SlideShare a Scribd company logo

MSH-REB-Privacy-and-Security-Fundamentals-for-Researchers.ppt

Download as PPT, PDF
P
PedroPiminchumo

This document provides an overview of privacy and security fundamentals for researchers conducting studies involving personal health information (PHI). It discusses key requirements under privacy laws and research ethics boards including obtaining consent, adhering to approved research protocols, de-identifying data, safeguarding devices, encrypting files, and retaining/disposing of PHI properly. Researchers are expected to minimize PHI collection, adhere to all privacy rules and oversight bodies, and ensure data is kept secure throughout the research process from collection through dissemination of findings. Non-compliance may result in fines or legal action.

Technology
1 of 28
PRIVACY & SECURITY FUNDAMENTALS FOR RESEARCHERS
1. Privacy of Personal Health Information (PHI) 2. Governing Authorities 3. Protocol Adherence 4. Consent Obligations 5. De-Identification Tips 6. E-mail Security 7. Safeguarding Devices 8. Encryption Tips 9. Disseminating Findings 10. Additional Resources Presentation Overview
• Fundamental human right & legal obligation; internationally recognized norm & ethical standard. • Ontario’s Personal Health Information Protection Act, 2004 (PHIPA) governs the collection, use and disclosure of PHI for research purposes. Privacy
PHI Physical or mental health, including family health history Identity of physician, care provider, or substitute decision maker Plan of service Payments or eligibility for health care coverage Health card number Donation of body parts or bodily substances PHI: identifying information in oral or recorded form that relates to any of the following about an individual: Personal Health Information (PHI)
In addition to PHIPA privacy rules, the following agencies also require privacy protection as a condition for conducting research: • Research Ethics Boards (REB) • Tri-Council Policy Statement (TCPS) • MSH Policies • Regulatory College Guidelines • Office for Human Research Protections • FDA Adherence to these standards protects patients and you Alignment with Research Authorities, Public Expectations
Provide for protecting privacy and security at all phases of the research process including: • Identification/selection of study subjects • Communication with research team • Recruitment • Consent procedures • Data collection procedures • Data storage • Analysis • Dissemination/publication • Retention • Disposal Research Planning
No deviation from protocol • Contact patients to request consent to participate after REB approves study. • Collect minimum (PHI) necessary and use only for approved purposes. • Implement safeguards outlined. • Disclose PHI only to authorized recipients identified in protocol. • Where possible, de-identify PHI by removing/changing information so individuals cannot be identified. Protocol Obligations
• Shared health systems may only be used for the purpose of providing care or assisting in care provision. • Privacy breach: accessing Connecting Ontario or other shared systems (OLIS, HDIRS, IAR, eCHN, RM&R, etc.) for research purposes or quality improvement. • Required Notice: to Information & Privacy Commissioner, patients, Chair of Research Ethics Board; Regulatory Colleges may be notified, potential for fines, civil action for privacy breach. Connecting Ontario – Shared Systems No access permitted for research purposes
Obtain express patient consent to collect PHI unless REB has waived consent obligation. REB may waive consent where: 1. Research purposes cannot be achieved without identifiable information; 2. Impractical to obtain consent; 3. Public interest in conducting the research exceeds the public interest in protecting the privacy of the individuals; and 4. Information is protected by adequate safeguards. Consent Obligations
PHI must be de-identified: • Before removal from a hospital site or network. • Before disclosure to a contractor or external member of research team (e.g. statistician) or to a sponsor or offsite monitor. • Before publishing or presenting unless patients have provided written consent. Best Practice: de-identify before importing to statistical or other software/tools. De-identification
Generate a unique study ID number for each participant (do not use initials, OHIP, MRN or DOB) Remove unique identifiers from data: • Name/Telephone/Fax number/DOB • Address, forward sortation postal code • Emergency Contact/Next-of-kin • Hospital number/OHIP number • IP/email addresses • Biometric identifiers • Photographs and identifying images Remove quasi identifiers from the data: • Physician name (if prominent) • Clinic name (if linked to condition) • Geographic location • Name of rare disease • Unique personal characteristic • Qualitative comments Create a study identification code list that contains participants’ study IDs and any identifiable information, including unique and quasi identifiers that were removed (list must be securely stored) Use the study ID on all study documents (other than source files) Correct for small sample/cell sizes when publishing or presenting results to decrease possibility of outliers or unique cases being re-identified based on inference even when names, other unique identifiers are not included Use age or year of birth rather than collect DOB unless strictly necessary Use De-identification Software (not an exhaustive list of methods) De-identification Tips Removing/changing information so that individuals cannot be identified
• Avoid using mobile devices/removable storage media to store/transport PHI. • E.g. - Laptops, tablets, smartphones, USB flash drives, optical discs (CDs, DVDs), memory cards (SD, CF, etc.),external hard drives, etc. • If it is necessary to store/transport PHI using such devices, then physical, technical and administrative safeguards must be employed; minimum requirement - encrypted files, whole disk encryption is best practice. Safeguarding PHI on Devices
Consider Secure Alternatives: Is there a secure alternative that would allow you to complete the work without storing PHI on your device (e.g. remote access)? Authorization to Store/Transport PHI: Are you authorized to store or transport PHI on devices? Minimize or De-identify PHI: Have you stored the least amount of PHI possible and used de- identified data when it will serve the purpose? Whole Disk Encryption & Passwords: Is the PHI protected from unauthorized access both by whole disk encryption and strong passwords? Avoid Unsecured Networks: Do you use secure networks/protocols when sending or receiving PHI on your device? Safeguarding PHI on Devices
