Beyond HIPAA Regulations Inside the Research Quadrant - PowerPoint PPT Presentation

1 / 32
About This Presentation
Title:

Beyond HIPAA Regulations Inside the Research Quadrant

Description:

Title: Testing Author: Gregg Fromell Last modified by: Gregg Fromell Created Date: 9/12/2005 8:59:46 PM Document presentation format: On-screen Show – PowerPoint PPT presentation

Number of Views:179
Avg rating:3.0/5.0
Slides: 33
Provided by: GreggF3
Category:

less

Transcript and Presenter's Notes

Title: Beyond HIPAA Regulations Inside the Research Quadrant


1
Beyond HIPAA Regulations Inside the Research
Quadrant
NCHICA
NCHICA Conference AMC Security Privacy
Progress Prospects
Sept 26 - 28, 2005
Gregg Fromell, MD Office of Human
Research University of Pennsylvania
Lowrie Beacham, PhD Duke Clinical Research
Institute Duke University
2
HIPAA Re-cap
  • HIPAA Privacy Rule
  • Effective date April 2003
  • Identifies protected health information (PHI)
  • Applies to information in any form, paper or
    electronic
  • HIPAA Security Rule
  • Effective date April 2005
  • Applies to PHI in electronic form

3
HIPAA Security Rule
  • Three main areas of focus
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards

4
HIPAA Security Rule
  • Administrative safeguards
  • Security Management process (risk analysis
    risk management)
  • Assigned Security Responsibility
  • Work force security (method to grant and revoke
    access)
  • Security awareness training
  • Security incidents procedures (includes
    sanctions)
  • Contingency planning (back-up disaster
    recovery)
  • Evaluation (independent assessment of
    compliance)
  • Business associate contracts

5
HIPAA Security Rule
  • Physical Safeguards
  • Facility access controls
  • Work station use
  • Work station security
  • Device Media controls
  • Technical Safeguards
  • Access control
  • Audit control
  • Integrity controls
  • Person or entity authentication
  • Transmission security

6
  • HIPAA the NIH

Lowrie Beacham, PhD Duke Clinical Research
Institute
6
7
HIPAA influencing the NIH or vice versa?
  • Precursors
  • Computer Security Act of 1987
  • DHHS AISSP Handbook (1994)
  • Automated Info Systems Sec. Program
  • OMB A-130, Appendix III (2000)
  • Security of Fed. Automated Info Systems

8
Case in Point NIH - the first sighting
  • TADS RFP, April 2002
  • the proposal must present a detailed outline of
    its proposed IT systems security program
  • Lists the three references as resources
  • Page 49 of the RFP, so

9
NIH - the serious sighting
  • Roadmap contract, August 2004
  • Page 30 of 34
  • Same language but
  • this time we mean it!
  • Now, theres a template

10
The Template Hey! These folks are serious!
  • One of the items called for by DHHS Info.
    Security Program CA Guide (August 2003)
  • 22 Pages of requirements
  • System Identification
  • Management Controls
  • Operational Controls
  • Technical Controls

11
Deja HIPAA View
  • HIPAA Security 164 Subpart C
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • DHHS Info. Security Program
  • Management Controls
  • Operational Controls
  • Technical Controls

12
NIH Plan Security Template Contents
  • Management Controls
  • Risk Assessment and Management
  • Review of Security Controls
  • Rules of Behavior
  • Planning for Security in the Life Cycle
  • Certification and Accreditation

13
NIH Plan Security Template Contents
  • Operational Controls
  • Personnel Security
  • Physical and Environmental Protection
  • Contingency Planning and Disaster Recovery
  • Security Awareness and Training
  • System Configuration Mgmt. Controls

14
NIH Plan Security Template Contents
  • Technical Controls
  • Identification and Authentication
  • Logical Access Controls
  • Public Access Controls
  • Audit trails

15
  • FDA Data Security

Gregg Fromell, MD University of Pennsylvania
15
16
FDA 21CFR 11
  • Title 21 of the Code of Federal Regulations, part
    11 governs
  • Electronic records
  • Electronic signatures
  • Handwritten signatures executed to electronic
    records

