Research Data Security Plan (RDSP) Reviewer Training


Research Data Security Plan (RDSP) Reviewer Training
January 6, 2014
Duke Medicine Information Security Office
DATA CLASSIFICATION: PUBLIC

RDSP Purpose
Institutional oversight and management of research data storage.
During an internal or external audit, can the auditors validate intended vs. actual data storage?
Can we guide our researchers into more secure methods of data storage?

History of RDSP
Implemented November 2011 for all new non-exempt submissions through the Duke Medicine IRB.
A retrospective survey in REDCap was administered by the Duke Office of Clinical Research (DOCR) to all existing approved, non-exempt studies at that time.

RDSP review
Paper review is done by the CRU/Study Owning Organization (Research Practice Manager or equivalent).
Electronic review is done by the designated IT group supporting the CRU/Study Owning Organization.
Final approval should come only after communication between the paper and electronic reviewers confirms that all data storage is listed and is compliant with Duke Medicine Information Security Standards and regulatory requirements.

...but IRB approved my study
The human subjects must understand where data are going and authorize the arrangements, which, within Duke, is accomplished via informed consent.
The IRB does not review the RDSP.
The Research Study Team and the CRU/Study Owning Organization are responsible for ensuring that what is listed in the RDSP is reflected in the IRB submission (consent, waivers, summary).
Communication with the study team and between reviewers is a critical aspect of the review process.

01. Storage Media Types
Reviewer Note: If both sections are blank, this should be questioned; it is rare that a research study generates no paper or electronic data at all. Note that this section does not mention PHI, so unless a study has generated no paper or electronic data whatsoever (extremely rare), something should be checked.

02.1 Storage of Paper or Non-digital Media
Reviewer Note: Check that Yes or No is selected for each dropdown in the section labeled "Indicate if paper or nondigital media, even if the storage is temporary, contain:". The PHI dropdown should almost always be Yes. If No is selected, inform the PI/CRC that nearly all of the data collected for a research study at Duke Medicine is PHI; even the date of a clinical service on its own qualifies as PHI.
Reviewer Note: SSNs require "two keys" for paper storage. Temporary storage of paper SSNs (permanently redacted at the earliest possible time) may be permitted for participant payment purposes, but all other paper SSN storage requires institutional approval through the Duke Medicine ISO. All storage, temporary or permanent, must be listed in the RDSP.

02.2 Storage of Electronic Information
Reviewer Note: Temporary storage of electronic SSNs (permanently redacted at the earliest possible time) may be permitted for participant payment purposes, but all other electronic SSN storage requires institutional approval through the Duke Medicine ISO. All storage, temporary or permanent, must be listed in the RDSP.

02.2 Storage of Electronic Information (continued)
Reviewer Note: As of January 2014, this section contains two additional storage options: "Duke University, OIT Managed Service" and "Campus Department Supported IT Service". If either of these is selected, the IT reviewer should email the Duke Medicine Information Security Office (infosec@mc.duke.edu) for review with the subject "RDSP Pro000XXXXX".

02.2 Storage of Electronic Information (continued)
Additional Reviewer Notes:
All places, both internal and external to Duke Medicine, where study data is managed must be reflected. Study data may be managed by more than one IT support group.
Research data stored within Duke Medicine is governed by the Duke Medicine Security Standards. Research data maintained outside of Duke (such as at another university, a sponsor, or 3rd-party contractors or subcontractors) is protected by that entity. However, the human subject must understand where data are going and authorize the arrangements, which, within Duke, is accomplished via informed consent.
If questions arise about the propriety of the consent form, direct them to the CRU reviewer, who may discuss them with the IRB Office. IT staff are not responsible for reviewing consent forms, but should understand that authorization within a consent form may be needed and communicate this to the CRU reviewer, who will point researchers to the appropriate department (IRB) if necessary.

03 Duke Electronic Storage Details
Reviewer Notes: SEI is not prohibited from being stored on a workstation (local home drive) or a networked personal home drive in all instances, but it is strongly discouraged. Thought should be given to data availability in the event that an employee leaves Duke or is away for an extended period. Storage on media other than a server should have a business justification.

03.1 Mobile Storage Device Details
Reviewer Notes: If mobile devices are listed, the PI/CRC has been told that no SEI may be stored on mobile devices without encryption: PGP for Windows; PGP or FileVault2 for Mac. Non-Duke-owned mobile devices may not be used to store Duke SEI.

03.1 Mobile Storage Device Details
Additional Reviewer Notes:
Mobile devices (general): security of mobile devices is governed by the Duke Medicine Mobile Computing and Storage Device Standard.
Laptops: no personal (non-Duke-owned) laptops may be used to store human subject research protocol study data. Item #15 in the Duke Confidentiality Agreement states: "With the exception of accessing Duke email on a personal smartphone (e.g., iPhone or Android device) or tablet (e.g., iPad), I WILL NOT store Confidential Information on non-Duke systems including on personal computers/devices."
Other mobile devices (including external hard drives, flash drives and smart devices): the data or the device must be encrypted. Item #16 in the Duke Confidentiality Agreement states: "I WILL NOT maintain or send Confidential Information to any unencrypted mobile device in accordance with Duke policies and procedures." The encryption algorithm must be the Advanced Encryption Standard (AES) with a block size of 256 bits or greater. PGP is the preferred encryption method.

04 Software Environment & Survey Tools
Reviewer Notes: Look for survey tools, cloud storage, social media, mobile devices, 3rd-party websites, etc. Remember, ALL data storage, both internal and external, must be listed. If the PI/CRC listed "Other entity outside of Duke Medicine", it should be adequately described.
Application, database, and operating system software: only currently supported (patchable) systems are allowed. IT staff are responsible for checking versions and sending the protocol back to the research team if they are not listed.

04 Software Environment & Survey Tools
Reviewer Notes: Require specific details (e.g., rather than "sponsor website", ask the PI/CRC to list the link used for data entry, such as http://sponsor.website). If a sponsor, vendor, or contractor website or tool external to Duke Medicine (including websites of 3rd-party affiliates of the sponsor) is used as an interface to collect or enter study data, one of the following must occur:
The human subject understands where data are going and authorizes the arrangements, which, within Duke, is accomplished via informed consent.
Formal review and signoff by the Duke Medicine Information Security Office.

04 Software Environment & Survey Tools: Mobile Apps
Reviewer Notes: If the submitter indicates use of a mobile app, as of January 2014 the IT reviewer should email the Duke Medicine Information Security Office (infosec@mc.duke.edu) for review with the subject "Mobile App Pro000XXXXX".
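The reviewer notes in sections 01 through 04 amount to a checklist, and a checklist can be applied mechanically before a human reviewer reads the form, so that obvious omissions go back to the study team early and the two ISO-escalation cases are never missed. The Python pre-screen below is an added example written for this page; it is not Duke's own tooling, and the form field names (paper, electronic, storage_options, mobile_devices, software and their keys) are assumptions about how a submission might be exported. The mailbox, the subject-line formats, the approved encryption methods and the two storage options that trigger ISO review are taken from the slides above; the sample submission at the bottom is constructed.

```python
"""Automated pre-screen for an RDSP submission, applying the reviewer notes
from sections 01 to 04 of the training deck.  Added example, not Duke's own
tooling; the form field names used here are assumptions for illustration."""
from dataclasses import dataclass

INFOSEC_MAILBOX = "infosec@mc.duke.edu"  # address given in the deck

# Section 02.2: these two storage options require Information Security Office review.
ISO_REVIEW_STORAGE = {
    "Duke University, OIT Managed Service",
    "Campus Department Supported IT Service",
}
# Section 03.1: encryption methods the deck names as acceptable for mobile devices.
APPROVED_ENCRYPTION = {"PGP", "FileVault2"}


@dataclass
class Finding:
    section: str
    action: str   # "return": send back to study team; "escalate": email ISO; "check": reviewer judgement
    message: str


def _ssn_findings(section: str, media: dict) -> list:
    """Sections 02.1/02.2: SSN storage is allowed only for participant payment
    (redacted at the earliest possible time) or with ISO institutional approval."""
    if media.get("contains", {}).get("SSN") != "Yes":
        return []
    if media.get("ssn_purpose") == "participant payment" or media.get("ssn_iso_approval"):
        return []
    return [Finding(section, "return", "SSN storage outside participant payment requires "
                    "institutional approval through Duke Medicine ISO.")]


def screen_rdsp(form: dict) -> list:
    """Return the findings a reviewer should act on, in form order (empty list = clean)."""
    protocol = form.get("protocol_id", "Pro000XXXXX")   # placeholder id format from the deck
    f = []
    paper, elec = form.get("paper", {}), form.get("electronic", {})

    # 01 Storage media types: both sections blank is almost certainly an error.
    if not paper and not elec:
        f.append(Finding("01", "return", "No paper or electronic storage listed; "
                         "a study generating no data at all is extremely rare."))

    # 02.1 Paper: every dropdown answered, PHI should almost always be Yes, SSN rule.
    if paper:
        for item, answer in paper.get("contains", {}).items():
            if answer not in ("Yes", "No"):
                f.append(Finding("02.1", "return", f"Dropdown '{item}' has no Yes/No selection."))
        if paper.get("contains", {}).get("PHI") == "No":
            f.append(Finding("02.1", "check", "PHI marked No; nearly all Duke Medicine study data "
                             "is PHI (even a date of clinical service)."))
        f += _ssn_findings("02.1", paper)

    # 02.2 Electronic: SSN rule again, plus the two storage options that go to ISO.
    if elec:
        f += _ssn_findings("02.2", elec)
        for option in elec.get("storage_options", []):
            if option in ISO_REVIEW_STORAGE:
                f.append(Finding("02.2", "escalate",
                                 f"Email {INFOSEC_MAILBOX} with subject 'RDSP {protocol}' ({option})."))

    # 03.1 Mobile devices: must be Duke-owned and encrypted to hold SEI.
    for dev in form.get("mobile_devices", []):
        name = dev.get("name", "device")
        if not dev.get("duke_owned"):
            f.append(Finding("03.1", "return", f"{name}: non-Duke-owned devices may not store Duke SEI."))
        if dev.get("encryption") not in APPROVED_ENCRYPTION:
            f.append(Finding("03.1", "return", f"{name}: no SEI on mobile devices without encryption "
                             "(PGP; FileVault2 on Mac)."))

    # 04 Software: supported versions, specific external links, consent or ISO signoff, mobile apps to ISO.
    for sw in form.get("software", []):
        name = sw.get("name", "software")
        if not sw.get("supported"):
            f.append(Finding("04", "return", f"{name}: only currently supported (patchable) software is allowed."))
        if sw.get("external"):
            if not sw.get("url"):
                f.append(Finding("04", "return", f"{name}: external tool must be described specifically "
                                 "(e.g. the data-entry link)."))
            if not (sw.get("in_consent") or sw.get("iso_signoff")):
                f.append(Finding("04", "return", f"{name}: external collection needs informed-consent "
                                 "authorization or ISO signoff."))
        if sw.get("mobile_app"):
            f.append(Finding("04", "escalate", f"Email {INFOSEC_MAILBOX} with subject 'Mobile App {protocol}'."))
    return f


# Constructed sample submission for illustration (not a real protocol).
SAMPLE_FORM = {
    "protocol_id": "Pro000XXXXX",
    "paper": {"contains": {"PHI": "No", "SSN": "Yes"}, "ssn_purpose": "participant payment"},
    "electronic": {"contains": {"PHI": "Yes", "SSN": "Yes"},
                   "storage_options": ["Campus Department Supported IT Service"]},
    "mobile_devices": [{"name": "study laptop", "duke_owned": True, "encryption": "none"}],
    "software": [{"name": "sponsor EDC", "external": True, "supported": True,
                  "url": "", "in_consent": False, "iso_signoff": False, "mobile_app": True}],
}

if __name__ == "__main__":
    for finding in screen_rdsp(SAMPLE_FORM):
        print(f"[{finding.action:8}] {finding.section}: {finding.message}")
```

Findings tagged "escalate" are the two cases the deck routes to the Information Security Office; "return" items are what the IT reviewer would send back to the study team; "check" items (such as PHI marked No) need reviewer judgement rather than an automatic decision. A clean run returns an empty list, which is the condition for handing the form to the paper and electronic reviewers for the communication step the deck requires before final approval.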

General Notes
The CRU/Owning Organization and IT staff are expected to document completion of the review, and items that must be remedied, in the RDSP. If there are unresolved concerns, those remarks must be recorded in the comments section.
The CRU/Study Owning Organization is responsible for stopping any protocol from further IRB action if there is no reasonable plan to remedy deficient IT controls. If there is a question about the significance of an issue, contact the Information Security Office.
For questions regarding non-digital media or data de-identification, contact the SOM Compliance Office or ISO.
New RDSP reviewers must be trained by the Information Security Office before beginning the RDSP review process, and a current list of all RDSP reviewers will be maintained by ISO for annual refresher training. The CRU/Study Owning Organization is responsible for informing ISO when reviewers leave or new reviewers are added.
Reviewers are encouraged to communicate within their CRU/Study Owning Organization and to ask questions of ISO and the SOM Compliance Office if they are unsure how to aid a researcher with a particular RDSP submission.
Study teams should be trained in RDSP submission by the CRU/Study Owning Organization, but ISO and the Duke Office of Clinical Research (DOCR) are available to assist with group training upon request.

Worth Repeating
The human subjects must understand where data are going and authorize the arrangements, which, within Duke, is accomplished via informed consent.
The IRB does not review the RDSP.
The Research Study Team and the CRU/Study Owning Organization are responsible for ensuring that what is listed in the RDSP is reflected in the IRB submission (consent, waivers, summary).
Communication with the study team and between reviewers is a critical aspect of the review process.