Title: Beyond HIPAA Regulations Inside the Research Quadrant
1 Beyond HIPAA Regulations Inside the Research Quadrant
NCHICA Conference: AMC Security & Privacy, Progress & Prospects
Sept 26 - 28, 2005
Gregg Fromell, MD, Office of Human Research, University of Pennsylvania
Lowrie Beacham, PhD, Duke Clinical Research Institute, Duke University
2 HIPAA Re-cap
- HIPAA Privacy Rule
  - Effective date April 2003
  - Identifies protected health information (PHI)
  - Applies to information in any form, paper or electronic
- HIPAA Security Rule
  - Effective date April 2005
  - Applies to PHI in electronic form
3 HIPAA Security Rule
- Three main areas of focus
  - Administrative Safeguards
  - Physical Safeguards
  - Technical Safeguards
4 HIPAA Security Rule
- Administrative safeguards
  - Security management process (risk analysis, risk management)
  - Assigned security responsibility
  - Work force security (method to grant and revoke access)
  - Security awareness training
  - Security incident procedures (includes sanctions)
  - Contingency planning (back-up, disaster recovery)
  - Evaluation (independent assessment of compliance)
  - Business associate contracts
5 HIPAA Security Rule
- Physical Safeguards
  - Facility access controls
  - Workstation use
  - Workstation security
  - Device and media controls
- Technical Safeguards
  - Access control
  - Audit control
  - Integrity controls
  - Person or entity authentication
  - Transmission security
6 Lowrie Beacham, PhD, Duke Clinical Research Institute
7 HIPAA influencing the NIH, or vice versa?
- Precursors
  - Computer Security Act of 1987
  - DHHS AISSP Handbook (1994)
    - Automated Information Systems Security Program
  - OMB A-130, Appendix III (2000)
    - Security of Federal Automated Information Systems
8 Case in Point: NIH - the first sighting
- TADS RFP, April 2002
  - "the proposal must present a detailed outline of its proposed IT systems security program"
  - Lists the three references as resources
  - Page 49 of the RFP, so ...
9 NIH - the serious sighting
- Roadmap contract, August 2004
  - Page 30 of 34
  - Same language, but
  - this time we mean it!
  - Now, there's a template
10 The Template: Hey! These folks are serious!
- One of the items called for by the DHHS Info. Security Program C&A Guide (August 2003)
- 22 pages of requirements
  - System Identification
  - Management Controls
  - Operational Controls
  - Technical Controls
11 Deja HIPAA View
- HIPAA Security (164 Subpart C)
  - Administrative Safeguards
  - Physical Safeguards
  - Technical Safeguards
- DHHS Info. Security Program
  - Management Controls
  - Operational Controls
  - Technical Controls
12 NIH Plan Security Template Contents
- Management Controls
  - Risk Assessment and Management
  - Review of Security Controls
  - Rules of Behavior
  - Planning for Security in the Life Cycle
  - Certification and Accreditation
13 NIH Plan Security Template Contents
- Operational Controls
  - Personnel Security
  - Physical and Environmental Protection
  - Contingency Planning and Disaster Recovery
  - Security Awareness and Training
  - System Configuration Management Controls
14 NIH Plan Security Template Contents
- Technical Controls
  - Identification and Authentication
  - Logical Access Controls
  - Public Access Controls
  - Audit Trails
15 Gregg Fromell, MD, University of Pennsylvania
16 FDA 21CFR 11
- Title 21 of the Code of Federal Regulations, Part 11 governs:
  - Electronic records
  - Electronic signatures
  - Handwritten signatures executed to electronic records
17 FDA 21CFR 11
History of Part 11
- March 1997, first release
  - establish criteria for the acceptance of electronic records as trustworthy, reliable and equivalent to paper records.
- 1997 - 2002
  - Significant industry feedback on large cost burdens and restrictions on technology development
- 2002 - 2003
  - FDA withdrew draft guidance for a rewrite
- August 2003
  - Guidance revised: Electronic Records; Electronic Signatures - Scope and Application
- September 2003
  - Guidance: Computerized Systems Used in Clinical Trials
18 21CFR 11
- 21CFR312 predicate rule -- research data that must be maintained
  - 312.62 (b): An investigator is required to prepare and maintain adequate and accurate case histories that record all observations and other data pertinent to the investigation
- 21CFR 11 addresses research data that are maintained in electronic format
  - in place of paper format
  - in addition to paper format, and that are relied on to perform regulated activities
- Medical record data are also affected by 21CFR312 and 21CFR11
  - When medical records contain data used as source documentation for FDA-regulated human research
19 FDA 21CFR 11
- Validation
- Ability to create accurate copies
- Audit trail
  - Documentation of system access and data change
  - Computer-generated date/time stamp
  - Common additional interpretation
    - Maintain old response and new response
- Access to records, record retention
- Authority / device checks (security)
  - Physical access
  - Electronic access
- Operational checks (QA/QC)
- Personnel training
  - Persons supporting system
  - Persons entering/editing data
- Written policies
  - Responsibilities of those with access
  - Accountability
- Controls over system documentation
- Open system control
  - Only applies if access is beyond the internal electronic network
- Electronic signature standards
20 Deja HIPAA View All Over Again
HIPAA - 21CFR11, where's the overlap?
- Validation
- Ability to create accurate copies
- Audit trail
- Access to records, record retention
- Authority / device checks (security)
- Operational checks
- Personnel training
- Written policies
- Controls over system documentation
- Open system control
- Electronic signature standards
21 Deja HIPAA View All Over Again
HIPAA - 21CFR11, where's the overlap? The 21CFR11 items that overlap with HIPAA Security:
- Operational checks
- Personnel training
- Written policies
- Controls over system documentation
- Open system control
- Audit trail
- Access to records, record retention
- Authority / device checks (security)
22 Lowrie Beacham, PhD, Duke Clinical Research Institute
23 How are we going to comply?
Two approaches
- A. System-atically
  - In one (large) document, cover any and all applications that will be used in fulfilling the contract.
- B. Environmentally
  - Treat the entire IT environment as one system, since most security measures are so directed.
24 One from Column A ... we've done both
- Approach A: 41 pages
  - It's complex
  - It's repetitive
  - It's comprehensive!
- Approach B: 18 pages
  - It's cleaner
  - It's leaner
  - But it may not always sell
25 Why not?
- Inter-agency acceptability
- Moving target
26 Interagency Acceptability Example
- NIH and CDC
  - Both DHHS agencies
  - Both require System Security Plans
  - But ... they're not (exactly) the same template
27 The moving target
- Everyone is working on Information Security
- The latest (as of this writing)
  - NIST Special Publication 800-53
28 NIST SP 800-53
Recommended Security Controls for Federal Information Systems
- Fresh off the presses, May 2005
- 116 scintillating pages, the best being
  - Security Control Catalog, pp. 40-105
29 NIST SP 800-53
- Security Control Catalog
  - 162 items covering (among others)
    - Access control
    - Training
    - Assessments and certification
    - Contingency planning
    - Physical and environmental protection
    - Personnel security
    - Risk assessment
    - Communications protection
    - and (buried under System and Services Acquisition) ...
30 SA-9 Outsourced Information System Services
- "Third party providers are subject to the same information system security policies and procedures of (sic) the supported organization, and must conform to the same security control and documentation requirements as would apply to the organization's internal systems."
31 SA-9 Outsourced Information System Services
- The NIH is the supported organization
- The contractor is the third-party provider
- If you want to play, you use their ball.
32 Have fun!
But ...
- Aren't you glad you did such a thorough job of complying with HIPAA Security? ;-)