California law requires that residents be notified when their electronic medical or health insurance information has been exposed. The costs of notification can be significant and departments may be at risk for notification costs if identifiable medical data are lost, stolen, or otherwise exposed. The below covers data security procedures to help prevent this occurrence.
It is the policy of the UC Irvine (UCI) Institutional Review Board (IRB) to consider whether adequate provisions exist for the security of research data. When conducting research, Investigators are entrusted with confidential and privileged human subject information, whether in paper or electronic form and must take measures to protect the security of this information. Policies and guidance for information security at UCI are set by the University of California, Office of the President, and by UCI's Office of Information Technology (OIT) which has established a comprehensive UCI Information Security website on the subject for all UCI constituents.
Each member of the campus community is responsible for the security and protection of electronic information resources over which he or she has control UCI Administrative Policy 800-18. All investigators and research staff should be familiar with information security policies and procedures of their department or unit, UCI, the University of California, the State of California and Federal privacy laws (HIPAA). Lead Researchers should work with information security experts to review their data storage and transmission procedures at least annually to minimize the risk of unauthorized access to or exposure of confidential information.
Issues to Consider when Submitting a Protocol
The IRB Application requires investigators to address issues related to subject privacy and confidentiality, HIPAA and information security. Keep in mind the following issues when filling out the IRB application in Kuali Research (KR) Protocols.:
- Collect only the minimum necessary subject identifiers.
- Remove/destroy subject identifiers as soon as they are no longer needed. See the following website for record retention requirements.
- Limit physical access to any area or computer that contains subject identifiers.
- Limit electronic access to any computer that contains subject identifiers.
- Avoid storing subject identifiable data on portable devices (such as laptop computers, digital cameras, portable hard drives including flash drives, USB memory sticks, iPods or similar storage devices) as these devices are particularly susceptible to loss or theft. If there is a necessity to use portable devices for initial collection of subject identifiers, the data files must be encrypted, and subject identifiers transferred to a secure system as soon as possible.
- Remove necessary subject identifiers from data files, and encrypt data files if stored electronically. Identifiers should be stored in a physically separate and secure location from the data files, and associated with the data files through a key code that is also stored in a separate and secure location.
- If subject identifiers will be retained in the data files because of the specific needs of the research study, additional justification must be provided by the Investigator to justify retention. Again, if the data are stored electronically the files must be encrypted.
- Use only secure modes of transmission of data; subject identifiers submitted over a public network must be encrypted.
- Review the Information Security & Privacy website for additional recommendations on how to best secure confidential data.
- In the Confidentiality section of the IRB Protocol Narrative, Investigators must address the method of collecting, recording, coding and maintaining data, as well as specify who will have access to the data and at what point subject identifiable data will be de-identified or destroyed.
- In the Informed consent document, Investigators must describe the extent, if any, to which confidentiality of records identifying the subject will be maintained.
- If there is an inadvertent breach of confidentiality of the research data which causes harm or places subjects or others at a greater risk of harm (including physical, psychological, economic, or social harm), the Lead Researcher must report this to the IRB via Kuali Research (KR) Protocols within 5 working days of the researcher becoming aware of the event.
Encryption can be applied to storage devices (data "at rest") and to network data (data "in flight"). The type of computing device and network communicating from/to, and if personal or Protected Health Information is involved will dictate whether or not encryption is required. For more information, including recommendations on encryption tools, please visit the UCI Information Security webpage on encryption.
Encryption is not needed if you do not store or work with research data that includes personal or Protected Health Information. Therefore, it is best not to collect any of this information unless it is actually needed.
Scenarios in which storage encryption is REQUIRED
- Possession of research data that includes personal and/or Protected Health Information AND
- Computing device is a mobile device OR
- Computing device is a personal system OR
- Storage device is removable (portable) OR
- Access to the storage device is not in a physically secure environment.
Scenarios in which network encryption is REQUIRED
- Use of research data that includes personal and/or Protected Health Information over a network
- The information is not already encrypted by means of storage encryption AND
- Any part of the data transmission is outside of a trusted network OR
- Access to a system containing research data that is personal and/or includes Protected Health Information that is not entirely over a trusted network
Examples of common tasks where encryption is REQUIRED
- Use of electronic research data that includes personal and/or Protected Health Information AND
- The information is being sent by:
- Email OR
- Webmail OR
- Web browser OR
- Traditional mail (US Post Office) OR
- Courier OR
- Instant Messenger OR
- Peer-To-Peer network OR
- Wireless (Wi-Fi, 802.11, Cell phone, Blackberry, etc.) OR
- A backup of the information is created