• Know the PHI: If your device is lost or stolen, could you identify all the PHI stored on it? • Use Protective Software & Configure Your Device Settings: Have you installed and are you using up-to- date firewalls, anti-virus and anti-theft software? • Be Aware of Physical Security: Do you transport/use devices in a secure manner to prevent loss, theft, “shoulder-surfing” or eavesdropping? Do you take the most direct route and keep things locked up? • Report Immediately Losses or Theft: If it occurs, do you know who to contact to report the loss? (MSH’s Chief Privacy Officer (CPO): Janet Guevara – jguevara@msh.on.ca). • Remove PHI from your Device as Soon as Possible: Do you securely remove all PHI stored on your device as soon as possible? Safeguarding PHI on Devices
• Only use secure system to transmit PHI; i.e. a system that automatically encrypts data during transmission. • Secure transmission: e.g. between MSH email users. • Never send PHI to personal accounts: gmail, hotmail, etc. • System not secure: send only de- identified data that has been encrypted & protected by strong password. – Note: encryption protects against re- identification if data is lost/stolen. Emailing PHI to Research Team
• PHI on mobile devices/removable storage media is not allowed unless encrypted • Make sure you are encrypting a copy of the original and not the original or else you will always have to use a password to open originals stored on secure networks/servers • Create a strong password. Write it down. Send the file to the recipient and explain that the password will be sent in a separate email. They can just copy and paste the password to open the document. If retaining password, store securely Encrypting Files
How to encrypt a Word 2010 document: • Click the File tab • Click Info • Click Protect Document, and then click Encrypt with Password • In the Encrypt Document box, type a password, and then click OK • In the Confirm Password box, type the password again, and then click OK Encrypt MS Word Files
How to encrypt an Excel 2010 file: • Click the File tab • Click Info • Click Protect Workbook, and then click Encrypt with Password • In the Encrypt Workbook box, type a password, and then click OK • In the Confirm Password box, type the password again, and then click OK Encrypt MS Excel Files
How to encrypt an Access 2010 database: • Open the database in Exclusive mode • Click the File tab • Click Info • Click Protect Workbook, and then click Encrypt with Password • In the Encrypt Workbook box, type a password, and then click OK • In the Confirm Password box, type the password again, and then click OK Encrypt MS Access Files
Encrypting an Adobe PDF file (requires Adobe Acrobat Pro): • Click the Tools pane • Open the Protection panel • Click Encrypt and select Encrypt With Password • Confirm that you want to change the security of the document • In the Password Security Settings dialog box you can add two types of passwords • The Document Open password restricts who may open the document • The Permissions password restricts printing, editing and copying based on your selections • Click OK and confirm the password(s) chosen • Save the document to apply the new security settings • Type a name for your file and click Save Encrypt Adobe Files
 I have minimized the amount of PHI on mobile devices and removable storage media and it is stored in encrypted form.  I use a strong password to protect the encrypted data AND it is different than the password that I use to login to my computer.  Best practice: I have purchased software to implement whole disk encryption on my device , or I buy devices with whole disk encryption already installed.  I have enabled my operating system encryption.  I never write my password down unless it is stored under lock and key or in such a manner that it is very secure e.g. encrypted file list.  I do not share my password with anyone.  I delete PHI from all mobile devices and removable storage media once I have finished working with it.  Please note: PHI should be deleted/erased from mobile devices in such a manner that reconstruction of the data is not reasonably foreseeable in the circumstances. Encryption Checklist
• De-identified, aggregated data must be used for presentations/publications unless participants’ express consent is sought and documented. • Never reveal identities of non- consenting participants; participants may be recognizable even when direct identifiers are removed. Disseminating Findings
• Not required but may support clinical care/research relationship if access consistent with REB approved protocol. • Ask for consent before giving any information to participants’ family or friends and before leaving a detailed voicemail. • Refer requests for clinical non- research information to MSH’s Release of Information department. Providing PHI to Participants
Select secure location for retention; Use a hospital or other secure network for electronic files. At the end of the retention period, confirm destruction plans with sponsor, securely destroy identifiable data to avoid recovery; Tips: • Don’t recycle or trash material. • Cross-cut shred paper, disks, CDs, DVDs. • Destroy USB keys/hard drives or use software to securely wipe. • Obtain certificates of destruction from any vendors that assist you. Retaining & Disposing of PHI
This tribunal provides oversight of compliance with the Personal Health Information Protection Act (PHIPA). In this role, the Commissioner: • adjudicates access appeals, investigates privacy complaints and may issue public reports. • may enter and inspect premises, records, information management practices and require evidence under oath, affirmation. • has Order making powers; may levy fines of up to $100K – individuals, $500K – organizations. • IPC Contact: 416-326-3333 www.ipc.on.ca. Information & Privacy Commissioner of Ontario (IPC)
ATTESTATION OF COMPLETION I hereby attest that I have completed Privacy & Security Fundamentals training for Researchers. I understand that this attestation is valid for one year. After expiry, the training must be redone and a current attestation submitted for any new studies. Name: ____________________________ ____________________________ Print Signature __________________________ Date Please print this slide and sign. A copy of the signed attestation must be submitted with your application for REB approval. Keep a copy as it may be used for new studies submitted prior to the one year expiry date.
Please take some time to familiarize yourself with the following resources: MSH Policies Mobile Devices, Removable Storage Media, and Personal Health Information Security Privacy & Data Protection Disclosure of Personal Health Information Additional Information
For more information please contact Janet Guevara, Chief Privacy Officer at (905) 472-7373 ext. 6004 Thank You

