Human Subject Research: HIPAA Privacy and Security. Human Research Academy 101

Transcription

1 Human Subject Research: HIPAA Privacy and Security Human Research Academy 101

2 Your Enterprise Privacy Officer Christine Adams, CHC, CHPC Enterprise Privacy Officer Compliance & Enterprise Risk Management FY 103, Chafee Avenue Consultation Policy Management and Oversight Auditing & Monitoring Awareness, Training and Education Breach Investigation & Notification Mitigation Corrective Actions Disciplinary Guidance

3 Your Information Security Officer Damon Armour, MBA, CISSP, CISM Information Security Officer Jaguar Collaboration Information Technology Services (ITS) Annex I (HS), Room darmour@gru.edu IT/IS Governance Policy and Compliance Management Information Security Awareness, Education, Training IT/IS Risk Management Continuity of Operations Planning (BCP/DRP) IT/IS Audit Incident Response/Management

4 Goals of the HIPAA Privacy Review To understand which research activities are covered by HIPAA To understand which HIPAA elements are required before human research may begin To understand where to locate specific HIPAA privacy and security policies To understand how the Omnibus Rule removed barriers to research To gain insights for addressing HIPAA and International Research

5 What Research Activities are Covered by HIPAA? Research activities which access, use or disclose directly identifiable health information (PHI) are subject to HIPAA, when each of the following conditions are met: The data include any of the 18 identifiers, AND The data include health information, AND The data are created or received by GRU, GRMC and GRMA, or any other HIPAA covered entity under HIPAA

6 Access, Use, Disclosure of PHI Requires one of the following before research or preparation to research commences: Obtain written authorization for the research, or Obtain IRB approval of a Waiver of HIPAA Authorization, or Eliminate the use of PHI through 1) de-identification or 2) use a Limited Data Set(LDS) with a Data Use Agreement The difference between a LDS and de-identified information is that a LDS may contain dates and certain geographic information associated with an individual that are absent from de-identified information. Contact Associate VP of Research Administration about LDS/DUAs

7 HIPAA Privacy/Security Policies GRU HIPAA Policy Privacy of Health Information Policy This policy will soon be replaced with HIPAA Privacy and Security Policies which mirror GRMC policies. See below. GRMC Policies 6.01: Safeguards to Protect Protected Health Information 6.02: De-Identification of Protected Health Information 6.04: Patient's Right to Amend Protected Health Information 6.05: Use & Disclosure of Protected Health Information Via Electronic Media

8 HIPAA Privacy/Security Policies GRMC 6.09: Patient s Right to Request Access & Copy Protected Health Information 6.1: Patient s Right to Confidential Communications 6.11: Patient Confidentiality & Privacy 6.12: The Rights of a Patient s Personal Representative Regarding Protected Health Information 6.13: Mitigation for Improper Use & Disclosure of Protected Health Information Breach Notification PHI (6.0 section)

9 HIPAA Privacy/Security Policies GRMC 6.14: Non-Waiver of Rights as a Condition of Treatment 6.17: Use and Disclosure of Protected Health Information for Research Purposes 6.18: Individual's Right to Request an Accounting of Disclosure of Protected Health Information 6.19: Identification of Business Associates and Requirement for Contract 6.22: Use and Disclosure of Protected Health Information To Persons Involved in Patient's Care

10 HIPAA Privacy/Security Policies GRMC 6.23: Maintaining Appropriate Documentation Regarding Compliance with HIPAA Privacy Requirements 6.24: Use and Disclosure of PHI 6.24.a: Authorization to Disclose Health Information 6.24.b: HIPAA Authorization Requirements 6.24.c: HIPAA Policy Companion 6.25: Minimum Necessary Use, Disclosure and Request for Protected Health Information 6.31: Consent and Authorization for Patient Photography, Videotaping and Other Imaging for Treatment and Operations

11 Omnibus Rule Removes Barriers Research on Decedents After 50 years, health records are no longer PHI Compound Authorizations Allowed For example, if a study involves research-related treatment and banking tissue samples in a bio-repository for future research, the Final Rule now permits authorization for the research-related treatment (a conditioned authorization) and the bio-banking (an unconditioned authorization) to be combined into a single authorization Future Research Permissible to seek subjects' consent to future research so long as the future uses are described in sufficient detail to allow an informed consent

12 HIPAA and International Research The extent to which HIPAA applies to international research is currently a matter of debate. However, once identifiable health information is received by a covered entity, that information becomes PHI (with a narrow exception for overseas foreign nationals receiving health care from US agencies). This means when a researcher sends identified health information collected internationally across a secure GRU network, or stores such information on a secure GRU R drive, the information becomes PHI.

13 HIPAA and International Research Because HIPAA concepts can be difficult to translate in international studies, researchers have several options: Ask the IRB to approve an altered or simpler form of the required Authorization language, and/or to approve the obtaining of Authorization in oral form. Another option, where cultural barriers are significant, is for the IRB to waive the requirement of HIPAA Authorization entirely. To grant any of these requests, the IRB must determine that the request meets all of the waiver criteria in the HIPAA Privacy Rule.

