Beyond HIPAA Regulations Inside the Research Quadrant

1
Beyond HIPAA Regulations Inside the Research
Quadrant
NCHICA
NCHICA Conference AMC Security Privacy
Progress Prospects
Sept 26 - 28, 2005
Gregg Fromell, MD Office of Human
Research University of Pennsylvania
Lowrie Beacham, PhD Duke Clinical Research
Institute Duke University
2
HIPAA Re-cap

• HIPAA Privacy Rule
• Effective date April 2003
• Identifies protected health information (PHI)
• Applies to information in any form, paper or
  electronic
• HIPAA Security Rule
• Effective date April 2005
• Applies to PHI in electronic form

3
HIPAA Security Rule

• Three main areas of focus
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards

4
HIPAA Security Rule

• Administrative safeguards
• Security Management process (risk analysis
  risk management)
• Assigned Security Responsibility
• Work force security (method to grant and revoke
  access)
• Security awareness training
• Security incidents procedures (includes
  sanctions)
• Contingency planning (back-up disaster
  recovery)
• Evaluation (independent assessment of
  compliance)
• Business associate contracts

5
HIPAA Security Rule

• Physical Safeguards
• Facility access controls
• Work station use
• Work station security
• Device Media controls

• Technical Safeguards
• Access control
• Audit control
• Integrity controls
• Person or entity authentication
• Transmission security

6

• HIPAA the NIH

Lowrie Beacham, PhD Duke Clinical Research
Institute
6
7
HIPAA influencing the NIH or vice versa?

• Precursors
• Computer Security Act of 1987
• DHHS AISSP Handbook (1994)
• Automated Info Systems Sec. Program
• OMB A-130, Appendix III (2000)
• Security of Fed. Automated Info Systems

8
Case in Point NIH - the first sighting

• TADS RFP, April 2002
• the proposal must present a detailed outline of
  its proposed IT systems security program
• Lists the three references as resources
• Page 49 of the RFP, so

9
NIH - the serious sighting

• Roadmap contract, August 2004
• Page 30 of 34
• Same language but
• this time we mean it!
• Now, theres a template

10
The Template Hey! These folks are serious!

• One of the items called for by DHHS Info.
  Security Program CA Guide (August 2003)
• 22 Pages of requirements
• System Identification
• Management Controls
• Operational Controls
• Technical Controls

11
Deja HIPAA View

• HIPAA Security 164 Subpart C
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards

• DHHS Info. Security Program
• Management Controls
• Operational Controls
• Technical Controls

12
NIH Plan Security Template Contents

• Management Controls
• Risk Assessment and Management
• Review of Security Controls
• Rules of Behavior
• Planning for Security in the Life Cycle
• Certification and Accreditation

13
NIH Plan Security Template Contents

• Operational Controls
• Personnel Security
• Physical and Environmental Protection
• Contingency Planning and Disaster Recovery
• Security Awareness and Training
• System Configuration Mgmt. Controls

14
NIH Plan Security Template Contents

• Technical Controls
• Identification and Authentication
• Logical Access Controls
• Public Access Controls
• Audit trails

15

• FDA Data Security

Gregg Fromell, MD University of Pennsylvania
15
16
FDA 21CFR 11

• Title 21 of the Code of Federal Regulations, part
  11 governs
• Electronic records
• Electronic signatures
• Handwritten signatures executed to electronic
  records

17
FDA 21CFR 11
History of Part 11

• March 1997, first release
• establish criteria for the acceptance of
  electronic records as trustworthy, reliable and
  equivalent to paper records.
• 1997 - 2002
• Significant industry feedback on large cost
  burdens and restrictions on technology
  development
• 2002 - 2003
• FDA withdrew draft guidance for a rewrite
• August 2003
• Guidance revised Electronic Records Electronic
  Signatures Scope and Application
• September 2003
• Guidance Computerized Systems Used in Clinical
  Trials

18
21CFR 11

• 21CFR312 predicate rule -- research data that
  must be maintained
• 312.62 (b) An investigator is required to
  prepare and maintain adequate and accurate case
  histories that record all observations and other
  data pertinent to the investigations
• 21CRF 11 addresses research data that are
  maintained in electronic format
• in place of paper format
• in addition to paper format, and that are relied
  on to perform regulated activities
• Medical record data also affected by 21CFR312
  21CFR11
• When medical records contain data used as source
  documentation for FDA-regulated human research

19
FDA 21CFR 11

• Validation
• Ability to create accurate copies
• Audit trail
• Documentation of system access data change
• Computer-generated date time stamp
• Common additional interpretation
• Maintain old response new response
• Access to records record retention
• Authority Device checks (security)
• Physical access
• Electronic access

• Operational checks (QA/QC)
• Personnel training
• Persons supporting system
• Persons entering/editing data
• Written policies
• Responsibilities of those with access
• Accountability
• Controls over system documentation
• Open system control
• Only applies if access is beyond internal
  electronic network
• Electronic Signature standards

20
Deja HIPAA View All Over Again
HIPAA - 21CFR11, wheres the overlap?

• Validation
• Ability to create accurate copies
• Audit trail
• Access to records record retention
• Authority Device checks (security)

• Operational checks
• Personnel training
• Written policies
• Controls over system documentation
• Open system control
• Electronic signature standards

21
Deja HIPAA View All Over Again
HIPAA - 21CFR11, wheres the overlap?

• Validation
• Ability to create accurate copies
• Audit trail
• Access to records record retention
• Authority Device checks (security)

• Operational checks
• Personnel training
• Written policies
• Controls over system documentation
• Open system control
• Electronic signature standards

• Operational checks
• Personnel training
• Written policies
• Controls over system documentation
• Open system control

• Audit trail
• Access to records record retention
• Authority Device checks (security)

22

• Approaches to Compliance

Lowrie Beacham, PhD Duke Clinical Research
Institute
22
23
How are we going to comply?
Two approaches

• A. System-atically
• In one (large) document, cover any and all
  applications that will be used in fulfilling the
  contract.
• B. Environmentally
• Treat the entire IT environment as one system,
  since most security measures are so directed.

24
One from Column A weve done both

• Approach A 41 pages
• Its complex
• Its repetitive
• Its comprehensive!
• Approach B 18 pages
• Its cleaner
• Its leaner
• But it may not always sell

25
Why not?

• Inter-agency acceptability
• Moving target

26
Interagency Acceptability Example

• NIH and CDC
• Both DHHS agencies
• Both require System Security Plans
• Buttheyre not (exactly) the same template

27
The moving target

• Everyone is working on Information Security
• The latest (as of this writing)
• NIST Special Publication 800-53

28
NIST SP 800-53
Recommended Security Controls for Federal
Information Systems

• Fresh off the presses, May 2005
• 116 scintillating pages best being
• Security Control Catalog pp. 40-105

29
NIST SP 800-53

• Security Control Catalog
• 162 items covering (among others)
• Access control
• Training
• Assessments and certification
• Contingency planning
• Physical and environmental protection
• Personnel Security
• Risk Assessment
• Communications protection
• and, (buried under System Services Acquisition)

30
SA-9 Outsourced Information System Services

• Third party providers are subject to the same
  information system security policies and
  procedures of (sic) the supported organization,
  and must conform to the same security control and
  documentation requirements as would apply to the
  organizations internal systems.

31
SA-9 Outsourced Information System Services

• The NIH is the supported organization
• The contractor is the third-party provider
• If you want to play, you use their ball.

32
Have fun!
But

• Arent you glad you did such a thorough job of
  complying with HIPAA Security?
• -)