IRB Policy for Security and Integrity of Human Research Data


Kathleen Hay, Human Subjects Protection Office
Terri Shkuda, Research Informatics & Computing, Information Technology

Overview of Presentation
- Regulatory Background
- Revised IRB Policy
- Investigator Responsibilities
- Requirements for Data Security and Integrity
- Investigator Resources
- REDCap

Regulatory Background

Regulatory Background
- 45 CFR Part 46 and 21 CFR Part 56
  - Criteria for IRB approval: When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.
- HIPAA
  - Privacy Rule: Establishes national standards to protect individuals' medical records and other personal health information and sets limits and conditions on the uses and disclosures of this information
  - Breach Notification Rule: Requires entities to provide notification following a breach of unsecured PHI
  - Security Rule: Establishes standards for security of e-PHI
- HITECH Enforcement Rule: Establishes categories of violations and penalties

Regulatory Background
- Institutional policies, PSU and HMC
  - PSU-AD20 Computer and Network Security
  - PSU-AD23 Use of Institutional Data
  - PSU-AD71 Data Categorization
  - PSU ADG07 Data Categorization Examples
  - HAM C-08 Confidentiality: Disposal of Information, Sanitizing of Electronic Media, and Destruction of Hard Copy Documents
  - HAM C-37 Confidentiality: Electronic Storage of Sensitive Data
  - IRB SOP Addendum: Security and Integrity of Human Research Data

Revised IRB Policy Addendum IRB SOP Addendum: Security and Integrity of Human Research Data

Revised IRB Policy
- IRB SOP Addendum: Security and Integrity of Human Research Data
  - Became effective January 2012
  - Revision will be effective December 1, 2014
- SOP is available on IRB website under Resources/Investigator Resources

Revised IRB Policy
What are the main changes:
- Defines Penn State Hershey researchers and external researchers
- Defines 2-level categorization for data
- Includes a new process for submitting plan
- Provides revised requirements for electronic and paper data storage
- Provides requirements for data transfer
- Requires data transfer agreements if data are transferred to and/or from any third party

Revised IRB Policy
- Penn State Hershey researcher: Employee, faculty or student of the PSU College of Medicine (COM) and/or Hershey Medical Center (HMC)
- External researcher:
  - If the research uses/discloses protected health information (PHI): any researcher who is not an employee, faculty, or student of COM and/or HMC
  - If the research does not use/disclose PHI: any researcher who is not an employee, faculty or student of Penn State University, COM, HMC

Revised IRB Policy
- Protected health information (PHI)
  - Individually identifiable health information
  - Transmitted or maintained in any form or medium by a Covered Entity or its Business Associate
- Individually identifiable health information
  - Health information, including demographic information
  - Relates to an individual's physical or mental health or the provision of or payment for health care
  - Identifies the individual
- Personally identifiable information (PII)
  - Information that can be used to uniquely identify a single person or group of individuals

Revised IRB Policy
Policy defines 2 levels for human research data
- Level 1: De-identified research data about people
  - De-identified data collected for a research study, such as an anonymous survey
  - Publicly available datasets
- Level 2: Data about individually identifiable people
  - Research data that include identifiable health information (PHI) collected for a clinical trial
  - Research data that include identifiable non-health information (PII), such as test scores or student record information or employee records
  - Research data that include identifiable non-health, non-sensitive information collected as part of a research study

18 HIPAA Identifiers
- Names
- All geographic subdivisions smaller than a State
- All elements of dates (except year)
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device identifiers
- Web URLs
- Internet Protocol (IP)
- Biometric identifiers, finger and voice prints
- Full face photographic image
- Any other unique identifying number/characteristic/code
Identifier added as part of SOP:
- Whole genomic sequence data

Revised IRB Policy
Procedure:
- IRB Chair or designee reviews data security-integrity plan by expedited review process
  - New studies: plan reviewed during pre-review
- Reviewer determines if plan fulfills requirements for applicable security category
- If plan does not meet policy requirements, it is reviewed by the IT Security Group
  - Provides guidance to IRB regarding changes needed to approve plan
  - May recommend IRB approve of a variance
- Compliance is monitored by Research Quality Assurance Office as part of routine or directed post-approval reviews

