© 2008. all rights reserved. information security and research data management todd ferris, md...

© 2008. All rights reserved.

Information Security and Research Data Management

Todd Ferris, MDAssociate CIO, IT Services

Director, Informatics Services

Privacy and Security Officer

Information Resources and Technology

Stanford University School of Medicine

Data Security, Data Collection Options, and Data Analysis Plans: Thinking about the End from the Beginning

Todd Ferris, MD, MS5/22/2008

2

Overview

Information Security Requirements HIPAA

Stanford University Security Policies

FISMA & California SB1386 & AB1298

Conducting a Secure Research Study Data security plans Secure data collection Data analysis and sharing


HIPAA

Federal regulation covers privacy, security and much, much more!

HIPAA privacy & security regulations only apply to protected health information (PHI) Security regs. only apply to electronic PHI (ePHI)

It is very important to have a good, solid understanding of what is PHI and what is not.

3


What the rule says

Protected Health Information Protected health information means

individually identifiable health information, that is transmitted by electronic media, maintained in electronic media; or transmitted or maintained in any other form or medium.

4


What the rule says

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

5


What we say (i.e. Stanford’s Policies)

Protected Health Information (PHI): Health information that is created or received by a covered entity and that is individually identifiable (i.e., is not de-identified.) Under HIPAA, protected health information does not include: …

De-identified Information: Health information that cannot be used to identify an individual. For information regarding how to determine that health information is de-identified or to generate de-identified information, refer to the HIPAA Use and Disclosure of Protected Health Information policy, Appendix A.

6


What we say in Appendix A

Names; Geographic subdivisions smaller than a

state; Dates (except year) directly related to

an individual, including birth date, health care service admission or discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, unless aggregated into a single category of ages over 89;

Telephone numbers; Fax numbers; E-mail addresses; Social security numbers;

Medical record numbers; Health plan beneficiary numbers, Account

numbers; Certificate/Driver’s license numbers; Vehicle identifiers and serial numbers,

including license plate numbers; Device identifiers and serial numbers; Web Universal Resource Locators (URLs); Internet Protocol (IP) address numbers; Biometric identifiers, including finger and

voice prints; Full face photographic images and any

comparable images; and Any other unique identifying number,

characteristic or code

7

Health information is de-identified if it does not include any of the following identifiers of the individual or of relatives, employers, or household members of the individual:


My brain is hurting! What must I know?

Will the study involve any PHI, if so which parts Collection? Almost always Analysis? May not be needed (think codebook) Reporting? Never!?

If you have PHI, then you must follow HIPAA policies and procedures. If any of this PHI is stored electronically, then

HIPAA security policies apply.

8


HIPAA Security from A-Z:Stanford Policy Statements

Audit Controls: Stanford will support security management activities designed to

detect potential security incidents by implementing hardware, software, and/or procedural mechanisms that will record and examine information systems activity.

Business Associates: When Stanford University enters into contracts on behalf of

University HIPAA Components with certain persons or entities pursuant to which the contracting party will be provided with or have access to protected health information ("PHI"), Stanford University will enter into agreements with such persons ("business associate agreements") intended to protect the privacy of PHI transmitted in connection with such relationship.

9


HIPAA Security:Stanford Policy Statements

Computing Devices and Electronic Storage Media: SUHC will implement reasonable and appropriate measures designed to

ensure that computing devices and electronic storage media covered by this policy will be installed, located and used in a way that minimizes the unauthorized or incidental disclosure of ePHI. SUHC workforce and business associates will employ reasonable and appropriate safeguards when receiving, storing, using, transferring or disposing of computing devices or electronic storage media that store ePHI.

Contingency Planning: SUHC will develop and implement for each information system a

contingency plan for responding to and recovering from system outages or other emergencies that may damage or make unavailable the system or ePHI (e.g., natural disaster, fire, vandalism, system failure, software corruption, virus, operator error).

10



Data and System Integrity Policy: SUHC will protect ePHI from unauthorized alteration,

destruction or disclosure by implementing reasonable and appropriate measures to facilitate the maintenance of reliable system components, workflows, and data.

Email and Other Electronic Messaging of ePHI SUHC will implement reasonable and appropriate

measures to guard against unauthorized access to and protect the integrity and confidentiality of ePHI that is being sent, received, or stored using an e-mail or other electronic messaging system ("electronic messaging").

11



Facilities Security: SUHC will limit physical access to its information systems

that contain ePHI by implementing reasonable and appropriate measures to allow only authorized persons to access the facilities in which those information systems are housed.

Information Access Control: SUHC will implement reasonable and appropriate measures

to (i) limit access to ePHI only to those persons or automated processes that have been granted access rights based on their required functions and (ii) prevent those who have not been granted those rights from obtaining access to ePHI.

