IRB Policy for Security and Integrity of Human Research Data
Kathleen Hay – Human Subjects Protection Office
Terri Shkuda – Research Informatics & Computing, Information Technology
Overview of Presentation
Regulatory Background
Revised IRB Policy
Investigator Responsibilities
Requirements for Data Security and Integrity
Investigator Resources
Regulatory Background
45 CFR Part 46 and 21 CFR Part 56
Criteria for IRB approval - “When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.”
HIPAA Privacy Rule
Privacy Rule
Establishes national standards to protect individuals’ medical records and other personal health information and sets limits and conditions on the uses and disclosures of this information
Breach Notification Rule
Requires entities to provide notification following a breach of unsecured PHI
Security Rule
Establishes standards for security of e-PHI
HITECH – Enforcement Rule
Regulatory Background
Institutional policies – PSU and HMC
PSU-AD20 – Computer and Network Security
PSU-AD23 – Use of Institutional Data
PSU-AD71 – Data Categorization
PSU ADG07 – Data Categorization Examples
HAM – C-08 – Confidentiality – Disposal of Information, Sanitizing of Electronic Media, and Destruction of Hard Copy Documents
HAM – C-37 – Confidentiality – Electronic Storage of Sensitive Data
IRB SOP Addendum: Security and Integrity of Human
Revised IRB Policy Addendum
IRB SOP Addendum: Security and
Integrity of Human Research Data
Revised IRB Policy
IRB SOP Addendum: Security and
Integrity of Human Research Data
Became effective January 2012
Revision will be effective December 1, 2014
SOP is available on IRB website – Under
Revised IRB Policy
What are the main changes:
Defines Penn State Hershey researchers and
external researchers
Defines 2-level categorization for data
Includes a new process for submitting plan
Provides revised requirements for electronic
and paper data storage
Provides requirements for data transfer
Requires data transfer agreements if data are
Revised IRB Policy
Penn State Hershey researcher:
Employee, faculty or student of the PSU College of
Medicine (COM) and/or Hershey Medical Center (HMC)
External researcher:
If the research uses/discloses protected health
information (PHI): any researcher who is not an employee, faculty, or student of COM and/or HMC
If the research does not use/disclose PHI: any
researcher who is not an employee, faculty or student of Penn State University, COM, HMC
Revised IRB Policy
Protected health information (PHI)
Individually identifiable health information
Transmitted or maintained in any form or medium by a
Covered Entity or its Business Associate
Individually identifiable health information
Health information, including demographic information
Relates to an individual’s physical or mental health or the provision of or payment for health care
Identifies the individual
Personally Identifiable information (PII)
Information that can be used to uniquely identify a single
Revised IRB Policy
Policy defines 2 levels for human research data
Level 1 – De-identified research data about people
De-identified data collected for a research study, such as an
anonymous survey
Publicly available datasets
Level 2 – Data about individually identifiable people
Research data that include identifiable health information (PHI)
collected for a clinical trial
Research data that include identifiable non-health information (PII),
such as test scores or student record information or employee records
Research data that include identifiable non-health, non-sensitive
18 HIPAA Identifiers
• Names
• All geographic subdivisions smaller than a State
• All elements of dates (except year)
• Telephone numbers
• Fax numbers
• Email addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers
• Device identifiers
• Web URLs
• Internet Protocol (IP)
• Biometric identifiers, finger and voice prints
• Full face photographic image
• Any other unique identifying number/characteristic/code
Identifier added as part of SOP:
Revised IRB Policy
Procedure:
IRB Chair or designee reviews data security-integrity
plan by expedited review process
New studies – plan reviewed during pre-review
Reviewer determines if plan fulfills requirements for
applicable security category
If plan does not meet policy requirements, it is reviewed
by the IT Security Group
Provides guidance to IRB regarding changes needed to approve plan
May recommend that the IRB approve a variance
Compliance is monitored by Research Quality
Assurance Office as part of routine or directed post-approval reviews
Revised IRB Policy
For research involving transfer of PHI or PII to
and/or from any third party*
IT Security must approve method of data transfer
Ancillary review process in CATS IRB
Written transfer agreements – required for
projects involving transfer of human research
data to and/or from any third party*
Agreements negotiated by OTD or ORA
Ancillary review process in CATS IRB
Written transfer agreements needed if PI is
leaving PSH and plans to take data
Investigator Responsibilities
Investigators are responsible for:
Disclosing nature of data to be collected
Submitting data security/integrity plan at initial
review using Application Supplement – Research Data Plan Review Form **NEW**
Implementing & monitoring the plan upon IRB
approval
Ensuring all research personnel are trained and have signed a confidentiality agreement
Reporting breaches of confidentiality to IRB as RNI
Contacting ORA or OTD to negotiate transfer
Investigator Responsibilities
New studies
Submit Application Supplement-Research Data Plan Review
Form with CATS IRB
Upload form on Basic Information page question #7 along with protocol/PSA
Form will be stored in CATS IRB Library under Templates
To avoid redundancy, do not include data security/integrity
plan in protocol or protocol site addendum (PSA)
State “See the Research Data Plan Review Form” in the Confidentiality,
Privacy and Data Management section of protocol or PSA
Section 10 of the protocol templates (HRP-591 and HRP-592) and Section 4
of the PSA (HRP-595)
Ongoing active studies
No action necessary
Investigator Responsibilities
Research Data Plan Review Form
Form format – 15 questions
What identifiers are recorded?
Are data collected by mobile devices or internet?
How are data stored?
What is process for data integrity?
Are data being transferred to/from PSH?