Recommended

Hcc_hipaa hitech training_Basic www.hcctecnologies.com
Hcc_hipaa hitech training_Basic www.hcctecnologies.comHcc_hipaa hitech training_Basic www.hcctecnologies.com
Hcc_hipaa hitech training_Basic www.hcctecnologies.com
ejazmazhar
 
How to avoid being caught out by HIPAA compliance?
How to avoid being caught out by HIPAA compliance?How to avoid being caught out by HIPAA compliance?
How to avoid being caught out by HIPAA compliance?
Lepide USA Inc
 
Legal and ethical considerations in nursing informatics
Legal and ethical considerations in nursing informaticsLegal and ethical considerations in nursing informatics
Legal and ethical considerations in nursing informatics
AHMED ZINHOM
 
Hipaa overview 073118
Hipaa overview 073118Hipaa overview 073118
Hipaa overview 073118
robint2125
 
Medical Data Encryption 101
Medical Data Encryption 101Medical Data Encryption 101
Medical Data Encryption 101
SecurityMetrics
 
8.2 Demonstration Health - IT benifits - Bagmishika Puhan ( Session 8)
8.2 Demonstration Health - IT benifits - Bagmishika Puhan ( Session 8)8.2 Demonstration Health - IT benifits - Bagmishika Puhan ( Session 8)
8.2 Demonstration Health - IT benifits - Bagmishika Puhan ( Session 8)
Apollo Hospitals Group and ATNF
 
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best Practices
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best PracticesDispelling HIPAA Myths: Texting, Emailing, and BYOD Best Practices
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best Practices
Conference Panel
 
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
Jack Pringle
 

Recommended

Hcc_hipaa hitech training_Basic www.hcctecnologies.com
Hcc_hipaa hitech training_Basic www.hcctecnologies.comHcc_hipaa hitech training_Basic www.hcctecnologies.com
Hcc_hipaa hitech training_Basic www.hcctecnologies.com
ejazmazhar
 
How to avoid being caught out by HIPAA compliance?
How to avoid being caught out by HIPAA compliance?How to avoid being caught out by HIPAA compliance?
How to avoid being caught out by HIPAA compliance?
Lepide USA Inc
 