Revised IRB Policy
- For research involving transfer of PHI or PII to and/or from any third party*
  - IT Security must approve method of data transfer
  - Ancillary review process in CATS IRB
- Written transfer agreements required for projects involving transfer of human research data to and/or from any third party*
  - Agreements negotiated by OTD or ORA
  - Ancillary review process in CATS IRB
- Written transfer agreements needed if PI is leaving PSH and plans to take data
*Third party = external sponsor or external researcher

Investigator Responsibilities

Investigator Responsibilities
Investigators are responsible for:
- Disclosing nature of data to be collected
- Submitting data security/integrity plan at initial review using Application Supplement Research Data Plan Review Form **NEW**
- Implementing & monitoring the plan upon IRB approval
- Ensuring all research personnel are trained and have signed a confidentiality agreement
- Reporting breaches of confidentiality to IRB as RNI
- Contacting ORA or OTD to negotiate transfer agreements if applicable

Investigator Responsibilities
- New studies
  - Submit Application Supplement-Research Data Plan Review Form with CATS IRB
  - Upload form on Basic Information page question #7 along with protocol/PSA
  - Form will be stored in CATS IRB Library under Templates
  - To avoid redundancy, do not include data security/integrity plan in protocol or protocol site addendum (PSA)
  - State "See the Research Data Plan Review Form" in the Confidentiality, Privacy and Data Management section of protocol or PSA
    - Section 10 of the protocol templates (HRP-591 and HRP-592) and Section 4 of the PSA (HRP-595)
- Ongoing active studies
  - No action necessary
  - Approved data security/integrity plan is in protocol

Investigator Responsibilities
- Research Data Plan Review Form
  - Form format: 15 questions
    - What identifiers are recorded?
    - Are data collected by mobile devices or internet?
    - How are data stored?
    - What is process for data integrity?
    - Are data being transferred to/from PSH?
    - If data transferred, how and what identifiers are being sent/received?

Requirements for Data Security and Integrity

Policy Recommendations: Level 1 Data
- Hardcopy
  - Stored securely in controlled environment
  - Disposal in regular trash
- Electronic
  - Good computer use practice (complex passwords, not sharing accounts, limiting access, etc.)
  - Portable media secured when not in use (locked office or lock-down cables)
  - Servers should have access controls
  - Electronic devices may be disposed of following deletion of research data files

Policy Recommendations: Level 1 Data
- Data transfer/sharing
  - Requires a written agreement between PSH and the external institution
  - Hardcopy: Data may be transferred double-wrapped using secure chain of possession
  - Electronic: Data may be transferred by unprotected e-mail

Policy Requirements: Level 2 Data
- Hardcopy
  - Stored securely in controlled environment (e.g. at PSU/HMC)
  - Data forms/code lists stored in locked file cabinets or limited access storage areas
  - PI must maintain lists of staff with access to data
  - Disposal by shredding

Policy Requirements: Level 2 Data
- Electronic
  - Stored on
    - Secure file server supported and maintained by IT or PHS
    - Secure database server supported and maintained by IT or PHS (such as REDCap or Oncore)
  - Device not listed above is deemed unacceptable for storage of Level 2 information unless a variance is granted by the IRB based on recommendation of the IT Security Group
  - Removable media (tracked, inventoried and physically managed) may only be used for either long-term archival storage or conveyance to another party

Policy Requirements: Level 2 Data
- Electronic (cont.)
  - Desktops and devices physically secured (locked offices and/or locked facilities with access restricted to study personnel and their guests)
  - Electronic devices set to automatically log off and lock after defined periods of inactivity
  - Access controls
    - PI keeps list of people with access to data
    - Access must be removed if individual has no reason for access
    - Access must be logged (identity of user, time & function)
  - Data routinely backed up and the back-up copy physically secured if applicable

Policy Requirements: Level 2 Data
- Electronic (cont.)
  - Devices must undergo secure deletion of the disk at the end of life of the device or prior to recycling
  - Data may not be stored, temporarily cached or otherwise accessed in a way that creates a local copy of the data on personal devices (PDAs, USB portable devices), or non-PSU owned devices of any kind (home computers, personal laptops or public computers)
  - Remote displaying permitted for remote access using applications where there are no persistent data copies when programs are remotely displayed (Citrix or Remote Desktop)

