
HIPAA & Data Security: Guidelines for BMC & BU Researchers, Summaries of Law

Research Compliance, Bioethics, Data Security, Health Law

An overview of HIPAA and its impact on researchers at Boston Medical Center (BMC) and Boston University (BU). It covers definitions, HIPAA and research at BMC and BU, safeguards, secure resources, and secure email guidelines. The document also addresses common mistakes with HIPAA in the INSPIR application and answers submitted questions about HIPAA.

What you will learn

  • What are the common mistakes with HIPAA in the INSPIR application?
  • What are the biggest risks for lost or stolen research data?
  • How can researchers protect data and report a possible breach?
  • What services can investigators use and which are not appropriate?
  • What is HIPAA and how does it impact researchers at BMC and BU?

Typology: Summaries

2021/2022

Uploaded on 08/05/2022


What You Need to Know About HIPAA and Data Security for Research

Diane Lindquist, JD, Director, Health Privacy and Compliance, BU
David Corbett, JD, BBA, Security Officer, BU Medical Campus
Sean Nabi, JD, Privacy Officer, Boston Medical Center
Matt Ogrodnik, MS, CIP, Director, BUMC/BMC IRB

Overall objectives
  • Present what is HIPAA, what is not HIPAA, and how it matters for research
  • Describe what services investigators can use and which are not appropriate
  • Understand when researchers should use BMC services or BU services
  • Know how to secure devices and what resources are available
  • Learn answers to common mistakes with HIPAA in the INSPIR application

What BU Medical Campus and BMC researchers need to know about HIPAA:
  • How does HIPAA impact researchers?
  • How to protect data, whether covered by HIPAA or not
  • How to report a possible breach of research data

Definitions
  • HIPAA: The Health Insurance Portability and Accountability Act of 1996. The regulations implementing the law contain the Privacy, Security, and Breach Notification Rules.
  • Covered Entity: a health insurance plan or a healthcare provider that bills insurance companies.
  • Covered Component: the same as a Covered Entity, but it is the healthcare component of a Hybrid Entity, an entity that does more than healthcare.

HIPAA and Research at BMC and BU

BU
  • BU is a Hybrid Entity.
  • BU Covered Components: GSDM Dental Treatment Centers, BU Rehabilitation Services, Sargent Choice Nutrition Center, and the Danielsen Institute.
  • BU professional schools (BUSM, SPH) are not Covered Components. PHI disclosed to them for research purposes is not PHI.

BMC
  • BMC is not a Hybrid Entity.
  • BMC is a Covered Entity under HIPAA.
  • Whether you are caring for patients at BMC, doing research at BMC, or doing almost anything else with patient or billing information, it is PHI subject to HIPAA.

De-identification Alternatives
  1. Limited Data Set (town/zip code and dates are OK)
     • Must enter into a Data Use Agreement
  2. IRB-approved HIPAA authorization or IRB waiver (when authorization is not practicable)
  3. Expert determination that there is a very small risk of identification despite having one or more of the 18 identifiers
     • Contact the BU or BMC Privacy Officer

SAFEGUARDS

Biggest Risks

Lost or stolen:
  • Unencrypted laptop or desktop
  • Unencrypted portable device (e.g., flash drive)
  • Paper or other tangible research data

Cyberattack:
  • Phishing attack
  • Malware
  • Exploit of operating system or application vulnerabilities

We may not be able to prevent all breaches, but following the rules on the following slides will prevent most!

What's The Big Deal?
At the Feinstein Institute for Medical Research, an unencrypted laptop containing data from about 50 research studies and approximately 13,000 individuals was stolen from a car.
  • Big money payment: settled alleged HIPAA violations for $3.9 million
  • Ongoing government scrutiny: three-year corrective action plan
  • Loss of confidence and reputation: required to notify research subjects and media outlets

Device Hygiene
  • Keep operating systems and applications up to date by enabling auto-update or promptly updating when notified.
  • Periodically change your strong password, following best practices: http://www.bu.edu/tech/about/security-resources/bestpractice/passwords/
  • Regularly delete files when no longer needed, including emails and downloads.