Legal and ethical considerations in nursing informatics
Legal and ethical considerations in nursing informaticsLegal and ethical considerations in nursing informatics
Legal and ethical considerations in nursing informatics
AHMED ZINHOM
 
Hipaa overview 073118
Hipaa overview 073118Hipaa overview 073118
Hipaa overview 073118
robint2125
 
Medical Data Encryption 101
Medical Data Encryption 101Medical Data Encryption 101
Medical Data Encryption 101
SecurityMetrics
 
8.2 Demonstration Health - IT benifits - Bagmishika Puhan ( Session 8)
8.2 Demonstration Health - IT benifits - Bagmishika Puhan ( Session 8)8.2 Demonstration Health - IT benifits - Bagmishika Puhan ( Session 8)
8.2 Demonstration Health - IT benifits - Bagmishika Puhan ( Session 8)
Apollo Hospitals Group and ATNF
 
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best Practices
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best PracticesDispelling HIPAA Myths: Texting, Emailing, and BYOD Best Practices
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best Practices
Conference Panel
 
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
Jack Pringle
 
Security and Safe Keeping of Official Information by DPO
Security and Safe Keeping of Official Information by DPOSecurity and Safe Keeping of Official Information by DPO
Security and Safe Keeping of Official Information by DPO
Atlantic Training, LLC.
 
Personal Threat Models
Personal Threat ModelsPersonal Threat Models
Personal Threat Models
Geoffrey Vaughan
 
Hippa powerpoint 92613
Hippa powerpoint 92613Hippa powerpoint 92613
Hippa powerpoint 92613
Ravinia Hayes-Cozier
 
Hippa powerpoint 92613
Hippa powerpoint 92613Hippa powerpoint 92613
Hippa powerpoint 92613Ravinia Hayes-Cozier
 
Small actions with big consequences Data Encryption a must do for Medical Pra...
Small actions with big consequences Data Encryption a must do for Medical Pra...Small actions with big consequences Data Encryption a must do for Medical Pra...
Small actions with big consequences Data Encryption a must do for Medical Pra...
CureMD
 
Publishing and sharing sensitive data 28 June
Publishing and sharing sensitive data 28 JunePublishing and sharing sensitive data 28 June
Publishing and sharing sensitive data 28 June
ARDC
 
Media_644046_smxx (1).pptx
Media_644046_smxx (1).pptxMedia_644046_smxx (1).pptx
Media_644046_smxx (1).pptx
MichelleSaver
 
cybersecurity
cybersecurity cybersecurity
cybersecurity
AkshaySajith3
 
it-security.ppt
it-security.pptit-security.ppt
it-security.ppt
AmanSoni665879
 
Mha 690 week 1 discussion presentation
Mha 690 week 1 discussion presentationMha 690 week 1 discussion presentation
Mha 690 week 1 discussion presentation
falane
 
GDPR and Cyber Security LW.pptx
GDPR and Cyber Security LW.pptxGDPR and Cyber Security LW.pptx
GDPR and Cyber Security LW.pptx
TimBee1
 
Hipaa and social media using new
Hipaa and social media using newHipaa and social media using new
Hipaa and social media using new
OnlineAudio Training
 
Privacy, Encryption, and Anonymity in the Civil Legal Aid Context
Privacy, Encryption, and Anonymity in the Civil Legal Aid ContextPrivacy, Encryption, and Anonymity in the Civil Legal Aid Context
Privacy, Encryption, and Anonymity in the Civil Legal Aid Context
Legal Services National Technology Assistance Project (LSNTAP)
 
Are You HIPAA Safe?
Are You HIPAA Safe?Are You HIPAA Safe?
Are You HIPAA Safe?
TriageLogic
 
LW GDPR and Cyber Security.pptx
LW GDPR and Cyber Security.pptxLW GDPR and Cyber Security.pptx
LW GDPR and Cyber Security.pptx
TimBee1
 
week 7.pptx
week 7.pptxweek 7.pptx
week 7.pptx
StephenGwadi
 
Harshit security
Harshit securityHarshit security
Harshit security
HarshitGupta435
 
Physician Office Presentation
Physician Office PresentationPhysician Office Presentation
Physician Office Presentation
franbodh
 
4 it-security.ppt
4 it-security.ppt4 it-security.ppt
4 it-security.ppt
DevenderDahiya9
 
C. Gibbs MHA 690 week 1 discussion 2
C. Gibbs MHA 690 week 1 discussion 2C. Gibbs MHA 690 week 1 discussion 2
C. Gibbs MHA 690 week 1 discussion 2
CGibbs3121
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 

More Related Content

Similar to MSH-REB-Privacy-and-Security-Fundamentals-for-Researchers.ppt

Security and Safe Keeping of Official Information by DPO
Security and Safe Keeping of Official Information by DPOSecurity and Safe Keeping of Official Information by DPO
Security and Safe Keeping of Official Information by DPO
Atlantic Training, LLC.
 
