HIPAA and Research Data Security Awareness
This training module covers the importance of HIPAA regulations for GSDM researchers, including what researchers need to know, how to protect health data, and consequences of violations. It emphasizes the significance of safeguarding patient information and provides examples of past breaches. The content also explains when researchers must consider HIPAA and defines Protected Health Information (PHI) at GSDM. Additionally, it delves into Covered Entities and Components within the university's healthcare system.
Presentation Transcript
HIPAA & RESEARCH DATA SECURITY FOR GSDM RESEARCHERS April 2018
This Training Will Cover
- What human subject researchers need to know about HIPAA
- What researchers need to do to protect health data used in research, whether covered by HIPAA or not
- How to report a possible breach of research data
- Your BU resources
What's the big deal? HIPAA is a national law that sets patient privacy standards throughout the US. HIPAA regulations can be complex; you need to know the rules. And the consequences of a HIPAA violation can be quite serious. For example:
- Feinstein Institute for Medical Research: an unencrypted laptop containing data from 50 studies and 13,000 individuals was stolen from a researcher's car. Settlement paid: $3.9 million.
- Oregon Health and Science University: $2.75 million settlement paid after a surgeon's unencrypted laptop was stolen.
- NY State Psychiatric Institute: hackers accessed servers holding highly sensitive information on 22,000 mental health study participants; the amount is not yet known.
When Do Researchers Need to Consider HIPAA? If you use PHI of any patient in any human subjects research activity: to plan for research, submit a proposal, contact patients to recruit subjects, enroll subjects, or conduct the research. What's PHI? See next slide.
PHI at GSDM. Protected Health Information (PHI) means information about an individual's past, present, or future physical or mental (including dental) health, and/or information about payment for, or provision of, healthcare (including dental) services, created or received by a Covered Entity/Covered Component, e.g., a GSDM clinic. At GSDM, PHI is found:
- In the patient record or in a GSDM Clinical Information System (e.g., Salud, Dolphin, CBCT database, Eaglesoft, paper records, etc.)
- In patient financial records: demographics, insurance information, billing and payment information pertaining to any individual patient
- In data repositories, including those maintained for research purposes
Covered Entity/Covered Component. Covered Entity: a health insurance plan, claims clearinghouse, or healthcare provider that conducts HIPAA electronic billing (typically billing of insurance companies or Medicare/Medicaid). Covered Component: the same as a Covered Entity, but a component of a hybrid entity that does more than healthcare. BU is a Hybrid Entity. BU Covered Components: GSDM's dental clinics are BU Covered Components. The others are on the Charles River Campus: the Danielsen Institute (a psychology clinic), Sargent Choice Nutrition Center, and BU Rehabilitation (Physical Therapy and Neurorehabilitation). Boston Medical Center is separate from BU; it is a Covered Entity.
When Does HIPAA Matter in Research?
1. Preparing the proposal
2. Recruiting subjects
3. Obtaining data
4. Protecting your data
HIPAA in Activities Preparatory to Research (Pre-IRB Submission). Activities in preparation for research are activities you perform before you go to the IRB, for example:
- Reviewing information in any dental record system to see if it contains enough subjects who meet certain criteria for a research study
- Reviewing images to select one that would be useful in a research project
- Designing a research proposal or protocol
Preparatory to Research activities do not include contacting patients, using data, or retaining data. You are only allowed to look! And even to look, HIPAA requires you to complete a Waiver Preparatory to Research form.
Waiver Preparatory To Research. It's not practical to ask patients to sign an Authorization for you to use their PHI to prepare for research. Your alternative: a Waiver Preparatory to Research. The waiver will be granted if you can show:
- Review of PHI is necessary to prepare the protocol or engage in similar preparatory activities;
- The researcher will not remove or retain the PHI reviewed; and
- Reviewing the PHI is necessary for research purposes.
If you want to review Salud or other patient data at GSDM, complete the form available at www.bu.edu/hipaa. See the next slide for an example of a completed form:
GOLDMAN SCHOOL OF DENTAL MEDICINE
REQUEST FOR WAIVER TO ACCESS PHI FOR ACTIVITIES PREPARATORY TO RESEARCH
Date of Request:
Researcher making request:
E-mail, telephone:
Describe what kind of preparation requires you to access and view PHI:
o Determine number of potential subjects
o Locate images or procedures suitable for research projects
o Prepare a proposal or protocol
o Prepare IRB application
o Other: ________________________________
What database will you be accessing?
o Salud
o Dolphin
o CBCT images
o Other: ___________________
In compliance with HIPAA, I assure GSDM of the following:
1. I will use the PHI described above solely to prepare a research protocol or for similar purposes preparatory to research.
2. The PHI described above is necessary to develop the research protocol or to conduct other activities preparatory to research; and
3. Neither I nor anyone working with me will download, print or otherwise take any PHI.
Requestor's signature: __________________________________________
Please send completed Requests to jfreilly@bu.edu. If your request form has all required information, you can expect approval within 24-48 hours.
What do I do with the Prep to Research Waiver Request form? Send it to John Reilly for his approval, jfreilly@bu.edu. (Remember: the IRB can't grant you a waiver because you haven't gone to the IRB yet.) Once John Reilly approves your waiver request, you can conduct your activities preparatory to research. You can review records in Salud, Dolphin, or any other dental record containing patient PHI to prepare for your research. If you require a report from IT to prepare for research, provide the approved Waiver Request to IT. That tells IT they can provide you the data.
HIPAA in the Second Phase of Research: Recruiting Subjects. If you use Salud or any other patient record/database to obtain information to contact patients and offer them the opportunity to enroll in a research study, you are using PHI, because PHI includes the patient's demographics. Often it is impractical to obtain patient consent for recruitment, so the IRB may grant a Waiver for recruiting purposes. The IRB application (INSPIRII) asks you to describe your plan to recruit and asks whether you need a waiver. A treating provider can always discuss the possibility of participation in a research study with his/her patient.
HIPAA in the Third Phase of Research: Obtaining PHI to Conduct Research. There are four pathways to obtain PHI from a Covered Entity for an IRB-approved research study. Which you use depends on the type of data needed and the feasibility of contacting patients for Authorization:
1. Request only de-identified data from the Covered Entity
2. Request a Limited Data Set, under a Data Use Agreement
3. Get Authorization from each study subject
4. Obtain a Waiver of Authorization from the IRB
First Option: Use De-Identified Data. PHI that has been de-identified is no longer PHI because it does not identify any individual. But note: de-identification under HIPAA does not mean simply deleting the patient names. HIPAA regards data as de-identified in only two circumstances:
- The data does not contain any of the 18 identifying elements (next slide), or
- The data contains some of those 18 identifying elements, but an expert has determined that there is a very small risk of using the data to identify individuals.
If you wish to pursue an expert determination, contact the BU Privacy Officer at hipaa@bu.edu so she can assist in ensuring the expert uses methods advised by HIPAA.
18 HIPAA Identifiers. If any of these are included in your research data, it is not de-identified under HIPAA unless you obtain an expert opinion supporting de-identification:
1. Names
2. All geographic subdivisions smaller than a State
3. All elements of dates (except year) for dates directly related to an individual: birth date, treatment date, date of death; and all ages over 89 (these may be aggregated into a single category of 90 or older)
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical/dental record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers, e.g., serial numbers, license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) addresses
16. Biometric identifiers, including finger and voice prints
17. Full-face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code
Second Option: Use a Limited Data Set. You do not have to remove all 18 HIPAA identifiers. You can leave the following:
- town or city and zip code of the subject
- dates related to the subject, e.g., dates of birth, death, admission, testing, etc.
A Limited Data Set is still PHI. The only HIPAA requirement is that you enter into a Data Use Agreement with the Covered Entity that specifies how you will protect and use the data. Contact the BU Privacy Officer at hipaa@bu.edu for an appropriate Data Use Agreement. Several research data repositories exist at GSDM that require only a Data Use Agreement and do not require IRB approval.
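The two slides above describe two different cuts of the same patient record: the Safe Harbor cut (all 18 identifier classes gone, dates reduced to year, ages over 89 collapsed) and the Limited Data Set cut (direct identifiers gone, dates and city/ZIP kept). The example below, added here and not part of the training or of any BU system, applies both cuts to one constructed record. The field names, the sample patient, the reference date and the fixed key are assumptions for illustration; the keyed study ID stands in for the "code or key to re-identify data", which must be stored separately from the data set.

```python
"""Safe Harbor de-identification and Limited Data Set preparation for one record.

Added example, not part of the GSDM training or any BU system. The field
names, the sample patient, the reference date and the key are constructed.
"""
import hashlib
import hmac
import re
from datetime import date

# Direct identifiers from the Safe Harbor list: dropped from both outputs.
DIRECT_IDENTIFIERS = {
    "name", "mrn", "ssn", "phone", "fax", "email", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
# Geographic subdivisions smaller than a state: dropped for Safe Harbor.
# A Limited Data Set may keep city, state and ZIP, but not the street address.
GEO_FIELDS = {"street", "city", "zip"}
# Dates directly related to the individual: Safe Harbor keeps the year only.
DATE_FIELDS = {"birth_date", "treatment_date", "death_date"}
# Identifiers that tend to hide in free-text notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

# Re-identification key: Restricted Use in its own right and kept in separate
# storage from the data set. Fixed here (assumption) only so the example is reproducible.
KEY = b"re-identification-key-kept-elsewhere"
AS_OF = date(2018, 4, 30)  # assumed reference date for computing age

SAMPLE = {  # constructed record, not real patient data
    "name": "Jane Q. Patient",
    "mrn": "GSDM-00012345",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "street": "1 Fake Street",
    "city": "Boston",
    "state": "MA",
    "zip": "02118",
    "birth_date": date(1927, 3, 14),
    "treatment_date": date(2018, 4, 2),
    "procedure_code": "D7140",
    "notes": "Extraction tolerated well.",
}


def age_on(birth: date, as_of: date) -> int:
    years = as_of.year - birth.year
    return years - 1 if (as_of.month, as_of.day) < (birth.month, birth.day) else years


def identifiers_in_text(text: str) -> list:
    """Names of identifier patterns found in free text, sorted."""
    return sorted(name for name, pat in FREE_TEXT_PATTERNS.items() if pat.search(text))


def study_id(mrn: str, key: bytes) -> str:
    """Keyed pseudonym: only the key holder can map it back to the MRN."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def _check_notes(record: dict) -> None:
    leaks = identifiers_in_text(record.get("notes", ""))
    if leaks:  # fail closed: free text must be reviewed, not silently passed through
        raise ValueError(f"notes still contain identifiers: {leaks}")


def safe_harbor(record: dict, key: bytes, as_of: date) -> dict:
    """Drop the 18 identifier classes; keep years, state and clinical fields."""
    _check_notes(record)
    out = {"study_id": study_id(record["mrn"], key)}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in GEO_FIELDS:
            continue
        if field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = value.year
        else:
            out[field] = value
    age = age_on(record["birth_date"], as_of)
    if age > 89:  # ages over 89 collapse to one category, and the birth year goes too
        out["age"] = "90+"
        out.pop("birth_year", None)
    else:
        out["age"] = age
    return out


def limited_data_set(record: dict) -> dict:
    """Direct identifiers and street address removed; dates, city, state, ZIP kept.
    The result is still PHI: release it only under a Data Use Agreement."""
    _check_notes(record)
    return {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIERS and f != "street"}
```

The free-text check is the part most often skipped in practice: a structured extract can be clean while a notes column still carries a phone number or an email address, so the functions refuse to produce output until the notes are reviewed.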
Third Option: Obtain Patient Authorization. Researchers can obtain PHI from a Covered Entity or BU Covered Component if subjects sign a HIPAA Authorization. The HIPAA Authorization may be combined with the study Consent, or it may be separate. Practice tip: identify all covered entities whose records you will be seeking and name each in the Authorization. If you have patient Authorization to access their Salud records for research purposes, provide that Authorization to IT to obtain access to that patient's record.
Fourth Option: IRB Waiver of Authorization. The IRB can waive the requirement of patient Authorization if the researcher assures the IRB that:
- PHI is necessary for the research,
- The research cannot be conducted without a waiver (usually because obtaining individual Authorization is impractical), and
- The research does not involve more than a minimal risk to individuals, based on the following:
  - An adequate plan to protect the identifiers from improper use
  - An adequate plan to destroy identifiers at the earliest opportunity
  - Assurance that the PHI will not be used for any purpose other than that study, and that it won't be further disclosed
Practical Tips: IRB Waiver. If you have an IRB approval and waiver of Authorization, provide it to GSDM IT to obtain the data from Salud. If you are creating a study database and wish to extend access to other study staff, also provide GSDM IT with the IRB application showing the members of the study staff.
Protecting Your Research Data
Major Risks to Research Data Security:
- Lost or stolen: laptop; portable device (e.g., flash drive); paper or other tangible research data
- Cyberattack: malware; phishing attack; exploitation of operating system or application vulnerabilities
HIPAA Is Not The Only Law Out There. Many laws may protect your human subjects research data, for example:
- Massachusetts Standards for Protection of Personal Information (93H / 201 CMR 17)
- Payment Card Industry Data Security Standard
- Export Control Law
- Controlled Unclassified Information (32 CFR Part 2002)
- Human Subjects and other research regulations, and HIPAA
BU's Data Categories Make Data Security Simple[r]
- Restricted Use: loss/misuse may require notification to individuals or a government agency. Includes HIPAA PHI and other personally identifiable human subject research data; SSN, driver's license #, checking account #, debit/credit card # (even without the PIN); and the code or key to re-identify data.
- Confidential: loss or misuse may adversely affect individuals or BU business. Includes human subjects research with non-health data (e.g., College of Arts and Sciences investigating whether pre-teen music lessons affect academic success) and de-identified Restricted Use data (the key or code must be kept in different storage).
- Internal: potentially sensitive; requires protection from disclosure.
- Public: does not require protection from disclosure.
Minimum Security Standards for Non-Public Data. The BU Data Protection Standards identify Minimum Security Standards for all non-public data (Restricted Use, Confidential, and Internal): http://www.bu.edu/policies/information-security-home/data-protection-standards/minimum-security-standards/
4 Easy Rules, 1 Big Theme:
1. Workstation standards
2. Data storage options
3. Data sharing options
4. Foil Hackers
The big theme: ENCRYPT!
Rule 1: Make Sure All Workstations Meet BU Standards for Non-Public Data. Workstations = desktops, laptops, phones, and tablets. They must have:
- Operating systems and applications that are supported and updated
- Anti-malware installed and set to auto-update and scan
- Auto screen lock (15 min max) to password/code
- Disk encryption (best practice for all; required for Restricted Use data)
Note: your personal workstations do not need to meet these standards unless you use them to access, process, or store research data.
How Do I Make Sure my Workstation is OK? BU has guidance here: http://www.bu.edu/tech/support/information-security/securing-your-devices/ Then ask for help: Dental IT, dentit@bu.edu; David Corbett, Medical Campus Information Security and BU HIPAA Security Officer, corbettd@bu.edu.
Once the Workstation is OK, Keep it That Way:
- Keep operating systems and applications up to date by enabling auto-update or promptly updating when notified
- Periodically change your strong password, following best practices: http://www.bu.edu/tech/about/security-resources/bestpractice/passwords/
- Regularly delete files when no longer needed, including emails and downloads
Rule 2: Use Secure Data Storage Options. BU network storage approved for Restricted Use: GSDM HIPAA network drives; BU Y Drive or RU-GPNAS; BU Microsoft SharePoint or OneDrive. BU Google Drive is for Confidential or Internal data only (not Restricted Use). Find out more about your storage options here: http://www.bu.edu/tech/support/storage-options/
Rule 3: Share Data Only Securely. Cloud share: BU Microsoft SharePoint or OneDrive. Email: Encrypt!
1. Use DataMotion to send a secure encrypted email, or
2. Encrypt the document or spreadsheet before attaching it.
Tip: provide the password to the recipient by telephone. Do not send the password by email, because it can be intercepted as well.
Rule 4: Foil Hackers and Fight Phishing! Terriers get hooked regularly, including faculty, staff, and students. Typical signs:
- Sense of urgency
- Has attachments or links (hover over a link to see the true address)
- Requests personal information or your password
- Similar but different sender email address, such as david@bx.edu
When you receive phishing or suspicious emails (not marketing emails), forward the message, along with the headers, to abuse@bu.edu. Delete the message after you forward it to abuse@bu.edu. Permanently block marketers using Outlook junk options. Learn more at our How to Fight Phishing webpage.
Check Before You Click. Before entering login credentials, confirm two things in the address bar: the domain is the one you expect (for BU services, bu.edu), and the address starts with https://. The s before the colon means the connection is encrypted, so without it anything you type can be read in transit. It does not by itself mean the site is legitimate: phishing sites use https too, so the domain name is the check that matters.
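The phishing signs on the Rule 4 slide and the address check on the slide above can be turned into mechanical indicators: a sender domain one character away from bu.edu, link text that shows one domain while the href points at another, a link that uses plain http, urgency wording, and a request for a password. The script below, added here and not a BU tool, checks two constructed messages for those indicators. The trusted-domain set, the urgency phrase list and the two sample messages are assumptions for illustration; the registered-domain helper uses the last two labels only, which is a simplification compared with the public suffix list.

```python
"""Phishing indicators from the training slides, checked over sample messages.

Added example, not a BU tool. The two messages are constructed, and the
trusted-domain set and urgency phrases are assumptions for illustration.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"bu.edu"}  # assumption: the only domain you expect login links from
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "verify your", "urgent")

PHISH_SAMPLE = """\
From: David <david@bx.edu>
To: researcher@bu.edu
Subject: Action required: your BU account will be suspended
Content-Type: text/html; charset=utf-8

<p>Your mailbox is over quota. Verify your password within 24 hours or your
account will be suspended.</p>
<p><a href="http://bu.edu.account-verify.example/login">https://www.bu.edu/login</a></p>
"""

BENIGN_SAMPLE = """\
From: Dental IT <dentit@bu.edu>
To: researcher@bu.edu
Subject: Storage options
Content-Type: text/html; charset=utf-8

<p>Storage options are listed at
<a href="https://www.bu.edu/tech/support/storage-options/">https://www.bu.edu/tech/support/storage-options/</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs: what you see versus what hovering reveals."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host: str) -> str:
    """'login.bu.edu' -> 'bu.edu'. Last two labels only; a real tool would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def edit_distance_one(a: str, b: str) -> bool:
    """True when one substitution, insertion or deletion turns a into b (bx.edu vs bu.edu)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def host_of(text: str) -> str:
    """Hostname from a URL or bare domain shown as link text; '' if the text is neither."""
    if "://" in text:
        return urlparse(text).hostname or ""
    return text if "." in text and " " not in text else ""


def analyze(raw: str) -> list:
    """Return the sorted list of indicator names found in an RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = set()
    sender = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    if registered_domain(sender) not in TRUSTED_DOMAINS and any(
        edit_distance_one(sender, t) or t in sender for t in TRUSTED_DOMAINS
    ):
        found.add("lookalike_sender")  # bx.edu, or bu.edu buried inside another domain
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(html)
    for text, href in collector.links:
        target = urlparse(href)
        if target.scheme == "http":
            found.add("plain_http_link")
        if target.hostname and registered_domain(target.hostname) not in TRUSTED_DOMAINS:
            found.add("link_to_untrusted_domain")
        shown = host_of(text)
        if shown and target.hostname and registered_domain(shown) != registered_domain(target.hostname):
            found.add("link_text_mismatch")  # visible text says bu.edu, href goes elsewhere
    if any(True for _ in msg.iter_attachments()):
        found.add("attachment")
    words = (str(msg["Subject"]) + " " + html).lower()
    if any(p in words for p in URGENCY_PHRASES):
        found.add("urgency")
    if "password" in words:
        found.add("asks_for_password")
    return sorted(found)
```

None of these indicators is proof on its own (a legitimate IT notice can be urgent, and a vendor can mail from a non-bu.edu domain), which is why the slide says to forward suspicious messages with headers to abuse@bu.edu rather than decide alone.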
Additional Tips: Safeguards for Working Remotely
- Use the BU two-factor VPN (vpn.bu.edu/2fa)
- Do not leave workstations unattended (e.g., coffee shops, cars)
- Lock up workstations when not in use (e.g., cable lock, locked room)
Additional Tips: Protect Documents and Tangible Data
- Do not remove documents or tangible data from the office. If you do, don't leave them unattended (e.g., car, classroom, coffee shop)
- Lock them up when not in use
- Shred when no longer necessary; never throw them in the trash
BREACHES: What are they? How do I report?
Reporting a Potential Breach/Loss of Data: Why Is It So Important? BU may have an obligation to report the incident to individuals, the IRB, or state and federal authorities, and BU may be able to prevent or minimize damage. Please note that any external reporting to governmental agencies or to individuals whose data has been breached is handled by your BU HIPAA Privacy and Security Officers, Information Security (irt@bu.edu), OGC, and other BU offices. Your responsibility is to report any suspected security incident to irt@bu.edu and assist as requested in any investigation.
What Events Must Be Reported?
- Unusual system activity, including: malware detections; unexpected logins; system or application alerts indicating a problem; unusual behavior such as apparent loss of control of the mouse or keyboard
- Unauthorized access, use, disclosure, or loss, including: loss of a device (personal or BU-owned) used to access research data; loss of tangible (paper or other) research data; emailing without encryption
How to Report Security Concerns, Security Incidents, and Potential Breaches: send an email to BU's Incident Response Team (IRT): irt@bu.edu. IRT will triage the report and contact the appropriate persons and offices. If you forget the irt@bu.edu email address, report to the principal investigator, the IRB, or hipaa@bu.edu. BU prohibits retaliation for reporting security concerns, security incidents, and potential breaches.
Additional Resources. For a consultation on HIPAA in your research project, please contact hipaa@bu.edu. We are happy to support your research activities. It is best to contact us early in your research planning! This PowerPoint will be available at www.bu.edu/hipaa.
- BU Data Protection Standards: http://www.bu.edu/policies/information-security-home/data-protection-standards/
- BU HIPAA policies, forms and resources: http://www.bu.edu/hipaa
- BU HIPAA Security Officer David Corbett: corbettd@bu.edu
- BU HIPAA Privacy Officer Diane Lindquist: dlindq@bu.edu
- Both receive emails at this address: hipaa@bu.edu
- NIH education materials: https://privacyruleandresearch.nih.gov/clin_research.asp