IRB Policy for Security and Integrity of Human Research Data

Transcription

1 IRB Policy for Security and Integrity of Human Research Data Kathleen Hay Human Subjects Protection Office Terri Shkuda Research Informatics & Computing, Information Technology

2 Overview of Presentation Regulatory Background Revised IRB Policy Investigator Responsibilities Requirements for Data Security and Integrity Investigator Resources REDCap

3 Regulatory Background

4 Regulatory Background 45 CFR Part 46 and 21 CFR Part 56 Criteria for IRB approval - When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data. HIPAA Privacy Rule Privacy Rule Establishes national standards to protect individuals medical records and other personal health information and sets limits and conditions on the uses and disclosures of this information Breach Notification Rule Requires entities to provide notification following a breach of unsecured PHI Security Rule Establishes standards for security of e-phi HITECH Enforcement Rule Establishes categories of violations and penalties

5 Regulatory Background Institutional policies PSU and HMC PSU-AD20 Computer and Network Security PSU-AD23 Use of Institutional Data PSU-AD71 Data Categorization PSU ADG07 Data Categorization Examples HAM C-08 Confidentiality Disposal of Information, Sanitizing of Electronic Media, and Destruction of Hard Copy Documents HAM C-37 Confidentiality Electronic Storage of Sensitive Data IRB SOP Addendum: Security and Integrity of Human Research Data

6 Revised IRB Policy Addendum IRB SOP Addendum: Security and Integrity of Human Research Data

7 Revised IRB Policy IRB SOP Addendum: Security and Integrity of Human Research Data Became effective January 2012 Revision will be effective December 1, 2014 SOP is available on IRB website Under Resources/Investigator Resources

8 Revised IRB Policy What are the main changes: Defines Penn State Hershey researchers and external researchers Defines 2-level categorization for data Includes a new process for submitting plan Provides revised requirements for electronic and paper data storage Provides requirements for data transfer Requires data transfer agreements if data are transferred to and/or from any third party

9 Revised IRB Policy Penn State Hershey researcher: Employee, faculty or student of the PSU College of Medicine (COM) and/or Hershey Medical Center (HMC) External researcher: If the research uses/discloses protected health information (PHI): any researcher who is not an employee, faculty, or student of COM and/or HMC If the research does not use/disclose PHI: any researcher who is not an employee, faculty or student of Penn State University, COM, HMC

10 Revised IRB Policy Protected health information (PHI) Individually identifiable health information Transmitted or maintained in any form or medium by a Covered Entity or its Business Associate Individually identifiable health information Health information, including demographic information Relates to an individual s physical or mental health or the provision of or payment for health care Identifies the individual Personally Identifiable information (PII) Information that can be used to uniquely identify a single person or group of individuals

11 Revised IRB Policy Policy defines 2 levels for human research data Level 1 De-identified research data about people De-identified data collected for a research study, such as an anonymous survey Publicly available datasets Level 2 Data about individually identifiable people Research data that include identifiable health information (PHI) collected for a clinical trial Research data that include identifiable non-health information (PII), such as test scores or student record information or employee records Research data that include identifiable non-health, non-sensitive information collected as part of a research study

12 18 HIPAA Identifiers Names All geographic subdivisions smaller than a State All elements of dates (except year) Telephone numbers Fax numbers addresses Social security numbers Medical record numbers Health plan beneficiary numbers Account numbers Certificate/license numbers Vehicle identifiers Device identifiers Web URLs Internet Protocol (IP) Biometric identifiers, finger and voice prints Full face photographic image Any other unique identifying number/characteristic/code Identifier added as part of SOP: Whole genomic sequence data

13 Revised IRB Policy Procedure: IRB Chair or designee reviews data security-integrity plan by expedited review process New studies plan reviewed during pre-review Reviewer determines if plan fulfills requirements for applicable security category If plan does not meet policy requirements, it is reviewed by the IT Security Group Provides guidance to IRB regarding changes needed to approve plan May recommend IRB approve of a variance Compliance is monitored by Research Quality Assurance Office as part of routine or directed postapproval reviews

14 Revised IRB Policy For research involving transfer of PHI or PII to and/or from any third party* IT Security must approve method of data transfer Ancillary review process in CATS IRB Written transfer agreements required for projects involving transfer of human research data to and/or from any third party* Agreements negotiated by OTD or ORA Ancillary review process in CATS IRB Written transfer agreements needed if PI is leaving PSH and plans to take data *Third party = external sponsor or external researcher

15 Investigator Responsibilities

16 Investigator Responsibilities Investigators are responsible for: Disclosing nature of data to be collected Submitting data security/integrity plan at initial review using Application Supplement Research Data Plan Review Form **NEW** Implementing & monitoring the plan upon IRB approval Ensuring all research personnel trained and signed confidentiality agreement Reporting breaches of confidentiality to IRB as RNI Contacting ORA or OTD to negotiate transfer agreements if applicable

17 Investigator Responsibilities New studies Submit Application Supplement-Research Data Plan Review Form with CATS IRB Upload form on Basic Information page question #7 along with protocol/psa Form will be stored in CATS IRB Library under Templates To avoid redundancy, do not include data security/integrity plan in protocol or protocol site addendum (PSA) State See the Research Data Plan Review Form in the Confidentiality, Privacy and Data Management section of protocol or PSA Section 10 of the protocol templates (HRP-591 and HRP-592) and Section 4 of the PSA (HRP-595) Ongoing active studies No action necessary Approved data security/integrity plan is in protocol

18 Investigator Responsibilities Research Data Plan Review Form Form format 15 questions What identifiers are recorded? Are data collected by mobile devices or internet? How are data stored? What is process for data integrity? Are data being transferred to/from PSH? If data transferred, how and what identifiers are being sent/received?

