EXAMPLE 2-JOINT PRIVACY AND SECURITY CHECKLIST

Transcription

1 Purpose: The purpose of this Checklist is to evaluate your proposal to use or disclose Protected Health Information ( PHI ) for the purpose indicated below and allow the University Privacy Office and Office of Cybersecurity to jointly review and provide guidance on the information privacy and security controls associated with your proposal. This Checklist is meant to be used in a variety of projects including IRB research, educational activities, any project involving vendors who will receive Institutional PHI or any project where you will be receiving PHI from another entity for a reason other than treatment. Instructions: Please complete this form with as much detail as you are able and return it via to the address listed at the end of this form. After we receive the completed Checklist, we will evaluate your responses and respond to you with next steps (if any). Should you have any questions about completing this form, please them to the University X Privacy Officer at privacyofficer@universityx.edu or by phone at PI or Project Leader Name & Title: Dr. Patricia Patterson, Developmental Behavioral Pediatrician PI or Project Leader Contact Information: Phone Number: ppatterson@universityx.edu School/Department: Pediatrics Your contact information (name/phone/ ) if you are not the PI or project leader: Rex Alman, Administrator; Purpose of this Request: Check all that apply Student education Quality improvement/quality assessment University administration and/or operations (including HR) Medical/clinical care IRB approved research (Protocol no ) Fundraising or marketing Other (describe: Click here to enter text.) If you have IT support in your department or as part of this project, please list their name and contact information here: Sid Foley; sid.foley@universityx.edu 1. Briefly describe your project and the timeline in which you hope to begin your project: Development of autistic children through various behavioral therapies. Studying social behaviors of children diagnosed with Autism Spectrum Disorder (ASD) using wearable technology (Google Glass) by measuring instances of eye contact with the researcher and/or parent to examine participant social behaviors. Study will examine variety of conditions, including differences between interaction with minor subject and his/her parent (bonded relationship) and minor subject and researcher (non-bonded relationship) to examine any behavioral patterns over time. 2. Will any data be disclosed to, or received from, a 3 rd party? ( A third party is any person outside the PI s research team, or outside of the Project leader s internal 1

2 team. 3 rd parties including people from elsewhere at University X, or from another institution altogether)? If yes, please describe: Yes, we will receive data: Please describe from where/whom and how the data will be transferred? University X will receive data directly from study participants (raw video footage between child and researcher and/or child and parent). Yes, we will disclose data: Please describe to where/whom and how the data will be transferred? University X will transmit video files to collaborating institution (University G) for analysis. No, we will not be transmitting data to any 3 rd party, nor will we receive data from any 3 rd party. 3. Check all that are identifiers that will be created, accessed, analyzed, transmitted, stored, received or disclosed as part of this research or project: Check all that apply. Names Geographic subdivisions smaller than a state: Please list exactly what geographic identifiers will be received and/or disclosed (state, city, county, street address, zip code): Click here to enter text.) Dates: (except year) directly related to an individual, including DOB, health care service, admission, or discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, unless aggregated into a single category of ages over 89: Please list the types of dates (ex., date of service) and format of any dates (month/year) being received or disclosed: Dates of birth, dates of services Telephone numbers, fax numbers, and/or addresses Social security numbers Medical record numbers Health insurance ID number(s), account numbers, and/or plan beneficiary numbers Certificate/driver s license numbers Vehicle identifiers and serial numbers, including license plate numbers Device identifiers and serial numbers Web Uniform Resource Locators (URLs) and/or Internet Protocol (IP) address numbers Biometric identifiers, including finger and voice prints Full face photographic images and any comparable images Any other unique identifying number, characteristic, or code Student data (demographics, grades, other Click here to enter text. ) Faculty or staff employment documents (personnel files, salary, benefits, etc.) University ID numbers, student or employee ID numbers Donor information (from University fundraising) Research data from other IRB approved studies 2

3 Medical Records: Describe (ex: diagnosis and treatment information, lab results, physician notes, diagnostic images, prescription information, sensitive medical conditions (STDs, HIV, mental health records, alcohol and drug treatment information), etc.) Click here to enter text. Other (describe) Raw video footage of minor children diagnosed with Autism 4. For all data elements listed above, list the location(s) where the data will be 1) collected/created, 2) stored, 3) accessed from and/or analyzed, and 4) how it will be shared or released? (Include details covering both physical locations and electronic systems. Include system IDs if possible. Make special note if a system is mobile, such as a laptop, external hard drive or thumb drive.) If you are able to submit a data life cycle or data flow diagram with this Checklist, it will greatly improve our ability to analyze your proposal. A data life cycle or data flow diagram will list specifically the security controls in place at each stage of the data during its collection, storage, use (by all internal parties), release (including security controls used in planned transmissions of the data) as well as storage and ultimately archival and destruction. Raw video between study participants and parent/researcher will be temporarily stored locally on one of three sets of Google Glasses. Raw footage will be uploaded from mobile device via USB cable to a department-issued encrypted desktop and uploaded to an encrypted portal hosted by collaborating institution University G and stored on an encrypted server with University G s data warehouse. Local copy of video on Google Glass will be deleted upon confirmation that upload was successful to encrypted portal. University G researchers will analyze the video using study-specific metrics. University G researchers will share analysis with University X researchers. University G will archive the data for the duration of the project and approximately three years thereafter to meet statutory, regulatory and institutional records retention requirements. 5. Describe the population of individuals whose data will be collected, accessed, stored, transmitted, processed, released (e.g. University Hospital patients, clinical research participants, students, etc.) and provide an estimate of the number of persons and number of unique records per person for each category (e.g. All Medicare recipients living in the state of Wisconsin so roughly 1.5 million who have three types of records collected as part of this project each year over three years resulting in the collection of roughly 4.5 million different records, each year). Types of individuals whose data will be involved in this project: Males and females > 8 and <16 with Autism Spectrum Disorder (ASD). Total number of individuals who whose data will be involved with this project (please estimate if this is a multiyear project please provide an estimate over multi-year intervals): 3

4 Approximately 30 subjects (from University X). Longitudinal study to span approximately 3 years. 6. Will a vendor or third party perform any service as part of this research project on your behalf or at your request? If so, please list the name, address and contact information for the vendor or individual and describe the service they will perform and how data will be transmitted to this vendor. (Examples: using a survey system not owned and operated by the researcher team; using computer systems for storage, backup, or statistical analysis, providing data to another party for geo coding, etc ) University G (collaborating institution) will store raw video obtained from Google Glass sessions on device. 7. Will any data need to be shared with collaborators (internal or external to University X)? YES NO a. If YES, list the collaborators and their institution: University G, Dr. Jillian Goke, Department of Pediatrics b. Indicate how the data will be shared with collaborators? University G will provide encrypted portal and local servers to store raw video footage and perform analysis using systematic methodology developed between the collaborating institutions. 8. Is there an agreement (executed or in draft form) for the data sharing with the collaborator(s)? YES - If yes, please attach a copy NO 9. Have all University X employees involved with this project, including all IT staff supporting your systems, completed this current year s annual HIPAA training? YES NO Unknown Please return this form and any attachments as follows: University X Privacy Officer at privacyofficer@universityx.edu 4

5 5