HIPAA & RESEARCH DATA SECURITY FOR BU RESEARCHERS
CHARLES RIVER CAMPUS
November 14, 2017
This Training Will Cover:
• How HIPAA impacts human subject research
• What researchers need to do to protect health data used in research, whether covered by HIPAA or not
• How to report a possible breach of research data
• Your BU resources
HIPAA
Health Insurance Portability and Accountability Act of 1996 (HIPAA).
• Privacy
• Security
• Breach Notification
• Patient Rights
What's the big deal?
• National standards
• Complexity
• Enforcement: consequences of breach
  • Feinstein Institute for Medical Research: data from 50 studies, 13,000 individuals; breach cost $3.9 million
  • Oregon Health and Science University, $2.75
When Does Research Implicate HIPAA?
Protected Health Information (PHI):
• Information about an individual's past, present, or future physical or mental health, and/or
• information about payment for, or provision of, health care services,
• created or received by a Covered Entity / Covered Component.

Human subjects research
Using PHI
Covered Entity / Covered Component
• Covered Entity: A health insurance plan, claims clearinghouse, or a health care provider that conducts HIPAA electronic billing (typically billing of insurance companies or Medicare/Medicaid).
• Covered Component: Same as a Covered Entity, but is a component of a hybrid entity that does more than health care. BU is a Hybrid Entity.
• BU Covered Components:
  • GSDM's Dental Health Treatment Centers
  • SAR Physical Therapy and Neuro-Rehabilitation
  • Sargent Choice Nutrition
  • Danielsen Institute
Research examples: Is HIPAA Implicated?
1. Research involving analysis of stillbirths and mothers' age, using birth and death statistics from public records.
2. Same research study, but also uses data from BMC.
3. What modality is most effective in treating major depression plus anxiety: CBT, meditation or both? Data from:
  • Meditation center
  • Reported by subjects
  • BU CARD
  • Danielsen Institute
Points Where HIPAA Matters
1. Preparing proposal
2. Recruiting subjects
3. Obtaining data
4. Protecting your data
HIPAA in First Phase of Research: Preparations (Pre-IRB Submission)
You need PHI from a BU Covered Component (or from a HIPAA Covered Entity outside BU) to prepare for research. For example:
• Evaluating whether the medical records contain enough potential subjects for a research study
• Obtaining other information from medical records to prepare the proposal or IRB submission
• Designing a research proposal or protocol
Two options: Authorization or Waiver

Waiver Preparatory To Research
• Patient Authorization: usually impractical
• Waiver Preparatory to Research if:
  • Review of PHI is necessary to prepare the protocol or engage in similar preparatory activities;
  • The researcher will not remove or retain the PHI reviewed; and
  • Reviewing the PHI is necessary for research purposes
• If you want to review data at a BU covered component, use the form available at www.bu.edu/hipaa and give it to the covered component's HIPAA Contact.
• Practices vary at health care providers outside BU; start by asking for the Privacy Officer
• Why is this necessary? Accounting
HIPAA in Second Phase of Research: Recruiting Subjects
• A treating provider can offer its own patients the opportunity to participate in research. Discussing research participation with a patient is considered part of Treatment, so no Authorization or Waiver is needed.
• It doesn't matter that the researcher does not personally treat each potential study subject; the clinic is considered the provider.

HIPAA-Compliant Recruiting Examples
A physical therapist who is part of BU Physical Therapy at the Ryan Center has IRB approval to conduct a study comparing two post-knee-surgery treatment regimens. Can she review patient records to get contact information for potential subjects and contact them about the research?
Same research is being conducted by a researcher at Northeastern University. Can BU Physical Therapy give him that list for study recruitment purposes?
HIPAA in Third Phase of Research: Obtaining PHI from Covered Entity to Conduct Research
• There are 4 pathways to obtain PHI from a Covered Entity for an IRB-approved research study:
  • Request only de-identified data from the Covered Entity
  • Request a Limited Data Set, under a Data Use Agreement
  • Get Authorization from each study subject
  • Obtain a Waiver of Authorization from the IRB

First Option: Use De-Identified Data
• PHI that has been "de-identified" is no longer PHI because it does not identify any individual.
• But note: de-identification under HIPAA does not mean simply deleting the patient names. HIPAA regards data as de-identified only in two circumstances:
  • If the data does not contain any of the 18 identifying elements (next slide), or
  • If the data contains some of those 18 identifying elements, but an expert has determined there is a very small risk of using the data to identify individuals.
• If you wish to pursue an expert determination, contact the BU Privacy Officer at [email protected] so she can assist in ensuring the expert uses methods advised by HIPAA.
18 Identifiers That Must Be Absent To De-identify PHI
• Names
• All geographic subdivisions smaller than a State
• All elements of dates (except year) for dates directly related to an individual:
  • birth date
  • admission date
  • discharge date
  • date of death
  • all ages over 89
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers, e.g., serial numbers, license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code
Second Option: Use a Limited Data Set
• Do not have to remove all 18 identifying elements. Can leave the following:
  • town or city and zip code of subject
  • dates related to the subject, e.g., dates of birth, death, admission, testing, etc.
• Must enter into a Data Use Agreement with the Covered Entity that specifies how you will protect and use the data
• If you wish to pursue this method, contact [email protected]
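As an added example (not from the BU training or its materials), the following Python applies the 18-identifier Safe Harbor list from the previous slide and the Limited Data Set rules from this one to a single research record; the field names, the free-text patterns and the sample record are assumptions, and the free-text scan shows how an identifier can survive in a notes column after the obvious fields are dropped.

```python
# Added example (not the BU training's code): Safe Harbor vs Limited Data Set on one record.
import re
from datetime import date

# Identifiers dropped under both Safe Harbor and a Limited Data Set (field names assumed).
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
                      "account_no", "license_no", "vehicle_id", "device_serial",
                      "url", "ip_address", "biometric", "photo"}
LDS_ONLY_FIELDS = {"city", "zip"}     # an LDS may keep town/city and zip; Safe Harbor may not
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Identifier shapes that hide in free text (the "any other unique ... code" catch-all).
LEAK_PATTERNS = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                 "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
                 "email": re.compile(r"[\w.+-]+@[\w-]+\.\w+")}

def age_on(reference, born):  # whole years from born to reference
    return reference.year - born.year - ((reference.month, reference.day) < (born.month, born.day))

def deidentify(record, mode, reference):
    """mode is 'safe_harbor' or 'limited_data_set'; reference fixes 'today' for the age rule."""
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown mode {mode!r}")
    lds = mode == "limited_data_set"
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                    # removed in both modes
        if field in DATE_FIELDS and not lds:
            out[field.replace("_date", "_year")] = value.year   # Safe Harbor: year only
        elif field in DATE_FIELDS:
            out[field] = value.isoformat()              # an LDS may keep subject dates
        elif field in LDS_ONLY_FIELDS and not lds:
            continue                                    # geography below state level removed
        else:
            out[field] = value
    if not lds and "birth_date" in record:              # ages over 89 collapse to one bucket
        age = age_on(reference, record["birth_date"])
        out["age"] = "90+" if age > 89 else age
    return out

def residual_identifiers(record):
    """Names of leak patterns found in any string field; non-empty means not de-identified."""
    hits = {k for v in record.values() if isinstance(v, str)
            for k, p in LEAK_PATTERNS.items() if p.search(v)}
    return sorted(hits)

# Constructed sample record (fictional values) for trying the two modes.
SAMPLE = {"name": "Jane Doe", "mrn": "MRN-0001", "city": "Boston", "zip": "02215",
          "birth_date": date(1925, 3, 2), "admission_date": date(2017, 11, 14),
          "diagnosis": "F41.1", "notes": "call back at 617-555-0100"}
```

Running residual_identifiers over the Safe Harbor output of SAMPLE still reports a phone number from the notes field, which is the point: dropping the named columns is not the same as de-identifying the data.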
Third Option: Obtain Patient Authorization
• Researchers can obtain PHI from a Covered Entity or BU covered component if subjects sign a HIPAA authorization
• The HIPAA Authorization may be combined with the study Consent, or it may be separate
• Practice tip: Identify all covered entities whose records you will be seeking and name each in the Authorization
Fourth Option: IRB Waiver of Authorization
Conditions for granting a Waiver:
• PHI is necessary for the research,
• The research cannot be conducted without a waiver (usually because obtaining individual Authorization is impractical), and
• The research does not involve more than a minimal risk to individuals based on the following:
  • An adequate plan to protect the identifiers from improper use
  • An adequate plan to destroy identifiers at the earliest opportunity
  • Assurance that the PHI will not be used for any purpose other than that study, and it won't be further disclosed
4. Protecting Your Research Data
Major Risks:
• Lost or Stolen:
  • Laptop
  • Portable device (e.g., flash drive)
  • Paper or other tangible research data
• Cyber attack:
  • Malware
  • Phishing attack
  • Exploit of operating system or application vulnerabilities
HIPAA Is Not The Only Law Out There...
Many laws may protect your human subjects research data, for example:
• Massachusetts Standards for Protection of Personal Information (93H / 201 CMR 17)
• Payment Card Industry Data Security Standard
• Export Control Law
• Controlled Unclassified Information (32 CFR Part 2002)
• Human Subjects and other research regulations, and
• HIPAA
PHI or Not During Research?
Subject enrolls in depression/anxiety study. Researchers collect the following. Which are PHI?
• Subject records moods daily for a month.
• Subject provides Authorization for release of her records from Danielsen
• Subject provides Authorization for release of her records from CARD
• Subject provides Authorization for release of her records from meditation center
BU's Data Categories Make it Simple[r]
• Restricted Use: loss/misuse may require notification to individuals or government agency
  • HIPAA PHI and other personally identifiable health data used in research
  • Code or key to re-identify data
• Confidential: loss or misuse may adversely affect individuals or BU business
  • Human subjects research with non-health data (e.g., College of Arts and Sciences investigating whether pre-teen music lessons impact academic success)
  • De-identified PHI/health data
• Internal: potentially sensitive
• Public: does not require protection from disclosure
But my research data is always "de-identified"...
• Are you sure?
• That means your data has no dates and no geographic signifiers, or any of the 18 elements listed in HIPAA
• And, that no one can identify an individual from your data, either alone or in combination with other available data.
Cautionary tale: Iowa insurance executive:
"Health costs are skyrocketing! It costs $1 million per month to cover treatment for one 17-year-old boy with hemophilia."
Minimum Security Standards for Non-Public Data
The BU Data Protection Standards identify Minimum Security Standards for all non-public data (Restricted Use, Confidential, and Internal): http://www.bu.edu/policies/information-security-home/data-protection-standards/minimum-security-standards/
4 Easy Rules
1. Device standards
2. Data storage options
3. Data sharing options
4. Foil Hackers

1 Big Theme
ENCRYPT!

1. Device Standards for Non-Public Data
• Devices = desktops, laptops, and phones
• Devices must have:
  • Operating systems and applications that are supported and updated
  • Anti-Malware installed and set to auto-update and scan
  • Auto screen lock (15 min max) to password/code
  • Disk encryption (best practice, but required for Restricted Use data)
Note: Your personal devices do not need to meet these standards unless you use them to access, process, or store research data.
How Do I Make Sure my Device is OK?
• BU has guidance here: http://www.bu.edu/tech/support/information-security/securing-your-devices/
• Ask for help if you need it:
  • IS&T Help Center: http://www.bu.edu/tech/about/help-center/
  • David Corbett, Medical Campus Information Security and BU HIPAA Security Officer, [email protected]
Once Device is OK, Keep it That Way
• Keep operating systems and applications up to date, by enabling auto-update or promptly updating when notified
• Periodically change your strong password, following best practices: http://www.bu.edu/tech/about/security-resources/bestpractice/passwords/
• Regularly delete files when no longer needed, including emails and downloads
2. Data Storage Options
• BU network storage (RU-NAS / "HIPAA Drive")
• Cloud:
  • BU Microsoft OneDrive
  • BU's Dropbox
• Encrypted removable media (e.g., CD, DVD, USB key/stick)
• BU Google Drive: for Confidential or Internal data only (not Restricted Use)
Check the BU IT site from time to time; IT is always looking for new secure options, and will add them here: http://www.bu.edu/tech/support/storage-options/
3. Data Sharing
Cloud sharing, same as cloud storage:
• BU Dropbox
• BU Microsoft OneDrive (Restricted Use) or
• BU Google Drive (Confidential)
Email: Encrypt!
1. Use DataMotion to send a secure encrypted email, or
2. Encrypt the document or spreadsheet before attaching it.
• Tip: Provide the password to the recipient by telephone. Do not send the password by email because it can be intercepted as well.
4. Foil Hackers and Fight Phishing!
• Most people think it would never happen to them, but it regularly happens to BU faculty, staff, and students
• Typical signs:
  • Email asks for password; BU will never ask for login credentials through email
  • Appears to be from someone you know but has an unexpected attachment
  • Contains unexpected grammatical or spelling errors
• If there is any doubt, contact [email protected] and get advice
Learn more at BU's "How to Fight Phishing" web page: http://www.bu.edu/tech/services/cccs/email/unwanted-email/how-to-fight-phishing/
Check Before You Click
• Only enter login credentials if the website address has a green component (EV Cert) and starts with https://
• Without the "s" preceding the colon, the website is not safe
Additional Tips: Safeguards for Working Remotely
Use the BU VPN (vpn.bu.edu)
Do not leave devices unattended (e.g., coffee shops, cars)
Lock up devices when not in use (e.g., cable lock, locked room)
Additional Tips: Protect Documents and Tangible Data
Do not remove documents or tangible data from the office. If you do, don't leave them unattended (e.g., car, classroom, coffee shop)
Lock up when not in use
Shred when no longer necessary; never throw in trash.
BREACHES: What are they? How do I report?
Reporting Potential Breach/Loss of Data: Why Is It So Important?
Please note that any external reporting to governmental agencies or individuals whose data has been breached is handled by your BU HIPAA Privacy and Security Officers, Information Security, OGC, and other BU offices. Your responsibility is to report any suspected security incidents to irt@bu.edu, and assist as requested in any investigation.
BU may have an obligation to report the incident to individuals, the IRB, or state and federal authorities
BU may be able to prevent or minimize damage
What Events Must Be Reported?
• Unusual system activity, including:
  • Malware detections
  • Unexpected logins
  • System or application alerts indicating a problem
  • Unusual behavior such as seeming loss of control of mouse or keyboard
• Unauthorized access, use, disclosure, or loss, including:
  • Loss of a device (personal or BU-owned) used to access research data
  • Loss of tangible (paper or other) research data
  • Emailing without encryption
How to Report Security Concerns, Security Incidents, and Potential Breaches:
• Send an email to BU's Incident Response Team (IRT): [email protected].
• IRT will triage the report and contact the appropriate persons and offices
• [email protected] email address, report to the principal investigator, the IRB, [email protected]
BU prohibits retaliation for reporting security concerns, security incidents, and potential breaches
Additional Resources
• This PowerPoint will be available at www.bu.edu/hipaa
• BU Data Protection Standards: http://www.bu.edu/policies/information-security-home/data-protection-standards/
• BU HIPAA policies, forms and resources: http://www.bu.edu/hipaa
• BU HIPAA Security Officer David Corbett: [email protected]
• BU HIPAA Privacy Officer Diane Lindquist: [email protected]
• Both receive emails at this address: [email protected]
• NIH education materials: https://privacyruleandresearch.nih.gov/clin_research.asp