Security
You have a major role in keeping your workstation and the IGSP servers safe and secure. Even though some security safeguards can be made "automatic," the choices you make when you read email, use the web, or log in to a server make or break the security of IGSP computer systems.
Because IGSP researchers often use "protected health information" (the term used for clinical or medical information that can be associated with individual patients), all computing systems within IGSP must comply with the regulations set forth in HIPAA (the Health Information Portability and Accountability Act).
Secure System Usage
To help you make safe computing decisions, Duke requires that all users of medical center computing facilities read and understand a Secure System Usage memo that outlines people's responsibilities as they use a computer or the network. During the regular reviews of IGSP computer security, reviewers from other Duke departments or from outside agencies may ask you specific questions about the contents of this memo. Your ability to answer them plays a role in whether IGSP computers can be considered safe.
The security rules apply to all IGSP systems, whether or not they contain or are used to access patient health information. This is because the integrity of the medical center network, much of which stores, updates, and distributes "protected health information," depends on the integrity of every computer attached to it. Even though you may be doing yeast genomics, the rules apply to you, too.
HIPAA
HIPAA is a federal law that includes sections that call for the securing of patient information and privacy. The acronym stands for "Health Information Portability and Accountability Act." Violation of the law has criminal penalties, including fines and prison terms.
HIPAA applies to all of IGSP. Because IGSP researchers often use "protected health information" (the term used for clinical or medical information that can be associated with individual patients), HIPAA applies to the computing systems within IGSP. This is the case regardless of the specific research interests faculty may have; a yeast researcher in IGSP who has never set eyes on a medical record is bound to keep his or her computer compliant with Duke's policies so that HIPAA compliance is maintained. Of course, the same rules apply to the clinician who is part of IGSP.
For the most part, the security policies are invisible to users, and when they are more obvious, the policies are not onerous. The HIPAA law, and Duke's response to it, have done little more than codify sound and sensible computer security practices.
Much of what you need to know is included in the Secure System Usage Memo (PDF).
What is "Protected Health Information" or "PHI"? PHI is any information that can be associated with an individual. This includes information that might not seem "medical" in nature, such as a date of treatment or a birthdate or even a zip code. PHI includes the following, some of them quite obvious:
- names
- any geocodes that identify an individual household such as street address or Post Office Box number
- telephone numbers
- fax numbers
- email addresses
- Social Security Numbers
- medical record numbers
- health plan beneficiary identifiers
- account numbers
- certificate/license numbers
- vehicle identifiers and serial numbers, including license plate numbers
- medical device identifiers and serial numbers
- web addresses (Universal Resource Locators, URL)
- biometric identifiers, including finger and voice prints
- full face photographic images
In addition, constellations of data that can be used to identify a person also are considered PHI. So, for example, a zip code and a date of birth could together be considered as PHI.
So, what is "de-identified" data? A "de-identified" dataset contains no PHI. It may not contain any element of the list above, and it may not contain any of the following information about the individual, the individual's relatives, employers, or household members:
- geographic subdivisions smaller than a state, e.g. county, city, town, or precinct
- five or nine-digit ZIP codes, with some further restriction listed below
- all elements of dates (except year) directly related to an individual, including birth or death dates or dates of health care services or health care claims
- specified ages of 90 or above
- any other unique identifying number, characteristic or code that could be used by the researcher to identify the individual
The first three digits of ZIP codes are considered de-identified except for ZIPs starting with 036, 059, 063, 102, 203, 556, 692, 790, 821, 823, 830, 831, 878, 879, 884, 890, or 893. For those ZIPs, the first three digits should be replaced with 000.
Although a de-identified dataset cannot contain a birth date, it may contain the individual's age expressed in years, months, days, or hours, except for individuals who are age 90 years or more. For those individuals use age "90 or above."
A reidentification code is allowed for a de-identified dataset, but it cannot be derived from any identifier that is prohibited, so "encrypted identifiers" are not allowed.
(This information provided by Lawrence Muhlbaier, DCRI.)
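The de-identification rules above, applied to a single record, as an added example (not IGSP or Duke code). The field names, the allow-list and the sample record are assumptions constructed for illustration; the re-identification code is random rather than derived from the medical record number.

```python
import secrets
from datetime import date

# ZIP3 prefixes the page lists as exceptions; they are replaced with 000.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Allow-list (hypothetical field names): anything not named here is dropped,
# so a new identifier column cannot leak through by default.
SAFE_FIELDS = {"sex", "diagnosis_code"}


def zip3(zip_code):
    """First three ZIP digits, or 000 for restricted or malformed values."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    prefix = digits[:3]
    return "000" if len(prefix) < 3 or prefix in RESTRICTED_ZIP3 else prefix


def age_bucket(birth, as_of):
    """Age in whole years; 90 and over collapses to one bucket."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    years = as_of.year - birth.year - (0 if had_birthday else 1)
    return "90 or above" if years >= 90 else years


def reid_code(mrn, reid_map):
    """Random code, not derived from the MRN; reid_map stays with the custodian."""
    if mrn not in reid_map:
        reid_map[mrn] = secrets.token_hex(8)
    return reid_map[mrn]


def deidentify(record, as_of, reid_map):
    out = {"reid": reid_code(record["mrn"], reid_map),
           "zip3": zip3(record.get("zip", "")),
           "age": age_bucket(record["birth_date"], as_of)}
    for key, value in record.items():
        if isinstance(value, date) and key != "birth_date":
            out[key + "_year"] = value.year  # dates keep the year only
        elif key in SAFE_FIELDS:
            out[key] = value
    return out


# Constructed sample record, not real patient data.
SAMPLE = {"name": "Pat Example", "mrn": "MRN-0001", "zip": "03601-1234",
          "birth_date": date(1930, 3, 15), "visit_date": date(2023, 11, 2),
          "email": "pat@example.org", "diagnosis_code": "E11.9"}
```

Calling deidentify(SAMPLE, date(2024, 6, 1), {}) returns only the reid, zip3, age, visit_date_year and diagnosis_code fields; the mapping passed as reid_map is the only link back to the patient and must be stored apart from the released dataset.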



