HIPAA&RESEARCHDATASECURITYFORBURESEARCHERS

CHARLESRIVERCAMPUS

November14,2017

ThisTrainingWillCover-

• HowHIPAAimpactshumansubjectresearch

• Whatresearchersneedtodotoprotecthealthdatausedinresearch- whethercoveredbyHIPAAornot

• Howtoreportapossiblebreachofresearchdata

• YourBUresources

2

HIPAA

HealthInsurancePortabilityandAccountabilityActof1996(HIPAA).• Privacy• Security• BreachNotification• PatientRights

3

What’sthebigdeal?

• Nationalstandards• Complexity• Enforcement:consequencesofbreach

• FeinsteinInstituteforMedicalResearch:datafrom50studies,13,000individuals;breachcost$3.9million

• OregonHealthandScienceUniversity,$2.75

4

WhenResearchImplicateHIPAA?

ProtectedHealthInformation(PHI):• Informationaboutanindividual’spast,present,orfuturephysicalormental

health,and/or• informationaboutpaymentfor,orprovisionofhealthcareservices,• createdorreceivedbyaCoveredEntity/CoveredComponent.

5

Humansubjectsresearch

UsingPHI

CoveredEntity/CoveredComponent

• CoveredEntity:Ahealthinsuranceplan,claimclearinghouse,orahealthcareproviderthatconductsHIPAAelectronicbilling(typicallybillingofinsurancecompaniesorMedicare/Medicaid).

• CoveredComponent:SameasaCoveredEntity,butisacomponentofahybridentitythatdoesmorethanhealthcare.BUisaHybridEntity.

• BUCoveredComponents:

6

GSDM’sDentalHealthTreatment

Centers

SARPhysicalTherapyand Neuro-

Rehabilitation

SargentChoiceNutrition Danielsen Institute

Researchexamples:IsHIPAAImplicated?

1. Researchinvolvinganalysisofstillbirthsandmothersage.Usingbirthanddeathstatisticsfrompublicrecords.

2. Sameresearchstudy,butalsousesdatafromBMC3. Whatmodalityismosteffectiveintreatingmajordepressionplusanxiety:CBT,

meditationorboth?Datafrom:• Meditationcenter• Reportedbysubjects• BUCARD• DanielsenInstitute

7

PointsWhereHIPAAMatters

1.Preparingproposal 2.Recruitingsubjects

3.Obtainingdata4.Protectingyourdata

8

YouneedPHIfromaBUCoveredComponent(orfromaHIPAACoveredEntityoutsideBU)toprepareforresearch.Forexample:

• Evaluatingwhetherthemedicalrecordscontainenoughpotentialsubjectsforaresearchstudy

• ObtainingotherinformationfrommedicalrecordstopreparetheproposalorIRBsubmission• Designingaresearchproposalorprotocol

Twooptions:AuthorizationorWaiver

9

HIPAAinFirstPhaseofResearch:Preparations(Pre-IRBSubmission)

WaiverPreparatoryToResearch

• PatientAuthorization:usuallyimpractical• WaiverPreparatorytoResearchif:

• ReviewofPHIisnecessarytopreparetheprotocolorengageinsimilarpreparatoryactivities;• TheresearcherwillnotremoveorretainthePHIreviewed;and• ReviewingthePHIisnecessaryforresearchpurposes

• IfyouwanttoreviewdataataBUcoveredcomponent,usetheformavailableatwww.bu.edu/hipaa andgiveittothecoveredcomponent’sHIPAAContact.• PracticesvaryathealthcareprovidersoutsideBU- startbyaskingforthePrivacyOfficer

• Whyisthisnecessary?Accounting

10

• Atreatingprovidercanofferitsownpatientstheopportunitytoparticipateinresearch. DiscussingresearchparticipationwithapatientisconsideredpartofTreatment;sonoAuthorizationorWaiverisneeded.

• Itdoesn’tmatterthattheresearcherdoesnotpersonallytreateachpotentialstudysubject;theclinicisconsideredtheprovider.

11

HIPAA in Second Phase of Research: Recruiting Subjects

HIPAA-CompliantRecruitingExamples

AphysicaltherapistwhoispartofBUPhysicalTherapyattheRyanCenterhasIRBapprovaltoconductastudycomparingtwopost-kneesurgerytreatmentregimens.Canshereviewpatientrecordstogetcontactinformationforpotentialsubjectsandcontactthemabouttheresearch?

