
1 HIPAA and RESEARCH DATA SECURITY
For Boston Medical Center and Boston University Medical Campus Researchers April 2018

2 What BU Medical Campus and BMC researchers need to know about HIPAA:
- What data does HIPAA protect?
- How can researchers access and use HIPAA data to recruit subjects and conduct research?
- What are researchers required to do to keep personally identifiable health data used in research SECURE, whether covered by HIPAA or not?
- How to report a possible breach of research data

3 Definitions
HIPAA: The Health Insurance Portability and Accountability Act of 1996. The regulations implementing the law contain the Privacy, Security, and Breach Notification Rules.
Covered Entity: HIPAA applies to Covered Entities, most commonly health plans and health care providers that bill electronically. BMC is a Covered Entity.
Covered Component: Treated the same as a Covered Entity, but it is the health care component of an entity that does more than health care (a Hybrid Entity with designated Covered Components). BU is a Hybrid Entity.

4 What Data Does HIPAA Protect?
HIPAA protects Protected Health Information (PHI), which is data that:
- concerns the past, present, or future physical or mental health of an individual, and/or payment for health care services,
- may identify the individual, AND
- was created or received by a Covered Entity (e.g., BMC).
For example: patient demographics, including name and contact information; medical records; lab results and images; billing information.

5 HIPAA and Research at BMC and BU
BU is a Hybrid Entity. BU's Covered Components, subject to HIPAA, are the GSDM Dental Treatment Centers, BU Rehabilitation Services, Sargent Choice Nutrition, and the Danielsen Institute. BU's professional schools (BUSM, SPH) are not Covered Components; PHI disclosed to them for research purposes (pursuant to a Waiver or Authorization) is no longer PHI in their hands.
BMC is not a Hybrid Entity. BMC as a whole is a Covered Entity under HIPAA. Whether you are caring for patients at BMC, doing research at BMC, or doing anything else with patient demographic or medical information at BMC, it is PHI subject to HIPAA.

6 Patient Demographics, Contact Info
Data can be PHI even if it contains no information about specific health matters. That means contact information held by a Covered Entity (BMC) cannot be used for recruiting unless you have a HIPAA Authorization or an IRB HIPAA Waiver.
What about just the name of a patient? Memorial Hermann Health System disclosed the name of a patient who attempted to use an (allegedly) false identification card to obtain services. No health information was disclosed about the patient, just the fact that she was a patient of the hospital. Still, in May 2017 the System paid $2.4 million to the U.S. Department of Health and Human Services and adopted a comprehensive corrective action plan.

7 But My Research Data is "De-identified" -- Isn't It?
Data that is de-identified in the manner HIPAA defines is not PHI; by definition it cannot be used to identify an individual. BUT NOTE: HIPAA has a very specific definition of de-identified. For example:
- If your data includes any dates other than the year (birth dates, dates of treatment, dates of admission/discharge) or any location smaller than a state, it is not de-identified under HIPAA.
- If your data includes the medical record number, it is not de-identified under HIPAA.
HIPAA identifies 18 data elements that, if included in your data, mean it is not de-identified; complete list on next slide.

8 18 Identifiers That Must Be Absent To De-identify PHI
(The ones most commonly needed in research were bolded on the original slide.)
1. Names
2. All geographic subdivisions smaller than a state
3. All elements of dates (except year) directly related to an individual: birth date, admission date, discharge date, date of death; and all ages over 89
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers, e.g., serial numbers, license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) addresses
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code

9 "Any other unique identifying number, characteristic, or code"
The test under HIPAA is whether the data can be used to identify an individual, whether alone or when combined with other available data. This arises commonly when a patient or a patient's condition is rare, making it easier to identify the individual.

10 Alternative De-identification Method
If the data doesn't meet the "absence of 18 identifiers" standard, but a researcher believes it cannot be used to identify any individual, the data can still be considered de-identified if a qualified expert determines, applying generally accepted statistical and scientific principles and methods, that the risk of re-identification is very small, and documents that analysis. Please contact the Privacy Officer at BU or BMC to pursue this method of establishing de-identification.

11 PHI or Not?
The following slides give examples that apply HIPAA's definition of PHI to various types of research data. For simplicity, BMC is used as the Covered Entity; however, it could be any Covered Entity, e.g., MGH, Spaulding, a BU Covered Component such as the GSDM Patient Treatment Centers, or any dentist's or physician's office.

12 PHI or Not? (1)
A BUSM researcher wants to study the effect of workload on radiology techs at BMC. The researcher seeks data from BMC on the number of patients seen in the imaging department per day over the past year; that data will come from Epic. The researcher will also interview radiology techs and administer screening tests for additional data.
This is Human Subjects research, but it is not using PHI because:
- The data concerns BMC patients (number seen per day in a department), but it does not identify any individual; it is only a total count, so it is de-identified.
- The data from interviews and screening tests comes from the subjects themselves, not from a Covered Entity's records, so it is not PHI.
Researchers must still protect this data, as discussed on a later slide.

13 PHI or Not? (2)
A BU SPH researcher recruits subjects from a community center. Subjects are women who have given birth in the last 12 months. The study examines the association between post-partum depression and regular medical care (or its absence). Subjects provide information on their dates of birth and dates of postpartum medical visits, including type of provider visited (MD, NP, midwife, hospital, etc.), frequency, and type of care accessed. The researcher administers a depression screening test to subjects.
This research data is not PHI because:
- The data is not created or received by a Covered Entity: SPH is not a Covered Entity.
- The subjects themselves are not a Covered Entity.
Researchers must still protect this data, as discussed in later slides.

14 PHI or Not? (3)
Same study as Example 2, except that in addition you obtain medical records for all doctor/hospital visits within 12 months of giving birth. This is PHI because it includes medical records that are:
- held by physicians and hospitals (Covered Entities),
- about individual patients, and
- not de-identified.

15 Limited Data Sets
Limited Data Sets are PHI. They are not de-identified because they retain geographic data or dates, but they contain no other identifiers. If a Limited Data Set satisfies your data needs, BMC will provide you a Data Use Agreement. Follow all of the requirements of the Data Use Agreement during your research and that will satisfy HIPAA.
Contact

16 Summary: Understand How HIPAA Impacts Your Research Data Needs
- Can you do your research with only de-identified data (no patient names, MRNs, dates, geographic data, or other HIPAA identifiers, or you have an expert determination)? Then it is not PHI and there is no need to worry about HIPAA.
- If not, can you do your research with a Limited Data Set (meaning your data would be de-identified except that it has dates and/or geographic data)? If so, you can enter into a Data Use Agreement and obtain the data.
- If not, do you need PHI to recruit for or conduct your research? You will need an IRB-approved HIPAA Authorization or an IRB Waiver of HIPAA Authorization.
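As an added example (not part of the original presentation), the following Python script applies the three-way test above to a tabular research extract: it scans column names and cell values for the Safe Harbor identifiers listed on slide 8 and reports whether the extract looks de-identified, a Limited Data Set (only dates and sub-state geography remain, as this summary defines it), or PHI. The column-name and value patterns are heuristics chosen for this example, and the four sample extracts are constructed to resemble the slides' scenarios (a recruitment list, a retrospective cardiac extract, a de-identified extract, and one with an identifier hiding in a free-text note). A "de-identified" verdict from a script is a starting point for review, not the expert determination slide 10 describes.

```python
import re
from collections import defaultdict

# Identifiers that the slide's definition of a Limited Data Set allows to remain.
LDS_ALLOWED = {"dates (other than year)", "geography smaller than a state"}

# Column-name heuristics for the Safe Harbor list (assumptions of this example, not HIPAA text).
COLUMN_PATTERNS = {
    "names": re.compile(r"name", re.I),
    "geography smaller than a state": re.compile(r"zip|postal|city|town|county|street", re.I),
    "dates (other than year)": re.compile(r"dob|birth|admi[st]|discharge|death|visit|date", re.I),
    "telephone/fax numbers": re.compile(r"phone|fax|mobile|\btel\b", re.I),
    "email addresses": re.compile(r"e-?mail", re.I),
    "Social Security numbers": re.compile(r"ssn|social_?security", re.I),
    "medical record numbers": re.compile(r"mrn|medical_?record", re.I),
    "plan/account numbers": re.compile(r"beneficiary|member_?id|account|policy", re.I),
    "device/vehicle identifiers": re.compile(r"serial|license|plate|\bvin\b|device_?id", re.I),
    "URLs/IP addresses": re.compile(r"\burl\b|ip_?addr", re.I),
    "biometrics/photographs": re.compile(r"fingerprint|voiceprint|photo", re.I),
}

# Cell-value heuristics, for identifiers hiding in free text or oddly named columns.
VALUE_PATTERNS = {
    "dates (other than year)": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
    "telephone/fax numbers": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email addresses": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "Social Security numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "URLs/IP addresses": re.compile(r"https?://|\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def find_identifiers(rows):
    """Map each Safe Harbor category found to the column names or cells that triggered it."""
    found = defaultdict(list)
    for col in (rows[0] if rows else {}):
        for cat, pat in COLUMN_PATTERNS.items():
            # A bare year is permitted, so "year_of_birth" is not a date identifier.
            if cat == "dates (other than year)" and "year" in col.lower():
                continue
            if pat.search(col):
                found[cat].append("column %r" % col)
    for i, row in enumerate(rows):
        for col, val in row.items():
            text = str(val)
            for cat, pat in VALUE_PATTERNS.items():
                if pat.search(text):
                    found[cat].append("row %d %s=%r" % (i, col, text))
            # Ages over 89 are on the list; they must be aggregated into "90 or older".
            if col.lower().startswith("age") and text.isdigit() and int(text) > 89:
                found["ages over 89"].append("row %d %s=%r" % (i, col, text))
    return dict(found)


def classify(rows):
    """Apply the slide's three-way test: de-identified, Limited Data Set, or PHI."""
    found = find_identifiers(rows)
    if not found:
        return "de-identified"
    if set(found) <= LDS_ALLOWED:
        return "limited data set"
    return "PHI"


# Constructed sample extracts (fictional values) modeled on the slide scenarios.
RECRUITMENT_EXTRACT = [  # screening list like slide 22: name, MRN, contact info
    {"name": "A. Example", "mrn": "000123", "age": "64", "race": "Black",
     "dx": "428.0", "phone": "617-555-0100"},
]
RETROSPECTIVE_EXTRACT = [  # like slide 25: dates kept, direct identifiers stripped
    {"year_of_birth": "1971", "cardiac_event_date": "2017-03-14",
     "oc_start_date": "2015-06-01", "oc_type": "combined", "smoker": "yes"},
]
DEIDENTIFIED_EXTRACT = [  # year only, age under 90, no other identifiers
    {"year_of_birth": "1971", "age": "46", "dx": "428.0", "smoker": "yes"},
]
FREE_TEXT_EXTRACT = [  # identifiers hiding in a note column and an age over 89
    {"year_of_birth": "1931", "age": "92", "note": "pt called back from 617-555-0100"},
]

if __name__ == "__main__":
    for label, rows in [("recruitment", RECRUITMENT_EXTRACT), ("retrospective", RETROSPECTIVE_EXTRACT),
                        ("deidentified", DEIDENTIFIED_EXTRACT), ("free text", FREE_TEXT_EXTRACT)]:
        print(label, "->", classify(rows), find_identifiers(rows))
```

The verdict depends only on which categories were hit, so a single phone number in a free-text field is enough to push an otherwise clean extract to PHI; that is the same logic as the slides, where one retained identifier defeats de-identification.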

17 Using PHI to Prepare for Research
Activities preparatory to research are activities that occur before you go to the IRB, such as:
- Preparing the IRB application
- Preparing a research protocol
- Preparing a proposal
- Checking whether there are a sufficient number of eligible persons to conduct the research
Patient Authorization is usually impractical at this point. If you need PHI to engage in these activities, you must obtain a "Waiver Preparatory to Research" form and have it signed by the Privacy Officer.

18 Waiver Preparatory To Research
Covered Entities/Components can grant a Waiver Preparatory to Research if you attest that:
- Review of PHI is necessary to prepare the protocol (or for similar preparatory activities);
- I won't remove PHI from the Covered Entity; and
- The PHI I will review is necessary for my research.
To use BMC data to prepare for research, contact the BMC Privacy Officer for a Waiver Preparatory to Research. Practices vary at health care providers outside BU and BMC; ask for the Privacy Officer or Research Support.
Remember: the IRB cannot grant a Waiver Preparatory to Research.

19 Using PHI to Recruit Subjects
When submitting an application to the IRB for research approval, you must specify how you intend to recruit subjects. You will be using PHI to recruit if you use any data about a patient from the Covered Entity: e.g., a list of all BMC patients who have been diagnosed with Type II diabetes, including contact information, is PHI. If you intend to use BMC (or another health care provider's) patient information to screen and recruit subjects, you will need either:
- an Authorization signed by the patients, or
- a Waiver of HIPAA Authorization from the IRB.
Recruiting includes screening, i.e., using PHI to check exclusion criteria.

20 IRB HIPAA Waiver for Recruitment Purposes
The PI must show the following:
(A) The recruitment could not practicably be conducted without the waiver;
(B) The research could not practicably be conducted without the PHI used for recruitment; and
(C) Using the PHI for recruitment purposes poses only a minimal risk to the privacy of potential subjects, because the researcher:
  (1) has an adequate plan to protect the patient contact information from improper use and disclosure;
  (2) has an adequate plan to destroy the contact data identifiers at the earliest opportunity (e.g., destroy identifiers of non-eligible patients and those who decline to participate); and
  (3) provides written assurances that the contact information used for research recruitment will not be reused or disclosed to any other person or entity, except as required by law and for authorized oversight of the research study.

21 Using PHI in Clinical Research Recruitment and Study
The following are the most common steps to comply with HIPAA in clinical research:
1. Submit the application to the IRB.
2. Request a HIPAA Waiver to contact potential subjects.
3. Contact potential subjects about research participation. Those who agree to join the study will sign the IRB-approved Consent to Participate and a HIPAA Authorization to obtain records.
4. Securely delete the information of patients who do not become subjects (those who did not agree to participate or are excluded).
5. Use subjects' HIPAA Authorizations to obtain medical records.

22 Example of Recruitment Data Needs
A study needs to recruit subjects for a clinical trial who meet the following criteria:
- Age >= 60 years
- ICD-9 diagnosis of Congestive Heart Failure (428.xx)
- Mean echocardiographic left ventricular wall thickness > 12 mm
- African American
- Seen at BMC Cardiology Clinic from 1/1/ /31/2017
Data requested from BMC for screening and recruitment: name, MRN, age, gender, race, diagnosis, echocardiographic report, phone contact info.
Is it PHI? It is not de-identified, is held by a Covered Entity, and is about individuals, so it is PHI.
Is it a Limited Data Set? No, because name and contact info are needed.
Can the researcher obtain it? Yes, but only if the IRB grants a Waiver.

23 Using PHI in a Retrospective Study
You don't need a recruitment waiver from the IRB because you are not recruiting. Patient Authorization for use of PHI in research is unlikely to be a practical option because the patients are not involved in the research. You need patient data from BMC's Epic EMR. Three choices:
1. Obtain data that is de-identified according to the HIPAA standards discussed above: no HIPAA Authorization or IRB Waiver is needed; in fact, this would not be Human Subjects Research.
2. Obtain a Limited Data Set and sign a Data Use Agreement with BMC.
3. Obtain PHI with an IRB Waiver.

24 IRB HIPAA Waiver to Obtain Study Data
The requirements for this waiver are the same as for an IRB HIPAA Waiver for recruitment purposes. The PI must show:
(A) The research could not practicably be conducted without the waiver;
(B) The research could not practicably be conducted without the PHI; and
(C) Using the PHI for the research poses only a minimal risk to the privacy of the subjects, because the researcher:
  (1) has an adequate plan to protect the PHI from improper use and disclosure;
  (2) has an adequate plan to destroy the PHI at the earliest opportunity; and
  (3) provides written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law and for authorized oversight of the research study.

25 Example of Retrospective Study Data Needs
A study seeks to examine oral contraceptive use and heart attack, and needs the following data from BMC records for all female patients aged during :
- cardiac medical history, including dates of cardiac events
- dates of any oral contraceptive use and type of contraceptive
- history of smoking
Is the data sought de-identified? NO, not according to HIPAA, because it includes dates related to individuals.
Is it a Limited Data Set? Yes, because it would be de-identified except for the dates related to individuals; BMC may release the data to the PI after obtaining a Data Use Agreement.

26 Variation
Same study, same data, plus the PI determines a need for each patient's number of pregnancies and the outcome of each.
- As seen on the prior slide, the data is not de-identified according to HIPAA.
- With the addition of the new data element, it is no longer a HIPAA Limited Data Set.
- Assuming it is not practicable to obtain patient consent, the PI would ask the IRB for a HIPAA Waiver to obtain this data.

27 SAFEGUARDS

28 Protecting Data: BU and BMC Standards
BU and BMC share an IRB but have separate policies, separate systems, and separate networks. In addition, BMC is a Covered Entity; BU is a Hybrid Entity.
Consequence: When research is conducted by BMC, the data is always PHI: health information held by a Covered Entity. When research is conducted by BU, the data has been released to a non-Covered Entity, so it is not PHI. But ...

29 BU and BMC Data Security Standards Are Compatible
They apply to any individually identifiable health data, HIPAA or not. For purposes of keeping data secure, you don't need to know whether HIPAA governs the data. BU's security standards for non-public identifiable health information are equivalent to BMC's security standards for PHI. Follow the steps below and you will be keeping research data secure, whether it is PHI or not, whether at BU or at BMC.

30 HIPAA and More
Depending on the type of data involved, a number of statutes and standards require researchers to protect research data, and many impose serious penalties for breaches:
- HIPAA
- Massachusetts Standards for the Protection of Personal Information (M.G.L. c. 93H / 201 CMR 17.00)
- Payment Card Industry Data Security Standard (PCI DSS)
- Export control law
- Controlled Unclassified Information (32 CFR Part 2002)
- Human Subjects and other research regulations
See BU Data Protection Standards.

31 BU and BMC Minimum Security Standards
BU and BMC policies require Minimum Security Standards for all non-public data. All devices and data storage used for human subjects research, and all electronic sharing of non-public research data, must comply with these standards.

32 Classification of Non-Public Data at BU and BMC
BU:
- Restricted Use: loss or misuse may require notification to individuals or a government agency. Includes PHI and personally identifiable health data used in research, and the code or key used to re-identify data.
- Confidential: loss or misuse may adversely affect individuals or BU business. Includes non-health research data and de-identified PHI/health data.
- Internal: potentially sensitive.
BMC:
- Confidential: disclosure may cause serious harm. Includes both PHI and personally identifiable health data used in research.
- Internal: disclosure may cause some harm.
Slightly different nomenclature; same minimum standards for non-public data.

33 Bottom Line on Protecting Research Data
- If you are using public data, and you are not concerned about your research becoming public, you do not need to worry about these safeguards and standards.
- If your data or your research is non-public, you must implement the device safeguards and observe the safeguards applicable to sharing and data storage.
- The highest level of protection applies to research data that may be used to identify an individual (alone or in combination with other data), PHI or not.

34 What's The Big Deal?
At the Feinstein Institute for Medical Research, an unencrypted laptop containing data from about 50 research studies and approximately 13,000 individuals was stolen from a car.
- Big money payment: settled alleged HIPAA violations for $3.9 million
- Ongoing government scrutiny: three-year corrective action plan
- Loss of confidence and reputation: required to notify research subjects and media outlets

35 Yes, This Could Happen to You
- NYU School of Medicine Aging and Dementia Clinical Research Center, 2010: an unencrypted portable device with information on 1,200 individuals was lost.
- Kern Medical Center, 2012: a bag containing paper records of 1,500 individuals (including HIV, AIDS, hepatitis, and pregnancy test results) was stolen from a car.
- Oregon Health and Science University, 2013: a surgeon's unencrypted laptop was stolen from a vacation rental; $2.75 million settlement with OCR.
- UConn, 2016: malware exposed research data on servers.
- NY State Psychiatric Institute, 2016: hackers accessed servers with highly sensitive information on 22,000 individuals participating in mental health studies.

36 A Clear Pattern
Lost or stolen:
- Unencrypted laptop
- Unencrypted portable device (e.g., flash drive)
- Paper or other tangible research data
Cyberattack:
- Malware
- Phishing attack
- Exploit of operating system or application vulnerabilities
We may not be able to prevent all breaches, but following the rules on the following slides will prevent most.

37 Summary of BU/BMC Data Protection Standards
Electronic data:
- Device standards
- Secure data storage
- Secure email
- Fight phishing
- Working remotely
Non-electronic data:
- Protect verbal data
- Protect tangible data: paper, X-rays, other tangible forms

38 1. Device Standards
All endpoint devices, such as desktops, laptops, and phones, must have:
- Operating systems and applications that are supported and updated
- Anti-malware installed and set to auto-update and scan
- Auto screen lock (15 minutes maximum) requiring a password or code
- Disk encryption (BMC: required; BU: required only for Restricted Use data)
Note: Your personal devices are not affected unless they are used to access, process, or store research data.

39 BMC And BU Are Here To Help!
Do what you can with the guidance found here, and ask for help:
BUMC IT Help:
BMC ITS Service Desk:

40 Device Hygiene
- Keep operating systems and applications up to date by enabling auto-update or promptly updating when notified.
- Periodically change your strong password, following best practices.
- Regularly delete files when no longer needed, including emails and downloads.

41 2. Data Storage
BU:
- Restricted Use data storage: BU network storage; BU Microsoft OneDrive; BU Dropbox
- Confidential data storage: all of the above, plus BU Google Drive
BMC:
- PHI storage: any BMC network storage location (to share with those who also have access); Box.com

42 Back Up Plans
You should have a backup plan, and be careful where you store the data:
- At BU, use approved tools and storage options. BU network storage comes with a backup plan.
- At BMC, use network storage or a Box.com account.
- Use only encrypted devices: removable media (e.g., CD, DVD, USB key/stick) must be encrypted and password protected.

43 3. Secure Email
BU email:
- BU email is not encrypted. Whenever you send Restricted Use (RU) data by email, use Data Motion to send it securely, both within BU and to non-BU addresses (including BMC).
BMC email:
- Email within BMC (from one BMC address to another) is considered secure, so long as no non-BMC addresses are included. Remember: emails may always be forwarded; consider adding a warning.
- Outside BMC: type "secure" in the subject line to encrypt, and send only to HIPAA-secure addresses.
Secure alternative: use regular email, but encrypt the document or spreadsheet:
- Encrypt when you save the document or spreadsheet, then attach it to the email.
- Provide the password to the recipient by telephone. Do not send the password by email, because it may be intercepted.
- Do not put RU data in the subject line or body of the email.

44 4. Fight Phishing!
Most people think it would never happen to them, but attempts are made regularly at BU and BMC. Red flags:
- The email asks for your password. BMC and BU will never ask for login credentials through email.
- The email appears to be from someone you know but has an unexpected attachment.
- The email contains unexpected grammatical or spelling errors.
If there is any doubt, please get advice:
- BU: forward the email to . Learn more at our "How to Fight Phishing" webpage.
- BMC: forward the suspect email to

45 Check Before You Click: Websites
Only enter login credentials if the website address starts with https:// (in 2018 browsers also showed a green extended-validation (EV) indicator for some sites; major browsers have since removed that indicator, so do not rely on it). Without the "s" before the colon, the connection is not encrypted and the site is not safe for credentials. Note that https only means the connection is encrypted; phishing sites use https too, so also check that the domain name is exactly the one you expect. Learn more at our "How to Fight Phishing" webpage.
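As an added example (not from the original presentation), the following Python function makes the "check before you click" test explicit for a login link: it accepts only https to a host that exactly matches an expected login host, and rejects the tricks a phishing link relies on, such as the trusted name appearing as a subdomain of another domain, in the path, or as userinfo before an "@". The trusted host names (login.example.edu, mychart.example.org) are placeholders chosen for this example, not BU or BMC systems.

```python
from urllib.parse import urlsplit

# Placeholder login hosts for this example; substitute your institution's real
# identity-provider and patient-portal hosts.
TRUSTED_LOGIN_HOSTS = frozenset({"login.example.edu", "mychart.example.org"})


def login_url_check(url, trusted_hosts=TRUSTED_LOGIN_HOSTS):
    """Return (ok, reason). ok is True only for https to an exact trusted host."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https: credentials would be sent unencrypted"
    # urlsplit separates "user@" from the real host, so https://login.example.edu@evil.net/
    # yields hostname "evil.net" and username "login.example.edu".
    if parts.username is not None:
        return False, "userinfo before '@' hides the real host %r" % parts.hostname
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if host in trusted_hosts:
        return True, "https to trusted host %r" % host
    for trusted in trusted_hosts:
        if trusted in host:
            # e.g. login.example.edu.evil.net: the familiar name is a label inside another domain
            return False, "look-alike host %r is not %r" % (host, trusted)
        if trusted in parts.path + "?" + parts.query:
            return False, "trusted name appears in the path or query, but the host is %r" % host
    return False, "unknown host %r" % host


if __name__ == "__main__":
    # Constructed sample links: one legitimate, the rest shaped like phishing lures.
    for link in ["https://login.example.edu/idp",
                 "http://login.example.edu/idp",
                 "https://login.example.edu.evil.net/idp",
                 "https://login.example.edu@evil.net/",
                 "https://evil.net/login.example.edu/"]:
        ok, why = login_url_check(link)
        print("OK " if ok else "NO ", link, "->", why)
```

The exact-host comparison is the important part: an https padlock and a familiar-looking string in the address bar are both things an attacker can supply, while the registered domain is not.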

46 5. Safeguards for Working Remotely
- Use BMC secure remote access or the BU VPN (vpn.bu.edu); otherwise, even passwords can be intercepted and viewed.
- Do not leave devices unattended (e.g., coffee shops, cars).
- Lock up devices when not in use (e.g., cable lock, locked room).

47 Verbal Safeguards
- Do not discuss individual participant data outside closed offices.
- If you must, talk quietly and away from others; play music or background noise to mask the conversation.
- If it is necessary to contact friends/family to locate a research participant, disclose only the minimum necessary amount of information.

48 Safeguards for Documents and Tangible Data
- Do not remove documents or tangible data from the office.
- If you must, don't leave them unattended (e.g., car, classroom, coffee shop).
- Lock them up when not in use.
- Shred when no longer necessary; never throw them in the trash.

49 BREACHES: What are they? How do I report?

50 Reporting a Potential Breach/Loss of Data: Why Is It So Important?
Please note that any external reporting to governmental agencies or to individuals whose data has been breached is handled by the BMC/BU HIPAA Officers and other offices. Your responsibility is to report any suspected security incident (see the reporting contacts below) and to assist as requested in any investigation.
- BMC/BU may have an obligation to report the incident to individuals, the IRB, or state and federal authorities.
- BMC/BU may be able to prevent or minimize damage.

51 What Events Must Be Reported?
Unusual system activity, including:
- Malware detections
- Unexpected logins
- System or application alerts indicating a problem
- Unusual behavior, such as apparent loss of control of the mouse or keyboard
Unauthorized access, use, disclosure, or loss, including:
- Loss of a device (personal or BU-owned) used to access research data
- Loss of tangible (paper or other) research data
- Emailing without encryption

52 How to Report Security Concerns, Security Incidents, and Potential Breaches
- If you think the data belongs to BU, send an email to BU's Incident Response Team (IRT): . IRT will triage the report and contact the appropriate persons and offices.
- If you think the data belongs to BMC, send an email to BMC's Privacy Officer:
Wherever you report, BMC or BU, we will ensure the report gets to the appropriate person at either or both. BMC and BU prohibit retaliation for reporting security concerns, security incidents, and potential breaches.

53 Additional Resources on HIPAA and Data Protection
- This PowerPoint is available at
- BU Data Protection Standards:
- BMC Policies:
- BMC HIPAA Privacy Officer:
- BU HIPAA Security Officer David Corbett
- BU HIPAA Privacy Officer Diane Lindquist
- Both receive emails at this address:
- NIH education materials
