Columbia University IRB Policy
Data Security Plans Involving the Storage of Electronic Research Data Constituting Protected Health Information or Personally Identifiable Information

I. Background

Pursuant to regulations of the Department of Health and Human Services (HHS) (45 CFR 46) and the Food and Drug Administration (FDA) (21 CFR 56), the IRB is charged with ensuring that each human subjects protocol includes provisions for protecting the privacy of subjects and maintaining the confidentiality of study data. This is particularly important when the study involves Protected Health Information (PHI) and/or Personally Identifiable Information (PII), both of which are classified by the University's Policy on Data Classification [http://policylibrary.columbia.edu/data-classification-policy] as Confidential/Sensitive Data and therefore subject to the most stringent data security requirements. In addition, under the IRB Policy "Research and the HIPAA Privacy Rule", all research data constituting PHI must comply with the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Finally, PII is considered to be sensitive data by the NIH in its Guide for Identifying Sensitive Information subject to special security controls.

II. Effective Date: February 1, 2013

III. Scope

This Policy provides standards for IRB approval of data security plans involving the storage of electronic research data constituting PHI or PII in human subjects research conducted at Columbia University or by Columbia University researchers. The intent of this Policy is to ensure that the protection of the privacy of research subjects and the confidentiality of identifiable research data is in accord with the requirements of HHS, FDA, HIPAA and NIH regulations.

IV. Definitions

Protected Health Information (PHI): any information transmitted or maintained in any form (i.e., by electronic means, on paper or through oral communication) that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for health care and (a) identifies the individual or (b) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Personally Identifiable Information (PII): any information about an individual that could cause harm to such individual, such as medical, financial, employment or criminal records or other information, together with information that can be used to identify or trace an individual's identity, including any other personal information that is linked or linkable to that individual.

HIPAA includes 18 identifiers that, when included with the research data, make the data identifiable. These identifiers can be used as examples of information that could identify an individual, either in the context of PHI or PII. The HIPAA identifiers are:

• Names
• All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code
• All elements of dates (except year) directly relating to an individual, including birth date, admission date, discharge date, date of death and all ages over 89 and all elements of dates (including year) indicative of such age, except for ages and elements aggregated into a single category of age 90 or older
• Telephone numbers
• Fax numbers
• Email addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger prints and voice prints
• Full face photographic images or any other comparable images
• Any other unique identifying numbers, characteristics or codes (other than unique codes assigned to code the data)

Note that any codes used to replace the foregoing identifiers in data sets cannot be derived from any information relating to the individual and the master codes, nor can the method to derive the codes be disclosed. Additionally, although the use of codes is highly recommended as a means of reducing risk, if a Principal Investigator (PI) or his/her research team has the ability to link coded data to identifiable information, the coded data will be considered to be identifiable, i.e., PHI or PII. If the PI and his/her research team have no access to identifiable information, the coded data will be considered de-identified and not PHI or PII.

V. Policy

All IRB protocols must have a data security plan that specifies whether PHI or PII will be obtained and, if so, how it will be stored and transferred. Any modification to the data security plan must be approved by the IRB. Protocol renewals must identify any changes in such data security plan and, at the time of renewal, the IRB may require that the plan be updated to meet new requirements. The data security plan must be acceptable to the IRB for a protocol or protocol renewal to be approved by the IRB.

It is the responsibility of the PI of any research study involving PHI or PII to comply with all applicable University policies and guidelines. If the study is conducted at Columbia University Medical Center (CUMC) or by CUMC personnel, CUMC policies and guidelines will also apply. References to relevant policies and guidelines are included below.

A. Data Storage

The following methods of storing electronic research data containing PHI or PII will be acceptable to the IRB:

• The data will be stored on a multi-user server that has been registered and certified by CUMC IT. The specific server name and IP address and, if provided to the user, a copy of the CUMC IT System Certification Certificate, should be included with the protocol.
• The data will be stored on a USB drive, CD/DVD, desktop or laptop computer, tablet or other end user device (each, an "End User Device"), so long as the End User Device is protected by a strong password and the data encrypted at all times. The inclusion of a statement to such effect in a protocol shall constitute a certification by the PI that each End User Device to be used in the study will be so protected.

Relevant University and CUMC policies and guidelines on electronic data protection are listed on Attachment A hereto.

No data containing PHI or PII may be stored in external organization storage such as Google Docs unless such organization has appropriate legal documentation approved by the University's Privacy Officer and Office of the General Counsel.

B. Data Transfer

An acceptable data security plan must provide that all electronic transmissions of PHI or PII over the internet (including by email), file transfers or other data transfer modalities, will be encrypted in accordance with the University's Encryption Policy. No data containing PHI or PII may be sent from or forwarded to an external account such as Gmail, Yahoo mail, etc. See CUMC Policy Communicating Protected Health Information via Electronic Mail (Email): http://www.cumc.columbia.edu/hipaa/pdf/cumcemailpolicy.pdf

C. Data Loss/Security Breach

Any loss of or breach of security relating to research data containing PHI or PII must be reported as follows: (1) to the IRB in Rascal as an Unanticipated Problem Involving Risks to Subjects or Others; and (2) also to the University's Privacy Officer and the CUMC Information Security Officer.

Examples of security breaches include: (1) lost or stolen desktops, laptops, USB drives, CD/DVD/Zip drives, etc. with stored data; (2) a compromised account which is used to look up data (e.g., an unauthorized user has had access to the account); (3) a compromised workstation or server that contains data; and (4) accidental disclosure of data to unauthorized recipients (e.g., sending data to an incorrect email address).

See CUMC Policy: New Notification Requirements for Loss or Theft of Patient Data (Security Breach) under ARRA/HITECH Act: https://secure.cumc.columbia.edu/cumcit/secure/security/docs/EPHI10_InformationSecurityIncidentProcedure_112007.pdf

Attachment A
University and CUMC Policies and Guidelines on End User Device Security

A. University

• Data Classification: http://policylibrary.columbia.edu/data-classification-policy
• Data Sanitization/Disposal of Electronic Equipment: http://policylibrary.columbia.edu/data-sanitizationdisposal-electronic-equipment-policy
• Desktop and Laptop Security: http://policylibrary.columbia.edu/desktop-and-laptop-security-policy
• Electronic Information Resources Security: http://policylibrary.columbia.edu/electronic-information-resources-security
• Electronic Information Server Administration: http://policylibrary.columbia.edu/electronic-information-server-administration
• Encryption: http://policylibrary.columbia.edu/encryption-policy
• Identity Theft Prevention: http://policylibrary.columbia.edu/identity-theft-prevention-policy

B. CUMC

• General Information Security (EPH 13): https://secure.cumc.columbia.edu/cumcit/secure/security/docs/EPHI3_GeneralInformationSecurityPolicy_112007.pdf
• Mobile Device Security: http://www.cumc.columbia.edu/it/getting_help/docs/device_encryption.pdf
• Sanctions for Unauthorized Access, Use or Disclosure of Protected Health Information: http://www.cumc.columbia.edu/hipaa/pdf/Sanctions_for_Unauthorized_Access_Use_or_Disclosures_of_PHI.pdf
• System Registration and Certification: https://secure.cumc.columbia.edu/cumcit/secure/security/docs/CUMC%20System%20Registration%20and%20Certification%20Final%20May%2011%202011.pdf
• Workstation Use and Security (EPH 15): https://secure.cumc.columbia.edu/cumcit/secure/security/docs/EPHI5_WorkstationUse_Security_112012_final.pdf