Privacy and Security of Electronic Health Information
International Clubfoot Registry (ICR) Compliance Policies
Sec 164.308
1. Security Management Process (Sec 164.308(a)(1))
a. Risk Analysis 164.308(a)(1)(ii)(A)
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of electronic protected health information held by the
covered entity.”
Beginning prior to 2005, in collaboration with PIA, MF, and CURE leadership, a thorough and ongoing assessment of the risks in deploying a distributed web-based (online and offline) system for collecting and maintaining patient records relevant to clubfoot treatment has been conducted.
b. Risk management 164.308(a)(1)(ii)(B)
“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and
appropriate level to comply with 164.306(a).”
As described below in detail, the potential risks for loss of patient privacy have been mitigated through a combination of personnel policies, encryption, data hiding, and access control, among others.
c. Sanction Policy (R) 164.308(a)(1)(ii)(C)
“Apply appropriate sanctions against workforce members who fail to comply with the security
policies and procedures of the covered entity.”
All developers are bound by policies for which they receive periodic training and refresher courses in HIPAA and IRB procedures. All users of the system must be sponsored by one of the trained and recognized administrators of the system before being assigned valid login credentials. Failure to maintain these policies could result in sanctions up to and including dismissal and termination of employment, and other appropriate legal consequences related to breach of private healthcare information.
d. Information System Activity Review 164.308(a)(1)(ii)(D)
“Implement procedures to regularly review records of information system activity, such as audit
logs, access reports, and security incident tracking reports.”
Developers and administrators for the ICR periodically examine access logs and monitor network traffic to detect and control unauthorized access to patient data.
2. Assigned Security Responsibility (Sec 164.308(a)(2))
“Identify the security official who is responsible for the development and implementation of the
policies and procedures required by this subpart [the Security Rule] for the entity.”
Professor Thomas Casavant, director of the Center for Bioinformatics at the University of Iowa, is the primary individual charged with the implementation of the policies in this document.
3. Workforce Security (Sec 164.308(a)(3))
a. Authorization and/or supervision 164.308(a)(3)(ii)(A)
“Implement procedures for the authorization and/or supervision of workforce members
who work with electronic protected health information or in locations where it might be
accessed.”
All developers and IT staff at the University of Iowa have regular training in HIPAA and IRB policies with the goal to maintain patient privacy and ensure data integrity for all research subjects and their data.
b. Workforce Clearance Procedure 164.308(a)(3)(ii)(B)
“Implement procedures to determine that the access of a workforce member to electronic
protected health information is appropriate.”
Access logs are maintained and periodically examined to assure only appropriate access.
c. Termination Procedures 164.308(a)(3)(ii)(C)
“Implement procedures for terminating access to electronic protected health information when
the employment of a workforce member ends or as required by determinations made as specified
in paragraph (a)(3)(ii)(B) [the Workforce Clearance Procedure] of this section.”
As stated above.
4. Information Access Management (Sec 164.308(a)(4))
“Implement policies and procedures for authorizing access to electronic protected health information
that are consistent with the applicable requirements of subpart E of this part [the Privacy Rule].”
a. Isolating Health Care Clearinghouse Functions (Sec 164.308(a)(4)(ii)(A))
“If a health care clearinghouse is part of a larger organization, the clearinghouse must implement
policies and procedures that protect the electronic protected health information of the
clearinghouse from unauthorized access by the larger organization.”
N/A
b. Access Authorization 164.308(a)(4)(ii)(B)
“Implement policies and procedures for granting access to electronic protected health
information, for example, through access to a workstation, transaction, program, process, or
other mechanism.”
Requests for accounts on the ICR are submitted through a website interface. Each request is routed to the primary administrator of the sponsoring and/or participating NGO. Each request is thus sponsored, and it is the responsibility of the organization that supports or monitors the requester (e.g., a Ponseti-trained doctor) to assure that ICR users only use their access as appropriately defined.
c. Access Establishment and Modification 164.308(a)(4)(ii)(C)
“Implement policies and procedures that, based upon the entity’s access authorization
policies, establish, document, review, and modify a user’s right of access to a workstation,
transaction, program, or process.”
Users of the ICR may hold rights as either 1) System administrator, 2) Sponsoring NGO administrator, 3) Hospital Administrator, 4) Doctor, or 5) Data Entry. From 1 to 5, the rights to search, modify and review patient records are increasingly restricted. Users below level 1 will only have access to a specific set of patients treated by that NGO’s treatment network. Data entry users may be unable to review records of patients that were not directly entered by that same person.
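The five-level role model above can be enforced with a single default-deny authorization check. The following is an added illustration, not code from the ICR system; the role names, the record fields (`ngo_id`, `entered_by`) and the per-action matrix are assumptions chosen to match the policy text (level 1 sees everything, lower levels are confined to their NGO's network, data-entry users only to records they entered themselves).

```python
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    # Levels 1..5 from the ICR policy; a higher number is a more restricted role.
    SYSTEM_ADMIN = 1
    NGO_ADMIN = 2
    HOSPITAL_ADMIN = 3
    DOCTOR = 4
    DATA_ENTRY = 5


@dataclass(frozen=True)
class User:
    user_id: str
    role: Role
    ngo_id: str  # treatment network the user belongs to (assumed field)


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    ngo_id: str       # treatment network that treats the patient (assumed field)
    entered_by: str   # user_id of the person who entered the record (assumed field)


# Assumed action matrix: which levels may perform an action at all. Only the
# direction "more restricted from level 1 to 5" comes from the policy; here
# data-entry users may review and modify (scoped below) but not search.
ALLOWED_ACTIONS = {
    "search": {Role.SYSTEM_ADMIN, Role.NGO_ADMIN, Role.HOSPITAL_ADMIN, Role.DOCTOR},
    "review": set(Role),
    "modify": set(Role),
}


def may_access(user: User, record: PatientRecord, action: str) -> bool:
    """Default deny: role, network scope and authorship must all permit the action."""
    if user.role not in ALLOWED_ACTIONS.get(action, set()):
        return False
    # Level 1 sees every record; everyone below is confined to their own network.
    if user.role != Role.SYSTEM_ADMIN and user.ngo_id != record.ngo_id:
        return False
    # Data-entry users are further confined to records they entered themselves.
    if user.role == Role.DATA_ENTRY and record.entered_by != user.user_id:
        return False
    return True


def visible_records(user: User, records: list, action: str = "review") -> list:
    """Filter a result set so a user never sees records outside their scope."""
    return [r for r in records if may_access(user, r, action)]
```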
5. Security Awareness and Training (Sec 164.308(a)(5))
“Implement a security awareness and training program for all members of its
workforce (including management).”
a. Security Reminders 164.308(a)(5)(ii)(A)
“Periodic security updates”
All ICR developers are responsible for applying all security updates to all relevant systems – the underlying system support framework, the ICR system itself, and all workstations upon which development work is carried out.
b. Protection from Malicious Software 164.308(a)(5)(ii)(B)
“Procedures for guarding against, detecting, and reporting malicious software.”
Each end user of the ICR system is responsible for maintaining appropriate virus, malware and spyware detection software and applying updates as recommended by the developer team.
c. Log-in Monitoring 164.308(a)(5)(ii)(C)
“Procedures for monitoring log-in attempts and reporting discrepancies.”
Logs are maintained to track user access as well as failed attempts to log in to the system. These are reviewed periodically (at least once per quarter).
d. Password Management 164.308(a)(5)(ii)(D)
“Procedures for creating, changing, and safeguarding passwords.”
Users will be required to select strong passwords upon initial creation and modification of same. Modification of user software is performed on the online system, and updated passwords are “pushed” to the offline systems at the time an online synchronization operation is performed.
Implementation of the ICR on any mobile device (cellular smart phone, tablet, or PDA) will comply with the following standard operating procedures:
a) Mobile devices must always run the latest version of the software available to protect against malicious attack.
b) A device timeout (set to no greater than 10 minutes of inactivity) requires re-entry of the ICR user ID and password.
c) Inactivity of the ICR application on a mobile device will result in required re-entry of a user’s ID and password to continue use.
6. Security Incident Procedures (Sec 164.308(a)(6))
“Implement policies and procedures to address security incidents.”
a. Response and Reporting 164.308(a)(6)(ii)
“Identify and respond to suspected or known security incidents; mitigate, to the extent practicable,
harmful effects of security incidents that are known to the covered entity; and document security
incidents and their outcomes.”
Administrators and users at all levels of access are required to protect their login credentials. These credentials may not be shared among multiple users. Administrators and users are required to report any suspicious access activity and/or attempts to access the system by unauthorized persons.
7. Contingency Plan (Sec 164.308(a)(7))
a. Data Backup Plan 164.308(a)(7)(ii)(A)
“Establish and implement procedures to create and maintain retrievable exact copies of electronic
protected health information.”
The ICR database is backed up daily in the CBCB at the University of Iowa. Offsite copies are created daily. Snapshots of NGO-specific data are created and distributed semi-annually.
b. Disaster Recovery Plan 164.308(a)(7)(ii)(B)
“Establish (and implement as needed) procedures to restore any loss of data.”
Standard procedures for restoration of backups from the system described above are tested monthly.
c. Emergency Mode Operation Plan 164.308(a)(7)(ii)(C)
“Establish (and implement as needed) procedures to enable continuation of critical business
processes for protection of the security of electronic protected health information while operating
in emergency mode.”
N/A
d. Testing and Revision Procedures 164.308(a)(7)(ii)(D)
“Implement procedures for periodic testing and revision of contingency plans.”
The procedures above are reviewed annually among all stakeholders.
e. Application and Data Criticality Analysis 164.308(a)(7)(ii)(E)
“Assess the relative criticality of specific applications and data in support of other contingency
plan components.”
Subject to annual review.
Sec 164.310
1. Facility Access Controls (Sec 164.310(a)(1))
“Implement policies and procedures to limit physical access to its electronic information systems and
the facility or facilities in which they are housed, while ensuring that properly authorized access is
allowed.”
a. Contingency Operations 164.310(a)(2)(i)
“Establish (and implement as needed) procedures that allow facility access in support of restoration
of lost data under the disaster recovery plan and emergency mode operations plan in the event of
an emergency.”
The ICR is operated entirely from secured IRB-compliant machine rooms with controlled and monitored access doors. Building security and maintenance personnel have access, as do IT staff and developers.
b. Facility Security Plan 164.310(a)(2)(ii)
“Implement policies and procedures to safeguard the facility and the equipment therein from
unauthorized physical access, tampering, and theft.”
MARLOC keycard access with access logging is employed to control access to all machine rooms that host the ICR and associated data.
c. Access Control and Validation Procedures 164.310(a)(2)(iii)
“Implement procedures to control and validate a person’s access to facilities based on their role or
function, including visitor control, and control of access to software programs for testing and
revision.”
As stated above.
d. Maintenance Records 164.310(a)(2)(iv)
“Implement policies and procedures to document repairs and modifications to the physical
components of a facility which are related to security (for example, hardware, walls, doors and
locks).”
The University of Iowa College of Engineering is responsible for maintenance of the physical facilities housing the ICR, and logs are maintained of all maintenance performed.
2. Workstation Use (Sec 164.310(b))
“Implement policies and procedures that specify the proper functions to be performed, the manner in
which those functions are to be performed, and the physical attributes of the surroundings of a specific
workstation or class of workstation that can access electronic protected health information.”
As stated above in Sec 164.308(a)(4)(ii)(C).
3. Workstation Security (Sec 164.310(c))
“Implement physical safeguards for all workstations that access electronic protected health
information, to restrict access to authorized users.”
As stated above.
4. Device and Media Controls (Sec 164.310(d)(1))
“Implement policies and procedures that govern the receipt and removal of hardware and electronic
media that contain electronic protected health information, into and out of a facility, and the
movement of these items within the facility.”
As stated above in relevant parts of Sec 164.308.
a. Disposal 164.310(d)(2)(i)
“Implement policies and procedures to address the final disposition of electronic protected health
information, and/or the hardware or electronic media on which it is stored.”
b. Media Re-Use 164.310(d)(2)(ii)
“Implement procedures for removal of electronic protected health information from electronic
media before the media are made available for re-use.”
c. Accountability 164.310(d)(2)(iii)
“Maintain a record of the movements of hardware and electronic media and any person
responsible therefore.”
d. Data Backup and Storage 164.310(d)(2)(iv)
“Create a retrievable, exact copy of electronic protected health information, when needed, before
movement of equipment.”