What is ePHI?

ePHI stands for Electronic Protected Health Information (PHI): any PHI that is stored, accessed, transmitted or received electronically. [1]

PHI under HIPAA means any information that identifies an individual AND relates to at least one of the following:
- The individual's past, present or future physical or mental health.
- The provision of health care to the individual.
- The past, present or future payment for health care.

HIPAA lists 18 items that render PHI identifiable:
1. Names;
2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code.

Updated Jan 2016 Northwell Health Page 1 of 8
What regulations apply to research data containing ePHI?

The HIPAA Security Rule requires protection of ePHI that is created, received, processed, transmitted, or maintained by a covered entity. It requires administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of ePHI.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted to promote the adoption of Electronic Health Records (EHR) by physicians and hospitals. [1] It requires HIPAA covered entities (and their business associates) to promptly notify affected individuals of a breach, and to notify the media when more than 500 individuals are affected. It also amended the HIPAA Privacy and Security Rules, raising the penalties for breaches of patient information to up to $1.5 million per year.

The Omnibus Final Rule, which went into effect in September 2013, updated the HIPAA Privacy and Security Rules and the HITECH Act breach notification provisions. Under the updated rule an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity can demonstrate a low probability that the PHI was compromised; the rule also emphasizes encryption, audit logs, and monitoring of system activity.

What safeguards should I have in place?

According to the HIPAA Security Rule, the following must be in place:
- Technical safeguards: the technology, and the policies and procedures for its use, that protect electronic protected health information and control access to it. [2]
- Administrative safeguards: administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information. [3]
- Physical safeguards: physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. [4]

Note: all three categories of safeguards are required, whether they are administered by the individual investigator or by the health system.

How do I ensure HIPAA compliance for my application or database containing ePHI?

The PI is responsible for ensuring the security of ePHI used in the research study, which is usually maintained in databases (i.e. applications that manage data and allow fast storage and retrieval of that data). PIs can obtain information about secure, internally hosted systems and resources from Research IS. PIs using a system or application containing PHI that is hosted externally (e.g. by a collaborator, sponsor, 3rd-party vendor, etc.) must submit appropriate documentation of the security controls of both the application and the hosting facility.

This document provides guidance for PIs to answer the security safeguard questions listed on the HRPP application as well as the OCIO HIPAA Security and ASP Application forms. For more information and institutional requirements related to HIPAA security, please refer to the Information Security and Corporate Compliance policies available on the Intranet, or contact Research Information Systems at ResearchIS@nshs.edu.
Planning Your Study

1. What ePHI should be collected for the study?

ePHI collected should contain only the individual identifiers that are minimally necessary to support the research purpose.
Tip: Avoid collecting identifiers if not necessary. For example, instead of recording date of birth, you can record age (however, ages over 89 are still considered PHI). Instead of service dates, you can record length of stay.
Contact the HRPP for help when you submit your study for approval.

2. What should I consider when planning for collection, maintenance and management of ePHI?

- Choose the best type of database for your data. Simple studies may only require spreadsheets (if no HIPAA identifiers are being collected), but more complex studies require larger databases. Databases with ePHI need to meet HIPAA compliance standards. Various electronic data capture tools are available for researchers:
 o HIPAA-compliant SurveyMonkey and Research Electronic Data Capture (REDCap) are survey/database solutions that can be used for most research studies. See the Research IS website for information and email ResearchIS@nshs.edu.
 o Biostats Unit Database Designed for You (BUDDY): custom databases for more complex trials. Contact the Biostats Unit at (516) 562-0300.
- Set up appropriate network shared folders, with access limited to research team members, to store files. ePHI shared folders or a PHI SharePoint can be set up for files containing ePHI. Avoid storing files on local workstations or laptops without proper encryption.
- For data analysis that will be done outside of your research team (e.g. by Biostatistics or an external vendor), send the information in a de-identified or coded manner.
- Budget appropriately if your research involves storage of large amounts of data or requires database development.
Tip: Contact Research IS to discuss your data management or storage needs in advance of study initiation.
These steps should be outlined in your protocol or standard operating procedures.

3. What do I need to know about collecting sensitive information, such as Social Security Numbers (SSNs) and Medicare numbers?

Do not collect SSNs or Medicare numbers unless necessary for the study (such as for tax requirements). If you must collect and store this information, ensure that you have appropriate measures in place to safeguard it. HS policy 800.11 Identity Theft Prevention Program outlines the appropriate steps to redact sensitive information.
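The tips above (record age rather than date of birth, length of stay rather than service dates) together with the zip-code and over-89 rules in the identifier list amount to a small, mechanical transformation that can be applied to an extract before it is handed to analysts outside the research team. The block below is an added example written for this page; it is not code from the Northwell guidance, REDCap or BUDDY. The record field names, the sample people and the set of low-population zip prefixes are assumptions: the prefix set must be taken from current Census data before any real use.

```python
"""Safe Harbor style minimisation of a research extract (added example)."""
from datetime import date

# ASSUMPTION: 3-digit ZIP prefixes whose combined population is 20,000 or
# fewer. HHS publishes this list from Census data; the values here are
# illustrative and must be replaced with the current list before use.
LOW_POPULATION_ZIP3 = {"036", "059", "063", "102", "203", "556", "692",
                       "790", "821", "823", "830", "831", "878", "879",
                       "884", "890", "893"}

# Fields the identifier list removes outright (items 1, 4-13, 15).
# ASSUMPTION: these are the column names used by the constructed records.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address",
}

def safe_harbor_zip(zip_code):
    """Return the 3-digit ZIP prefix, or '000' for low-population areas."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:
        return None            # malformed input: do not guess a geocode
    prefix = digits[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix

def age_in_years(born, on):
    """Completed years between two dates."""
    years = on.year - born.year
    if (on.month, on.day) < (born.month, born.day):
        years -= 1
    return years

def safe_harbor_age(age):
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age > 89 else str(age)

def deidentify(record):
    """Return the Safe Harbor form of one raw record.

    Expected keys (constructed for this example): 'dob', 'admission' and
    'discharge' as ISO dates, 'zip', any of DIRECT_IDENTIFIERS, and study
    fields such as 'diagnosis' that are passed through unchanged.
    """
    dob = date.fromisoformat(record["dob"])
    admitted = date.fromisoformat(record["admission"])
    discharged = date.fromisoformat(record["discharge"])
    age = age_in_years(dob, admitted)

    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS
           and k not in ("dob", "admission", "discharge", "zip")}

    out["age_at_admission"] = safe_harbor_age(age)
    # The year of a date is permitted, except where it would reveal an
    # age over 89 (item 3 of the identifier list).
    out["birth_year"] = dob.year if age <= 89 else None
    out["admission_year"] = admitted.year
    # Keep length of stay instead of the two service dates.
    out["length_of_stay_days"] = (discharged - admitted).days
    out["zip3"] = safe_harbor_zip(record["zip"])
    return out

# Constructed sample input: fictitious people, fictitious identifiers.
SAMPLE_RECORDS = [
    {"name": "A. Example", "mrn": "000123", "ssn": "000-00-0000",
     "dob": "1932-03-15", "admission": "2015-06-01",
     "discharge": "2015-06-04", "zip": "11030", "diagnosis": "I10"},
    {"name": "B. Example", "mrn": "000456", "email": "b@example.org",
     "dob": "1920-11-02", "admission": "2015-07-10",
     "discharge": "2015-07-13", "zip": "03601", "diagnosis": "E11"},
]

def deidentify_all(records=SAMPLE_RECORDS):
    return [deidentify(r) for r in records]

if __name__ == "__main__":
    for row in deidentify_all():
        print(row)
```

The transformation is one-way. Keep the identified source file under the access controls described in the following sections, give analysts only the output of a step like this, and, if records must ever be linked back (a "coded" rather than de-identified data set), hold the linkage key separately from the extract.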
4. Can I transfer ePHI to an external source?

ePHI transmitted outside of the Health System must be encrypted, password protected and sent only through secure channels, and only if required for the study. Contact Research IS for further assistance. The subject's authorization, a waiver from the IRB, or other agreements must be obtained before identifiable information is shared outside your research team.

5. When is a Business Associate Agreement (BAA) necessary? (administrative safeguard)

A BAA is required when any external individual or organization, such as a vendor providing services, will create, receive, maintain, store, use or transmit ePHI. Follow Health System policy 800.19 and contact Procurement when you request a BAA or have further questions. BAAs may also be executed through the Grants Management Office as contracts with research sponsors are processed.
Tip: See the BAA guidance and map.

During Your Study

1. Who should have access to the database and how do I manage this? (administrative safeguard)

Limit access to the authorized personnel required for the study. For technical issues regarding authorizing different levels of access, monitoring access history, or terminating access when study personnel no longer require it, contact the database administrator. For any research PI joining or leaving the health system, follow policy GR088 Researcher Onboarding and Exit Process. For research staff leaving the health system, the PI is responsible for notifying the database administrator and others as necessary (e.g. 3rd-party collaborator, sponsor, vendor) so that the staff member's access to PHI is terminated.

2. How do research personnel obtain individual usernames and passwords for the database?

All individuals must use their own unique usernames and passwords to access the database. Never share login IDs and passwords. Follow policies 900.00 Computer Usage Policy and 900.10 User Password. Contact the database administrator or Research IS (researchis@nshs.edu) if you need to obtain or change a password.

3. What type of password should be used?

Strong passwords must be used and changed every 90 days. Passwords must be at least 6 characters long, and a new password must differ from the previous 12 passwords. These are the institutional minimums set by policy 900.10 User Password; a longer passphrase is stronger and still meets them. For more details refer to policy 900.10 and contact Research IS for further assistance.
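The access rules in questions 1 and 2 above (only rostered study personnel, access terminated when someone leaves, no shared logins) are what the quarterly log review required under the technical safeguards further down is meant to verify. The block below is an added example of that review, not a Northwell tool or code from the guidance. The log line format, the sample log, the roster and the five-minute "two hosts, one account" heuristic are all assumptions made for the example; adapt the parser to whatever your database actually writes.

```python
"""Quarterly review of a database access log against the study roster
(added example)."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# ASSUMPTION: log format, one database action per line:
# ISO timestamp, account, source workstation, action, record id.
# The lines below are constructed; the record ids are fictitious.
SAMPLE_LOG = """\
2015-10-05T09:12:31,jdoe,WS-0412,read,MRN-1001
2015-10-05T09:13:02,jdoe,WS-0412,read,MRN-1002
2015-10-05T09:14:40,jdoe,WS-0977,read,MRN-1003
2015-10-07T14:02:11,asmith,WS-0210,update,MRN-1001
2015-11-18T16:45:09,asmith,WS-0210,read,MRN-1004
2015-12-02T11:20:00,tnguyen,WS-0301,read,MRN-1005
"""

# ASSUMPTION: the PI's roster of authorized accounts (constructed):
# account -> date access should have ended, or None while still active.
ROSTER = {
    "jdoe": None,                  # coordinator, still on the study
    "asmith": date(2015, 10, 31),  # left the study 31 Oct 2015
}

# ASSUMPTION: one account used from two different workstations within this
# window is treated as a shared-login indicator for the reviewer to follow up.
SHARED_LOGIN_WINDOW = timedelta(minutes=5)

def parse_log(text):
    """Parse the assumed CSV format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, action, record = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "host": host, "action": action, "record": record})
    return events

def review_access_log(text, roster=ROSTER, window=SHARED_LOGIN_WINDOW):
    """Return (finding, account, timestamp) tuples for follow-up.

    Findings: an account that is not on the roster; use of an account after
    its end date (access was not terminated); one account seen from two
    workstations inside the window (possible shared login).
    """
    findings = []
    seen = defaultdict(list)   # account -> [(timestamp, host)]
    for ev in sorted(parse_log(text), key=lambda e: e["ts"]):
        acct, ts = ev["account"], ev["ts"]
        if acct not in roster:
            findings.append(("account not on study roster", acct, ts))
        elif roster[acct] is not None and ts.date() > roster[acct]:
            findings.append(("access after end date", acct, ts))
        for prev_ts, prev_host in seen[acct]:
            if prev_host != ev["host"] and ts - prev_ts <= window:
                findings.append(("same account from two hosts", acct, ts))
                break
        seen[acct].append((ts, ev["host"]))
    return findings

def review_summary(text, roster=ROSTER):
    """Counts per finding type: the written record that the review was done."""
    counts = defaultdict(int)
    for kind, _, _ in review_access_log(text, roster):
        counts[kind] += 1
    return dict(counts)

if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
    print(review_summary(SAMPLE_LOG))
```

Run it against the full quarter's log with the roster the PI maintains; keep the summary and the dated findings with the study records, since the guidance requires a record of each review, and report anything abnormal to OCIO Security as described under technical safeguards.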
4. How do I ensure research data is saved and backed up properly? (administrative safeguard)

Research data should be saved and backed up on a health system shared drive/server or a secure external server. It should never be left unsecured. Contact Research IS (researchis@nshs.edu) for further assistance; depending on the request, they may escalate it to the data backup team.

5. What technical safeguards are needed for databases?

- An automatic logoff after at most 15 minutes of inactivity must be implemented.
- The database activity logs must be reviewed and examined at least quarterly, and a record of each log review kept.
- Any abnormal conditions occurring on the network where the database is stored must be recorded and reported to OCIO Security.
- A disaster recovery and emergency mode operation plan must be developed. Contact researchis@nshs.edu for guidance.

6. How do I transfer ePHI to an external source safely?

ePHI must be transferred through a secure, encrypted method that meets Health System policies and standards (e.g. the secure File Transfer Platform, an encrypted USB drive, or system email). Do not use unapproved cloud-based storage (e.g. Google Drive/Docs, Dropbox, OneDrive, etc.) for storing PHI. The health system will soon be offering a cloud storage solution; contact Research IS for more information.
To email ePHI, only use the health system's email account and encrypt the email according to policy 900.11 E-mail Encryption Standards by doing the following:
 o Add the word "secure" or "PHI" to the subject line, or click the Encrypt and Send (Zixmail) button when you send the email.
For questions or help with encryption contact Research IS (researchis@nshs.edu).

7. How do I encrypt and secure mobile devices (e.g. laptops, tablets, removable portable hard drives, USB/thumb drives, smart phones, etc.) containing ePHI? (technical safeguards)

These devices must be encrypted (follow policy 900.25 Data Encryption and Integrity); open a ticket with IS if you are unsure whether your device is encrypted. Ensure portable computing devices are physically secure and not damaged, and never left unattended and unlocked (e.g. if in a car, store them securely out of view in the trunk, and never overnight). Do not create, store, access, transmit or receive ePHI on personally owned computers, laptops or portable hard drives. Encryption software should be available on health system desktops and laptops, which will allow you to encrypt portable media. Note that all mobile devices used to access Health System network and resources must be properly encrypted. Contact the IS Helpdesk if you require encryption or DLP software for your mobile device or any personal devices used for work.

8. What controls do I need to eliminate or minimize unauthorized access/viewing of PHI on workstations? (physical safeguards)

Follow policy 900.00 Computer Usage and contact IS for assistance. You may use privacy screens, automatic logoff, password-protected screen savers, monitors positioned away from public view, cubicle walls, or workstations placed in private or locked rooms. Remember to log out of the database before you leave the workstation.

9. What other physical safeguards do I need in place to protect ePHI from unauthorized access or theft?

Follow Policy 100.99 Facility Access Controls. Physical safeguards include locked doors, access badges, surveillance cameras, alarms, security checks, sign-in sheets for visitors and providing escorts. Files, hard drives and devices with PHI must be stored securely.

10. How can I clean media (e.g. hard drive, disks, etc.) that has PHI?

Follow Policy 900.26 Device and Media Usage and contact IS. There should be a proper sanitization process for the media and written notification that the media has been cleaned appropriately.

11. How do I develop a disaster recovery plan for a simple document or file based database? (administrative safeguard)

If your database has been saved on the HS server, it is covered. If not, the Disaster Recovery Plan will be evaluated as part of the assessment; follow policy 900.24 Disaster Planning and Operations, and contact IS if you need assistance. Ensure that you have a copy of the data and a backup plan (such as on the health system servers).
Tip: Disaster Recovery SOP guidance and templates can be obtained from Research IS.

12. How do I develop a disaster recovery plan for a more complex or custom database (e.g. MS SQL Server, Oracle)? (administrative safeguard)

Unique applications, such as custom databases, require a Disaster Recovery Plan in place according to policy 900.24. SOPs should also be written to detail how the DR Plan will be supported. Contact IS or CRS for guidance on how to complete this plan.

Closing Out Your Study

1. How do I develop a plan for final disposition of my database and/or the hardware it resides on?

Follow Policy 800.47 Protected Health and Confidential Information Disposal Policy and open a ticket with IS. Prior to destroying or disposing of any storage device or removable media, ensure that the device or media does not contain ePHI. See Policy 900.29 Disposal Policy on proper disposal of equipment. Currently, IS provides Refresh Disposals and Non-refresh Disposals for desktops and laptops, as well as certified media destruction. Contact IS to place the order.

2. What else should I consider before closing out my study?

Follow policy 100.97 Records Retention and Destruction. Ensure you have a plan for recording, archiving, retaining, and accessing the data for a sufficient amount of time after the study is closed.

3. Can I bring/remove research data containing PHI with me when I leave the health system?

Follow policy GR088 Principal Investigator Exit Process. Investigators leaving the health system who wish to remove or transfer the data generated from their research are required to obtain a Material Transfer Agreement and complete the PI exit process in accordance with health system requirements.

Other Concerns

1. How do I obtain training/education or information related to data security?

See the Public Research Education Program (PREP) schedule for upcoming courses; past courses can be viewed at www.feinsteininstitute.org/prep. Go to the IS homepage to view Security Safeguard news and information, or to the Research IS homepage.

2. How can I report any concerns, questions, or incidents related to any possible PHI data loss or breach?

Immediately contact the ORC for research-related HIPAA issues or potential breaches. Contact information:
- Help Desk: (516/718/631) 470-7272, ISHelpDesk@nshs.edu
- IS security concerns or questions: OCIO Security, (516) 734-3370, Security2@nshs.edu
- Research IS services or questions: Research Information Systems (RIS), (516) 562-0454, ResearchIS@nshs.edu
- Research-related compliance or HIPAA concerns or questions: Office of Research Compliance (ORC), (516) 321-2101, ORC@nshs.edu
- General HIPAA privacy concerns or questions: Corporate Compliance Hotline, (800) 894-3226, www.northshorelij.ethicspoint.com

What language can I include in my research protocol?
The following language can be included in the research protocol to address plans to protect ePHI and should be modified as appropriate:

"The confidentiality, integrity and availability of research data in electronic form will be ensured through appropriate security measures per the HIPAA Security Rule requirements. Research data will be collected, recorded, stored, managed and transferred in a secure manner and only accessed by authorized personnel for research purposes. Research data containing PHI will be securely transmitted through ________ between ________ and ________. The final data disposition/storage will be ________ after study completion."
The following language can be included in the research protocol to address plans to use REDCap to collect ePHI and should be modified as appropriate:

"The Feinstein Institute for Medical Research will be used as a central location for data processing and management. Vanderbilt University, with collaboration from a consortium of institutional partners, has developed a software toolset and workflow methodology for electronic collection and management of research and clinical trial data. REDCap servers are housed in a local data center at the Feinstein Institute for Medical Research and all web-based information transmission is encrypted. REDCap was developed specifically around HIPAA Security guidelines and is recommended to Northwell Health researchers by the Research IT Security group, Research Compliance Office, and Institutional Review Board."

Remember: the following are links to our policies related to HIPAA privacy and security:
https://nslijhp.northshorelij.com/nslij/departments/corporate%20compliance/pages/corporatecompliancepolices.aspx
https://nslijhp.northshorelij.com/nslij/policies/feinstein/pages/healthsystemresearchpolicies.aspx

See our SECURE IT card for more helpful tips.

References:
1. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.pdf
2. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
3. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf
4. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf
5. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html