
Beyond HIPAA Regulations Inside the Research Quadrant

NCHICA. Beyond HIPAA Regulations Inside the Research Quadrant. NCHICA Conference AMC Security & Privacy: Progress & Prospects. Sept 26 - 28, 2005. Gregg Fromell, MD Office of Human Research University of Pennsylvania. Lowrie Beacham, PhD Duke Clinical Research Institute Duke University.


Presentation Transcript


  1. NCHICA: Beyond HIPAA Regulations Inside the Research Quadrant
     NCHICA Conference AMC Security & Privacy: Progress & Prospects, Sept 26 - 28, 2005
     Gregg Fromell, MD, Office of Human Research, University of Pennsylvania
     Lowrie Beacham, PhD, Duke Clinical Research Institute, Duke University

  2. HIPAA Re-cap
     • HIPAA Privacy Rule
       • Effective date: April 2003
       • Identifies protected health information (PHI)
       • Applies to information in any form, paper or electronic
     • HIPAA Security Rule
       • Effective date: April 2005
       • Applies to PHI in electronic form

  3. HIPAA Security Rule
     • Three main areas of focus
       • Administrative Safeguards
       • Physical Safeguards
       • Technical Safeguards

  4. HIPAA Security Rule
     • Administrative safeguards
       • Security Management process (risk analysis & risk management)
       • Assigned Security Responsibility
       • Work force security (method to grant and revoke access)
       • Security awareness training
       • Security incident procedures (includes sanctions)
       • Contingency planning (back-up & disaster recovery)
       • Evaluation (independent assessment of compliance)
       • Business associate contracts

  5. HIPAA Security Rule
     • Physical Safeguards
       • Facility access controls
       • Work station use
       • Work station security
       • Device & Media controls
     • Technical Safeguards
       • Access control
       • Audit control
       • Integrity controls
       • Person or entity authentication
       • Transmission security

  6. “HIPAA” & the NIH
     Lowrie Beacham, PhD, Duke Clinical Research Institute

  7. HIPAA influencing the NIH, or vice versa?
     • Precursors
       • Computer Security Act of 1987
       • DHHS AISSP Handbook (1994): “Automated Info Systems Sec. Program”
       • OMB A-130, Appendix III (2000): “Security of Fed. Automated Info Systems”

  8. Case in Point: NIH, the first “sighting”
     • TADS RFP, April 2002
       • “…the proposal must present a detailed outline of its proposed IT systems security program…”
       • Lists the three references as resources
       • Page 49 of the RFP, so…

  9. NIH: the “serious” sighting
     • Roadmap contract, August 2004
       • Page 30 of 34
       • Same language; but… “this time we mean it!”
       • Now, there’s a template

  10. The Template: “Hey! These folks are serious!”
     • One of the items called for by “DHHS Info. Security Program C&A Guide (August 2003)”
     • 22 pages of requirements
       • System Identification
       • Management Controls
       • Operational Controls
       • Technical Controls

  11. Deja HIPAA View
     • HIPAA Security, 164 Subpart C
       • Administrative Safeguards
       • Physical Safeguards
       • Technical Safeguards
     • DHHS Info. Security Program
       • Management Controls
       • Operational Controls
       • Technical Controls

  12. NIH Plan Security Template Contents
     • Management Controls
       • Risk Assessment and Management
       • Review of Security Controls
       • Rules of Behavior
       • Planning for Security in the Life Cycle
       • Certification and Accreditation

  13. NIH Plan Security Template Contents
     • Operational Controls
       • Personnel Security
       • Physical and Environmental Protection
       • Contingency Planning and Disaster Recovery
       • Security Awareness and Training
       • System Configuration Mgmt. Controls

  14. NIH Plan Security Template Contents
     • Technical Controls
       • Identification and Authentication
       • Logical Access Controls
       • Public Access Controls
       • Audit trails

  15. FDA & Data Security
     Gregg Fromell, MD, University of Pennsylvania

  16. FDA & 21CFR 11
     • Title 21 of the Code of Federal Regulations, part 11 governs:
       • Electronic records
       • Electronic signatures
       • Handwritten signatures executed to electronic records

  17. FDA & 21CFR 11: History of “Part 11”
     • March 1997, first release
       • Establishes criteria for the acceptance of electronic records as trustworthy, reliable and equivalent to paper records.
     • 1997 - 2002
       • Significant industry feedback on large cost burdens and restrictions on technology development
     • 2002 - 2003
       • FDA withdrew draft guidance for a rewrite
     • August 2003
       • Guidance revised: Electronic Records; Electronic Signatures – Scope and Application
     • September 2003
       • Guidance: Computerized Systems Used in Clinical Trials

  18. 21CFR 11
     • 21CFR312 predicate rule: research data that must be maintained:
       • §312.62 (b) An investigator is required to prepare and maintain adequate and accurate case histories that record all observations and other data pertinent to the investigations …
     • 21CFR 11 addresses research data that are maintained in electronic format:
       • in place of paper format
       • in addition to paper format, and that are relied on to perform regulated activities
     • Medical record data are also affected by 21CFR312 & 21CFR11
       • When medical records contain data used as source documentation for FDA-regulated human research

  19. FDA & 21CFR 11
     • Validation
     • Ability to create accurate copies
     • Audit trail
       • Documentation of system access & data change
       • Computer-generated date & time stamp
       • Common additional interpretation: maintain “old” response & “new” response
     • Access to records & record retention
     • Authority & Device checks (security)
       • Physical access
       • Electronic access
     • Operational checks (QA/QC)
     • Personnel training
       • Persons supporting system
       • Persons entering/editing data
     • Written policies
       • Responsibilities of those with access
       • Accountability
     • Controls over system documentation
     • Open system control
       • Only applies if access is beyond internal electronic network
     • Electronic Signature standards
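The audit-trail and authority-check items on slide 19 translate directly into code. The following is an added example written for this page (it is not code from the presentation or from either institution): a small audited record store in which every access and change is logged with a computer-generated timestamp, the old and new responses are both retained, edits are refused for users without authority and still logged as denied, and an "accurate copy" of a record can be produced together with its complete history. The record identifiers, user names and field values in the demo are constructed; the deterministic clock exists only so that a run is repeatable.

```python
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, List, Optional


@dataclass(frozen=True)
class AuditEntry:
    """One immutable audit-trail line: who, when (system clock), what changed."""
    timestamp: str            # computer-generated; callers cannot supply it
    user: str
    action: str               # "access", "change" or "denied"
    record_id: str
    field_name: Optional[str]
    old_value: Any            # the "old" response is retained next to the "new" one
    new_value: Any


class AuthorityError(PermissionError):
    """Raised when a user without edit authority attempts a data change."""


class AuditedStore:
    """Record store whose every access and change lands in an append-only trail."""

    def __init__(self, authorized_editors, clock: Optional[Callable[[], datetime]] = None):
        self._records: Dict[str, Dict[str, Any]] = {}
        self._trail: List[AuditEntry] = []
        self._editors = set(authorized_editors)
        # Timestamps come from the system clock, never from the caller.
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, **fields) -> None:
        self._trail.append(AuditEntry(timestamp=self._clock().isoformat(), **fields))

    def read(self, user: str, record_id: str) -> Dict[str, Any]:
        """System access is documented even when nothing is changed."""
        self._log(user=user, action="access", record_id=record_id,
                  field_name=None, old_value=None, new_value=None)
        return dict(self._records.get(record_id, {}))

    def update(self, user: str, record_id: str, field_name: str, new_value: Any) -> None:
        """Authority check first; the attempt is logged whether or not it succeeds."""
        old_value = self._records.get(record_id, {}).get(field_name)
        if user not in self._editors:
            self._log(user=user, action="denied", record_id=record_id,
                      field_name=field_name, old_value=old_value, new_value=new_value)
            raise AuthorityError(f"{user} is not authorized to edit {record_id}")
        self._records.setdefault(record_id, {})[field_name] = new_value
        self._log(user=user, action="change", record_id=record_id,
                  field_name=field_name, old_value=old_value, new_value=new_value)

    def trail(self, record_id: Optional[str] = None) -> List[AuditEntry]:
        """Entries are returned as recorded; nothing in the trail is ever rewritten."""
        return [e for e in self._trail if record_id is None or e.record_id == record_id]

    def accurate_copy(self, record_id: str) -> Dict[str, Any]:
        """Current values plus the full change history, as an inspector would want them."""
        return {"record_id": record_id,
                "current": dict(self._records.get(record_id, {})),
                "history": [asdict(e) for e in self.trail(record_id)]}


def demo() -> Dict[str, Any]:
    """Constructed sample run with a deterministic clock (one second per event)."""
    start = datetime(2005, 9, 26, 9, 0, tzinfo=timezone.utc)
    ticks = iter(range(1000))

    def clock() -> datetime:
        return start + timedelta(seconds=next(ticks))

    store = AuditedStore(authorized_editors={"coordinator"}, clock=clock)
    store.update("coordinator", "SUBJ-001", "systolic_bp", 138)   # original entry
    store.update("coordinator", "SUBJ-001", "systolic_bp", 142)   # correction; 138 is kept
    store.read("monitor", "SUBJ-001")                             # access is logged too
    try:
        store.update("monitor", "SUBJ-001", "systolic_bp", 120)   # no edit authority
    except AuthorityError:
        pass
    return store.accurate_copy("SUBJ-001")


if __name__ == "__main__":
    for entry in demo()["history"]:
        print(entry)
```

The design point is that the caller never touches the trail or the clock: the only way to change data is through `update`, which records the prior value, and the only way to read is through `read`, which records the access. A real system would also persist the trail to write-once storage and tie the user name to an authenticated identity, both of which are outside this example.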

  20. Deja HIPAA View All Over Again: HIPAA vs. 21CFR11, where’s the overlap?
     • Validation
     • Ability to create accurate copies
     • Audit trail
     • Access to records & record retention
     • Authority & Device checks (security)
     • Operational checks
     • Personnel training
     • Written policies
     • Controls over system documentation
     • Open system control
     • Electronic signature standards

  21. Deja HIPAA View All Over Again: HIPAA vs. 21CFR11, where’s the overlap?
     • 21CFR11 items:
       • Validation
       • Ability to create accurate copies
       • Audit trail
       • Access to records & record retention
       • Authority & Device checks (security)
       • Operational checks
       • Personnel training
       • Written policies
       • Controls over system documentation
       • Open system control
       • Electronic signature standards
     • The overlap with HIPAA Security (second build of the slide):
       • Operational checks
       • Personnel training
       • Written policies
       • Controls over system documentation
       • Open system control
       • Audit trail
       • Access to records & record retention
       • Authority & Device checks (security)

  22. Approaches to Compliance
     Lowrie Beacham, PhD, Duke Clinical Research Institute

  23. How are we going to comply? Two approaches:
     • A. System-atically
       • In one (large) document, cover any and all applications that will be used in fulfilling the contract.
     • B. Environmentally
       • Treat the entire IT environment as one “system,” since most security measures are so directed.

  24. “One from Column A…” we’ve done both
     • Approach A: 41 pages
       • It’s complex
       • It’s repetitive
       • It’s comprehensive!
     • Approach B: 18 pages
       • It’s “cleaner”
       • It’s “leaner”
       • But it may not always sell

  25. Why not?
     • Inter-agency acceptability
     • Moving target

  26. Interagency Acceptability: Example
     • NIH and CDC
       • Both DHHS agencies
       • Both require System Security Plans
       • But they’re not (exactly) the same template

  27. The moving target
     • Everyone is working on Information Security
     • The latest (as of this writing): NIST Special Publication 800-53

  28. NIST SP 800-53: Recommended Security Controls for Federal Information Systems
     • Fresh off the presses, May 2005
     • 116 scintillating pages; the best being…
     • Security Control Catalog, pp. 40-105

  29. NIST SP 800-53
     • Security Control Catalog
     • 162 items covering (among others)
       • Access control
       • Training
       • Assessments and certification
       • Contingency planning
       • Physical and environmental protection
       • Personnel Security
       • Risk Assessment
       • Communications protection
       • and, (buried under System & Services Acquisition)…

  30. SA-9: Outsourced Information System Services
     • “Third party providers are subject to the same information system security policies and procedures of (sic) the supported organization, and must conform to the same security control and documentation requirements as would apply to the organization’s internal systems.”

  31. SA-9: Outsourced Information System Services
     • The NIH is “the supported organization”
     • The contractor is “the third-party provider”
     • If you want to play, you use their ball.

  32. Have fun! But:
     • Aren’t you glad you did such a thorough job of complying with HIPAA Security? ;-)
