This document provides an overview of privacy and security fundamentals for researchers conducting studies involving personal health information (PHI). It discusses key requirements under privacy laws and research ethics boards including obtaining consent, adhering to approved research protocols, de-identifying data, safeguarding devices, encrypting files, and retaining/disposing of PHI properly. Researchers are expected to minimize PHI collection, adhere to all privacy rules and oversight bodies, and ensure data is kept secure throughout the research process from collection through dissemination of findings. Non-compliance may result in fines or legal action.
How to avoid being caught out by HIPAA compliance?Lepide USA Inc
The HIPAA Security compliance signifies good business practices. With greater values resulting from the compliance, Covered Entities will be well-served to adhere to and adopt the comprehensive IT principles it encompasses. LepideAuditor Suite can help you in HIPAA compliance for ePHI.
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best PracticesConference Panel
This 90-minute webinar will detail your practice (or business) information technology and how it relates to the HIPAA/HITECH Security Rule and securing PHI in transmission – what is required and what is myth… I will review multiple examples and specific scenarios and offer simple, common-sense solutions. I will also discuss the do's and don'ts relating to encryption and updated bulletins provided by the Office for Civil Rights.
Areas covered will be texting, email, encryption, medical messaging, voice data, personal devices, and risk factors.
I will uncover myths versus reality as they relate to this enigmatic law based on over 1000 risk assessments performed and years of experience in dealing directly with the Office for Civil Rights HIPAA auditors.
I will speak on specific experiences from over 18 years of experience working as an outsourced compliance auditor and expert witness on multiple HIPAA cases in state law and thoroughly explain how patients can now get cash remedies for wrongful disclosures of private health information.
More importantly, I will show you how to limit those risks by taking proactive steps and utilizing best practices.
Don't always believe what you read online about HIPAA, especially regarding encryption and IT; many groups sell more than necessary.
Register Now,
https://conferencepanel.com/conference/2024-hipaa-texting-and-emailing-dos-and-donts
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...Jack Pringle
These are the written materials accompanying a presentation I made at the SC Bar Convention on January 17, 2019 and addressing the role of human error, inattention, impatience, and greed in data security incidents, all of which often lead to the loss of sensitive information, client funds, and access to networks and files.
How to avoid being caught out by HIPAA compliance?Lepide USA Inc
The HIPAA Security compliance signifies good business practices. With greater values resulting from the compliance, Covered Entities will be well-served to adhere to and adopt the comprehensive IT principles it encompasses. LepideAuditor Suite can help you in HIPAA compliance for ePHI.
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best PracticesConference Panel
This 90-minute webinar will detail your practice (or business) information technology and how it relates to the HIPAA/HITECH Security Rule and securing PHI in transmission – what is required and what is myth… I will review multiple examples and specific scenarios and offer simple, common-sense solutions. I will also discuss the do's and don'ts relating to encryption and updated bulletins provided by the Office for Civil Rights.
Areas covered will be texting, email, encryption, medical messaging, voice data, personal devices, and risk factors.
I will uncover myths versus reality as they relate to this enigmatic law based on over 1000 risk assessments performed and years of experience in dealing directly with the Office for Civil Rights HIPAA auditors.
I will speak on specific experiences from over 18 years of experience working as an outsourced compliance auditor and expert witness on multiple HIPAA cases in state law and thoroughly explain how patients can now get cash remedies for wrongful disclosures of private health information.
More importantly, I will show you how to limit those risks by taking proactive steps and utilizing best practices.
Don't always believe what you read online about HIPAA, especially regarding encryption and IT; many groups sell more than necessary.
Register Now,
https://conferencepanel.com/conference/2024-hipaa-texting-and-emailing-dos-and-donts
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...Jack Pringle
These are the written materials accompanying a presentation I made at the SC Bar Convention on January 17, 2019 and addressing the role of human error, inattention, impatience, and greed in data security incidents, all of which often lead to the loss of sensitive information, client funds, and access to networks and files.
Presentation given by Kate LeMay at the 'Sharing Health-y Data: Challenges and Solutions' workshop, held at The Menzies Research Institute (Hobart, Tasmania) on 28th June 2016. The event was co-hosted by ANDS and the University of Tasmania library
Patient confidentiality is very important in healthcare. Healthcare members of all capacity, are exposed to a multitude of information, and access to obtain information on many individuals. This presentation stresses those important factors as well as communicates the various ways we can protect PHI.
