PHI Standards to Augment Restricted Information Controls: Clinical Research Data

Title: PHI Standards to Augment Restricted Information Controls: Clinical Research Data
Approved by: Office of the President
Date approved by President or Board of Trustees: June 11, 2012
Effective date: June 11, 2012
Responsible Official: Chief Information Security Officer
Responsible University Office: UTech Security and Policy
Revision History: 2
Related legislation and University policies: None
Review Period: 3 Years
Date of Last Review: August 21, 2024
Relates to: Faculty, Staff

Summary

As a risk mitigation action for enterprise-wide information protection, the ÐÇ¿Õ´«Ã½ information security standards are defined for the handling of clinical research data involving patient data, often referred to as electronic personal health information (ePHI). ÐÇ¿Õ´«Ã½ Western Reserve is a Hybrid Entity and not a standard Covered Entity, and thus portions of the university are not subject to the full Health Information Privacy and Portability Act (HIPAA) regulatory provisions. However, ÐÇ¿Õ´«Ã½ Western Reserve recognizes the need for privacy protections of patient data collected for research purposes. These security controls are defined to protect the current state of clinical research systems, with the acknowledgement that the university encourages researchers to house such data in our FISMA-Controlled research enclave, known as the Secure Research Environment or SRE.

This policy for protection of information applies to clinical research related information and information technology systems where identified patient data or ePHI are stored or processed. The governing Institutional Review Board (IRB) has oversight of the human-subjects research, and these controls are designed to address any privacy requirements imposed by IRBs and to mitigate risk of data loss or disclosure. These controls are designed to supplement the Controls- Restricted Information: Case Information Security Requirements for Restricted Information.

University operations where Covered Entity status is applicable will also be subject to HIPAA regulations, which further augment these standards.

Purpose

This procedure outlines basic controls necessary for all registered hosts which process, store, or transmit Restricted Information on ÐÇ¿Õ´«Ã½ IT systems. Because ePHI is considered a high impact for confidentiality, such data are categorized as Restricted.

These controls are to be applied in addition to the listed ÐÇ¿Õ´«Ã½ Public Information and Internal Use Only Controls. They are not comprehensive of all security controls applicable in the university environment.

Administrative Controls

  1. HIPAA Privacy/Security Training. All staff involved with clinical research involving human subjects must complete some training in the following areas:
    1. Mandatory training
      1. Annual survey of HIPAA Privacy and Security standards applicable from the IRB sponsoring hospital (e.g. University Hospitals, Cleveland Clinic, Metro Health, or Veterans Administration)
      2. One-time security awareness training under the for Health Information Privacy and Security (HIPS).
      3. Systems administrators are to be certified in accordance with Restricted Information Controls.
      4. ÐÇ¿Õ´«Ã½-supplied security awareness training. This is accomplished through the ÐÇ¿Õ´«Ã½ Securing The Human portal (request training from Information Security or contact the Help Desk )
    2. Optional training
      1. Annual refresher training from the CITI program, as mandated by the particular research contract.
      2. For NIH funded research contracts, the NIH Protecting Human Research Participants Web-based training course may also be required.
  2. Background Checks. Some research programs may require extensive background checks for all personnel with access to ePHI. These are obtained through Employee Relations at the ÐÇ¿Õ´«Ã½ Department of Human Resources
  3. Control of Information Systems: Research groups should assure information containing ePHI is not stored in unauthorized systems.
    1. Any identified data that inadvertently or temporarily is housed on an unauthorized system shall be immediately protected, securely removed, or properly de-identified.
  4. Any lost device or data must be reported to the ÐÇ¿Õ´«Ã½ Help Desk (help.case.edu) within 24 hours of loss to ensure timely incident response.
  5. IRB Approval. Management of data obtained from hospital clinical systems for research purposes must be performed under an approved Institutional Review Board (IRB) protocol.
    1. An Information Systems Security Plan (ISSP) addressing security risks may be required by the IRB. The ISSP requirement is outlined in university’s Restricted Information Controls
    2. A privacy impact assessment.
    3. When all necessary controls are adequately addressed, approval to operate may be granted by either the IRB or upon the recommendation of the Information Security Office.
    4. When an IRB Protocol ceases, all ePHI associated with the study shall be archived and then purged from working systems according to standard procedures and protected from disclosure. Additional provisions must be made to move the archived research data to an appropriately protected and managed environment.