19 Requirements for Data Security and Integrity

20 Policy Recommendations Level 1 Data Hardcopy Stored securely in controlled environment Disposal in regular trash Electronic Good computer use practice (complex passwords, not sharing accounts, limiting access, etc.) Portable media secured when not in use (locked office or lock-down cables) Servers should have access controls Electronic devices may be disposed of following deletion of research data files

21 Policy Recommendations Level 1 Data Data transfer/sharing Requires a written agreement between PSH and the external institution Hardcopy Data may be transferred double-wrapped using secure chain of possession Electronic Data may be transferred by unprotected

22 Policy Requirements Level 2 Data Hardcopy Stored securely in controlled environment (e.g. at PSU/HMC) Data forms/code lists stored in locked file cabinets or limited access storage areas PI must maintain lists of staff with access to data Disposal by shredding

23 Policy Requirements Level 2 Data Electronic Stored on Secure file server supported and maintained by IT or PHS Secure database server supported and maintained by IT or PHS (such as REDCap or Oncore) Device not listed above is deemed unacceptable for storage of Level 2 information unless a variance is granted by the IRB based on recommendation of the IT Security Group Removable media (tracked, inventoried and physically managed) may only be used for either long-term archival storage or conveyance to another party

24 Policy Requirements Level 2 Data Electronic (cont.) Desktops and devices physically secured (locked offices and/or locked facilities with access restricted to study personnel and their guests) Electronic devices set to automatically log-off and lock after defined periods of inactivity Access controls PI keeps list of people with access to data Access must be removed if individual has no reason for access Access must be logged (identity of user, time & function) Data routinely backed up and the back-up copy physically secured if applicable

25 Policy Requirements Level 2 Data Electronic (cont.) Devices must undergo secure deletion of the disc at the end of life of the device or prior to recycling Data may not be stored, temporarily cached or otherwise accessed in a way that creates a local copy of the data on personal devices (PDAs, USB portable devices), or non-psu owned devices of any kind (home computers, personal laptops or public computers) Remote displaying permitted for remote access using applications where there are no persistent data copies when programs are remotely displayed (Citrix or Remote Desktop)

26 Policy Requirements Level 2 Data Data transfer/sharing Data must be de-identified before sharing with PSH study team members whenever the identifying information is not necessary Data must be de-identified or date shifted before transfer to external entities unless subjects have given authorization to disclose identifiers to external entities Requires data transfer agreement Mechanism of transfer must be approved by IT Security Group

27 Policy Requirements Level 2 Data Data transfer/sharing (cont.) No PHI or PII may leave PSH unless subjects have given authorization to disclose their PHI/PII or the data are a limited data set Requires written agreement Electronic transmission data must be encrypted C-37 HAM Transfer of portable media use a secure chain of possession Hardcopy double-wrapped using secure chain of possession Commercial carrier or hand-delivered by research team member

28 Policy Requirements Data Integrity Ensures that data are of high quality, correct, and consistent Examples of measures to ensure data integrity Data entry performed twice by two different people Edit checks Random, internal quality and assurance auditing PI must ensure that backup copies of human research data are made and stored If data stored on IT or PHS supported server backups can be assumed For others, backup copies maintained in a secure location

29 Investigator Resources

30 Investigator Resources For more information HMC/COM applications Call IT Helpdesk at x6281 PHS applications Call PHS Helpdesk at x7682 Contact

31

32 REDCap REDCap (Research Electronic Data Capture) Web-based application Supports data capture and management for research studies Designed to build and manage research data and surveys De-identification tools to protect PHI A build-it-yourself, intuitive user interface that allows study team members to create data collection forms without prior knowledge of database design

33 REDCap Data Security REDCap at PSU has been designed to respond to the PSU Audit of 2010 and to support this Data Security and Integrity policy. The application has been thoroughly: Scanned for security threats Evaluated for the probability and impact of risks Extra measures have been put in place to ensure the data is safe from potential attacks and data is stored in our internal network

34 REDCap HIPAA Compliance HIPAA compliant by providing: SOPs for role-based user access at the project level to insure minimum access necessary to perform the task User accounts that are centrally managed by IT Accounts Management Audit trails for every action to ensure proper alteration or destruction of data User training requirements A secure data center where the project data is easily available by a web application and backed up to a remote location, nightly. A dashboard showing users for each project on the Project Home page

35 REDCap Data Integrity Features addressing correctness of data entry Allows for stages of form completion (incomplete, unverified, complete, locked, e- signed) Data type validation and range checks Data Quality tool that supplies rules to search the data for missing, out of range, invalid values and also the ability for the user to create rules themselves. Double Data Entry module

36 REDCap Data Integrity (continued) Features addressing threats to data validity Access - Role-based access monitored by IT Accounts Management & the REDCap Systems Analyst Modify/Alter/Destroy Data - every interaction with data is logged in an easily accessible audit trail Automated data import and export procedures with de-identification tools Upgrade and testing SOPs

37 Data Migration from Excel to REDCap REDCap Build REDCap forms to match your existing Excel database. Download the REDCap Data Import template to Excel. Excel Copy and Paste existing data into columns of the Data Import template. REDCap Import data from Data Import template in Excel to REDCap. For a complete description of how to migrate your data from Excel to REDCap, please visit the REDCap Training webpage on our site at

38 For more information about REDCap View REDCap tutorials on the Vanderbilt University website: Visit our website at and select REDCap. Training offered biweekly on Tuesday afternoons (next session 8/28/12). Register for training by ing