12



Security Management: SUHC will take reasonable and appropriate

precautions to prevent, detect, contain and correct security violations.

Transmission of ePHI: SUHC will implement reasonable and appropriate

measures to guard against unauthorized access to and protect the integrity and confidentiality of ePHI that is transmitted over an electronic communications network while the data is in transit when the transmission is initiated by SUHC.

13


My brain hurts again, isn’t there an easier way?

Unfortunately, systems that hold ePHI must comply with these policies.

However, next section will talk about some options that speed compliance.

The School of Medicine Information Security group is available to review any system.

14


Federal Information Security Management Act, aka FISMA

Signed into law December 2002 Title III of the E-Government Act

“Requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.”

15


The VA and FISMA

As a federal agency, VA hospitals fall under FISMA.

All systems that hold VA data must be FISMA certified.

Problem – How to FISMA certify your system for a VA research project?

http://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002

http://csrc.nist.gov/groups/SMA/fisma/overview.html

16


Last but not least:California’s SB 1386 and AB 1298

California leads the nation in laws protecting its residents against identity theft.

SB 1386 – September 2002 Requires notification if “personal information” is

potentially compromised Personal information includes SS #, banking

information…

AB 1298 – October 2007 Adds medical information and health insurance

information to definition of “personal information”

17

© 2008. All rights reserved.

Conducting a Secure Research Study

Thinking about the End from the Beginning

18


Plan, Plan, Plan, then Do

Don’t leave the security of a research study until the last minute.

A good study will have contemplated how security will be handled even before submitting to the IRB.

Many granting agencies require a data security plan.

19

A lack of planning on your part doesn’t constitute an emergency on my part.


How to approach a data security plan

All good security programs start with a risk assessment! How much data (# of patients, # of variables) How sensitive is the data (HIV, Ψ, SS#, etc.) How many will have access How long will it be used Where will the data be stored Will the data be transferred

The risk assessment will drive the security techniques employed.

20


How to write a data security plan

Start at the beginning - Go from data collection to final analysis and don’t forget the eventual close down.

Describe the security measures that will be put into place for each natural segment of the research. Use the HIPAA security policies to walk through each pertinent area.

Take your time and don’t forget about the SoM Information Security group. We love to proofread!

21


Secure Data Collection

Data collection poses many security threats Many touch points Poorly

designed/implemented systems

Frequent movement of data

Requires significant attention of security solutions

22


Secure Data Collection Systems

Setup Cost Multi user

Integrity controls

Audit Summary

Excel easy $ No none none Can work well for very small studies run by a single investigator

Access/Filemaker

med $-$$ No minimal minimal Lack of security limits multi-user use, best used by small studies run on single computer

Commer. Web app

med $$-$$$

Yes varies varies Wide range of abilities, don’t forget BAA!

Custom web app

hard $$$ Yes varies varies Most flexible, but tons of hidden costs.

STRIDE varies $-$$$ Yes varies full Flexible, HIPAA compliance handled

23


A message from our sponsor

STRIDE Run by the Center for Clinical Informatics Houses clinical data from both LPCH and SHC that

can be used for research Also supports many research databases

Informatics Consultation Service http://clinicalinformatics.stanford.edu/consultation/ Free!* Will help with data dictionary design as well as

database design

24


Data Analysis

From a security standpoint, it is best to use de-identified data in the analysis phase. Dates can present an issue. Consider converting to day

# and age.

If can’t be de-identified must be handled as PHI. Ensure biostatistician or others doing analysis are

aware and prepared to handle PHI. Secure transmission of PHI. Secure storage and processing of PHI.

Still remove any identifiers you can, this lowers the risk

25


Data Sharing

Increasing requirements to make data available for analysis by others.

Must carefully review the data before posting or releasing to ensure it is de-identified.

Information Privacy office can assist in the review.

26


Closing out the Study

Don’t forget this step! Once study is over, may need to comply with

retention requirements. Only keep what is required. Securely destroy anything that is not required or

planned to be maintained. Shredding, secure erasing, etc.

Use a secure storage service for paper documents (e.g., Iron Mountain)

If you will be storing ePHI, you should have had a plan for secure long term electronic storage.

27


Don’t Panic

There are many resources to help you create a secure research study.

SoM Information Security group Ellen Amsel, [email protected]

SoM Information Privacy group Todd Ferris, [email protected]

Center for Clinical Informatics http://clinicalinformatics.stanford.edu

28

© 2008. all rights reserved. information security and research data management todd ferris, md...

Documents

subset of health information

demographic information

mental health

deidentified information

provision of health

health care provider

health care clearinghouse

health care service