One of the primary responsibilities of InfoSec's policy team is to assist researchers at UVA with ensuring the privacy and security of research data. In meeting this goal, our University can conduct research in a compliant manner, and we can also continue to provide those we serve with the peace of mind that their identity and health information can be entrusted into our care. Establishing this trust with subjects and patients requires vigilance, and adhering to the best industry practices for information security. Below are some tips to consider when planning out data collection for your research.
DISCLAIMER: The tips listed below are meant to serve as explanatory guidance, and while they reference policy, these tips are exclusively guidelines and are NOT intended to convey legal counsel.
Highly Sensitive Data (HSD) Collection
Due to HIPAA, any “Personal Health Information (PHI)” that can be associated with an individual subject or patient via a “Personal Identifier” is regarded as highly sensitive data (HSD) by University policy. This means that if you are collecting information about an individual’s physical or mental health, and that information is being paired or stored with an identifier (e.g. name, SSN, email etc.), the information that you have collected must be given the highest standards of protection.
There are three common approachs to collecting identified PHI for research at UVA: HIPAA-compliant servers; an approved, compliant individual-use device with the proper documentation and compensating controls; or, paper stored in a restricted access, double-locked environment.
Secure server collection means storing data directly into a storage location approved for HSD. These secure servers meet the standards set in the UPDS 3.0 for the storage of HSD, and greatly mitigate the risk of unauthorized exposure. Whether it be through the Qualtrics HSD portal or your research drive, the University has provided many options for HIPAA-compliant servers onto which you can collect your data. Review question 1B(4) of your data security plan for a list of examples. If you are unsure if a storage location has been approved for the storage of HSD, please reach out to email@example.com so that InfoSec can confirm or make a determination regarding the storage's compliance.
Additionally, your study may also require you to collect data directly onto storage maintained by a Sponsor or CRO. In the event that you are using a Sponsor or CRO's storage, remember to include the contact information for the technical support of the storage in 1B(5)'s appendix on your data security plan. This allows InfoSec to follow-up in the event there are concerns regarding the security of the storage location.
InfoSec often receives data security plans with 1B(1) checked, in which a researcher indicates their intent to store identified PHI on their laptop or desktop. Collecting HSD onto an individual-use electronic device might seem like a convenient option, however, it is actually neither convenient nor compliant. Per the University's applicable data protection standard, any HSD storage on an individual-use device requires an approved exception request which involves authorization from a dean, vice president, or designee. In addition, the data must be stored with the appropriate controls in place such as encryption at rest, double-locked and restricted access physical storage, and the device must be in compliance with the HSD storage requirements outlined in the UDPS 3.0. This is true even in cases where HSD is only intended to briefly reside on a device. The exception request process can add a lot of time to the overall IRB review, and is not an effective way to meet deadlines or to protect your subjects’ data. Generally, InfoSec discourages pursuing this as an option unless it can be demonstrated that there is no viable, compliant alternative.
Keep in mind that using an individual-use device to connect to a HIPAA-compliant server is different from collecting HSD onto an individual-use device. If the data you are collecting is going directly into your approved research drive, then the use of your device in this manner would NOT require an exception request.
If you are ever confused on this point and require clarification as to what qualifies as “connecting to a server” versus “storing on an individual-use device” please contact us at firstname.lastname@example.org.
For physical paper storage, remember to follow the appropriate HIPAA guidelines:
- Physical files with HIPAA identifiers should be stored in a locked filing cabinet in a locked office, or some other combination that equates to a double-locked environment.
- Access to the room containing the files should be restricted exclusively to authorized personnel.
Remember to keep track of all papers which contain HIPAA data, to ensure that they can be properly disposed of when they meet retention per the Records Management policy.