Personal Threat Models
Personal Threat ModelsPersonal Threat Models
Personal Threat Models
Geoffrey Vaughan
 
Hippa powerpoint 92613
Hippa powerpoint 92613Hippa powerpoint 92613
Hippa powerpoint 92613
Ravinia Hayes-Cozier
 
Small actions with big consequences Data Encryption a must do for Medical Pra...
Small actions with big consequences Data Encryption a must do for Medical Pra...Small actions with big consequences Data Encryption a must do for Medical Pra...
Small actions with big consequences Data Encryption a must do for Medical Pra...
CureMD
 
Publishing and sharing sensitive data 28 June
Publishing and sharing sensitive data 28 JunePublishing and sharing sensitive data 28 June
Publishing and sharing sensitive data 28 June
ARDC
 
Media_644046_smxx (1).pptx
Media_644046_smxx (1).pptxMedia_644046_smxx (1).pptx
Media_644046_smxx (1).pptx
MichelleSaver
 
cybersecurity
cybersecurity cybersecurity
cybersecurity
AkshaySajith3
 
Mha 690 week 1 discussion presentation
Mha 690 week 1 discussion presentationMha 690 week 1 discussion presentation
Mha 690 week 1 discussion presentation
falane
 
GDPR and Cyber Security LW.pptx
GDPR and Cyber Security LW.pptxGDPR and Cyber Security LW.pptx
GDPR and Cyber Security LW.pptx
TimBee1
 
Hipaa and social media using new
Hipaa and social media using newHipaa and social media using new
Hipaa and social media using new
OnlineAudio Training
 
Privacy, Encryption, and Anonymity in the Civil Legal Aid Context
Privacy, Encryption, and Anonymity in the Civil Legal Aid ContextPrivacy, Encryption, and Anonymity in the Civil Legal Aid Context
Privacy, Encryption, and Anonymity in the Civil Legal Aid Context
Legal Services National Technology Assistance Project (LSNTAP)
 
Are You HIPAA Safe?
Are You HIPAA Safe?Are You HIPAA Safe?
Are You HIPAA Safe?
TriageLogic
 
LW GDPR and Cyber Security.pptx
LW GDPR and Cyber Security.pptxLW GDPR and Cyber Security.pptx
LW GDPR and Cyber Security.pptx
TimBee1
 
week 7.pptx
week 7.pptxweek 7.pptx
week 7.pptx
StephenGwadi
 
Harshit security
Harshit securityHarshit security
Harshit security
HarshitGupta435
 
Physician Office Presentation
Physician Office PresentationPhysician Office Presentation
Physician Office Presentation
franbodh
 
4 it-security.ppt
4 it-security.ppt4 it-security.ppt
4 it-security.ppt
DevenderDahiya9
 
C. Gibbs MHA 690 week 1 discussion 2
C. Gibbs MHA 690 week 1 discussion 2C. Gibbs MHA 690 week 1 discussion 2
C. Gibbs MHA 690 week 1 discussion 2
CGibbs3121
 

Similar to MSH-REB-Privacy-and-Security-Fundamentals-for-Researchers.ppt (20)

Security and Safe Keeping of Official Information by DPO
Security and Safe Keeping of Official Information by DPOSecurity and Safe Keeping of Official Information by DPO
Security and Safe Keeping of Official Information by DPO
 
Personal Threat Models
Personal Threat ModelsPersonal Threat Models
Personal Threat Models
 
Hippa powerpoint 92613
Hippa powerpoint 92613Hippa powerpoint 92613
Hippa powerpoint 92613
 
Hippa powerpoint 92613
Hippa powerpoint 92613Hippa powerpoint 92613
Hippa powerpoint 92613
 
Small actions with big consequences Data Encryption a must do for Medical Pra...
Small actions with big consequences Data Encryption a must do for Medical Pra...Small actions with big consequences Data Encryption a must do for Medical Pra...
Small actions with big consequences Data Encryption a must do for Medical Pra...
 
