
THE HUMAN RESEARCH PROTECTION PROGRAM

THE COMMITTEE ON HUMAN RESEARCH (CHR)

UCSF GUIDANCE ON RESEARCH TOPICS AND ISSUES

Information Security and Human Subjects Research
(September 2007, Revised February 2008, Revised May 2008, Revised October 2008)

•  Introduction
•  Contacts
•  Minimum HRPP Standards
•  Questions for Investigators
•  Training
•  MyResearch
•  Encryption
•  Other Resources


NOTE: As of January 1, 2008, California law requires that residents be notified when their electronic medical information or health insurance information has been exposed. The costs of notification can be significant and departments may be at risk for notification costs if identifiable medical data are lost, stolen, or otherwise exposed.

For more information on AB 1298 please read the Legislative Update on the Privacy Office web site for the California Department of Health Services.

Introduction

The protection of the personal and confidential information of UCSF's research subjects and patients is one of UCSF’s highest priorities.  Policies and guidance for information security at UCSF are set by the University of California, Office of the President, and by UCSF Enterprise Information Security.  However, the HRPP is also concerned about the privacy and confidentiality of human research participants and reminds investigators of their responsibilities when entrusted with confidential and privileged human subject information, whether in paper or electronic form.

Each member of the campus community is responsible for the security and protection of electronic information resources over which he or she has control (UCSF Administrative Policy 650-16).  All investigators and research staff should be familiar with information security policies and procedures of their department or unit, UCSF, the University of California, the State of California and Federal privacy laws (HIPAA).  Principal Investigators should work with information security experts to review their data storage and transmission procedures at least annually to minimize the risk of unauthorized access to or exposure of confidential information.

Contacts

Investigators and research staff with questions about best practices for information security should consult with Enterprise Information Security or the Privacy Office.

For questions about information security:  

Enterprise Information Security
isecurity@its.ucsf.edu
415.514.3333

For questions about HIPAA and patient privacy:

UCSF Privacy Office:
deborah.fong@ucsfmedctr.org
415.353.2750

Minimum HRPP Standards for the Collection, Storage, Use and Transmission of Subject Identifiers for Human Subjects Research

CHR applications require investigators to address issues related to subject privacy and confidentiality, HIPAA and information security.  Before filling out CHR applications, please keep in mind the following HRPP minimum standards:

  1. Do not collect any subject identifiers you do not need.

  2. Remove/destroy subject identifiers as soon as they are no longer needed, subject to UCOP guidance on records retention.

  3. Restrict physical access* to any area or computer system that contains subject identifiers.

  4. Restrict electronic access* to any computer system that contains subject identifiers.

  5. Subject identifiers should never be stored on laptops, PDAs, flash drives or other portable devices.  If it is necessary to use portable devices for the initial collection of subject identifiers, the data files must be encrypted*, and the identifiers must be transferred to a secure system as soon as possible.

  6. Subject identifiers must be removed from data files, and must be encrypted if stored electronically.  Identifiers must be stored in a physically separate and secure location from the data files, and associated with data files through a code that is also stored in a separate and secure location.

  7. If subject identifiers must be retained in the data files because of the specific needs of the research study, additional explanation must be provided by investigators to justify such retention.  If the data are electronic, the information must be encrypted during storage and decrypted only during the limited time it is needed for matching or other similar purposes. Exceptions may be made for databases that serve both research and clinical purposes, but in these cases the server must be configured to comply with Medical Center Information Security policies.

  8. Subject identifiers transmitted over public networks must be encrypted.

  9. Subject identifiers and contact information may not be distributed outside of UCSF without the specific informed consent of the subjects, and approval by the CHR.  A Data Use Agreement will also be required.

  10. All collaborating investigators at UCSF and at other institutions must comply with these standards.

* This is a UCSF Policy. For more information, see UCSF Administrative Policy 650-16, listed under Other Resources below. Consult with information security experts for specific advice on controlling access, and for additional information on encryption.

Questions for investigators and research staff to ask themselves:

  1. Am I collecting or retaining any data beyond what is absolutely necessary for the study, and have I destroyed data that are no longer needed for my research, subject to UCOP guidance?

  2. Have I consulted with information security experts to make sure my research and/or clinical data are secure from both physical and electronic theft?

  3. Have I replaced all personally identifiable information in my research records with a code and kept the code key separate from the records?  For example, the code key is kept in a separate locked office, or on a separate secure server.

  4. Do I routinely and regularly review and update my data security procedures?
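The coding step described in minimum standard 6 and in question 3 above can be sketched as follows. This is an added example, not UCSF code or tooling; the column names, the `S-` code format and the sample rows are assumptions constructed for illustration, and encryption of the code key is left to the site's approved tool.

```python
import csv
import io
import secrets

# Constructed sample input (not real subject data).
SAMPLE_CSV = """name,mrn,dob,systolic_bp,visit
Ana Example,000111,1970-01-02,128,1
Ana Example,000111,1970-01-02,131,2
Raj Sample,000222,1985-06-30,117,1
"""
IDENTIFIER_FIELDS = ("name", "mrn", "dob")  # assumed identifier columns

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def split_identifiers(rows, id_fields=IDENTIFIER_FIELDS):
    """Return (coded_rows, code_key): data without identifiers, and the
    code-to-identifier key that must be stored separately and encrypted."""
    code_for = {}                      # identifier tuple -> study code
    coded_rows, code_key = [], []
    for row in rows:
        # A missing identifier column raises KeyError, so a mis-specified
        # field list stops the run instead of leaving identifiers in place.
        ident = tuple(row[f] for f in id_fields)
        if ident not in code_for:
            # Random code: it cannot be reversed or recomputed from the
            # identifiers, unlike a hash of the MRN or name.
            code = "S-" + secrets.token_hex(4)
            while code in code_for.values():
                code = "S-" + secrets.token_hex(4)
            code_for[ident] = code
            code_key.append({"study_code": code, **dict(zip(id_fields, ident))})
        data = {k: v for k, v in row.items() if k not in id_fields}
        coded_rows.append({"study_code": code_for[ident], **data})
    return coded_rows, code_key

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    coded, key = split_identifiers(load(SAMPLE_CSV))
    print(to_csv(coded))  # coded data file for the research data store
    # to_csv(key) is written to a different, access-restricted location
    # and encrypted there; it never sits beside the coded data file.
```
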

Training

The OAAIS/EIS Security Awareness, Training & Education (SATE) program provides year-round programs to inform UCSF faculty, staff, and students of the perils of storing confidential information on unsecured servers, mobile devices and computers, data theft and corruption, and other technology-related dangers.

MyResearch

MyResearch was created to provide UCSF research teams with a professionally managed, secure, web-based, collaborative environment in which to store files containing sensitive data. It provides application and database services that allow investigators to view, manipulate, and save their data entirely in this protected environment without requiring files to be stored on their own computers.

Encryption

OAAIS offers encryption services to the UCSF community to assist campus departments and community members who do not have the resources to deploy proper encryption with appropriate key management. More information can be found at OAAIS Encryption Solutions.

Other Resources

The following information resources may assist you in your efforts to maintain the confidentiality of research and clinical information. Please take the time now to review this information and make sure that you are keeping your data as secure as possible.

1. UCSF Administrative Policy 650-16, Information Security and Confidentiality

2. UCSF HIPAA Training Guide

3. UCSF Information Security Policy, Procedures, and Guidelines