Technical Controls

  1. Use of Personally Owned Equipment. All ePHI used in research settings shall only be stored or maintained in university-owned or licensed systems. No personally owned devices (e.g. personal laptops, tablets, smart phones, etc.) shall be used to store, manage, or transmit ePHI.
  2. Encryption. All non-server systems authorized for management of ePHI systems shall have standard university encryption utilities implemented for protection of Restricted data from inadvertent disclosure.
    1. Desktops and mobile computers (standard laptops) running Windows or MacOS shall use the whole-disk encryption utility provided by the operating system to protect local data.
    2. Linux desktop operating systems, shall use standard on-disk encryption methods. The standard includes the use of Seagate Momentus FDE hard drives (available for both laptop and desktop computers with a BIOS).
      1. Options for full disk encryption using software will be addressed on a case-by-case basis.
      2. In all cases, the university shall retain institutional control of all logical keys, passphrases, and access to encrypted data through the ÐÇ¿Õ´«Ã½ Information Security Office.
    3. Mobile data (USB key drives) shall use the university standard encrypted USB drives.
      1. For the storage and use of ePHI, Whole Disk Encryption is required.
      2. Where warranted by the Institutional Review Board, contact security@case.edu for additional assistance.
    4. Communication of Restricted data, including ePHI, via email in clear text is prohibited. Communication utilizing end-to-end encryption methods shall be used for Restricted data.
    5. Users are discouraged from using mobile systems (e.g. smartphones, tablet computers) to store and process Restricted data. If needed, mobile systems shall employ appropriate encryption techniques to protect stored Restricted data from loss or disclosure.
  3. Email. In accordance with ÐÇ¿Õ´«Ã½ Public Information Controls, email systems are prohibited from transferring identified patient data without an adequate implementation of one of these protections:
    1. File encryption (e.g. using PGP) implemented in a full end-to-end encryption method (asymmetric key encryption).
    2. Digital certificate encryption (e.g S/MIME) of message body and attachments.
    3. ÐÇ¿Õ´«Ã½ personnel located in partner hospitals will be encouraged to use the local (non-ÐÇ¿Õ´«Ã½) email systems for clinical support.

Physical Controls

  1. Research Data Repositories. Research data repositories for identified patient data shall be hosted in one of the centrally-managed ÐÇ¿Õ´«Ã½ data centers. The SRE is the preferred location.
    1. Appropriate migration plans to data centers must be included in the Restricted Information ISSP (security plan).
    2. Cloud-based options that meet strong access controls may be permitted on a case-by-case basis.
  2. Facility Access. All server resources that process, store, and manage Restricted information shall be hosted in a facility that permits audit-able physical access controls, which will protect the Restricted information through:
    1. Physical access controls which restrict access to minimum essential personnel.
    2. Data Center specific firewall network filtering.
    3. Intrusion prevention systems.
    4. Host vulnerability management.
    5. Appropriate environmental controls such as cooling, humidity controls.
    6. Electrical power requirements and emergency uninterruptible power supplies.

Responsibility

ÐÇ¿Õ´«Ã½ End Users: Assure controls based on ÐÇ¿Õ´«Ã½ information categories are implemented.

ÐÇ¿Õ´«Ã½ [U]Tech Information Security Staff: Monitor security risks on a continual basis and regularly update the procedural controls based on changing security threat scenarios.

ÐÇ¿Õ´«Ã½ Registered System Owners: Assure that restricted information controls are applied where applicable. Take reasonable steps to remove Internal Use Only and Restricted Information data from Public Information systems.

Principal Investigators: Ensure appropriate security controls are in place.

Definitions

Host: Any network capable device utilizing network services. A host may be a personal computer, a network appliance, server resources, printers, scanners, copiers.

Covered Entity: A health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter [e.g., HIPAA Administrative Simplification transaction standards].

ePHI: electronic personal health information

FISMA: Federal Information Security Management Act- a framework of security controls for information used by the US Federal Government for its agencies and contractors.

HIPAA: Health Insurance Portability and Availability Act

HITECH Act: Health Information Technology for Economic and Clinical Health Act

IRB: Institutional Review Board

NIH: National Institutes of Health

System: a single or group of computers, laptops, tablets, data storage media, or server resources, consisting of hardware, operating system software, and application software, which contain research data.