Publishing and sharing sensitive data 28 June
Publishing and sharing sensitive data 28 JunePublishing and sharing sensitive data 28 June
Publishing and sharing sensitive data 28 June
 
Media_644046_smxx (1).pptx
Media_644046_smxx (1).pptxMedia_644046_smxx (1).pptx
Media_644046_smxx (1).pptx
 
cybersecurity
cybersecurity cybersecurity
cybersecurity
 
it-security.ppt
it-security.pptit-security.ppt
it-security.ppt
 
Mha 690 week 1 discussion presentation
Mha 690 week 1 discussion presentationMha 690 week 1 discussion presentation
Mha 690 week 1 discussion presentation
 
GDPR and Cyber Security LW.pptx
GDPR and Cyber Security LW.pptxGDPR and Cyber Security LW.pptx
GDPR and Cyber Security LW.pptx
 
Hipaa and social media using new
Hipaa and social media using newHipaa and social media using new
Hipaa and social media using new
 
Privacy, Encryption, and Anonymity in the Civil Legal Aid Context
Privacy, Encryption, and Anonymity in the Civil Legal Aid ContextPrivacy, Encryption, and Anonymity in the Civil Legal Aid Context
Privacy, Encryption, and Anonymity in the Civil Legal Aid Context
 
Are You HIPAA Safe?
Are You HIPAA Safe?Are You HIPAA Safe?
Are You HIPAA Safe?
 
LW GDPR and Cyber Security.pptx
LW GDPR and Cyber Security.pptxLW GDPR and Cyber Security.pptx
LW GDPR and Cyber Security.pptx
 
week 7.pptx
week 7.pptxweek 7.pptx
week 7.pptx
 
Harshit security
Harshit securityHarshit security
Harshit security
 
Physician Office Presentation
Physician Office PresentationPhysician Office Presentation
Physician Office Presentation
 
4 it-security.ppt
4 it-security.ppt4 it-security.ppt
4 it-security.ppt
 
C. Gibbs MHA 690 week 1 discussion 2
C. Gibbs MHA 690 week 1 discussion 2C. Gibbs MHA 690 week 1 discussion 2
C. Gibbs MHA 690 week 1 discussion 2
 

Recently uploaded

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
UiPathCommunity
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 

Recently uploaded (20)

