Human Subjects Research at BMC and BU: Accessing and ...


HIPAA and RESEARCH DATA SECURITY
For Boston Medical Center and Boston University Medical Campus Researchers
April 2018

What BU Medical Campus and BMC researchers need to know about HIPAA:
• What data does HIPAA protect?
• How can researchers access and use HIPAA data to recruit subjects and conduct research?
• What are researchers required to do to keep personally identifiable health data used in research SECURE, whether covered by HIPAA or not?
• How to report a possible breach of research data

Definitions
• HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA). The regulations implementing the law contain Privacy, Security, and Breach Notification Rules.
• Covered Entity: HIPAA applies to Covered Entities: most commonly, health insurance plans and healthcare providers that bill electronically. BMC is a Covered Entity.
• Covered Component: Same as a Covered Entity, but is a healthcare component of an entity that does more than healthcare (a Hybrid Entity with designated Covered Components). BU is a Hybrid Entity.

What Data Does HIPAA Protect?
HIPAA protects Protected Health Information (PHI), which is data:
• about the past, present, or future physical or mental health and/or information about payment for health care services,
• that may identify individuals, AND
• was created or received by a Covered Entity (e.g., BMC).
For example:
• Patient demographics, including name and contact information
• Medical records
• Lab results, images
• Billing information

HIPAA and Research at BMC and BU

BU:
• BU is a Hybrid Entity.
• BU's Covered Components, subject to HIPAA, are the GSDM Dental Treatment Centers; BU Rehabilitation Services; Sargent Choice Nutrition; and the Danielsen Institute.
• BU's professional schools (BUSM, SPH) are not Covered Components. PHI disclosed to them for research purposes (pursuant to a Waiver or Authorization) is not PHI.

BMC:
• BMC is not a Hybrid Entity.
• BMC is a Covered Component under HIPAA. Whether you are caring for patients at BMC, doing research at BMC, or doing anything else with patient demographic or medical information at BMC, it is PHI subject to HIPAA.

Patient Demographics, Contact Info
• Data can be PHI even if there is no information about specific health matters.
• That means contact information held by a Covered Entity (BMC) cannot be used for recruiting unless you have a HIPAA Authorization or an IRB HIPAA Waiver.
• What about just the name of a patient? In May 2017, Memorial Hermann Health System disclosed the name of a patient who attempted to use an (allegedly) false identification card to obtain services.
• No health information was disclosed about the patient, just the fact that she was a patient of the hospital.
• Still, the System paid $2.4 million to the U.S. Department of Health and Human Services and adopted a comprehensive corrective action plan.

But My Research Data is De-identified -- Isn't it?
• Data that is de-identified in the manner defined by HIPAA as de-identified is not PHI; it cannot be used to identify an individual.
• BUT NOTE: HIPAA has a very specific definition of de-identified. For example:
  • If your data includes any dates (birth dates, date of treatment, dates of admission/discharge) or location smaller than a state, it is not deidentified under HIPAA.
  • If your data includes the medical record number, it is not deidentified under HIPAA.
• HIPAA identifies 18 data elements that, if included in your data, mean it is not de-identified; complete list on next slide.

18 Identifiers That Must Be Absent To Deidentify PHI
Most common ones needed in research bolded:
• Names
• All geographic subdivisions smaller than a State
• All elements of dates (except year) for dates directly related to an individual:
  • birth date
  • admission date
  • discharge date
  • date of death
  • all ages over 89
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers, e.g., serial numbers, license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code

Any other unique identifying number, characteristic, or code
• Test under HIPAA is whether the data can be used to identify an individual, whether alone or when combined with other available data.
• This arises commonly when a patient or patient's condition is rare, making it easier to identify an individual.

Alternative De-identification Method
• If the data doesn't meet the absence of 18 identifiers standard, but a researcher believes it cannot be used to identify any individual, the data can still be considered de-identified if an expert determines, based on certain guidelines, that it is de-identified.
• Please contact the privacy officer at BU or BMC to pursue this method of establishing de-identification.

PHI or Not?
Following slides give examples that apply HIPAA's definition of PHI to various types of research data. For simplicity, BMC is used as the Covered Entity; however, it could be any Covered Entity, e.g., MGH, Spaulding, a BU Covered Component such as the GSDM Patient Treatment Centers, or any dentist or physician office.
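An added example, not part of the original slides: a Python check that applies the 18-identifier test above to a tagged dataset, sorts it into de-identified, Limited Data Set or PHI, and scrubs records by dropping identifiers, keeping only the year of dates and grouping ages over 89 as "90+". The column tags, schemas and records are constructed for illustration; the "any other unique identifying characteristic" test and names inside free text still need human review.

```python
import re
from datetime import date

# Hypothetical column tags for this example, grouped the way the slides treat them.
DIRECT = {"name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account",
          "license", "vehicle", "device", "url", "ip", "biometric", "photo", "other_id"}
QUASI = {"date", "geo_substate"}   # dates and sub-state geography

# Identifier formats that leak into free-text fields (US-style, illustrative only).
FREE_TEXT = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),         # e-mail address
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),             # Social Security number
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),   # telephone or fax number
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),       # IPv4 address
]


def classify(schema):
    """schema maps column -> tag. Returns (label, columns blocking de-identification)."""
    direct = sorted(c for c, t in schema.items() if t in DIRECT)
    quasi = sorted(c for c, t in schema.items() if t in QUASI)
    if direct:
        return "PHI", direct + quasi
    if quasi:
        return "limited data set", quasi
    return "de-identified", []


def scrub(record, schema):
    """Copy of record with the listed identifiers dropped or generalized."""
    over_89 = any(schema.get(c) == "age" and v > 89 for c, v in record.items())
    out = {}
    for col, value in record.items():
        tag = schema.get(col, "other_id")      # untagged columns fail closed: dropped
        if tag in DIRECT or tag == "geo_substate":
            continue
        if tag == "date":
            # Only the year may stay, and not when it could reveal an age over 89
            # (conservative: every year is withheld for such a subject).
            if not over_89:
                out[col + "_year"] = value.year
        elif tag == "age":
            out[col] = "90+" if value > 89 else value
        elif tag == "free_text":
            for pattern in FREE_TEXT:
                value = pattern.sub("[REMOVED]", value)
            out[col] = value                   # names in prose still need human review
        else:
            out[col] = value
    return out


# Constructed schemas modelled on the recruitment and retrospective examples in the deck.
RECRUITMENT = {"name": "name", "mrn": "mrn", "age": "age", "gender": "clinical",
               "race": "clinical", "diagnosis": "clinical", "echo_report": "free_text",
               "phone": "phone"}
RETROSPECTIVE = {"cardiac_event_date": "date", "contraceptive_start": "date",
                 "contraceptive_type": "clinical", "smoking_history": "clinical"}

# Constructed records; no real patient data.
SCHEMA = dict(RECRUITMENT, visit_date="date", zip="geo_substate")
RECORDS = [
    {"name": "Constructed Patient A", "mrn": "0000001", "age": 64, "gender": "F",
     "race": "African American", "diagnosis": "428.0", "phone": "617-555-0100",
     "visit_date": date(2016, 3, 14), "zip": "02118",
     "echo_report": "LV wall 13 mm. Call 617-555-0100 or pt@example.org re: results"},
    {"name": "Constructed Patient B", "mrn": "0000002", "age": 93, "gender": "M",
     "race": "African American", "diagnosis": "428.0", "phone": "617-555-0101",
     "visit_date": date(2017, 1, 9), "zip": "02118", "echo_report": "LV wall 14 mm."},
]

if __name__ == "__main__":
    print(classify(RECRUITMENT))
    print(classify(RETROSPECTIVE))
    for row in RECORDS:
        print(scrub(row, SCHEMA))
```
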

PHI or Not? (1)
• BUSM researcher wants to study effect of workload on radiology techs at BMC
• Seeks data from BMC on number of patients seen in imaging department per day over the past year; that data will come from Epic
• Will interview radiology techs and administer screening tests for additional data
This is Human Subjects research, but is not using PHI because:
• Data concerns BMC patients (number seen per day in a dept)
• But it does not identify an individual; is only a total number, so it is deidentified
• Data from interviews and screening tests come from subjects themselves; not PHI
Researchers must still protect this data, as discussed on a later slide

PHI or Not? (2)
• BU SPH researcher recruits subjects from a community center
• Subjects are women who have given birth in last 12 months
• Study examines association between post-partum depression and regular medical care (or its absence)
• Subjects provide information on their dates of birth, dates of postpartum medical visits, including type of provider visited (MD, NP, Midwife, hospital etc.), frequency, and type of care accessed
• Researcher administers depression screening test to subjects
This research data is not PHI because:
• Data is not created or received by a Covered Entity: SPH is not a Covered Entity
• Subjects themselves are not Covered Entity
[Researchers must still protect this data, as discussed in later slides]

PHI or Not? (3)
Same study as Example 2, except:
• In addition, you obtain medical records for all doctor/hospital visits within 12 mos of giving birth
This is PHI because it includes:
• Medical records held by physicians and hospitals
• About individual patients
• Not deidentified

Limited Data Sets
• Limited Data Sets are PHI
• They are not de-identified because they have geographic data, or dates, but no other identifiers
• If a Limited Data Set satisfies your data needs, BMC will provide you a Data Use Agreement. Follow all of the requirements of the Data Use Agreement during your research and that will satisfy HIPAA. Contact [email protected]

Summary: Understand How HIPAA Impacts Your Research Data Needs

1. Can you do your research with only de-identified data (no patient names, MRNs, dates, geographical data or other HIPAA identifiers, or you have an expert opinion)? Then it's not PHI, no need to worry about HIPAA.
2. If not, can you do your research with a Limited Data Set (meaning your data would be de-identified, except that it has dates and/or geographic data)? If so, you can enter into a Data Use Agreement and obtain the data.
3. If not, do you need PHI to recruit for or conduct your research? You will need an IRB approved HIPAA Authorization, or an IRB Waiver of HIPAA Authorization.

Using PHI to Prepare for Research
Activities preparatory to research are activities that occur before you go to the IRB, such as:
• Preparing the IRB application
• Preparing a research protocol
• Preparing a proposal
• Checking to see if there are a sufficient number of eligible persons to conduct the research
Patient Authorization is usually impractical at this point. If you need PHI to engage in these activities, you must obtain a Waiver Preparatory to Research form and have it signed by the Privacy Officer.

Waiver Preparatory To Research
Covered Entities/Components can grant a Waiver Preparatory to Research if you attest:
• Review of PHI is necessary to prepare the protocol (or similar preparatory activities);
• I won't remove PHI from the Covered Entity; and
• The PHI I will review is necessary for my research.
To use BMC data to prepare for research, contact the BMC Privacy Officer for a waiver preparatory to research.
Practices vary at health care providers outside BU and BMC - ask for the Privacy Officer or Research Support.
Remember: IRB cannot grant a Waiver Preparatory to Research.

Using PHI to Recruit Subjects
• When submitting an application to the IRB for research approval, you must specify how you intend to recruit subjects.
• You will be using PHI to recruit if you use any data about a patient from the Covered Entity: e.g., a list of all BMC patients who have been diagnosed with Type II diabetes, including contact information, is PHI.
• If you intend to use BMC (or another health care provider's) patient information to screen and recruit subjects, you will need either:
  • an Authorization signed by the patients, or
  • a Waiver of HIPAA Authorization from the IRB
• Recruiting includes screening, i.e., using PHI to examine exclusion criteria

IRB HIPAA Waiver for Recruitment Purposes
PI must show the following:
(A) The recruitment could not practicably be conducted without the waiver;
(B) The research could not practicably be conducted without the PHI used for recruitment; and
(C) Using the PHI for recruitment purposes poses only a minimal risk to the privacy of potential subjects, because the researcher:
  (1) Has an adequate plan to protect the patient contact information from improper use and disclosure; and
  (2) Has an adequate plan to destroy the contact data identifiers at the earliest opportunity (e.g., destroy identifiers of non-eligible patients and those who decline to participate); and
  (3) Provides written assurances that the contact information used for research recruitment will not be reused or disclosed to any other person or entity, except as required by law and for authorized oversight of the research study

Using PHI in Clinical Research Recruitment and Study
Following are the most common ways to comply with HIPAA in clinical research:
1. Submit application to IRB. Request HIPAA Waiver to contact potential subjects.
2. Contact potential subjects about research participation. Those who agree to join study will sign IRB-approved Consent to Participate and HIPAA Authorization to obtain records.
3. Securely delete information of patients who do not become subjects (did not agree to participate in study or are excluded).
4. Use subjects' HIPAA Authorizations to obtain medical records.

Example of Recruitment Data Needs
A study needs to recruit subjects for a clinical trial who meet the following criteria:
• Age >= 60 years
• ICD9 diagnosis of Congestive Heart Failure (428.xx)
• Mean echocardiographic left ventricular wall thickness > 12 mm
• African American
• Seen at BMC Cardiology Clinic from 1/1/2015-12/31/2017
Data requested from BMC for screening and recruitment: Name, MRN, Age, Gender, Race, diagnosis, echocardiographic report, phone contact info
• Is it PHI? Not de-identified; is held by Covered Entity; and is about individuals, so it is PHI.
• Is it a Limited Data Set? No, because name and contact info needed.
• Can researcher obtain it? Yes, but only if IRB grants a Waiver.

Using PHI in a Retrospective Study
• Don't need recruitment waiver from IRB because you are not recruiting.
• Patient Authorization for use of PHI in research is unlikely to be a practical option because patients are not involved in research.
• Need patient data from BMC's Epic EMR. 3 choices:
  • Obtain data that is de-identified according to HIPAA standards discussed above: no HIPAA Authorization or IRB Waiver needed; in fact, would not be Human Subjects Research
  • Obtain Limited Data Set, sign Data Use Agreement with BMC
  • Obtain PHI with an IRB waiver

IRB HIPAA Waiver to Obtain Study Data
The requirements for this waiver are the same as to obtain an IRB HIPAA waiver for recruitment purposes. PI must show:
(A) The research could not practicably be conducted without the waiver;
(B) The research could not practicably be conducted without the PHI; and
(C) Using the PHI for recruitment purposes poses only a minimal risk to the privacy of potential subjects, because the researcher:
  (1) Has an adequate plan to protect the PHI from improper use and disclosure; and
  (2) Has an adequate plan to destroy the PHI at the earliest opportunity; and
  (3) Provides written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law and for authorized oversight of the research study

Example of Retrospective Study Data Needs
Study seeks to examine oral contraceptive use and heart attack, needs the following data from BMC records for all female patients aged 15-44 during 2013-2017:
• cardiac medical history, including dates of cardiac events
• dates of any oral contraceptive use and type of contraceptive
• history of smoking
Is data sought de-identified? NO, not according to HIPAA because it includes dates related to individuals.
Is it a Limited Data Set? Yes, because it would be de-identified except for the dates related to individuals; BMC may release the data to the PI after obtaining a Data Use Agreement.

Variation: Same study, same data plus
PI determines also need for each patient:
• Number of pregnancies and outcome of each
As seen in prior slide, data is not de-identified according to HIPAA.
With addition of new data element, not a HIPAA Limited Data Set.
Assuming it is not practicable to obtain patient consent, would ask IRB for a HIPAA Waiver to obtain this data.

SAFEGUARDS

Protecting Data: BU and BMC Standards
• BU and BMC share an IRB but have separate policies, separate email systems, separate networks
• In addition, BMC is a Covered Entity; BU is a Hybrid Entity
• Consequence:
  • When research is conducted by BMC the data is always PHI: health info held by a Covered Entity
  • When research is conducted by BU, the data has been released to a non-Covered Entity, so it is not PHI.
• But ...

BU and BMC Data Security Standards are Compatible, for any individually identifiable health data, HIPAA or not
• For purposes of keeping data secure, you don't need to know if HIPAA governs the data or not.
• BU's security standards for non-public identifiable health information are equivalent to BMC's security standards for PHI.
• Follow the steps below and you will be keeping research data secure, whether it is PHI or not, whether at BU or at BMC.

HIPAA and More

Depending on the type of data involved, a number of statutes require researchers to protect research data, and many impose serious penalties for breaches:
• HIPAA
• Massachusetts Standards for Protection of Personal Information (93H / 201 CMR 17)
• Payment Card Industry Data Security Standard
• Export Control Law
• Controlled Unclassified Information (32 CFR Part 2002)
• Human Subjects and other research regulations
See BU Data Protection Standards

BU and BMC Minimum Security Standards
• BU and BMC Policies require Minimum Security Standards for all nonpublic data: curity-standards/
• All devices and data storage used for human subjects research, and all electronic sharing of non-public research data must comply with these standards

Classification of Non-Public Data at BU and BMC

BU:
• Restricted Use: loss/misuse may require notification to individuals or government agency
  • PHI and personally identifiable health data used in research
  • Code or key to re-identify data
• Confidential: loss or misuse may adversely affect individuals or BU business
  • non-health research
  • De-identified PHI/health data
• Internal: potentially sensitive

BMC:
• Confidential: disclosure may cause serious harm
  • Includes both PHI and personally identifiable health data used in research
• Internal: disclosure may cause some harm

Slightly different nomenclature; same minimum standards for non-public data

Bottom Line on Protecting Research Data
• If you are using public data, and if you are not concerned about your research becoming public, you do not need to worry about these safeguards and standards
• If your data or your research is non-public, you must implement the device safeguards and observe the safeguards applicable to sharing and data storage
• The highest level of protection applies to research data that may be used to identify an individual (alone or in combination with other data) -- PHI or not.

What's The Big Deal?
At Feinstein Institute for Medical Research, an unencrypted laptop was stolen from a car, containing data of about 50 research studies and approximately 13,000 individuals
• Big money payment: settled alleged HIPAA violations for $3.9 million
• Ongoing government scrutiny: three year corrective action plan
• Loss of confidence and reputation: required to notify research subjects and media outlets

Yes, This Could Happen to You
• NYU School of Medicine Aging and Dementia Clinical Research Center, 2010: Unencrypted portable device with information of 1,200 was lost
• Kern Medical Center, 2012: Bag containing paper records of 1,500 (including HIV, AIDS, Hepatitis, and pregnancy test results) was stolen from a car
• Oregon Health and Science University, 2013: Surgeon's unencrypted laptop was stolen from a vacation rental; $2.75 million settlement with OCR
• U Conn, 2016: Malware exposed research data on servers
• NY State Psychiatric Institute, 2016: Hackers accessed servers with highly sensitive information of 22,000 individuals participating in mental health studies

A Clear Pattern:
Lost or Stolen:
• Unencrypted laptop
• Unencrypted portable device (e.g., flash drive)
• Paper or other tangible research data
Cyberattack:
• Malware
• Phishing attack
• Exploit of operating system or application vulnerabilities
We may not be able to prevent all breaches, but following the rules on the following slides will prevent most!

Summary of BU/BMC Data Protection Standards
Electronic Data:
1. Device Standards
2. Secure Data Storage
3. Secure Email
4. Fight Phishing
5. Working Remotely
Non-Electronic Data:
• Protect Verbal Data
• Protect Tangible Data
  • Paper
  • X-rays
  • Other tangible forms

1. Device Standards
All endpoint devices - such as desktops, laptops, and phones - must have:
• Operating systems and applications that are supported and updated
• Anti-Malware installed and set to auto update and scan
• Auto screen lock (15 min max) to password/code
• Disk encryption (BMC required / BU - only required for Restricted Use data)
Note: Your personal devices are not affected unless used to access, process, or store research data.

BMC And BU Are Here To Help!
• Do what you can with the guidance found here:
• Ask for help:
  • BUMC IT Help:
  • BMC ITS Service Desk:

Device Hygiene
• Keep operating systems and applications up to date, by enabling auto-update or promptly updating when notified
• Periodically change your strong password, following best practices:
• Regularly delete files when no longer needed, including emails and downloads

2. Data Storage
BU:
• Restricted Use Data Storage:
  • BU network storage
  • BU Microsoft OneDrive
  • BU Dropbox
• Confidential Data Storage:
  • All of the above, plus: BU Google Drive
BMC:
• PHI storage:
  • Any BMC network, to share with those who also have access

Back Up Plans
You should have a backup plan, and be careful where you store the data:
• At BU use approved tools and storage options. BU network storage comes with a backup plan:
• At BMC use network storage or a account
• Use only encrypted devices: removable media (e.g., CD, DVD, USB key/stick) must be encrypted & password protected.

3. Secure Email
BU Email:
• BU email does not have encryption whenever you send RU data to ( [email protected])
• Use Data Motion to send RU data securely, both within BU ([email protected] to [email protected]) and to non-BU addresses (including to [email protected])
BMC Email:
• Within BMC (from a [email protected] to [email protected]) is considered secure, so long as no non-BMC addresses are included
• Remember: emails may always be forwarded. Consider adding a warning to the email
• Outside BMC: type "secure" in the subject line to encrypt & send only to HIPAA secure addresses
Secure alternative: Use regular email, but encrypt the document or spreadsheet:
• Encrypt when you save the document or spreadsheet, then attach to email
• Provide the password to the recipient by telephone
• Do not send the password by email because it may be intercepted
• Do not put RU data in subject line or body of email

4. Fight Phishing!
Most people think it would never happen to them, but attempts are made regularly at BU and BMC.
Red Flags:
• Email asks for password. BMC and BU will never ask for login credentials through email
• Appears to be from someone you know but has an unexpected attachment
• Contains unexpected grammatical or spelling errors
If there is any doubt, please get advice:
• BU email: forward the email to [email protected]
• BMC email: forward suspect email to
Learn more at our How to Fight Phishing webpage: [email protected] ed-email/how-to-fight-phishing/

Check Before You Click
• Websites: Only enter login credentials if website address has green component (EV Cert) and starts with https://
• Without the "s" preceding the colon, the website is not safe
• Learn more at our How to Fight Phishing webpage

5. Safeguards For Working Remotely
• Use BMC secure remote access or the BU VPN; otherwise, even passwords can be intercepted and viewed

• Do not leave devices unattended (e.g., coffee shops, cars)
• Lock up devices when not in use (e.g., cable lock, locked room)

Verbal Safeguards
• Do not discuss individual participant data outside closed offices
• If necessary, talk quietly and away from others
• Play music or background noise to disguise conversations
• If necessary to contact friends/family to locate a research participant, only disclose the minimum necessary amount of information

Safeguards For Documents and Tangible Data
• Do not remove documents or tangible data from the office
• If you must, don't leave unattended (e.g., car, classroom, coffee shop)
• Lock up when not in use
• Shred when no longer necessary; never throw in trash

BREACHES: What are they? How do I report?

Reporting Potential Breach/Loss of Data: Why Is It So Important?
• BMC/BU may have an obligation to report the incident to individuals, the IRB, or state and federal authorities
• BMC/BU may be able to prevent or minimize damage

Please note that any external reporting to governmental agencies or individuals whose data has been breached is handled by BMC/BU HIPAA Officers and other offices. Your responsibility is to report any suspected security incidents to [email protected] or [email protected] and assist as requested in any investigation.

What Events Must Be Reported?
Unusual system activity, including:
• Malware detections
• Unexpected logins
• System or application alerts indicating a problem
• Unusual behavior such as seeming loss of control of mouse or keyboard
Unauthorized access, use, disclosure, or loss, including:
• Loss of a device (personal or BU-owned) used to access research data
• Loss of tangible (paper or other) research data
• Emailing without encryption

How to Report Security Concerns, Security Incidents, and Potential Breaches
• If you think the data belongs to BU, send an email to BU's Incident Response Team (IRT): [email protected]. IRT will triage the report and contact the appropriate persons and offices
• If you think the data belongs to BMC, send an email to BMC's Privacy Officer: [email protected]
• Wherever you report to, BMC or BU, we will ensure the report gets to the appropriate person at either/both
• BMC and BU prohibit retaliation for reporting security concerns, security incidents, and potential breaches

Additional Resources on HIPAA and Data Protection
• This PowerPoint is available at
• BU Data Protection Standards:
• BMC Policies:
• BMC HIPAA Privacy Officer: [email protected]
• BU HIPAA Security Officer David Corbett: [email protected]
• BU HIPAA Privacy Officer Diane Lindquist: [email protected]
• Both receive emails at this address: [email protected]
• NIH education materials