14 Goals of the Information Security Review To gain a mutual understanding of the protections that will be used to safeguard protected health information and intellectual property for your individual protocol To advise the PI and SC on recommended practices to employ concerning the management of their data To protect the institution s reputation as a safe place to share confidential information To protect the institution from fines and penalties To protect the institution from litigation

15 Researcher Attestation Form: Affirm Data Security Protections Protocol Title: PI Name: Faculty Sponsor (if applicable): Principal Investigators please review, confirm the following data security requirements, and mark acceptance where indicated. Upon submission, GRU requires that you, the Principal Investigator, request secure electronic data storage/transmission for confidential/regulated research protocol data (including, but not limited to PHI, FERPA, or Personally Identifiable) to protect it from a breach of confidentiality, loss or theft, or inappropriate modification. You are required to adhere to the following requirements: 1. You must authorize requests for changes to data folder access. 2. You should only grant access to study team members formally listed on your protocol. 3. You agree to remove access to the research information of anyone that changes job duties or leaves the University and no longer requires access. 4. At no time, should you store unencrypted confidential or regulated data on a workstation, mobile device including but not limited to USB (thumb) drive, external hard drive, CD-ROM, DVD, or SD Chip. 5. A secure transmission method must be used (https or secure ftp) when protocol data is entered into clinical trial ecrfs, commercially sponsored trial sites, or investigator initiated multicenter trials. 6. You agree to comply with all GRU policies to include, but not limited to, Mobile Device Policy, Remote Access Policy, and Acceptable use of Information Technology. 7. If a storage device is lost or stolen and you have reason to believe it to contain confidential or regulated data, you must immediately file a report with GRU Public Safety, notify the IRB, and the Information Security Office. The Information Security Officer will contact the Enterprise Privacy Officer as necessary. 8. You agree to report a possible breach of confidential or regulated data within 24 hours to the IRB and the Information Security Office. Upon IRB approval of your protocol, the Principal Investigator and/or lead Study Coordinator may request new storage or access changes by submitting an ITS Service Request. Storage space is allocated based upon the Protocol number which must be provided as part of your request. In signing this attestation, I agree to accept primary responsibility for ensuring the data security protections requirements listed in this document will be followed for this protocol Signature of Principal Investigator Printed name Date Signature of Faculty Sponsor (if applicable) Printed name Date Submit Your IRB Space Request Here Knowledgebase Article ITS Service Desk Public Safety - (706)

16 Methods for Data Protection De-identification Server storage of research data Encryption Password protection Antivirus software Personal firewall/host intrusion prevention (IPS)

17 Secure Server Storage Provides centralized and sharable access for the study team Includes data backup processes free-of-charge Includes advanced security protections that are superior to those available on a personal computer

18 IRB Space Request Service-Now: In order to assist research Investigators and Study Coordinators with meeting GRU human research data security protection requirements, IRB secure storage may be requested through an online submission. Human research data protection requirements: GRU requires secure electronic data storage/transmission for confidential/regulated research protocol data (including, but not limited to PHI, FERPA, or Personally Identifiable) to protect it from a breach of confidentiality, loss, theft, or inappropriate modification. Knowledgebase article for this procedure:

19 Data Security Leave PHI and/or confidential information in the system of record. For example, do not export PHI from the electronic health record system (EHR) unless authorized and absolutely necessary. Do not PHI and/or other confidential information outside of the GRU environment. It is recommended that you restrict ing even within GRU to only what is absolutely necessary.

20 Data Security Do not store PHI and/or other confidential information on cloud-based storage offerings such as Dropbox, Google Docs, Google Drive, etc. If there is a need to store PHI and/or other confidential data elements on portable media device (portable hard drive and/or flash drive), seek approval and assistance from the Information Security Office.

21 Collecting/Storing/Transmitting Confidential Electronic Data GRU requires that confidential/regulated data (Patient Health Information, Student Records, Personally Identifiable Information, etc.) be stored in an approved location that would protect it from unauthorized access, loss/theft, or inappropriate modification. You must request secure electronic data storage for your research team to store data containing confidential/regulated data.

22 Collecting/Storing/Transmitting Confidential Electronic Data The Principal Investigator and Study Coordinator are solely responsible for managing appropriate access to the study s data folder. As the Security Authority for the study s data folder, you are required to approve and submit requests for changes to folder access. You should only grant access to study team members formally listed on your protocol.

23 Encryption of Data at Rest/Transmission Encryption - makes data unreadable without a special key Credant is the enterprise encryption solution for data at rest A weak encryption key (password) is almost as bad as no encryption at all How will the data be transmitted? Secure web site, specify: (Note: Notify ISO if sponsor will not provide until the study is approved) Citrix client Secure FTP transfer, specify: Secure VPN Move-IT ( Encrypted

24 Report Breaches of Security Suspected breach of security, must be reported to the appropriate resource owner and the GRU Information Security Officer. It includes, but is not exclusive to: Unauthorized access to protected information Physical destruction Loss or theft of computer or storage medium Inappropriate use of data or information systems Note: certain extreme cases may involve additional levels of review and could call for disciplinary action, up to and including dismissal, or civil or criminal penalties.

25 ITS Policies GRU ITS Policies Acceptable Use of Information Technology Password Protection Policy Electronic Data Storage Backup Policy Remote Access Policy Information Technology Standard Configuration Policy Historical GHSU ITS Policies Mobile Device and Remote Access Policy

26 Mobile Device Policy Configure all laptops, smartphones and tablet computers for which you are responsible to require a PIN, passcode or password to unlock the device. This code should be at least 4 characters in length and the device should be configured to automatically lock itself after 10 minutes (or less) of inactivity. Ensure that all laptops, smartphones and tablet computers for which you are responsible use data encryption to prevent unauthorized disclosure of sensitive or confidential information.

27 Mobile Device Policy Lost or stolen laptops, smartphones and tablet computers used for official GRU business should be reported immediately to Public Safety and the IT Service Desk. In some cases, the IT Service Desk may be able to remotely erase your lost device to prevent the disclosure of sensitive or confidential information. The new security requirements do not apply to personally-owned devices that are only used to view information rather than storing it (e.g. Citrix and Outlook Web Access).

28 Questions