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 

MSH-REB-Privacy-and-Security-Fundamentals-for-Researchers.ppt

  • 1. PRIVACY & SECURITY FUNDAMENTALS FOR RESEARCHERS
  • 2. 1. Privacy of Personal Health Information (PHI) 2. Governing Authorities 3. Protocol Adherence 4. Consent Obligations 5. De-Identification Tips 6. E-mail Security 7. Safeguarding Devices 8. Encryption Tips 9. Disseminating Findings 10. Additional Resources Presentation Overview
  • 3. • Fundamental human right & legal obligation; internationally recognized norm & ethical standard. • Ontario’s Personal Health Information Protection Act, 2004 (PHIPA) governs the collection, use and disclosure of PHI for research purposes. Privacy
  • 4. PHI Physical or mental health, including family health history Identity of physician, care provider, or substitute decision maker Plan of service Payments or eligibility for health care coverage Health card number Donation of body parts or bodily substances PHI: identifying information in oral or recorded form that relates to any of the following about an individual: Personal Health Information (PHI)
  • 5. In addition to PHIPA privacy rules, the following agencies also require privacy protection as a condition for conducting research: • Research Ethics Boards (REB) • Tri-Council Policy Statement (TCPS) • MSH Policies • Regulatory College Guidelines • Office for Human Research Protections • FDA Adherence to these standards protects patients and you Alignment with Research Authorities, Public Expectations
  • 6. Provide for protecting privacy and security at all phases of the research process including: • Identification/selection of study subjects • Communication with research team • Recruitment • Consent procedures • Data collection procedures • Data storage • Analysis • Dissemination/publication • Retention • Disposal Research Planning
  • 7. No deviation from protocol • Contact patients to request consent to participate after REB approves study. • Collect minimum (PHI) necessary and use only for approved purposes. • Implement safeguards outlined. • Disclose PHI only to authorized recipients identified in protocol. • Where possible, de-identify PHI by removing/changing information so individuals cannot be identified. Protocol Obligations
  • 8. • Shared health systems may only be used for the purpose of providing care or assisting in care provision. • Privacy breach: accessing Connecting Ontario or other shared systems (OLIS, HDIRS, IAR, eCHN, RM&R, etc.) for research purposes or quality improvement. • Required Notice: to Information & Privacy Commissioner, patients, Chair of Research Ethics Board; Regulatory Colleges may be notified, potential for fines, civil action for privacy breach. Connecting Ontario – Shared Systems No access permitted for research purposes
  • 9. Obtain express patient consent to collect PHI unless REB has waived consent obligation. REB may waive consent where: 1. Research purposes cannot be achieved without identifiable information; 2. Impractical to obtain consent; 3. Public interest in conducting the research exceeds the public interest in protecting the privacy of the individuals; and 4. Information is protected by adequate safeguards. Consent Obligations
  • 10. PHI must be de-identified: • Before removal from a hospital site or network. • Before disclosure to a contractor or external member of research team (e.g. statistician) or to a sponsor or offsite monitor. • Before publishing or presenting unless patients have provided written consent. Best Practice: de-identify before importing to statistical or other software/tools. De-identification
  • 11. Generate a unique study ID number for each participant (do not use initials, OHIP, MRN or DOB) Remove unique identifiers from data: • Name/Telephone/Fax number/DOB • Address, forward sortation postal code • Emergency Contact/Next-of-kin • Hospital number/OHIP number • IP/email addresses • Biometric identifiers • Photographs and identifying images Remove quasi identifiers from the data: • Physician name (if prominent) • Clinic name (if linked to condition) • Geographic location • Name of rare disease • Unique personal characteristic • Qualitative comments Create a study identification code list that contains participants’ study IDs and any identifiable information, including unique and quasi identifiers that were removed (list must be securely stored) Use the study ID on all study documents (other than source files) Correct for small sample/cell sizes when publishing or presenting results to decrease possibility of outliers or unique cases being re-identified based on inference even when names, other unique identifiers are not included Use age or year of birth rather than collect DOB unless strictly necessary Use De-identification Software (not an exhaustive list of methods) De-identification Tips Removing/changing information so that individuals cannot be identified
  • 12. • Avoid using mobile devices/removable storage media to store/transport PHI. • E.g. - Laptops, tablets, smartphones, USB flash drives, optical discs (CDs, DVDs), memory cards (SD, CF, etc.),external hard drives, etc. • If it is necessary to store/transport PHI using such devices, then physical, technical and administrative safeguards must be employed; minimum requirement - encrypted files, whole disk encryption is best practice. Safeguarding PHI on Devices
  • 13. Consider Secure Alternatives: Is there a secure alternative that would allow you to complete the work without storing PHI on your device (e.g. remote access)? Authorization to Store/Transport PHI: Are you authorized to store or transport PHI on devices? Minimize or De-identify PHI: Have you stored the least amount of PHI possible and used de- identified data when it will serve the purpose? Whole Disk Encryption & Passwords: Is the PHI protected from unauthorized access both by whole disk encryption and strong passwords? Avoid Unsecured Networks: Do you use secure networks/protocols when sending or receiving PHI on your device? Safeguarding PHI on Devices
  • 14. • Know the PHI: If your device is lost or stolen, could you identify all the PHI stored on it? • Use Protective Software & Configure Your Device Settings: Have you installed and are you using up-to- date firewalls, anti-virus and anti-theft software? • Be Aware of Physical Security: Do you transport/use devices in a secure manner to prevent loss, theft, “shoulder-surfing” or eavesdropping? Do you take the most direct route and keep things locked up? • Report Immediately Losses or Theft: If it occurs, do you know who to contact to report the loss? (MSH’s Chief Privacy Officer (CPO): Janet Guevara – jguevara@msh.on.ca). • Remove PHI from your Device as Soon as Possible: Do you securely remove all PHI stored on your device as soon as possible? Safeguarding PHI on Devices