SameresearchisbeingconductedbyaresearcheratNortheasternUniversity.CanBUPhysicalTherapygivehimthatlistforstudyrecruitmentpurposes?

12

• Thereare4pathwaystoobtainPHIfromaCoveredEntityforanIRB-approvedresearchstudy:• Requestonlyde-identifieddatafromtheCoveredEntity• RequestaLimitedDataSet,underaDataUseAgreement• GetAuthorizationfromeachstudysubject• ObtainaWaiverofAuthorizationfromtheIRB

13

HIPAAinThirdPhaseofResearch:ObtainingPHIfromCoveredEntitytoConductResearch

FirstOption:UseDe-IdentifiedData

• PHIthathasbeen“de-identified”isnolongerPHIbecauseitdoesnotidentifyanyindividual.

• Butnote:de-identificationunderHIPAAdoesnotmeansimplydeletingthepatientnames.HIPAAregardsdataasde-identifiedonlyintwocircumstances:• Ifthedatadoesnotcontainanyofthe18identifyingelements(nextslide),or• Ifthedatacontainssomeofthose18identifyingelements,butanexperthasdetermined

thereisaverysmallriskofusingthedatatoidentifyindividuals.• Ifyouwishtopursueanexpertdetermination,contacttheBUPrivacyOfficerat

hipaa@bu.edu soshecanassistinensuringtheexpertusesmethodsadvisedbyHIPAA.

14

18IdentifiersThatMustBeAbsentToDe-identifyPHI

• Names• Allgeographicsubdivisionssmallerthana

State• Allelementsofdates(exceptyear)fordates

directlyrelatedtoanindividual:• birthdate• admissiondate• dischargedate• dateofdeath• allagesover89

• Telephonenumbers• Faxnumbers• Electronicmailaddresses

• SocialSecuritynumbers• Medicalrecordnumbers• Healthplanbeneficiarynumbers• Accountnumbers• Certificate/licensenumbers• Vehicleidentifiers,e.g.,serialnumbers,

licenseplatenumbers• Deviceidentifiersandserialnumbers• WebUniversalResourceLocators(URLs)• InternetProtocol(IP)address• Biometricidentifiers,includingfingerand

voiceprints• Fullfacephotographicimagesandany

comparableimages• Anyotheruniqueidentifyingnumber,

characteristic,orcode 15

SecondOption:UseaLimitedDataSet

• Donothavetoremoveall 18identifyingelements.Canleavethefollowing:• townorcityandzipcodeofsubject• datesrelatedtothesubject,e.g.,datesofbirth,death,admission,testing,etc.

• MustenterintoaDataUseAgreementwiththeCoveredEntitythatspecifieshowyouwillprotectandusethedata

• Ifyouwishtopursuethismethod,contacttheBUPrivacyOfficerathipaa@bu.edu

16

ThirdOption:ObtainPatientAuthorization

• ResearcherscanobtainPHIfromaCoveredEntityorBUcoveredcomponentifsubjectssignaHIPAAauthorization

• TheHIPAAAuthorizationmaybecombinedwiththestudyConsent,oritmaybeseparate

• Practicetip- IdentifyallcoveredentitieswhoserecordsyouwillbeseekingandnameeachintheAuthorization

17

FourthOption:IRBWaiverofAuthorization

ConditionsforgrantingaWaiver:

• PHIisnecessaryfortheresearch,• Theresearchcannotbeconductedwithoutawaiver(usuallybecauseobtainingindividual

Authorizationisimpractical)and• Theresearchdoesnotinvolvemorethanaminimalrisktoindividualsbasedonthe

following:• Anadequateplantoprotecttheidentifiersfromimproperuse• Anadequateplantodestroyidentifiersattheearliestopportunity• AssurancethatthePHIwillnotbeusedforanypurposeotherthanthatstudy,anditwon’tbefurtherdisclosed

18

19

4.ProtectingYourResearchData

MajorRisks:

• LostorStolen:• Laptop• Portabledevice(e.g.,flashdrive)• Paperorothertangibleresearchdata

• Cyberattack• Malware• Phishingattack• Exploitoperatingsystem,application

vulnerabilities

20

HIPAAIsNotTheOnlyLawOutThere…

Manylawsmayprotectyourhumansubjectsresearchdata,forexample:

• MassachusettsStandardsforProtectionofPersonalInformation(93H/201CMR17)• PaymentCardIndustryDataSecurityStandard• ExportControlLaw• ControlledUnclassifiedInformation(32CFRPart2002)• HumanSubjectsandotherresearchregulations,and• HIPAA

21

PHIorNotDuringResearch?

