• Background
• A computer external hard drive, used to backup a
  clinical research database, contains protected
  health information.
• It is of average size for such devices, 2x8x6.
• It is in a locked private office.
• If this external hard drive goes missing, how
  much would it cost?

16
Choose only one answer

• A. 104
• B. 1.8 million x 30
• C. Lost productivity for an entire entity while
  cooperating with an investigation (estimated at
  23 million)
• D. Research is shut down
• E. All of the above

17
And the answer is

• A. 104
• B. 1.8 million x 30
• C. Lost productivity for an entire entity while
  cooperating with an investigation (estimated at
  23 million)
• D. Research is shut down
• E. All of the above

18
How much would the same drive have cost if
proper safeguards had been in place?

• Answer
• 127
• 104 for the drive
• 23 for the encryption software

19
Other interesting numbers

• 5
• Number of hours the person who lost
• the drive spent hooked to a polygraph
• 2
• Number of federal agents on campus conducting the
  investigation
• 12
• Number of weeks of man hours spent
• by the organization cooperating with the agents
• lt1
• Number of blocks from UAB/UABHS this facility
  lies
• 9
• Number of joint UAB/VA research projects under
  investigation
• by the VAs IRB and Chief Information Security
  Officer

20
VA Recommendations

• Take administrative sanctions against
• IT Specialist
• Birmingham REAP Director
• Birmingham REAP Associate Director
• Medicare Analysis Center Director
• VA Information Resource Center Director
• Birmingham Medical Center Director
• Associate Chief of Staff for Research
• Develop Government Risk Criteria for determining
  need to notify.
• Require encryption on portable devices

21
VA Recommendations (cont.)

• Re-evaluate position sensitivity levels and
  background investigations.
• Institute release of information practices for
  research.
• Develop access policies for programmer access for
  research.
• Require data security plan before IRB approval.
• Audit for waiver compliance.
• Enforce access policies for National Data
  Centers.
• Prohibit storage of VA information on non-VA
  systems. Discontinue receiving VA email at UAB.
• Assess alignment of REAP management structure.
  Correct dysfunctional management structure.

22

• Oh, that cant happen here

23
Recent Examples of Incidents Impacting UAB/UABHS
Research

• Research database with protected health
  information stolen from a locked office
• Thumb drive containing research database lost
• Laptop with research database stolen

24
What are the risks associated with a breach in
security?

• Risks to Individual whose PHI is compromised
• Embarrassment, misuse of personal data, victim of
  fraud or scams, identify theft
• Risks to the Institution
• Loss of information and equipment, trust of
  constituencies, reputation, future grant awards
  negative publicity penalties, fines, litigation
• Risks to Research
• Loss of data or data integrity, funding in
  jeopardy
• If serious and/or continuing noncompliance is
  determined by the IRB, then possible suspension
  or termination could result as well as report to
  the Office for Human Research Protections, other
  federal agencies, research sponsors, and other
  institutional officials as appropriate.
• Risks to Investigator or Employee
• Loss of data, time, funding, reputation
  embarrassment disciplinary action, prosecution,
  fines, civil and criminal penalties

25
At UAB, HIPAA affects

• More than 12,000 employees, which is
  approximately 67 of the UAB/UABHS workforce
• More than 5,000 students
• Over 44,000 hospital discharges annually
• Over 400,000 outpatient visits annually
• 450 million awarded in grants and contracts
  involving human subjects
• Physical plant of approximately 80 blocks

26
Final Jeopardy

• Answer
• The 18 elements that can be used to identify an
  individual as documented in the HIPAA
  Regulations.

27
What is protected health information?

• Protected health information (PHI) is any
  information, including demographic information,
  that is TRANSMITTED or MAINTAINED in any MEDIUM
  (electronically, on paper, or via the spoken
  word) that is created or received by a health
  care provider, health plan, or health care
  clearinghouse that relates to or describes the
  past, present, or future physical or mental
  health or condition of an individual or past,
  present, or future payment for the provision of
  healthcare to the individual, and that can be
  used to identify the individual.
• ePHI is often used to designate electronic PHI.