Agenda
• Discuss how to handle patient communications
• Explain the issues involved with using Social Media
• Discuss how Social Media can work under HIPAA
• Identify guidance from HHS on patient communications
• Show what’s needed in a Social Media Policy
• Show the process that must be used in the event of breach
• Preparing for enforcement and auditing
• Learn how to approach compliance
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
More Related Content
Similar to MSH-REB-Privacy-and-Security-Fundamentals-for-Researchers.ppt
Presentation given by Kate LeMay at the 'Sharing Health-y Data: Challenges and Solutions' workshop, held at The Menzies Research Institute (Hobart, Tasmania) on 28th June 2016. The event was co-hosted by ANDS and the University of Tasmania library
Patient confidentiality is very important in healthcare. Healthcare members of all capacity, are exposed to a multitude of information, and access to obtain information on many individuals. This presentation stresses those important factors as well as communicates the various ways we can protect PHI.
Agenda
• Discuss how to handle patient communications
• Explain the issues involved with using Social Media
• Discuss how Social Media can work under HIPAA
• Identify guidance from HHS on patient communications
• Show what’s needed in a Social Media Policy
• Show the process that must be used in the event of breach
• Preparing for enforcement and auditing
• Learn how to approach compliance
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
2. 1. Privacy of Personal Health
Information (PHI)
2. Governing Authorities
3. Protocol Adherence
4. Consent Obligations
5. De-Identification Tips
6. E-mail Security
7. Safeguarding Devices
8. Encryption Tips
9. Disseminating Findings
10. Additional Resources
Presentation Overview
3. • Fundamental human right &
legal obligation; internationally
recognized norm & ethical
standard.
• Ontario’s Personal Health
Information Protection Act, 2004
(PHIPA) governs the collection,
use and disclosure of PHI for
research purposes.
Privacy
4. PHI
Physical or mental
health, including family
health history Identity of physician,
care provider, or
substitute decision
maker
Plan of service
Payments or eligibility
for health care
coverage
Health card number
Donation of body parts
or bodily substances
PHI: identifying information in oral or recorded form that relates to any of the following
about an individual:
Personal Health Information (PHI)
5. In addition to PHIPA privacy rules, the
following agencies also require privacy
protection as a condition for conducting
research:
• Research Ethics Boards (REB)
• Tri-Council Policy Statement (TCPS)
• MSH Policies
• Regulatory College Guidelines
• Office for Human Research Protections
• FDA
Adherence to these standards protects
patients and you
Alignment with Research Authorities,
Public Expectations
6. Provide for protecting privacy and security
at all phases of the research process
including:
• Identification/selection of study subjects
• Communication with research team
• Recruitment
• Consent procedures
• Data collection procedures
• Data storage
• Analysis
• Dissemination/publication
• Retention
• Disposal
Research Planning
7. No deviation from protocol
• Contact patients to request consent to
participate after REB approves study.
• Collect minimum (PHI) necessary and use
only for approved purposes.
• Implement safeguards outlined.
• Disclose PHI only to authorized recipients
identified in protocol.
• Where possible, de-identify PHI by
removing/changing information so individuals
cannot be identified.
Protocol Obligations
8. • Shared health systems may only be
used for the purpose of providing care
or assisting in care provision.
• Privacy breach: accessing Connecting
Ontario or other shared systems (OLIS,
HDIRS, IAR, eCHN, RM&R, etc.) for
research purposes or quality
improvement.
• Required Notice: to Information &
Privacy Commissioner, patients, Chair of
Research Ethics Board; Regulatory
Colleges may be notified, potential for
fines, civil action for privacy breach.
Connecting Ontario – Shared Systems
No access permitted for research purposes
9. Obtain express patient consent to collect PHI
unless REB has waived consent obligation. REB
may waive consent where:
1. Research purposes cannot be achieved
without identifiable information;
2. Impractical to obtain consent;
3. Public interest in conducting the research
exceeds the public interest in protecting the
privacy of the individuals; and
4. Information is protected by adequate
safeguards.
Consent Obligations
10. PHI must be de-identified:
• Before removal from a hospital site or
network.