Subjectenrollsindepression/anxietystudy.Researcherscollectthefollowing.WhicharePHI?

• Subjectrecordsmoodsdailyforamonth.• SubjectprovidesAuthorizationforreleaseofherrecordsfromDanielsen• SubjectprovidesAuthorizationforreleaseofherrecordsfromCARD• SubjectprovidesAuthorizationforreleaseofherrecordsfrommeditationcenter

22

BU’sDataCategoriesMakeitSimple[r]

• RestrictedUse:loss/misusemayrequirenotificationtoindividualsorgovernmentagency–• HIPAAPHIandotherpersonallyidentifiablehealthdatausedinresearch• Codeorkeytore-identifydata

• Confidential:lossormisusemayadverselyaffectindividualsorBUbusiness• Humansubjectsresearchwithnon-healthdata(e.g.,CollegeofArtsandSciences

investigatingwhetherpre-teenmusiclessonsimpactacademicsuccess)• De-identifiedPHI/healthdata

• Internal:potentiallysensitive• Public:doesnotrequireprotectionfromdisclosure

23

Butmyresearchdataisalways“deidentified”….• Areyousure?• Thatmeansyourdatahasnodatesandnogeographicsignifiers,oranyofthe18

elementslistedinHIPAA• And,thatnoonecanidentifyanindividualfromyourdata– eitheraloneorin

combinationwithotheravailabledata.

24

Cautionarytale:Iowainsuranceexecutive:

“Healthcostsareskyrocketing!Itcosts$1millionpermonthtocovertreatmentforone17yearoldboy’swithhemophilia.”

MinimumSecurityStandardsforNon-PublicData

TheBUDataProtectionStandardsidentifyMinimumSecurityStandardsforallnon-publicdata(RestrictedUse,Confidential,andInternal)http://www.bu.edu/policies/information-security-home/data-protection-standards/minimum-security-standards/

25

4EasyRules1.Devicestandards

2.Datastorageoptions3.Datasharingoptions

4.FoilHackers

1BigTheme

ENCRYPT!

1.DeviceStandardsforNon-PublicData• Devices=desktops,laptops,andphones• Devicesmusthave:

• Operatingsystemsandapplicationsthataresupportedandupdated• Anti-Malware installedandsettoautoupdateandscan• Autoscreenlock(15minmax)topassword/code• Diskencryption(bestpracticebutrequiredforRestrictedUsedata)

26

Note:Yourpersonaldevicesdonotneedtomeetthesestandardsunless

youusethemtoaccess,process,orstoreresearchdata.

HowDoIMakeSuremyDeviceisOK?

• BUhasguidancehere:• http://www.bu.edu/tech/support/information-security/securing-your-devices/

• Askforhelpifyouneedit:• IS&THelpCenter:http://www.bu.edu/tech/about/help-center/

• DavidCorbett,MedicalCampusInformationSecurityandBUHIPAASecurityOfficer,atcorbettd@bu.edu

27

OnceDeviceisOK,KeepitThatWay

• Keepoperatingsystemsandapplicationsuptodate,byenablingauto-updateorpromptlyupdatingwhennotified

• Periodicallychangeyourstrongpassword,followingbestpractices:http://www.bu.edu/tech/about/security-resources/bestpractice/passwords/

• Regularlydeletefileswhennolongerneeded,includingemailsanddownloads

28

2.DataStorageOptions

• BUnetworkstorage(RU-NAS/”HIPAADrive”)• Cloud:

• BUMicrosoftOneDrive• BU’sDropbox

• Encrypted Removablemedia(e.g.,CD,DVD,USBkey/stick)• BUGoogleDrive-- forConfidentialorInternaldataonly(notRestrictedUse)

ChecktheBUITsitefromtimetotime;ITisalwayslookingfornewsecureoptions,andwilladdthemhere:http://www.bu.edu/tech/support/storage-options/

29

3.DataSharingCloudsharingsameascloudstorage:• BUDropbox• BUMicrosoftOneDrive(RestrictedUse)or• BUGoogleDrive(Confidential)

Email:Encrypt!1. UseDataMotion tosendasecureencrypted emailor2. Encrypt thedocument orspreadsheet beforeattachingit.

