Research Technology and Data Security
Technology and InfoSec Review Process
If a study implemented in the clinical environment at Prisma Health involves:
- An external direct connection (e.g. automatic transmission of electronic data) from any existing Prisma Health systems (e.g. Epic/Cerner or other) or devices to a system or device outside Prisma Health; OR
- New software not presently utilized at Prisma Health; OR
- New hardware (e.g. new computer, tablet, wearable, medical devices, or clinical equipment such as an EKG machine) not presently utilized at Prisma Health.
These studies will need additional evaluation for technical review and/or security review by Prisma Health. The review processes should be completed prior to any agreement execution and may be required before IRB approval.
Data Security Standards Guidelines
Physical security
- Access to the storage device on which PHI is kept must be protected. Consider the following as you develop your data-safety procedures.
- Stationary devices should be kept in locked rooms.
- Portable devices are at much higher risk of theft or accidental loss.
- Maintaining personal safety is important and using appropriate encryption is imperative.
Data encryption
- Data can be encrypted in multiple ways.
- Whole Disk Encryption – prevents undesired access to all data on your computer. Sources include:
- Other commercial or open-source product approved by your institution.
- Encryption of removable storage devices – removable storage devices can and should be encrypted. Consider using the following:
- BitLocker To Go
- VeraCrypt (see the chapter Portable Mode in the VeraCrypt User Guide)
- OSX & Sierra
- Creation of a secure place on your device where sensitive information can be stored. VeraCrypt and other software can create password-protected storage vaults that prevent unauthorized access or identification.
- Encryption of individual files – encryption can be enabled on individual Excel files. See Microsoft Guide.
Password security
- Please ensure your passwords adhere to the following guidance.
- If data is stored on a personal computer (laptop, desktop, tablet, etc.), that device must require a password for use.
- Passwords must contain characters from three of the following four categories: Uppercase characters, Lowercase characters, Base 10 digits and special characters. Passwords must be changed periodically (every 90 days).
Data retention
- Data Retention related to PHI identifiers:
- Retention of identifiers requires you to follow one of the following data destruction plans, as applicable.
- If your research is subject to more than one requirement, the longest data retention period applies.
- If your research is subject to HIPAA: 7 years after IRB acknowledgement of study closure.
- If your research is NIH funded: At least 3 years from the date the Financial Status Report is submitted.
- If your research is funded by another federal or state agency, at least as long as required per agency policy.
- If your research is funded: At least as long as required by contract with the sponsor.
- If your research is subject to FDA Regulations: At least 2 years following approval for marketing.
- If your research is subject to VA regulations: Destruction of VA research data must follow the VA ORD Records Control Schedule (RCS) 10-1, Section 7.6, Research Investigator files, approved July 2015.
Data destruction
- Simple deletion of a computer file is insufficient for the secure removal of protected health information. When a file is deleted, the operating system removes its reference to the file location, but unless that area of the hard drive is overwritten, the data can still be retrieved using data recovery software. Tutorials, provided by the Electronic Frontier Foundation, demonstrate how to securely delete files for: Windows; Linux; or OSX.
- Due to the nature in which data is stored on solid-state storage devices (SSD, thumb drives, SD cards, etc.), secure deletion using an overwrite is impossible. The best way to protect data on this type of storage is through use of appropriate encryption.
- Physical copies of datasets (paper, CDs, DVDs, etc.) that contain PHI must be destroyed by cross-cut shredding or incineration.
Data Transferring
Datasets and/or data approved to leave the health system will be required to utilize a Prisma Health approved solution or method of data collection. Note: Transferring data onto a personal device for analysis constitutes leaving the health system. The Data Support Core and/or the report writers helping with data requests will assist investigators with the data transfer as needed.
Academic Partners
Clemson University Research Computing
University of South Carolina Research Computing
Furman University Research Computing
Unintentional disclosures of PHI may cause you or members of your study team to incur fines or other penalties.
Civil Penalties for Accidental Disclosure
HIPAA Violation | Minimum Penalty | Maximum Penalty |
---|---|---|
Unknowing | $100 per violation, with an annual maximum of $25,000 for repeat violations.* | $50,000 per violation, with an annual maximum of $1.5 million. |
Reasonable Cause | $1,000 per violation, with an annual maximum of $100,000 for repeat violations.* | $50,000 per violation, with an annual maximum of $1.5 million. |
Willful neglect, but violation is corrected within the required time period. | $10,000 per violation, with an annual maximum of $250,000 for repeat violations.* | $50,000 per violation, with an annual maximum of $1.5 million. |
Willful neglect with no correction in the required time period. | $50,000 per violation, with an annual maximum of $1.5 million.* | $50,000 per violation, with an annual maximum of $1.5 million. |
*Maximum that can be imposed by State Attorneys General regardless of the type of violation.