
You have a major role in keeping your workstation and the IGSP servers safe and secure. Even though some security safeguards can be made "automatic," the choices you make when you read email, use the web, or log in to a server make or break the security of IGSP computer systems.
To help you make safe computing decisions, Duke requires that all users of medical center computing facilities read and understand a Secure System Usage Memo (PDF) that outlines people's responsibilities as they use a computer or the network. During the regular reviews of IGSP computer security, reviewers from other Duke departments or from outside agencies may ask you specific questions about the contents of this memo. Your ability to answer those questions plays a role in whether IGSP computers can be considered safe.
The security rules apply to all IGSP systems, whether or not they contain or are used to access patient health information. This is because the integrity of the medical center network, much of which stores, updates, and distributes "protected health information," depends on the integrity of every computer attached to it. Even though you may be doing yeast genomics, the rules apply to you, too.
HIPAA is a federal law that includes sections that call for the securing of patient information and privacy. The acronym stands for "Health Information Portability and Accountability Act." Violation of the law has criminal penalties, including fines and prison terms.
HIPAA applies to all of IGSP. Because some IGSP researchers use "protected health information" (the term used for clinical or medical information that can be associated with individual patients), HIPAA applies to the computing systems within IGSP. This is the case regardless of the specific research interests faculty may have; a yeast researcher in IGSP who has never set eyes on a medical record is bound to keep his or her computer compliant with Duke's policies so that HIPAA compliance is maintained. Of course, the same rules apply to the clinician who is part of IGSP.
The best circumstance is to avoid using protected health information or sensitive information unless you absolutely need to. Seek to use de-identified or anonymized data. If you have to store protected health information, IGSP IT will create a special place for the data for you. This storage will only be available from the Duke Medicine networks, either by physical connection or by VPN ("Virtual Private Network"). See the section below to learn more about what elements in a dataset make it protected health information.
For the most part, the security policies are invisible to users, and where they are more obvious, they are not onerous. The HIPAA law, and Duke's response to it, have done little more than codify sound and sensible computer security practices.
Much of what you need to know is included in the Secure System Usage Memo (PDF).
What is "Protected Health Information" or "PHI"? PHI is any information that can be associated with an individual. This includes information that might not seem "medical" in nature, such as a date of treatment or a birthdate or even a zip code. PHI includes the following, some of them quite obvious:
In addition, constellations of data that can be used to identify a person also are considered PHI. So, for example, a zip code and a date of birth could together be considered as PHI.
So, what is "de-identified" data? A "de-identified" dataset contains no PHI. It may not contain any element of the list above, and it may not contain any of the following information about the individual, the individual's relatives, employers, or household members:
The first three digits of a ZIP code are considered de-identified and may be retained, except for ZIPs starting with 036, 059, 063, 102, 203, 556, 692, 790, 821, 823, 830, 831, 878, 879, 884, 890, or 893. For those ZIPs, the three digits should be replaced with 000.
Although a de-identified dataset cannot contain a birth date, it may contain the individual's age expressed in years, months, days, or hours, except for individuals who are age 90 years or more. For those individuals use age "90 or above."
A reidentification code is allowed for a de-identified dataset, but it cannot be derived from any identifier that is prohibited, so "encrypted identifiers" are not allowed.
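The three rules above (three-digit ZIP prefixes with the restricted prefixes replaced by 000, ages of 90 or more collapsed to "90 or above", and a re-identification code that is not derived from any prohibited identifier) can be applied mechanically. The following is an added example and is not IGSP code or a Duke-provided tool; the field names, the use of the medical record number ("mrn") as the lookup key for the re-identification mapping, the sample records, and the token length are all assumptions made for illustration.

```python
import re
import secrets

# Three-digit ZIP prefixes that must be replaced with "000", as listed on the page.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Assumed field names for direct identifiers that are dropped entirely.
DIRECT_IDENTIFIERS = {"name", "mrn", "dob", "ssn", "email", "phone", "street"}


def deidentify_zip(zip_code):
    """Return the first three digits of a ZIP code, or "000" for a restricted
    prefix. Anything shorter than a five-digit ZIP is dropped (None) rather
    than passed through, so malformed input never leaks into the output."""
    digits = re.sub(r"\D", "", str(zip_code or ""))
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def deidentify_age(age_years):
    """Ages may be kept in years, but 90 and above collapse to one category."""
    if age_years is None:
        return None
    return "90 or above" if age_years >= 90 else str(age_years)


class Reidentifier:
    """Issues random re-identification codes. The code must not be derivable
    from a prohibited identifier, so hashing or encrypting the MRN is not
    acceptable; a random token, with the mapping kept separately from the
    de-identified dataset, is."""

    def __init__(self):
        self._key_to_code = {}
        self._code_to_key = {}

    def code_for(self, record_key):
        if record_key not in self._key_to_code:
            code = secrets.token_hex(8)  # 16 hex chars; length is an assumption
            self._key_to_code[record_key] = code
            self._code_to_key[code] = record_key
        return self._key_to_code[record_key]


def deidentify_record(record, reid):
    """Apply the rules to one record dict. Direct identifiers are removed,
    ZIP and age are transformed, everything else passes through unchanged."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = deidentify_zip(value)
        elif field == "age":
            out["age"] = deidentify_age(value)
        else:
            out[field] = value
    out["reid_code"] = reid.code_for(record["mrn"])
    return out


# Constructed sample records (not real patients).
SAMPLE_RECORDS = [
    {"mrn": "000123", "name": "A. Example", "dob": "1931-04-02", "age": 93,
     "zip": "27710", "diagnosis": "example-dx-1"},
    {"mrn": "000456", "name": "B. Example", "dob": "1980-11-20", "age": 44,
     "zip": "03601-1234", "diagnosis": "example-dx-2"},
]


def deidentify_all(records):
    reid = Reidentifier()
    return [deidentify_record(r, reid) for r in records]


if __name__ == "__main__":
    for row in deidentify_all(SAMPLE_RECORDS):
        print(row)
```

The `Reidentifier` keeps its mapping in memory only so the example runs stand-alone; in practice that mapping is the sensitive artifact and belongs with the PHI in the restricted storage described above, never alongside the de-identified dataset.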
(This information provided by Lawrence Muhlbaier, DCRI.)
© 2004-2012, Duke Institute for Genome Sciences & Policy.