Privacy and Security Update: What Clinical Researchers Must Know

Transcription

1 Privacy and Security Update: What Clinical Researchers Must Know Megan Morash Chair of Partners Human Research Committee Sarah E. Jordan Privacy and Security Specialist Fabio Martins Research Information Security Officer Toby Tsuchida MGH Information Security Officer

2 Agenda Concepts HIPAA Future Use Genetic Information/GINA Decedents Sale of PHI Policies and Tools Data Management (RPDR and secure Survey Tools) Data Security Review Encryption Cloud storage Approved file transfer and storage tools Securing Communications Social Media Appropriate Access 2

3 Breaches in Research ed sensitive information to patients/subjects with Carbon Copy CC instead of Blind Carbon Copy BCC Left research files on top of mailbox Unencrypted USB with sensitive information stolen Unencrypted laptops with research/patient information stolen Encrypted laptop without sleep mode screen saver enabled stolen from public area Researcher s car broken into and bag with subject information taken Access to a patient s electronic health record without a need to know 3

4 HIPAA Key Concepts How Can PHI Be Used or Disclosed for Research? 1. Authorization 2. Waiver of authorization by IRB 3. De-identification Remove all 18 HIPAA identifiers 4. Limited Data Set (Dates and Zip codes only) 4

5 Authorization Written authorization to use/disclose PHI for research Merged into the written informed consent IRB templates Every research subject and/or patient must receive a copy of the Privacy Notice Compound Authorization 5

6 Use/Disclosure of PHI for Future Research Authorization to use PHI for future research studies, adequately described reasonable for the individual to expect that his or her PHI could be used or disclosed for such future research Obtain upfront authorization for future, unspecified uses and disclosures pursuant to certain conditions 6

7 Waiver of Authorization 1. The research involves no more than minimal risk to the privacy of the subjects 2. The research could not practicably be carried out without the waiver or alteration 3. The research could not practicably be conducted without access to and use of this identifiable information 7

8 De-identification 1.Safe harbor method = remove all 18 HIPAA identifiers 2.Expert determination method = statistical methods used to render the information not individually identifiable. 8

9 Limited Data Set / Data Use Agreement Limited Data Set (LDS) health information + dates and/or zip codes/ city/town names; all other identifiers removed Limited Data Set is still PHI, just fewer requirements HIPAA LDS Data Use Agreement required The PI can sign an outgoing LDS DUA if template used 9

10 Genetic Information Genetic information is not Protected Health Information (PHI) unless it also includes one or more of the 18 HIPAA identifiers GINA prevents health plans from discriminating based on genetic information 10

11 Decedents Individually identifiable health information of a person who has been deceased for more than 50 years is no longer considered PHI Facilitates historical/archival work Competing interest: privacy of still-living relatives 11

12 Sale of PHI Disclosure of PHI to Researcher Reasonable, cost-based fees Labor, materials and supplies for generating, storing, retrieving and transmitting PHI Related capital and overhead costs Does NOT include PHI transfer under research grant or contract 12

13 Research Patient Data Repository Clinical data registry Online query tool Aggregate patient totals Limited dataset Identifiable data Why use this? Efficient Automated security measures 13

14 Secure Survey Tools and EDC REDCap (free) StudyTRAX (at cost) LimeSurvey (free) 14

15 What is a Data Security Review? Who is monitoring/responsible (qualifications)? Vendors/websites Physical locations of data storage Encryption methods Instruction/Education to participants BAAs Password Management, Access Audit Controls Data backups/recovery Data Retention policy Special issues with use of Mobile Devices Anti-Virus Settings 15

16 Encryption Any mobile device* used for any Partners/MGH business must be encrypted. This policy applies- Both to devices issued by Partners and devices you own When accessing Partners systems such as *applicable devices include laptops, netbooks, smart phones, tablets, etc. 16

17 Encryption Misconceptions My laptop is password protected; I thought that was encryption. 17

18 Encryption Misconceptions I bought my laptop, new, last month directly from the Apple store. I was told it had encryption built in. I didn t know I had to do anything. 18

19 Encryption Misconceptions I make sure I use VPN or GoToMyPC every time. My computer is secure. 19

20 Cloud Computing 20

21 Partners Approved File Storage and Transfer Approved options: Information regarding data storage and backup options for research is available here: Transfer files using an encrypted USB or external drive Secure File Transfer and Collaboration Information about secure file transfers and collaboration can be found here: To use the Secure File Transfer and Collaboration tool, follow this link: 21

22 22

23 DropBox Business DropBox Business is approved for workforce use. Features: Your personal DropBox may not be used for PHI or confidential information. Your institution has agreed to pay for it. Encrypted Compliant with Partners policies and procedures Unlimited storage Contact your Service Desk for a DropBox Business account. DropBox Business knowledge link: 23

24 Securing Communications Sending inside Partners Sending outside Partners Procedure (How to Protect and Secure the ) sent from one Partners.org address to another Partners.org address is secure because it is behind the firewall Sending outside Partners could mean ing with patients/subjects or external business partners ing with Patients: Patient Gateway is the preferred patient communication tool and is a secure alternative to . If you need to use to communicate with patients/subjects, use send secure to encrypt the message ing with External Business Partners (You@Partners.org Sponsor@Novartis.com) s sent outside of PHS firewall that contain Confidential Data must be encrypted. Encryption can be accomplished by: (1) send secure; or (2) secure tunnel (a list of the entities we have a secure tunnel with is available at Remember: subject lines are never encrypted. Never include Confidential Data in the subject line. 24

25 Social Media Who can view? Not only you 25

26 Why use Social Media? HEALTH: A top reason for Internet use Expand reach Low Cost Increase access to information Pre-eligibility selfscreening Patients want information and contact with others about their disease/condition Keep participants interested and engaged It s cool Target population Social media may not be used for human subjects research activities unless specifically approved by the IRB. 26

27 By Gleeson Rebello 27

28 28

29 Appropriate Access Curiosity can kill careers. Make sure your only access is appropriate access 29

30 Navigating Access Did you know? Access starts with search 30

31 Searching VIPs, friends and coworkers Does this count as access? 31

32 Break the Glass Does this count as access? 32

33 Appropriate Access 33

34 Inappropriate Access Access to PHI is not appropriate if you do not need to know it to do your job. 34

35 Self Audit Tool Screenshot All Partners / MGH employees can monitor access to their own electronic health record. Concerns? Contact the Privacy Office:

36 Resources Partners Human Research Committee HIPAA Page: MGH Privacy and Security Intranet Page: Partners Information Security and Privacy Office Page (Partners Pulse): 36

37 Open Discussion, Questions Megan Morash Sarah E. Jordan Fabio Martins Toby Tsuchida Contact Us! Intranet: 37