  • 15. • Only use secure system to transmit PHI; i.e. a system that automatically encrypts data during transmission. • Secure transmission: e.g. between MSH email users. • Never send PHI to personal accounts: gmail, hotmail, etc. • System not secure: send only de- identified data that has been encrypted & protected by strong password. – Note: encryption protects against re- identification if data is lost/stolen. Emailing PHI to Research Team
  • 16. • PHI on mobile devices/removable storage media is not allowed unless encrypted • Make sure you are encrypting a copy of the original and not the original or else you will always have to use a password to open originals stored on secure networks/servers • Create a strong password. Write it down. Send the file to the recipient and explain that the password will be sent in a separate email. They can just copy and paste the password to open the document. If retaining password, store securely Encrypting Files
  • 17. How to encrypt a Word 2010 document: • Click the File tab • Click Info • Click Protect Document, and then click Encrypt with Password • In the Encrypt Document box, type a password, and then click OK • In the Confirm Password box, type the password again, and then click OK Encrypt MS Word Files
  • 18. How to encrypt an Excel 2010 file: • Click the File tab • Click Info • Click Protect Workbook, and then click Encrypt with Password • In the Encrypt Workbook box, type a password, and then click OK • In the Confirm Password box, type the password again, and then click OK Encrypt MS Excel Files
  • 19. How to encrypt an Access 2010 database: • Open the database in Exclusive mode • Click the File tab • Click Info • Click Protect Workbook, and then click Encrypt with Password • In the Encrypt Workbook box, type a password, and then click OK • In the Confirm Password box, type the password again, and then click OK Encrypt MS Access Files
  • 20. Encrypting an Adobe PDF file (requires Adobe Acrobat Pro): • Click the Tools pane • Open the Protection panel • Click Encrypt and select Encrypt With Password • Confirm that you want to change the security of the document • In the Password Security Settings dialog box you can add two types of passwords • The Document Open password restricts who may open the document • The Permissions password restricts printing, editing and copying based on your selections • Click OK and confirm the password(s) chosen • Save the document to apply the new security settings • Type a name for your file and click Save Encrypt Adobe Files
  • 21.  I have minimized the amount of PHI on mobile devices and removable storage media and it is stored in encrypted form.  I use a strong password to protect the encrypted data AND it is different than the password that I use to login to my computer.  Best practice: I have purchased software to implement whole disk encryption on my device , or I buy devices with whole disk encryption already installed.  I have enabled my operating system encryption.  I never write my password down unless it is stored under lock and key or in such a manner that it is very secure e.g. encrypted file list.  I do not share my password with anyone.  I delete PHI from all mobile devices and removable storage media once I have finished working with it.  Please note: PHI should be deleted/erased from mobile devices in such a manner that reconstruction of the data is not reasonably foreseeable in the circumstances. Encryption Checklist
  • 22. • De-identified, aggregated data must be used for presentations/publications unless participants’ express consent is sought and documented. • Never reveal identities of non- consenting participants; participants may be recognizable even when direct identifiers are removed. Disseminating Findings
  • 23. • Not required but may support clinical care/research relationship if access consistent with REB approved protocol. • Ask for consent before giving any information to participants’ family or friends and before leaving a detailed voicemail. • Refer requests for clinical non- research information to MSH’s Release of Information department. Providing PHI to Participants
  • 24. Select secure location for retention; Use a hospital or other secure network for electronic files. At the end of the retention period, confirm destruction plans with sponsor, securely destroy identifiable data to avoid recovery; Tips: • Don’t recycle or trash material. • Cross-cut shred paper, disks, CDs, DVDs. • Destroy USB keys/hard drives or use software to securely wipe. • Obtain certificates of destruction from any vendors that assist you. Retaining & Disposing of PHI
  • 25. This tribunal provides oversight of compliance with the Personal Health Information Protection Act (PHIPA). In this role, the Commissioner: • adjudicates access appeals, investigates privacy complaints and may issue public reports. • may enter and inspect premises, records, information management practices and require evidence under oath, affirmation. • has Order making powers; may levy fines of up to $100K – individuals, $500K – organizations. • IPC Contact: 416-326-3333 www.ipc.on.ca. Information & Privacy Commissioner of Ontario (IPC)
  • 26. ATTESTATION OF COMPLETION I hereby attest that I have completed Privacy & Security Fundamentals training for Researchers. I understand that this attestation is valid for one year. After expiry, the training must be redone and a current attestation submitted for any new studies. Name: ____________________________ ____________________________ Print Signature __________________________ Date Please print this slide and sign. A copy of the signed attestation must be submitted with your application for REB approval. Keep a copy as it may be used for new studies submitted prior to the one year expiry date.
  • 27. Please take some time to familiarize yourself with the following resources: MSH Policies Mobile Devices, Removable Storage Media, and Personal Health Information Security Privacy & Data Protection Disclosure of Personal Health Information Additional Information
  • 28. For more information please contact Janet Guevara, Chief Privacy Officer at (905) 472-7373 ext. 6004 Thank You