• Tip:Providethepasswordtotherecipientbytelephone- Donotsendthepasswordbyemailbecauseitcanbeinterceptedaswell.

30

4.FoilHackersandFightPhishing!

• Mostpeoplethinkitwouldneverhappentothem,butitregularlyhappenstoBUfaculty,staff,andstudents

• Typicalsigns:• Emailasksforpassword– BUwillneveraskforlogincredentialsthroughemail• Appearstobefromsomeoneyouknowbuthasanunexpectedattachment• Containsunexpectedgrammaticalorspellingerrors

• Ifthereisanydoubt,pleaseforwardtheemailtoabuse@bu.edu andgetadvice

LearnmoreatBU’s“HowtoFightPhishing”webpage:http://www.bu.edu/tech/services/cccs/email/unwanted-email/how-to-fight-phishing/

31

CheckBeforeYouClick

• Onlyenterlogincredentialsifwebsiteaddresshasgreen component(EVCert)andstartswithhttps://

• Withoutthe“s”precedingthecolon,thewebsiteisnotsafe

32

AdditionalTips:SafeguardsforWorkingRemotely

UsetheBUVPN(vpn.bu.edu)

Donotleavedevicesunattended(e.g.,coffeeshops,cars)

Lockupdeviceswhennotinuse(e.g.,cablelock,lockedroom)

33

AdditionalTips:ProtectDocumentsandTangibleData

Donotremovedocumentsortangibledatafromtheoffice.Ifyoudo,don’tleaveunattended(e.g.,car,classroom,coffeeshop)

Lockupwhennotinuse

Shredwhennolongernecessary– neverthrowintrash.

34

35

BREACHES:Whatarethey?HowdoIreport?

ReportingPotentialBreach/LossofData:WhyIsItSoImportant?

PleasenotethatanyexternalreportingtogovernmentalagenciesorindividualswhosedatahasbeenbreachedishandledbyyourBUHIPAAPrivacyandSecurityOfficers,InformationSecurity,OGC,andotherBUoffices.Yourresponsibilityistoreportanysuspectedsecurityincidentstoirt@bu.edu,andassistasrequestedinanyinvestigation.

BUmayhaveanobligationtoreporttheincidenttoindividuals,theIRB,orstateandfederalauthorities

BUmaybeabletopreventorminimizedamage

36

WhatEventsMustBeReported?

• Unusualsystemactivity,including:• Malwaredetections• Unexpectedlogins• Systemorapplicationalertsindicatingaproblem• Unusualbehaviorsuchasseeminglossofcontrolofmouseorkeyboard

• Unauthorizedaccess,use,disclosure,orloss,including:• Lossofadevice(personalorBU-owned)usedtoaccessresearchdata• Lossoftangible(paperorother)researchdata• Emailingwithoutencryption

37

HowtoReportSecurityConcerns,SecurityIncidents,andPotentialBreaches:

• SendanemailtoBU’sIncidentResponseTeam(IRT):irt@bu.edu.• IRTwilltriagethereportandcontacttheappropriatepersonsandoffices

• Ifyouforgettheirt@bu.edu emailaddress,reporttotheprincipalinvestigator,theIRB,orhipaa@bu.edu

BUprohibitsretaliationforreportingsecurityconcerns,securityincidents,andpotentialbreaches

38

AdditionalResources

• ThisPowerPointwillbeavailableatwww.bu.edu/hipaa• BUDataProtectionStandards:http://www.bu.edu/policies/information-security-

home/data-protection-standards/• BUHIPAApolicies,formsandresources:http://www.bu.edu/hipaa• BUHIPAASecurityOfficerDavidCorbett:corbettd@bu.edu• BUHIPAAPrivacyOfficerDianeLindquist:dlindq@bu.edu

• Bothreceiveemailsatthisaddress:hipaa@bu.edu• NIHeducationmaterialshttps://privacyruleandresearch.nih.gov/clin_research.asp

39