28
PHI Data Elements

• The following identifiers of the individual, or
  of relatives, employers, or household members of
  the individual, are considered PHI
• Names
• Geographic subdivisions smaller than a state
  (street address, city, county, precinct, zip,
  equivalent geo-codes)
• All elements of dates (except year) including
  birth date, admission and discharge dates, date
  of death, and all ages over 89 and all elements
  of dates (including year) indicative of such age.
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers

29
PHI Data Elements (continued)

• Account numbers
• Certificate/License numbers
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice
  prints
• Full face photographic images and any comparable
  images
• Any other unique identifying number,
  characteristic, code, except as allowed under the
  ID specifications (164.514c)

30
So that means

• Linking any one of these 18 PHI data elements to
  an identified diagnosis or medical condition,
  whether the diagnosis comes from a medical record
  or is self-reported by the participant, means
  that PHI is being maintained.
• Example
• A database entitled Liver Transplant Recipients
  containing only individuals names is linking 1
  PHI data element with a medical condition. The
  database contains PHI.
• Do you have PHI as part of
• your research data?

31
Types of Data Protected by HIPAA

• Written documentation and all paper records
• Spoken and verbal information including voice
  mail messages
• Electronic databases and any electronic
  information containing PHI stored on a computer,
  PDA, memory card, USB drive, or other electronic
  media

32
Research A Use

• Sharing of PHI among UAB/UABHS covered entities
  for research is considered a use of PHI.
• New requirement for researchers All databases
  containing PHI must adhere to the UAB/UABHS
  information privacy and security standards as
  required by the federal HIPAA regulations.

33
How Researchers Can Use or Disclose PHI in
Compliance with HIPAA

• If the Institutional Review Board (IRB) has
  approved the research and
• One or more of the following conditions exists
• The activity is preparatory to research.
• The research involves only decedent PHI.
• The research uses a limited data set and data
  use agreement.
• The patients or participants have signed an
  authorization to use the PHI for the research.
• The IRB has granted a waiver for the required
  patient/participant signed authorization.

34
Recruiting and Screening

• Research recruitment techniques must meet HIPAA
  standards for privacy and confidentiality.
• Investigators must separate the roles of
  researcher and clinician.
• Investigators must not use their clinical access
  privileges to search patient records for
  potential research participants.
• Physicians may contact only their own patients to
  recruit for research studies.
• If investigators receive data from a covered
  entity to complete their research, then the
  principal investigators or designated researchers
  must provide a copy of the fully executed IRB
  approval form to the covered entity holding the
  data before the data can be released for
  research.
• A covered entity may require that the
  investigators complete its own HIPAA compliant
  Authorization for Use/Disclosure of Health
  Information form in addition to providing the IRB
  approval form.

35
De-Identified Data and HIPAA

• De-identified data means that all 18 PHI data
  elements have been removed prior to receipt by
  the researcher, no further action is required to
  meet HIPAA compliance. De-identified data are
  not PHI.
• See HIPAA Handbook for Researchers regarding
  statistical methods to de-identify data and
  re-identifying codes. This UAB handbook is
  available at www.uab.edu/irb/hipaa/hipaa-handbook.
  pdf.

36
Minimum Necessary Standard

• HIPAA requires that a covered entity limits the
  PHI it releases/discloses to a researcher to the
  information reasonably necessary to accomplish
  the purpose. A covered entity relies on the
  researchers request and the documentation from
  the IRB to describe the minimum PHI necessary to
  accomplish research goals.
• A signed authorization from the research patient
  or participant supersedes the minimum necessary
  restriction.

37
A Business Associate Agreement (BAA)

• Is required before you contract with a third
  party individual or vendor to perform research
  activities involving the use or disclosure of
  PHI.
• Binds the third party individual or vendor to the
  HIPAA regulations when performing the contracted
  services.
• Must be approved in accordance with UAB/UABHS
  policies and procedures.
• Additional information about BAAs can be found on
  the UAB/UABHS HIPAA Website at www.hipaa.uab.edu.

38
Patient Rights

• HIPAA guarantees certain rights of privacy to
  patients.
• If PHI is released or disclosed to a researcher,
  then the researcher becomes responsible for
  ensuring that the use and disclosure of PHI
  complies with HIPAA regulations as outlined in
  the UAB/UABHS HIPAA standards.

