Storage and Security of Research Data
IRB Continuing Education 2007

Sheila Moore, CIP
Director, Office of the IRB

Terrell Herzig
UAB/UABHS HIPAA Security Officer
“The Good Old Days”

“All research files will be stored in a locked file cabinet in a locked office.”

The above may still be true, but more than likely there will be some sort of electronic storage of data.
Paper and Electronic Storage

- The IRB is concerned with ensuring that the confidentiality of participants’ research records is maintained, whether the records are in paper and/or electronic storage.
- Each protocol needs to adequately address confidentiality of participant records.
Internet/Web

- The IRB is concerned with ensuring that the confidentiality of participants’ research records is maintained when data are sent via the internet as well.
- This includes the use of, or transfer of data to, outside services (e.g., Google).
Human Subjects Protocol (HSP), Confidentiality Q#22

- Describe the manner and method for storing research data and maintaining confidentiality. If data will be stored electronically anywhere other than a server maintained centrally by UAB, identify the department and all computer systems used to store protocol-related data, and describe how access to that data will be limited to those with a need to know.
- If data are stored electronically anywhere other than a server maintained centrally by UAB, contact HIPAA Security for guidance.
HSP – Confidentiality (continued)

Will any information derived from this study be given to any person, including the subject, or any group, including coordinating centers and sponsors?
Yes / No

If Yes, complete i-iii.
i.   To whom will the information be given?
ii.  What is the nature of the information?
iii. How will the information be identified, coded, etc.?
Electronic Storage of Data

- The IRB must review processes/research in which:
  - Data are maintained electronically for storage and data analysis
  - Databases are used to collect/store information for current research or for future research use
- The IRB will be asking about storage of data on the final report form.
Database Research: Clinical and/or Research

- Where the purpose/intent of the research is to generate and maintain a database for research purposes
- The researcher is gathering information about human subjects to populate a research database
- A database may have a dual intent. If research is an intent, it must have IRB review.
Dual Intent

- Database for clinical use and research use
- Database for clinical use: review for compliance with HIPAA security standards
- If the intent includes research, the database must have IRB review
- No laptop storage: access a secure server where the database is securely stored
Research Data

- Data collected for a protocol may not be released to others (including other researchers or students, at UAB or elsewhere) without first obtaining UAB IRB approval.
- This includes data from terminated protocols.
Electronic Storage

- If there has been a change in the storage process and data are now stored electronically, submit a revision to the IRB for review.
Rule of Thumb!

DON’T use a thumb drive for storage of research data!
Describe to the IRB

- The security measures for data:
  - Coding
  - Encryption
  - No data taken off-campus
HIPAA and The UAB Researcher

Terrell W. Herzig, MSHI
UAB/UABHS HIPAA Security Officer
HSIS Data Security Officer
A Recent Scenario

Background:
- A computer external hard drive, used to back up a clinical research database, contains protected health information.
- It is of average size for such devices, 2”x8”x6”.
- It is in a locked private office.

If this external hard drive goes missing, how much would it cost?
Choose only one answer:

A. $104
B. 1.8 million x $30
C. Lost productivity for an entire entity while cooperating with an investigation (estimated at $23 million)
D. Research is shut down
E. All of the above
And the answer is…

A. $104
B. 1.8 million x $30
C. Lost productivity for an entire entity while cooperating with an investigation (estimated at $23 million)
D. Research is shut down
E. All of the above
How much would the same drive have cost if proper safeguards had been in place?

Answer: $127

- $104 for the drive
- $23 for the encryption software
Other interesting numbers

- 5: Number of hours the person who lost the drive spent hooked to a polygraph
- 2: Number of federal agents on campus conducting the investigation
- 12: Number of weeks of man-hours spent by the organization cooperating with the agents
- <1: Number of blocks from UAB/UABHS this facility lies
- 9: Number of joint UAB/VA research projects under investigation by the VA’s IRB and Chief Information Security Officer
VA Recommendations

- Take administrative sanctions against:
  - IT Specialist
  - Birmingham REAP Director
  - Birmingham REAP Associate Director
  - Medicare Analysis Center Director
  - VA Information Resource Center Director
  - Birmingham Medical Center Director
  - Associate Chief of Staff for Research
- Develop government risk criteria for determining the need to notify.
- Require encryption on portable devices.
VA Recommendations (cont.)

- Re-evaluate position sensitivity levels and background investigations.
- Institute release-of-information practices for research.
- Develop access policies for programmer access for research.
- Require a data security plan before IRB approval.
- Audit for waiver compliance.
- Enforce access policies for National Data Centers.
- Prohibit storage of VA information on non-VA systems. Discontinue receiving VA email at UAB.
- Assess alignment of the REAP management structure. Correct the dysfunctional management structure.
“Oh, that can’t happen here…”
Recent Examples of Incidents Impacting UAB/UABHS Research

- Research database with protected health information stolen from a locked office
- Thumb drive containing a research database lost
- Laptop with a research database stolen
What are the risks associated with a breach in security?

- Risks to the individual whose PHI is compromised:
  - Embarrassment, misuse of personal data, becoming a victim of fraud or scams, identity theft
- Risks to the institution:
  - Loss of information and equipment, trust of constituencies, reputation, future grant awards; negative publicity; penalties, fines, litigation
- Risks to research:
  - Loss of data or data integrity, funding in jeopardy
  - If serious and/or continuing noncompliance is determined by the IRB, possible suspension or termination could result, as well as a report to the Office for Human Research Protections, other federal agencies, research sponsors, and other institutional officials as appropriate.
- Risks to the investigator or employee:
  - Loss of data, time, funding, reputation; embarrassment; disciplinary action, prosecution, fines, civil and criminal penalties
At UAB, HIPAA affects…

- More than 12,000 employees, which is approximately 67% of the UAB/UABHS workforce
- More than 5,000 students
- Over 44,000 hospital discharges annually
- Over 400,000 outpatient visits annually
- $450 million awarded in grants and contracts involving human subjects
- A physical plant of approximately 80 blocks
Final Jeopardy

Answer: The 18 elements that can be used to identify an individual as documented in the HIPAA Regulations.
What is protected health information?

Protected health information (PHI) is any information, including demographic information, that is TRANSMITTED or MAINTAINED in any MEDIUM (electronically, on paper, or via the spoken word) that is created or received by a health care provider, health plan, or health care clearinghouse; that relates to or describes the past, present, or future physical or mental health or condition of an individual, or past, present, or future payment for the provision of healthcare to the individual; and that can be used to identify the individual.

“ePHI” is often used to designate electronic PHI.
PHI Data Elements

The following identifiers of the individual, or of relatives, employers, or household members of the individual, are considered PHI:

1.  Names
2.  Geographic subdivisions smaller than a state (street address, city, county, precinct, zip, equivalent geo-codes)
3.  All elements of dates (except year) including birth date, admission and discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age
4.  Telephone numbers
5.  Fax numbers
6.  Electronic mail addresses
7.  Social Security numbers
8.  Medical record numbers
9.  Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code, except as allowed under the ID specifications (164.514c)
So that means…

Linking any one of these 18 PHI data elements to an identified diagnosis or medical condition, whether the diagnosis comes from a medical record or is self-reported by the participant, means that PHI is being maintained.

Example:
A database entitled “Liver Transplant Recipients” containing only individuals’ names is linking 1 PHI data element with a medical condition. The database contains PHI.

Do you have PHI as part of your research data?
Types of Data Protected by HIPAA

- Written documentation and all paper records
- Spoken and verbal information, including voice mail messages
- Electronic databases and any electronic information containing PHI stored on a computer, PDA, memory card, USB drive, or other electronic media
Research: A Use

- Sharing of PHI among UAB/UABHS covered entities for research is considered a “use” of PHI.
- New requirement for researchers: all databases containing PHI must adhere to the UAB/UABHS information privacy and security standards as required by the federal HIPAA regulations.
How Researchers Can Use or Disclose PHI in Compliance with HIPAA

- If the Institutional Review Board (IRB) has approved the research, and
- One or more of the following conditions exists:
  1. The activity is preparatory to research.
  2. The research involves only decedent PHI.
  3. The research uses a “limited data set” and a data use agreement.
  4. The patients or participants have signed an authorization to use the PHI for the research.
  5. The IRB has granted a waiver for the required patient/participant signed authorization.
Recruiting and Screening

- Research recruitment techniques must meet HIPAA standards for privacy and confidentiality.
- Investigators must separate the roles of researcher and clinician.
- Investigators must not use their clinical access privileges to search patient records for potential research participants.
- Physicians may contact only their own patients to recruit for research studies.
- If investigators receive data from a covered entity to complete their research, then the principal investigators or designated researchers must provide a copy of the fully executed IRB approval form to the covered entity holding the data before the data can be released for research.
- A covered entity may require that the investigators complete its own HIPAA-compliant Authorization for Use/Disclosure of Health Information form in addition to providing the IRB approval form.
De-Identified Data and HIPAA

- Data are de-identified when all 18 PHI data elements have been removed prior to receipt by the researcher; no further action is then required to meet HIPAA compliance. De-identified data are not PHI.
- See the “HIPAA Handbook for Researchers” regarding statistical methods to de-identify data and re-identifying codes. This UAB handbook is available at www.uab.edu/irb/hipaa/hipaa-handbook.pdf.
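An added example, not from the slides or UAB’s handbook, that applies the rules from the PHI Data Elements and De-Identified Data slides to a small research table: direct identifiers are dropped, dates keep only the year, and ages over 89 (and any birth year that would reveal one) are aggregated. The column names, the identifier mapping and the sample rows are constructed assumptions; a study would map its own columns the same way.

```python
import re
from datetime import date

# Assumed column names mapped to the identifier categories the slides list
# (elements 1-2 and 4-17). A real dataset's columns must be mapped by hand.
DIRECT_IDENTIFIERS = {
    "name": "1 name", "street": "2 geography", "city": "2 geography",
    "county": "2 geography", "zip": "2 geography", "phone": "4 telephone",
    "fax": "5 fax", "email": "6 email", "ssn": "7 SSN", "mrn": "8 medical record",
    "plan_id": "9 health plan", "account": "10 account", "license": "11 license",
    "vin": "12 vehicle", "device_serial": "13 device", "url": "14 URL",
    "ip": "15 IP address", "fingerprint": "16 biometric", "photo": "17 photo",
}
# Element 3: all date elements except year. Full ISO dates are reduced to the year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

def _as_int(value):
    """Return value as an int, or None if it is not a plain integer (e.g. '90+')."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def _age_on(dob, as_of):
    """Whole years of age on as_of, or None if dob is not a full ISO date."""
    m = ISO_DATE.match(str(dob))
    if not m:
        return None
    born = date(*map(int, m.groups()))
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))

def find_phi(record):
    """Identifier categories present in a record, keyed by column (empty if none)."""
    found = {k: DIRECT_IDENTIFIERS[k] for k in record if k in DIRECT_IDENTIFIERS}
    found.update({k: "3 date element" for k in record if k in DATE_FIELDS})
    age = _as_int(record.get("age"))
    if age is not None and age > 89:
        found["age"] = "3 age over 89"
    return found

def deidentify(record, as_of=date(2007, 1, 1)):
    """Drop direct identifiers, reduce dates to year, aggregate ages over 89 as '90+'."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # removed outright
        if key in DATE_FIELDS:
            m = ISO_DATE.match(str(value))
            if m:
                out[key + "_year"] = int(m.group(1))   # keep the year only
            continue
        out[key] = value
    age = _as_int(record.get("age"))
    if age is None and "dob" in record:
        age = _age_on(record["dob"], as_of)
    if age is not None and age > 89:
        out["age"] = "90+"            # ages over 89 are aggregated, and the
        out.pop("dob_year", None)     # birth year that reveals them is dropped
    return out

# Constructed rows for a table named by a condition (the slide's "Liver Transplant
# Recipients" example): a single identifier such as a name already makes a row PHI.
LIVER_TRANSPLANT_RECIPIENTS = [
    {"name": "Jane Doe", "dob": "1915-03-12", "zip": "35294", "mrn": "000123",
     "admit_date": "2006-11-02", "lab_result": 4.2},
    {"name": "John Roe", "dob": "1960-07-30", "email": "john@example.org",
     "age": 46, "lab_result": 3.9},
]

def deidentify_table(rows, as_of=date(2007, 1, 1)):
    """De-identify every row and confirm nothing find_phi flags survives."""
    clean = [deidentify(r, as_of) for r in rows]
    assert all(not find_phi(r) for r in clean)
    return clean
```

Run `deidentify_table(LIVER_TRANSPLANT_RECIPIENTS)` to see the first row reduced to an admission year, a lab value and the age bucket "90+", while the 46-year-old keeps a birth year and exact age.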
Minimum Necessary Standard

- HIPAA requires that a covered entity limit the PHI it releases/discloses to a researcher to the “information reasonably necessary to accomplish the purpose.” A covered entity relies on the researcher’s request and the documentation from the IRB to describe the minimum PHI necessary to accomplish the research goals.
- A signed authorization from the research patient or participant supersedes the minimum necessary restriction.
A Business Associate Agreement (BAA)…

- Is required before you contract with a third-party individual or vendor to perform research activities involving the use or disclosure of PHI.
- Binds the third-party individual or vendor to the HIPAA regulations when performing the contracted services.
- Must be approved in accordance with UAB/UABHS policies and procedures.

Additional information about BAAs can be found on the UAB/UABHS HIPAA Website at www.hipaa.uab.edu.
Patient Rights

HIPAA guarantees certain rights of privacy to patients.

If PHI is released or disclosed to a researcher, then the researcher becomes responsible for ensuring that the use and disclosure of PHI complies with HIPAA regulations as outlined in the UAB/UABHS HIPAA standards.
The HIPAA Security Rule

- Confidentiality
- Integrity
- Availability
The Researcher must…

- Provide and maintain database security, including physical security and access.
- Control and manage the access, use, and disclosure of the PHI.
The Researcher’s Role in Information Security

- Store PHI in locked areas, desks, and cabinets.
- Control access to research areas.
- Obtain lock-down mechanisms for devices and equipment in easily accessible areas.
- Challenge persons without badges in restricted areas.
- Verify requests from maintenance, IT, or delivery personnel.
Desktop/Workstation Security

- Arrange the computer screen so that it is not visible to unauthorized persons.
- Log off before leaving the workstation.
- Configure the workstation to automatically log off and require the user to log in if there is no activity for more than 15 minutes.
- Set a screensaver with password protection to engage after 5 minutes of inactivity.
- Manage your research data. Store documents and databases with ePHI securely on a network file server. Do NOT store ePHI on the workstation (C: drive).
- Do not allow coworkers to use your computer without first logging off.
Portable Device Security

Portable devices include hand-held, notebook, and laptop computers, personal digital assistants, cell phones, and pocket or portable memory devices such as thumb and jump drives.

- Do not use a portable device for storing ePHI.
- Use password protection.
- Delete ePHI when it is no longer needed.
- Keep your application software up to date.
- Back up critical software and data on a secured network.
- Follow all of the recommendations for workstation security.
- Use only VPN for remote wired and wireless connectivity.
- Check with IT representatives for other security safeguards.
- Use encryption when transporting ePHI on any mobile computing device. Be sure to back up encryption keys.
What is encryption?

The process of transforming data to an unintelligible form in such a way that the original data cannot be obtained without using the inverse decryption process.
Email Use

- General rule: do NOT send emails containing PHI.
- At UAB/UABHS, do NOT email ePHI except between GroupWise and Central Exchange email addresses. Confirm Central Exchange addresses with AskIT.
- Email with ePHI to addresses outside the GroupWise/Central Exchange systems must be encrypted. Ask your IT representative to assist you with encryption.
- Do not FORWARD your UAB emails to outside email systems, e.g., AOL, Hotmail, Yahoo, Gmail.
Internet Use

- Do not use web-based personal file and backup services, e.g., Google Docs, spreadsheets, personal backup sites, etc.
- Do not surf the web while using an account with administrator rights.
Account Management

- Do not share your user account, password, token, or other system access.
- Use strong passwords that are at least 6 or 8 characters long, depending on the minimum required by your system. Include upper and lower case letters, numbers, and special characters such as #, %, ?, and $.
- Do not use pet names, birthdates, or words found in the dictionary.
- If you must write down your password, keep it locked up or in your wallet, protected like a credit card.
- Do not enable your browser to remember your password.
- Only access PHI/ePHI for business-related purposes.
- Do not use your system access to look up medical information on yourself, family, friends, or coworkers.
- Notify IT support immediately if you believe your system access has been compromised.
What if an incident occurs?

- Call the appropriate helpdesk: HSIS at 934-8888 or AskIT at 996-5555.
- Contact the IRB office at 934-3789.
- Gather as much information regarding the incident as possible.
- Document the information on the appropriate incident reporting form.
- Do not delete anything.
- If information or equipment is stolen, contact the UAB Police Department and file a report.
- Cooperate with investigators (both internal and external).
- Refer external inquiries regarding the incident to UAB Media Relations.
Others That Can Help

- AskIT Help Desk at 996-5555
- HSIS Help Desk at 934-8888
- Your Entity Privacy Coordinator or your Entity Security Coordinator
- UAB HIPAA Security Officer, Terrell Herzig, at 975-0072
Remember the HIPAA Mantra

Everyone is responsible for the privacy and security of protected health information.