Policy Requirements: Level 2 Data
- Data transfer/sharing
  - Data must be de-identified before sharing with PSH study team members whenever the identifying information is not necessary
  - Data must be de-identified or date shifted before transfer to external entities unless subjects have given authorization to disclose identifiers to external entities
  - Requires data transfer agreement
  - Mechanism of transfer must be approved by IT Security Group

Policy Requirements: Level 2 Data
- Data transfer/sharing (cont.)
  - No PHI or PII may leave PSH unless subjects have given authorization to disclose their PHI/PII or the data are a limited data set
  - Requires written agreement
  - Electronic transmission: data must be encrypted (C-37 HAM)
  - Transfer of portable media: use a secure chain of possession
  - Hardcopy: double-wrapped using secure chain of possession
    - Commercial carrier or hand-delivered by research team member

Policy Requirements: Data Integrity
- Ensures that data are of high quality, correct, and consistent
- Examples of measures to ensure data integrity
  - Data entry performed twice by two different people
  - Edit checks
  - Random, internal quality and assurance auditing
- PI must ensure that backup copies of human research data are made and stored
  - If data stored on IT or PHS supported server, backups can be assumed
  - For others, backup copies maintained in a secure location

Investigator Resources

Investigator Resources
For more information
- HMC/COM applications: Call IT Helpdesk at x6281
- PHS applications: Call PHS Helpdesk at x7682
- Contact helpdesk@hes.hmc.psu.edu
- Email: ResearchComputing@hmc.psu.edu

REDCap
REDCap (Research Electronic Data Capture)
- Web-based application
- Supports data capture and management for research studies
- Designed to build and manage research data and surveys
- De-identification tools to protect PHI
- A build-it-yourself, intuitive user interface that allows study team members to create data collection forms without prior knowledge of database design

REDCap Data Security
REDCap at PSU has been designed to respond to the PSU Audit of 2010 and to support this Data Security and Integrity policy. The application has been thoroughly:
- Scanned for security threats
- Evaluated for the probability and impact of risks
Extra measures have been put in place to ensure the data is safe from potential attacks and data is stored in our internal network.

REDCap HIPAA Compliance
HIPAA compliant by providing:
- SOPs for role-based user access at the project level to ensure minimum access necessary to perform the task
- User accounts that are centrally managed by IT Accounts Management
- Audit trails for every action to ensure proper alteration or destruction of data
- User training requirements
- A secure data center where the project data is easily available by a web application and backed up to a remote location nightly
- A dashboard showing users for each project on the Project Home page

REDCap Data Integrity
Features addressing correctness of data entry
- Allows for stages of form completion (incomplete, unverified, complete, locked, e-signed)
- Data type validation and range checks
- Data Quality tool that supplies rules to search the data for missing, out-of-range and invalid values, and also lets users create rules themselves
- Double Data Entry module

REDCap Data Integrity (continued)
Features addressing threats to data validity
- Access: Role-based access monitored by IT Accounts Management & the REDCap Systems Analyst
- Modify/Alter/Destroy Data: every interaction with data is logged in an easily accessible audit trail
- Automated data import and export procedures with de-identification tools
- Upgrade and testing SOPs

Data Migration from Excel to REDCap
- REDCap: Build REDCap forms to match your existing Excel database. Download the REDCap Data Import template to Excel.
- Excel: Copy and paste existing data into columns of the Data Import template.
- REDCap: Import data from Data Import template in Excel to REDCap.
For a complete description of how to migrate your data from Excel to REDCap, please visit the REDCap Training webpage on our site at http://ctsi.psu.edu/

For more information about REDCap
- Email REDCap@hmc.psu.edu
- View REDCap tutorials on the Vanderbilt University website: www.projectredcap.org
- Visit our website at http://ctsi.psu.edu and select REDCap.
- Training offered biweekly on Tuesday afternoons (next session 8/28/12). Register for training by emailing REDCap@hmc.psu.edu.