Columbia University IRB Policy
Data Security Plans Involving the Storage of Electronic Research Data Constituting
Protected Health Information or Personally Identifiable Information
I. Background
Pursuant to regulations of the Department of Health and Human Services (HHS) (45 CFR 46)
and the Food and Drug Administration (FDA) (21 CFR 56), the IRB is charged with ensuring
that each human subjects protocol includes provisions for protecting the privacy of subjects and
maintaining the confidentiality of study data. This is particularly important when the study
involves Protected Health Information (PHI) and/or Personally Identifiable Information (PII),
both of which are classified by the University’s Policy on Data Classification
[http://policylibrary.columbia.edu/data-classification-policy] as Confidential/Sensitive Data and
therefore subject to the most stringent data security requirements. In addition, under the IRB
Policy “Research and the HIPAA Privacy Rule”, all research data constituting PHI must comply
with the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996
(HIPAA). Finally, PII is considered to be sensitive data by the NIH in its Guide for Identifying
Sensitive Information subject to special security controls.
II. Effective Date: February 1, 2013
III. Scope
This Policy provides standards for IRB approval of data security plans involving the storage of
electronic research data constituting PHI or PII in human subjects research conducted at
Columbia University or by Columbia University researchers. The intent of this Policy is to
ensure that the protection of the privacy of research subjects and the confidentiality of
identifiable research data is in accord with the requirements of HHS, FDA, HIPAA and NIH
regulations.
IV. Definitions
Protected Health Information (PHI): any information transmitted or maintained in any form
(i.e., by electronic means, on paper or through oral communication) that relates to the past,
present or future physical or mental health or condition of an individual, the provision of health
care to an individual or the past, present or future payment for health care and (a) identifies the
individual or (b) with respect to which there is a reasonable basis to believe that the information
can be used to identify the individual.
Personally Identifiable Information (PII): any information about an individual that could
cause harm to such individual, such as medical, financial, employment or criminal records or
other information, together with information that can be used to identify or trace an individual’s
identity, including any other personal information that is linked or linkable to that individual.
HIPAA lists 18 identifiers that, when included with the research data, make the data
identifiable. These identifiers can be used as examples of information that could identify an
individual, either in the context of PHI or PII. The HIPAA identifiers are:
• Names
• All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code
• All elements of dates (except year) directly relating to an individual, including birth date, admission date, discharge date, date of death and all ages over 89 and all elements of dates (including year) indicative of such age, except for ages and elements aggregated into a single category of age 90 or older
• Telephone numbers
• Fax numbers
• Email addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger prints and voice prints
• Full face photographic images or any other comparable images
• Any other unique identifying numbers, characteristics or codes (other than unique codes assigned to code the data).
Note that any codes used to replace the foregoing identifiers in data sets cannot be derived from
any information relating to the individual and the master codes, nor can the method to derive the
codes be disclosed. Additionally, although the use of codes is highly recommended as a means
of reducing risk, if a Principal Investigator (PI) or his/her research team has the ability to link
coded data to identifiable information, the coded data will be considered to be identifiable, i.e.,
PHI or PII. If the PI and his/her research team have no access to identifiable information, the
coded data will be considered de-identified and not PHI or PII.
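The coding requirement above is easy to get wrong in practice: a code computed from the subject's own identifier (for example a hash of the social security number) can be recomputed by anyone who holds that identifier, so it is "derived from information relating to the individual". The following is an added Python example, not part of the IRB policy or of any Columbia system; the field names, regular expressions, sample record and the `CodingService` class are all constructed for illustration. It contrasts a derived code with a random code whose only link to the subject is a separately held master linkage table, and it also flags a few HIPAA identifier categories by pattern so a coded record can be checked before release.

```python
import hashlib
import re
import secrets

# Field names and patterns below are constructed for this example; the policy
# does not prescribe any of them.
DIRECT_IDENTIFIER_FIELDS = {"name", "ssn", "mrn", "email", "phone", "street_address"}

# Value patterns for a few of the 18 HIPAA identifier categories (constructed).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def find_identifiers(record):
    """Return the identifier categories whose patterns match any string value."""
    hits = set()
    for value in record.values():
        if not isinstance(value, str):
            continue
        for category, pattern in IDENTIFIER_PATTERNS.items():
            if pattern.search(value):
                hits.add(category)
    return hits


def derived_code(record):
    """Non-compliant coding: a truncated SHA-256 of the subject's own SSN.
    Anyone holding the SSN can recompute it, so the code is derived from the
    individual's information and the data stay identifiable."""
    return hashlib.sha256(record["ssn"].encode()).hexdigest()[:8]


def is_derivable(code, record):
    """Heuristic check: can `code` be recomputed from the record's own values?
    Tries the raw values (with and without dashes) and common hash digests."""
    for value in record.values():
        if not isinstance(value, str):
            continue
        candidates = [value, value.replace("-", "")]
        for algo in ("md5", "sha1", "sha256"):
            candidates.append(hashlib.new(algo, value.encode()).hexdigest())
        if any(code in cand for cand in candidates):
            return True
    return False


class CodingService:
    """Assigns random codes and holds the master linkage table. In practice the
    table lives with an honest broker, apart from the coded data set and out of
    reach of the research team; otherwise the coded data remain PHI/PII."""

    def __init__(self):
        self.linkage = {}  # code -> direct identifiers removed from the record

    def code_record(self, record):
        """Replace direct identifiers with a fresh random code. The code carries
        no information about the subject, so it cannot be derived from the data."""
        code = secrets.token_hex(4)
        while code in self.linkage:  # avoid the (unlikely) reuse of a code
            code = secrets.token_hex(4)
        self.linkage[code] = {k: v for k, v in record.items() if k in DIRECT_IDENTIFIER_FIELDS}
        coded = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
        coded["subject_code"] = code
        return coded


# Constructed sample record; every identifier value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "email": "jane.doe@example.org",
    "phone": "212-555-0123",
    "street_address": "100 Example St, New York, NY",
    "age": 47,
    "diagnosis_code": "E11.9",
    "visit_year": 2012,
}

if __name__ == "__main__":
    service = CodingService()
    print("identifiers in raw record:", sorted(find_identifiers(SAMPLE_RECORD)))
    coded = service.code_record(SAMPLE_RECORD)
    print("coded record:", coded)
    print("derived code derivable?", is_derivable(derived_code(SAMPLE_RECORD), SAMPLE_RECORD))
    print("random code derivable?", is_derivable(coded["subject_code"], SAMPLE_RECORD))
```

The pattern check is deliberately narrow (four of the eighteen categories) and is a release gate, not a substitute for reviewing the full identifier list; free-text fields in particular need manual review because names, addresses and dates do not follow a fixed pattern.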
V. Policy
All IRB protocols must have a data security plan that specifies whether PHI or PII will be
obtained and if so, how it will be stored and transferred. Any modification to the data security
plan must be approved by the IRB. Protocol renewals must identify any changes in such data
security plan and, at the time of renewal, the IRB may require that the plan be updated to meet
new requirements. The data security plan must be acceptable to the IRB for a protocol or
protocol renewal to be approved by the IRB.
It is the responsibility of the PI of any research study involving PHI or PII to comply with all
applicable University policies and guidelines. If the study is conducted at Columbia University
Medical Center (CUMC) or by CUMC personnel, CUMC policies and guidelines will also apply.
References to relevant policies and guidelines are included below.
A. Data Storage
The following methods of storing electronic research data containing PHI or PII will be
acceptable to the IRB:
• The data will be stored on a multi-user server that has been registered and certified by CUMC IT. The specific server name and IP address and, if provided to the user, a copy of the CUMC IT System Certification Certificate, should be included with the protocol.
• The data will be stored on a USB drive, CD/DVD, desktop or laptop computer, tablet or other end user device (each, an “End User Device”), so long as the End User Device is protected by a strong password and the data encrypted at all times. The inclusion of a statement to such effect in a protocol shall constitute a certification by the PI that each End User Device to be used in the study will be so protected.
Relevant University and CUMC policies and guidelines on electronic data protection are listed
on Attachment A hereto. No data containing PHI or PII may be stored in external organization
storage such as Google Docs unless such organization has appropriate legal documentation
approved by the University’s Privacy Officer and Office of the General Counsel.
B. Data Transfer
An acceptable data security plan must provide that all electronic transmissions of PHI or PII over
the internet (including by email), file transfers or other data transfer modalities, will be encrypted
in accordance with the University’s Encryption Policy.
No data containing PHI or PII may be sent from or forwarded to an external account such as
Gmail, Yahoo mail, etc.
See CUMC Policy Communicating Protected Health Information via Electronic Mail (Email).
http://www.cumc.columbia.edu/hipaa/pdf/cumcemailpolicy.pdf
C. Data Loss/Security Breach
Any loss of or breach of security relating to research data containing PHI or PII must be reported
as follows: (1) to the IRB in Rascal as an Unanticipated Problem Involving Risks to Subjects or
Others; and (2) also to the University’s Privacy Officer and the CUMC Information Security
Officer.
Examples of security breaches include: (1) lost or stolen desktops, laptops, USB drives,
CD/DVD/Zip drives, etc. with stored data; (2) a compromised account which is used to look up
data (e.g., an unauthorized user has had access to the account); (3) a compromised workstation or
server that contains data; and (4) accidental disclosure of data to unauthorized recipients (e.g.,
sending data to an incorrect email address).
See CUMC Policy: New Notification Requirements for Loss or Theft of Patient Data (Security
Breach) under ARRA/HITECH Act.
https://secure.cumc.columbia.edu/cumcit/secure/security/docs/EPHI10_InformationSecurityIncidentProcedure_112007.pdf
Attachment A
University and CUMC Policies and Guidelines on End User Device Security
A. University
• Data Classification
  http://policylibrary.columbia.edu/data-classification-policy
• Data Sanitization/Disposal of Electronic Equipment
  http://policylibrary.columbia.edu/data-sanitizationdisposal-electronic-equipment-policy
• Desktop and Laptop Security
  http://policylibrary.columbia.edu/desktop-and-laptop-security-policy
• Electronic Information Resources Security
  http://policylibrary.columbia.edu/electronic-information-resources-security
• Electronic Information Server Administration
  http://policylibrary.columbia.edu/electronic-information-server-administration
• Encryption
  http://policylibrary.columbia.edu/encryption-policy
• Identity Theft Prevention
  http://policylibrary.columbia.edu/identity-theft-prevention-policy
B. CUMC
• General Information Security (EPH 13)
  https://secure.cumc.columbia.edu/cumcit/secure/security/docs/EPHI3_GeneralInformationSecurityPolicy_112007.pdf
• Mobile Device Security
  http://www.cumc.columbia.edu/it/getting_help/docs/device_encryption.pdf
• Sanctions for Unauthorized Access, Use or Disclosure of Protected Health Information
  http://www.cumc.columbia.edu/hipaa/pdf/Sanctions_for_Unauthorized_Access_Use_or_Disclosures_of_PHI.pdf
• System Registration and Certification
  https://secure.cumc.columbia.edu/cumcit/secure/security/docs/CUMC%20System%20Registration%20and%20Certification%20Final%20May%2011%202011.pdf
• Workstation Use and Security (EPH 15)
  https://secure.cumc.columbia.edu/cumcit/secure/security/docs/EPHI5_WorkstationUse_Security_112012_final.pdf