

Secure Research Practices


One of the primary responsibilities of University Information Security’s policy team is to assist the IRB in ensuring the privacy and security of research data. Meeting this goal allows our University to conduct research in a compliant manner, and allows us to continue to provide those we serve with the peace of mind that their identity and health information can be entrusted to our care. Establishing this trust with subjects and patients requires vigilance and adherence to the best industry practices for information security. Below are some tips to consider when planning out your research.

DISCLAIMER: The tips listed below are meant to serve as explanatory guidance, and while they reference policy, these tips are exclusively guidelines and are NOT intended to convey legal counsel.

Highly Sensitive Data (HSD) Collection

Due to HIPAA, any “Personal Health Information (PHI)” that can be associated with an individual subject or patient via a “Personal Identifier” is regarded as Highly Sensitive Data by University policy. This means that if you are collecting information about an individual’s physical or mental health, and that information is being paired with an “identifier” (e.g. a name, SSN, email, etc.), the information that you have collected must be given the highest standards of protection.

Unfortunately, these protective standards cannot be met by most devices or storage. For this reason, the University of Virginia requires one of three tactics when collecting HSD: the data is collected directly onto a HIPAA-compliant server; the data is collected on an approved individual-use device with the proper documentation; or the data is collected directly onto paper with the appropriate physical security mechanisms in place.


Whether it be through the Qualtrics HSD portal or your research drive, the University has provided many options for HIPAA-compliant servers onto which you can collect your data.  Check question 1B(4) of your data security plan for your full list of options.

Additionally, you may choose to collect data directly onto a HIPAA-compliant server maintained by your Sponsor or CRO.  In the event that you choose this option, remember to include a URL for the site you will be using to access the server in your data security plan, so that InfoSec can review and confirm its compliance.

Individual-Use Devices

Generally, collecting any HSD on an individual-use device is discouraged.  That being said, we recognize that there are situations in which doing so is necessary for a study.  In these situations, be sure to consult our webpage that discusses HSD storage on individual-use devices.         

To summarize, while collecting HSD onto an individual-use device (like a personal laptop or tablet) might seem like the most convenient option, it is actually neither convenient nor secure. Per University policy, any HSD storage on an individual-use device requires a signed HSD Storage Request form, which involves obtaining the signature of a dean or vice president, even if the data will only rest on the device for a brief period of time. This approval process can add a lot of time to the overall IRB review, and is not an effective way to meet deadlines or to protect your subjects’ data.

Nevertheless, it is important to remember that using an individual-use device to connect to a HIPAA-compliant server is different from collecting HSD onto an individual-use device.  If the data you are collecting is going directly into your research drive, even if you are using your device to connect to that drive, the use of your device in this manner would NOT require an HSD Storage Request form.

If you are ever confused on this point and require clarification as to what qualifies as “connecting to a server” versus “storing on an individual-use device” please contact us at

Physical (Paper) Storage

For physical paper storage, remember to follow the appropriate HIPAA guidelines:

  • Physical files with HIPAA identifiers should be stored in a locked filing cabinet in a locked office (or some other room/cabinet locking mechanism that equates to a double-lock).
  • Access to the room containing the files should be restricted to authorized personnel.

Remember to always keep track of all papers which contain HIPAA data, to ensure that they can be properly disposed of when they are no longer needed per the Records Management policy.

Safely Transferring and Storing Data

After data is collected, you may want to transfer the data elsewhere for a variety of reasons. Perhaps you are working with a colleague who does not have access to the same secure server that you plan to use, or maybe you need to send data to a sponsor that provided the device being used on the study.

In these situations, it is important to remember the best practices of information transfer. The transfer method you choose should take into consideration what is available to you, and what is compliant with University policy. Regular email, while a convenient mode of transfer for moderately sensitive data, is NOT compliant with University policy for transferring HSD (for more clarification, please consult the UDPS).

The two best options for transfer are to conduct the transfer either on paper (via secured FAX or secure mail) or through HTTPS, password-protected web entry. These methods are compliant with University policy, are readily available options for most researchers, and are effective at reaching only the intended recipient of the data.

Remember, as stated above, if you intend to download HSD onto a thumb drive or CD for transfer, an HSD Storage Request form is required.  This requirement does not change even in cases where HSD is intended to be on the device for less than a few minutes.