39
The HIPAA Security Rule
40
The Researcher must

• Provide and maintain database security, including
  physical security and access.
• Control and manage the access, use, and
  disclosure of the PHI.

41
The Researchers Role in Information Security

• Store PHI in locked areas, desks, and cabinets.
• Control access to research areas.
• Obtain lock down mechanisms for devices and
  equipment in easily accessible areas.
• Challenge persons without badges in restricted
  areas.
• Verify requests of maintenance, IT, or delivery
  personnel.

42
Desktop/Workstation Security

• Arrange computer screen so that it is not visible
  by unauthorized persons.
• Log off before leaving the workstation.
• Configure the workstation to automatically log
  off and require user to login if no activity for
  more than 15 minutes.
• Set a screensaver with password protection to
  engage after 5 minutes of inactivity.
• Manage your research data. Store documents and
  databases with ePHI securely on a network file
  server. Do NOT store ePHI on the workstation (C
  drive).
• Do not allow coworkers to use your computer
  without first logging off.

43
Portable Device Security

• Portable devices include hand-held, notebook,
  and laptop computers, personal digital
  assistants, cell phones, and pocket or portable
  memory devices such as thumb and jump drives.
• Do not use a portable device for storing ePHI.
• Use password protection.
• Delete ePHI when it is no longer needed.
• Keep your application software up-to-date.
• Back-up critical software and data on a secured
  network.
• Follow all of the recommendations for workstation
  security.
• Use only VPN for remote wired and wireless
  connectivity.
• Check with IT representatives for other security
  safeguards.
• Use encryption when transporting ePHI on any
  mobile computing device. Be sure to backup
  encryption keys.

44
What is encryption?

• The process of transforming data to an
  unintelligible form in such a way that the
  original data can not be obtained without using
  the inverse decryption process.

45
Email Use

• General Rule Do NOT send emails containing PHI.
• At UAB/UABHS, do NOT email ePHI except between
  Groupwise and Central Exchange email addresses.
  Confirm Central Exchange addresses with AskIT.
• Email with ePHI to addresses outside the
  Groupwise/Central Exchange systems must be
  encrypted. Ask your IT representative to assist
  you with encryption.
• Do not FORWARD your UAB emails to outside email
  systems, i.e. AOL, hotmail, yahoo, gmail.

46
Internet Use

• Do not use web-based personal file and backup
  media, i.e. Google docs, spreadsheets, personal
  backup sites, etc.
• Do not surf the web if using an account with
  administrator rights.

47
Account Management

• Do not share your user account, password, token,
  or other system access.
• Use strong passwords that are at least 6 or 8
  characters long, depending on the minimum
  required by your system. Include upper and lower
  case letters, numbers, and special characters
  such as , , ?, and .
• Do not use pet names, birthdates, or words found
  in the dictionary.
• If you must write down your password, keep it
  locked up or in your wallet protected like a
  credit card.
• Do not enable your browser to remember your
  password.
• Only access PHI/ePHI for business related
  purposes.
• Do not use your system access to look up medical
  information on yourself, family, friends, or
  coworkers.
• Notify IT support immediately if you believe your
  system access has been compromised.

48
What if an incident occurs?

• Call the appropriate helpdesk HSIS at 934-8888
  or AskIT at 996-5555.
• Contact the IRB office at 934-3789.
• Gather as much information regarding the incident
  as possible.
• Document information on the appropriate incident
  reporting form.
• Do not delete anything.
• If information or equipment is stolen, contact
  the UAB Police Department and file a report.
• Cooperate with investigators (both internal and
  external).
• Refer external inquiries regarding the incident
  to UAB Media Relations.

49
Others That Can Help

• AskIT Help Desk at 996-5555
• HSIS Help Desk at 934-8888
• Your Entity Privacy Coordinator or your Entity
  Security Coordinator
• UAB HIPAA Security Officer, Terrell Herzig, at
  975-0072

50
Remember the HIPAA Mantra

• Everyone is responsible for the privacy and
  security of protected health information.