17
FDA 21CFR 11
History of Part 11
  • March 1997, first release
  • establish criteria for the acceptance of
    electronic records as trustworthy, reliable and
    equivalent to paper records.
  • 1997 - 2002
  • Significant industry feedback on large cost
    burdens and restrictions on technology
    development
  • 2002 - 2003
  • FDA withdrew draft guidance for a rewrite
  • August 2003
  • Guidance revised Electronic Records Electronic
    Signatures Scope and Application
  • September 2003
  • Guidance Computerized Systems Used in Clinical
    Trials

18
21CFR 11
  • 21CFR312 predicate rule -- research data that
    must be maintained
  • 312.62 (b) An investigator is required to
    prepare and maintain adequate and accurate case
    histories that record all observations and other
    data pertinent to the investigations
  • 21CRF 11 addresses research data that are
    maintained in electronic format
  • in place of paper format
  • in addition to paper format, and that are relied
    on to perform regulated activities
  • Medical record data also affected by 21CFR312
    21CFR11
  • When medical records contain data used as source
    documentation for FDA-regulated human research

19
FDA 21CFR 11
  • Validation
  • Ability to create accurate copies
  • Audit trail
  • Documentation of system access data change
  • Computer-generated date time stamp
  • Common additional interpretation
  • Maintain old response new response
  • Access to records record retention
  • Authority Device checks (security)
  • Physical access
  • Electronic access
  • Operational checks (QA/QC)
  • Personnel training
  • Persons supporting system
  • Persons entering/editing data
  • Written policies
  • Responsibilities of those with access
  • Accountability
  • Controls over system documentation
  • Open system control
  • Only applies if access is beyond internal
    electronic network
  • Electronic Signature standards

20
Deja HIPAA View All Over Again
HIPAA - 21CFR11, wheres the overlap?
  • Validation
  • Ability to create accurate copies
  • Audit trail
  • Access to records record retention
  • Authority Device checks (security)
  • Operational checks
  • Personnel training
  • Written policies
  • Controls over system documentation
  • Open system control
  • Electronic signature standards

21
Deja HIPAA View All Over Again
HIPAA - 21CFR11, wheres the overlap?
  • Validation
  • Ability to create accurate copies
  • Audit trail
  • Access to records record retention
  • Authority Device checks (security)
  • Operational checks
  • Personnel training
  • Written policies
  • Controls over system documentation
  • Open system control
  • Electronic signature standards
  • Operational checks
  • Personnel training
  • Written policies
  • Controls over system documentation
  • Open system control
  • Audit trail
  • Access to records record retention
  • Authority Device checks (security)

22
  • Approaches to Compliance

Lowrie Beacham, PhD Duke Clinical Research
Institute
22
23
How are we going to comply?
Two approaches
  • A. System-atically
  • In one (large) document, cover any and all
    applications that will be used in fulfilling the
    contract.
  • B. Environmentally
  • Treat the entire IT environment as one system,
    since most security measures are so directed.

24
One from Column A weve done both
  • Approach A 41 pages
  • Its complex
  • Its repetitive
  • Its comprehensive!
  • Approach B 18 pages
  • Its cleaner
  • Its leaner
  • But it may not always sell

25
Why not?
  • Inter-agency acceptability
  • Moving target

26
Interagency Acceptability Example
  • NIH and CDC
  • Both DHHS agencies
  • Both require System Security Plans
  • Buttheyre not (exactly) the same template

27
The moving target
  • Everyone is working on Information Security
  • The latest (as of this writing)
  • NIST Special Publication 800-53

28
NIST SP 800-53
Recommended Security Controls for Federal
Information Systems
  • Fresh off the presses, May 2005
  • 116 scintillating pages best being
  • Security Control Catalog pp. 40-105

29
NIST SP 800-53
  • Security Control Catalog
  • 162 items covering (among others)
  • Access control
  • Training
  • Assessments and certification
  • Contingency planning
  • Physical and environmental protection
  • Personnel Security
  • Risk Assessment
  • Communications protection
  • and, (buried under System Services Acquisition)

30
SA-9 Outsourced Information System Services
  • Third party providers are subject to the same
    information system security policies and
    procedures of (sic) the supported organization,
    and must conform to the same security control and
    documentation requirements as would apply to the
    organizations internal systems.

31
SA-9 Outsourced Information System Services
  • The NIH is the supported organization
  • The contractor is the third-party provider
  • If you want to play, you use their ball.

32
Have fun!
But
  • Arent you glad you did such a thorough job of
    complying with HIPAA Security?
  • -)
Write a Comment
User Comments (0)
About PowerShow.com