Classification of Non-Public Data at BU and BMC

BU
  • Restricted Use: loss or misuse may require notification to individuals or a government agency
     • PHI and personally identifiable health data used in research
     • Code or key to re-identify data
  • Confidential: loss or misuse may adversely affect individuals or BU business
     • Non-health research
     • De-identified PHI/health data
  • Internal: potentially sensitive

BMC
  • Confidential: disclosure may cause serious harm
     • Includes both PHI and personally identifiable health data used in research
  • Internal: disclosure may cause some harm

Slightly different nomenclature; same minimum standards for non-public data.

Fight Phishing!
Most people think it would never happen to them, but accounts are regularly compromised.

Red flags:
  • Email asks for a password. BMC and BU will never ask for login credentials through email.
  • Appears to be from someone you know but has an unexpected attachment
  • Contains unexpected grammatical or spelling errors

If there is any doubt, please get advice:
  • BU email: forward the email to abuse@bu.edu. Learn more at our "How to Fight Phishing" webpage: http://www.bu.edu/tech/services/cccs/email/unwanted-email/how-to-fight-phishing/
  • BMC email: forward the suspect email to DG-Spam-attack@bmc.org

Check Before You Click: Websites
  • Only enter login credentials if the website address has a green component and starts with https://
  • Without the "s" preceding the colon, the website is not safe.
  • Learn more at our "How to Fight Phishing" webpage

Safeguards For Working Remotely
  • Use the BMC secure portal (https://mybmc.org or https://portal.bmc.org) or the BU 2FA VPN (vpn.bu.edu/2fa)
  • Do not leave devices unattended (e.g., in coffee shops or cars)
  • Screen lock the device (Win + L)

BREACHES: What are they? How do I report?

What Events Must Be Reported?

Unusual system activity, including:
  • Malware detections
  • Unexpected logins
  • Unusual behavior such as seeming loss of control of the mouse or keyboard

Unauthorized access, use, disclosure, or loss, including:
  • Loss of a device (personal or BU-owned) used to access research data
  • Loss of tangible (paper or other) research data
  • Emailing without encryption

How to Report Security Concerns, Security Incidents, and Potential Breaches
  • If you think the data belongs to BU, send an email to BU's Incident Response Team (IRT): irt@bu.edu. IRT will triage the report and contact the appropriate persons and offices.
  • If you think the data belongs to BMC, send an email to BMC's Privacy Officer: privacy@bmc.org

BMC and BU prohibit retaliation for reporting security concerns, security incidents, and potential breaches. Wherever you report to, BMC or BU, we will ensure the report gets to the appropriate person at either or both.

HIPAA and the IRB
Matthew Ogrodnik, MS, CIP, Director, Institutional Review Board, Boston Medical Center and Boston University Medical Campus

Learning Objectives
  • Highlighting common mistakes with HIPAA in the INSPIR application
  • Learn answers to submitted questions about HIPAA

HIPAA in INSPIR
  • The answer is always Yes if you (i.e., anyone from the study team) are accessing protected health information, even if you are not *recording* HIPAA identifiers in your dataset.

To justify the waiver, you are asked to answer the following:
  ◦ Please describe why the research cannot be conducted without access to protected health information.
  ◦ Why is it not practicable to obtain authorization from the participants?
  ◦ What is your plan to protect any identifiable information from use and disclosure by unauthorized parties?
  ◦ When and how will you destroy any identifiers linked to the data?

Please note that your answers to these questions should pertain ONLY to the data accessed/used via the waiver, NOT to the data collected during the study once the participants have signed the consent/HIPAA authorization.

Questions about HIPAA

Q: What should be done if you go past the HIPAA waiver of authorization timeframe?
A: Please submit an amendment to request an extension of the date range that is needed for the records. The amendment request should provide a justification as to why this is needed.

Q: What are the HIPAA requirements for qualitative studies done at BU?
A: If the study PI is a BU investigator, HIPAA only applies if you are accessing BMC medical records, either for recruitment, for example, or to supplement the qualitative data. If all data comes directly from the participant (in an interview or survey, for example), HIPAA does not apply.

What questions do you have?