Beyond HIPAA Regulations Inside the Research Quadrant - PowerPoint PPT Presentation

1 / 32

About This Presentation

Title:

Beyond HIPAA Regulations Inside the Research Quadrant

Description:

Title: Testing Author: Gregg Fromell Last modified by: Gregg Fromell Created Date: 9/12/2005 8:59:46 PM Document presentation format: On-screen Show – PowerPoint PPT presentation

Number of Views:179

Avg rating:3.0/5.0

Slides: 33

Provided by: GreggF3

Category:

more less

Transcript and Presenter's Notes

Title: Beyond HIPAA Regulations Inside the Research Quadrant

1
Beyond HIPAA Regulations Inside the Research
Quadrant
NCHICA
NCHICA Conference AMC Security Privacy
Progress Prospects
Sept 26 - 28, 2005
Gregg Fromell, MD Office of Human
Research University of Pennsylvania
Lowrie Beacham, PhD Duke Clinical Research
Institute Duke University
2
HIPAA Re-cap

HIPAA Privacy Rule
Effective date April 2003
Identifies protected health information (PHI)
Applies to information in any form, paper or
electronic
HIPAA Security Rule
Effective date April 2005
Applies to PHI in electronic form

3
HIPAA Security Rule

Three main areas of focus
Administrative Safeguards
Physical Safeguards
Technical Safeguards

4
HIPAA Security Rule

Administrative safeguards
Security Management process (risk analysis
risk management)
Assigned Security Responsibility
Work force security (method to grant and revoke
access)
Security awareness training
Security incidents procedures (includes
sanctions)
Contingency planning (back-up disaster
recovery)
Evaluation (independent assessment of
compliance)
Business associate contracts

5
HIPAA Security Rule

Physical Safeguards
Facility access controls
Work station use
Work station security
Device Media controls

Technical Safeguards
Access control
Audit control
Integrity controls
Person or entity authentication
Transmission security

HIPAA the NIH

Lowrie Beacham, PhD Duke Clinical Research
Institute
6
7
HIPAA influencing the NIH or vice versa?

Precursors
Computer Security Act of 1987
DHHS AISSP Handbook (1994)
Automated Info Systems Sec. Program
OMB A-130, Appendix III (2000)
Security of Fed. Automated Info Systems

8
Case in Point NIH - the first sighting

TADS RFP, April 2002
the proposal must present a detailed outline of
its proposed IT systems security program
Lists the three references as resources
Page 49 of the RFP, so

9
NIH - the serious sighting

Roadmap contract, August 2004
Page 30 of 34
Same language but
this time we mean it!
Now, theres a template

10
The Template Hey! These folks are serious!

One of the items called for by DHHS Info.
Security Program CA Guide (August 2003)
22 Pages of requirements
System Identification
Management Controls
Operational Controls
Technical Controls

11
Deja HIPAA View

HIPAA Security 164 Subpart C
Administrative Safeguards
Physical Safeguards
Technical Safeguards

DHHS Info. Security Program
Management Controls
Operational Controls
Technical Controls

12
NIH Plan Security Template Contents

Management Controls
Risk Assessment and Management
Review of Security Controls
Rules of Behavior
Planning for Security in the Life Cycle
Certification and Accreditation

13
NIH Plan Security Template Contents

Operational Controls
Personnel Security
Physical and Environmental Protection
Contingency Planning and Disaster Recovery
Security Awareness and Training
System Configuration Mgmt. Controls

14
NIH Plan Security Template Contents

Technical Controls
Identification and Authentication
Logical Access Controls
Public Access Controls
Audit trails

FDA Data Security

Gregg Fromell, MD University of Pennsylvania
15
16
FDA 21CFR 11

Title 21 of the Code of Federal Regulations, part
11 governs
Electronic records
Electronic signatures
Handwritten signatures executed to electronic
records

17
FDA 21CFR 11
History of Part 11

March 1997, first release
establish criteria for the acceptance of
electronic records as trustworthy, reliable and
equivalent to paper records.
1997 - 2002
Significant industry feedback on large cost
burdens and restrictions on technology
development
2002 - 2003
FDA withdrew draft guidance for a rewrite
August 2003
Guidance revised Electronic Records Electronic
Signatures Scope and Application
September 2003
Guidance Computerized Systems Used in Clinical
Trials

18
21CFR 11

21CFR312 predicate rule -- research data that
must be maintained
312.62 (b) An investigator is required to
prepare and maintain adequate and accurate case
histories that record all observations and other
data pertinent to the investigations
21CRF 11 addresses research data that are
maintained in electronic format
in place of paper format
in addition to paper format, and that are relied
on to perform regulated activities
Medical record data also affected by 21CFR312
21CFR11
When medical records contain data used as source
documentation for FDA-regulated human research

19
FDA 21CFR 11

Validation
Ability to create accurate copies
Audit trail
Documentation of system access data change
Computer-generated date time stamp
Common additional interpretation
Maintain old response new response
Access to records record retention
Authority Device checks (security)
Physical access
Electronic access

Operational checks (QA/QC)
Personnel training
Persons supporting system
Persons entering/editing data
Written policies
Responsibilities of those with access
Accountability
Controls over system documentation
Open system control
Only applies if access is beyond internal
electronic network
Electronic Signature standards

20
Deja HIPAA View All Over Again
HIPAA - 21CFR11, wheres the overlap?

Validation
Ability to create accurate copies
Audit trail
Access to records record retention
Authority Device checks (security)

Operational checks
Personnel training
Written policies
Controls over system documentation
Open system control
Electronic signature standards

21
Deja HIPAA View All Over Again
HIPAA - 21CFR11, wheres the overlap?

Validation
Ability to create accurate copies
Audit trail
Access to records record retention
Authority Device checks (security)

Operational checks
Personnel training
Written policies
Controls over system documentation
Open system control
Electronic signature standards

Operational checks
Personnel training
Written policies
Controls over system documentation
Open system control

Audit trail
Access to records record retention
Authority Device checks (security)

Approaches to Compliance

Lowrie Beacham, PhD Duke Clinical Research
Institute
22
23
How are we going to comply?
Two approaches

A. System-atically
In one (large) document, cover any and all
applications that will be used in fulfilling the
contract.
B. Environmentally
Treat the entire IT environment as one system,
since most security measures are so directed.

24
One from Column A weve done both

Approach A 41 pages
Its complex
Its repetitive
Its comprehensive!
Approach B 18 pages
Its cleaner
Its leaner
But it may not always sell

25
Why not?

Inter-agency acceptability
Moving target

26
Interagency Acceptability Example

NIH and CDC
Both DHHS agencies
Both require System Security Plans
Buttheyre not (exactly) the same template

27
The moving target

Everyone is working on Information Security
The latest (as of this writing)
NIST Special Publication 800-53

28
NIST SP 800-53
Recommended Security Controls for Federal
Information Systems

Fresh off the presses, May 2005
116 scintillating pages best being
Security Control Catalog pp. 40-105

29
NIST SP 800-53

Security Control Catalog
162 items covering (among others)
Access control
Training
Assessments and certification
Contingency planning
Physical and environmental protection
Personnel Security
Risk Assessment
Communications protection
and, (buried under System Services Acquisition)

30
SA-9 Outsourced Information System Services

Third party providers are subject to the same
information system security policies and
procedures of (sic) the supported organization,
and must conform to the same security control and
documentation requirements as would apply to the
organizations internal systems.

31
SA-9 Outsourced Information System Services