If data transferred, how and what identifiers are
Requirements for
Policy Recommendations – Level 1 Data
Hardcopy
Stored securely in controlled environment
Disposal in regular trash
Electronic
Good computer use practice (complex passwords,
not sharing accounts, limiting access, etc.)
Portable media secured when not in use (locked
office or lock-down cables)
Servers should have access controls
Electronic devices may be disposed of following
Policy Recommendations – Level 1 Data
Data transfer/sharing
Requires a written agreement between
PSH and the external institution
Hardcopy – Data may be transferred
double-wrapped using secure chain of
possession
Electronic – Data may be transferred by
Policy Requirements – Level 2 Data
Hardcopy
Stored securely in controlled environment
(e.g. at PSU/HMC)
Data forms/code lists stored in locked file
cabinets or limited access storage areas
PI must maintain lists of staff with access to
data
Policy Requirements – Level 2 Data
Electronic
Stored on
Secure file server supported and maintained by IT or PHS
Secure database server supported and maintained by IT or PHS (such as REDCap or Oncore)
Device not listed above is deemed unacceptable for
storage of Level 2 information unless a variance is granted by the IRB based on recommendation of the IT Security Group
Removable media (tracked, inventoried and
physically managed) may only be used for either
long-term archival storage or conveyance to another party
Policy Requirements – Level 2 Data
Electronic (cont.)
Desktops and devices physically secured (locked
offices and/or locked facilities with access restricted to study personnel and their guests)
Electronic devices set to automatically log-off and
lock after defined periods of inactivity
Access controls
PI keeps list of people with access to data
Access must be removed if individual has no reason for access
Access must be logged (identity of user, time & function)
Data routinely backed up and the back-up copy
Policy Requirements – Level 2 Data
Electronic (cont.)
Devices must undergo secure deletion of the disc at
the end of life of the device or prior to recycling
Data may not be stored, temporarily cached or
otherwise accessed in a way that creates a local copy of the data on personal devices (PDAs, USB portable devices), or non-PSU owned devices of any kind (home computers, personal laptops or public computers)
Remote displaying permitted for remote access
using applications where there are no persistent data copies when programs are remotely displayed (Citrix or Remote Desktop)
Policy Requirements – Level 2 Data
Data transfer/sharing
Data must be de-identified before sharing
with PSH study team members whenever
the identifying information is not necessary
Data must be de-identified or date shifted
before transfer to external entities unless
subjects have given authorization to disclose
identifiers to external entities
Requires data transfer agreement
Mechanism of transfer must be approved by IT
Policy Requirements – Level 2 Data
Data transfer/sharing (cont.)
No PHI or PII may leave PSH unless subjects have
given authorization to disclose their PHI/PII or the data are a limited data set
Requires written agreement
Electronic transmission – data must be encrypted
C-37 HAM
Transfer of portable media – use a secure chain of possession
Hardcopy – double-wrapped using secure chain of
possession
Policy Requirements – Data Integrity
Ensures that data are of high quality, correct,
and consistent
Examples of measures to ensure data integrity
Data entry performed twice by two different people
Edit checks
Random, internal quality and assurance auditing
PI must ensure that backup copies of human
research data are made and stored
If data stored on IT or PHS supported server – backups
can be assumed
For others, backup copies maintained in a secure
Investigator Resources
For more information
HMC/COM applications
Call IT Helpdesk at x6281
PHS applications
Call PHS Helpdesk at x7682
Contact [email protected]
Email:
[email protected]
REDCap
REDCap (Research Electronic Data Capture)
Web-based application
Supports data capture and management for
research studies
Designed to build and manage research data
and surveys
De-identification tools to protect PHI
A build-it-yourself, intuitive user interface that allows study team members to create data collection forms without prior knowledge of database design
REDCap – Data Security
REDCap at PSU has been designed to respond
to the PSU Audit of 2010 and to support this
Data Security and Integrity policy.
The application has been thoroughly:
Scanned for security threats
Evaluated for the probability and impact of
risks
Extra measures have been put in place to
ensure the data is safe from potential attacks
and data is stored in our internal network
REDCap – HIPAA Compliance
HIPAA compliant by providing:
SOPs for role-based user access at the project level to ensure minimum access necessary to perform the task
User accounts that are centrally managed by IT
Accounts Management
Audit trails for every action to ensure proper alteration or
destruction of data
User training requirements
A secure data center where the project data is easily available through a web application and backed up nightly to a remote location
A dashboard showing users for each project on the
REDCap – Data Integrity
Features addressing correctness of data
entry
Allows for stages of form completion
(incomplete, unverified, complete, locked,
e-signed)
Data type validation and range checks
Data Quality tool that supplies rules to
search the data for missing, out of range,
invalid values and also the ability for the
user to create rules themselves.
REDCap – Data Integrity (continued)
Features addressing threats to data
validity
Access - Role-based access monitored by IT
Accounts Management & the REDCap
Systems Analyst
Modify/Alter/Destroy Data - every interaction
with data is logged in an easily accessible
audit trail
Automated data import and export
procedures with de-identification tools
Data Migration from Excel to REDCap
REDCap
• Build REDCap forms to match your existing Excel
database.
• Download the REDCap Data Import template to Excel.
Excel
• Copy and Paste existing data into columns of the Data
Import template.
REDCap
• Import data from Data Import template in Excel to
REDCap.
For a complete description of how to migrate your data from Excel to REDCap, please visit the REDCap Training webpage on our site at http://ctsi.psu.edu/
For more information about REDCap
[email protected]
View REDCap tutorials on the Vanderbilt University website: www.projectredcap.org
Visit our website at http://ctsi.psu.edu and select REDCap.