UVA School of Medicine Research Computing can assist medical researchers in both understanding what HIPAA compliance requires of their work, and how to implement technical solutions to achieve and verify such compliance.
Review & Assessment
From a compliance perspective, RC offers three levels of review/assessment:
Security Plan - Having a security plan in place is important to your success at UVA School of Medicine. If your lab or department doesn’t have a plan in place Research Computing Information Security will be happy to help you develop such a plan.
Security Review - If you have a security plan in place already we can help you verify that your computing resources are functioning as documented in your security plan. As part of security review, we will do a risk analyst and provide you a list of recommended enhancements.
Risk Assessment - This is the systematic process of evaluating the potential security risks/hazards and any business impact they could present. We analyze the likelyhood of events occurring. As we conduct a risk assessment we look for vulnerabilities and weaknesses that could your system more susceptible to an event. We will provide list of finds and either work with your local support person or other resources to help mitigate the risk.
For implementation, RC offers a number of skills and services:
- PHI and De-identification
- Encryption best practices
- Encryption of files, databases, and systems
PHI & De-Identification
Some research data are “de-identified” in order to remove them from HIPAA security requirements. This is particularly useful when researchers are processing across many hundreds or thousands of patients for trends and statistically meaningful insights that do not rely upon patient-specific data points.
Here are some common examples of PHI research data that may need to be de-identified. De-identification can mean the complete removal of such fields from your dataset, or the complete replacement of these data with meaningless placeholder values.
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
- All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Fax numbers
- Device identifiers and serial numbers
- Email addresses
- Web Universal Resource Locators (URLs)
- Social security numbers
- Internet Protocol (IP) addresses
- Medical record numbers
- Biometric identifiers, including finger and voice prints
- Health plan beneficiary numbers
- Full-face photographs and any comparable images
- Account numbers
- Any other unique identifying number, characteristic, or code, except as permitted as a “re-identifier”
- Certificate/license numbers