• Before disclosure to a contractor or
external member of research team (e.g.
statistician) or to a sponsor or offsite
monitor.
• Before publishing or presenting unless
patients have provided written consent.
Best Practice: de-identify before importing
to statistical or other software/tools.
De-identification
11. Generate a unique study ID number for each participant (do
not use initials, OHIP, MRN or DOB)
Remove unique identifiers from data:
• Name/Telephone/Fax number/DOB
• Address, forward sortation postal code
• Emergency Contact/Next-of-kin
• Hospital number/OHIP number
• IP/email addresses
• Biometric identifiers
• Photographs and identifying images
Remove quasi identifiers from the data:
• Physician name (if prominent)
• Clinic name (if linked to condition)
• Geographic location
• Name of rare disease
• Unique personal characteristic
• Qualitative comments
Create a study identification code list that contains
participants’ study IDs and any identifiable information,
including unique and quasi identifiers that were removed
(list must be securely stored)
Use the study ID on all study documents (other than
source files)
Correct for small sample/cell sizes when publishing or
presenting results to decrease possibility of outliers or
unique cases being re-identified based on inference even
when names, other unique identifiers are not included
Use age or year of birth rather than collect DOB unless
strictly necessary
Use De-identification Software
(not an exhaustive list of methods)
De-identification Tips
Removing/changing information so that individuals cannot be identified
12. • Avoid using mobile devices/removable
storage media to store/transport PHI.
• E.g. - Laptops, tablets, smartphones,
USB flash drives, optical discs (CDs,
DVDs), memory cards (SD, CF,
etc.),external hard drives, etc.
• If it is necessary to store/transport PHI
using such devices, then physical,
technical and administrative safeguards
must be employed; minimum
requirement - encrypted files, whole
disk encryption is best practice.
Safeguarding PHI on Devices
13. Consider Secure Alternatives: Is there a secure
alternative that would allow you to complete the
work without storing PHI on your device (e.g.
remote access)?
Authorization to Store/Transport PHI: Are you
authorized to store or transport PHI on devices?
Minimize or De-identify PHI: Have you stored the
least amount of PHI possible and used de-
identified data when it will serve the purpose?
Whole Disk Encryption & Passwords: Is the PHI
protected from unauthorized access both by whole
disk encryption and strong passwords?
Avoid Unsecured Networks:
Do you use secure networks/protocols when
sending or receiving PHI on your device?
Safeguarding PHI on Devices
14. • Know the PHI: If your device is lost or stolen, could
you identify all the PHI stored on it?
• Use Protective Software & Configure Your Device
Settings: Have you installed and are you using up-to-
date firewalls, anti-virus and anti-theft software?
• Be Aware of Physical Security: Do you
transport/use devices in a secure manner to prevent
loss, theft, “shoulder-surfing” or eavesdropping? Do
you take the most direct route and keep things locked
up?
• Report Immediately Losses or Theft: If it occurs,
do you know who to contact to report the loss?
(MSH’s Chief Privacy Officer (CPO): Janet Guevara –
jguevara@msh.on.ca).
• Remove PHI from your Device as Soon as
Possible: Do you securely remove all PHI stored on
your device as soon as possible?
Safeguarding PHI on Devices
15. • Only use secure system to transmit
PHI; i.e. a system that automatically
encrypts data during transmission.
• Secure transmission: e.g. between
MSH email users.
• Never send PHI to personal accounts:
gmail, hotmail, etc.
• System not secure: send only de-
identified data that has been encrypted
& protected by strong password.
– Note: encryption protects against re-
identification if data is lost/stolen.
Emailing PHI to Research Team
16. • PHI on mobile devices/removable storage
media is not allowed unless encrypted
• Make sure you are encrypting a copy of the
original and not the original or else you will
always have to use a password to open
originals stored on secure networks/servers
• Create a strong password. Write it
down. Send the file to the recipient and
explain that the password will be sent in a
separate email. They can just copy and paste
the password to open the document. If
retaining password, store securely
Encrypting Files
17. How to encrypt a Word 2010 document:
• Click the File tab
• Click Info
• Click Protect Document, and then click
Encrypt with Password
• In the Encrypt Document box, type a
password, and then click OK
• In the Confirm Password box, type the
password again, and then click OK
Encrypt MS Word Files
18. How to encrypt an Excel 2010 file:
• Click the File tab
• Click Info
• Click Protect Workbook, and then click
Encrypt with Password
• In the Encrypt Workbook box, type a
password, and then click OK
• In the Confirm Password box, type the
password again, and then click OK
Encrypt MS Excel Files
19. How to encrypt an Access 2010 database:
• Open the database in Exclusive mode
• Click the File tab
• Click Info
• Click Protect Workbook, and then click
Encrypt with Password
• In the Encrypt Workbook box, type a
password, and then click OK
• In the Confirm Password box, type the
password again, and then click OK
Encrypt MS Access Files
20. Encrypting an Adobe PDF file (requires
Adobe Acrobat Pro):
• Click the Tools pane
• Open the Protection panel
• Click Encrypt and select Encrypt With Password
• Confirm that you want to change the security of the document
• In the Password Security Settings dialog box you can add
two types of passwords
• The Document Open password restricts who may
open the document
• The Permissions password restricts printing, editing
and copying based on your selections
• Click OK and confirm the password(s) chosen
• Save the document to apply the new security settings
• Type a name for your file and click Save
Encrypt Adobe Files
21. I have minimized the amount of PHI on
mobile devices and removable storage
media and it is stored in encrypted form.
I use a strong password to protect the
encrypted data AND it is different than
the password that I use to login to my
computer.
Best practice: I have purchased software
to implement whole disk encryption on
my device , or I buy devices with whole
disk encryption already installed.
I have enabled my operating system
encryption.
I never write my password down unless it
is stored under lock and key or in such a
manner that it is very secure e.g.
encrypted file list.
I do not share my password with anyone.
I delete PHI from all mobile devices and
removable storage media once I have
finished working with it.
Please note: PHI should be
deleted/erased from mobile devices in
such a manner that reconstruction of the
data is not reasonably foreseeable in the
circumstances.
Encryption Checklist
22. • De-identified, aggregated data
must be used for
presentations/publications
unless participants’ express
consent is sought and
documented.
• Never reveal identities of non-
consenting participants;
participants may be
recognizable even when direct
identifiers are removed.
Disseminating Findings
23. • Not required but may support
clinical care/research relationship if
access consistent with REB
approved protocol.
• Ask for consent before giving any
information to participants’ family or
friends and before leaving a
detailed voicemail.
• Refer requests for clinical non-
research information to MSH’s
Release of Information department.
Providing PHI to Participants
24. Select secure location for retention; Use a
hospital or other secure network for
electronic files.
At the end of the retention period, confirm
destruction plans with sponsor, securely
destroy identifiable data to avoid recovery;
Tips:
• Don’t recycle or trash material.
• Cross-cut shred paper, disks, CDs,
DVDs.
• Destroy USB keys/hard drives or use
software to securely wipe.
• Obtain certificates of destruction from
any vendors that assist you.
Retaining & Disposing of PHI
25. This tribunal provides oversight of compliance with
the Personal Health Information Protection Act
(PHIPA). In this role, the Commissioner:
• adjudicates access appeals, investigates
privacy complaints and may issue public
reports.
• may enter and inspect premises, records,
information management practices and require
evidence under oath, affirmation.
• has Order making powers; may levy fines of up
to $100K – individuals, $500K – organizations.
• IPC Contact: 416-326-3333 www.ipc.on.ca.
Information & Privacy Commissioner of
Ontario (IPC)
26. ATTESTATION OF
COMPLETION
I hereby attest that I have completed Privacy & Security Fundamentals training for
Researchers. I understand that this attestation is valid for one year. After expiry, the training
must be redone and a current attestation submitted for any new studies.
Name: ____________________________ ____________________________
Print Signature
__________________________
Date
Please print this slide and sign. A copy of the signed attestation must be submitted with your
application for REB approval. Keep a copy as it may be used for new studies submitted prior
to the one year expiry date.
27. Please take some time to familiarize
yourself with the following resources:
MSH Policies
Mobile Devices, Removable Storage Media,
and Personal Health Information Security
Privacy & Data Protection
Disclosure of Personal Health Information
Additional Information
28. For more information please contact Janet Guevara, Chief Privacy
Officer at (905) 472-7373 ext. 6004
Thank You