Clinical Research Data Storage Policy
Policy Number: IT-5
Effective Date: April 2013
Responsible Officer: Vice Dean for Research - College of Medicine, Chief Information Officer - College of Medicine
To enable data collected by applicable members of Drexel University College of Medicine involving protected health information (PHI) or other sensitive information to be maintained in a secure manner.
This policy applies to research using PHI or other sensitive information stored and collected by Drexel University College of Medicine students, employed faculty, staff, and authorized guests (hereafter referred to collectively as “User(s)”).
This Policy applies to all Users performing research activities with sensitive information as defined in this policy.
Sensitive Information: Sensitive Information is defined as PHI, credit card numbers, financial account numbers, dates, and other individually identifiable information protected by HIPAA, FERPA, the Gramm-Leach-Bliley Act, the Pennsylvania Breach of Personal Information Notification Act, and other laws and regulations.
PHI Data Elements:
- Geographic subdivisions smaller than state (e.g., street, zip codes, etc.)
- All dates, including all ages over 89 (ages over 89 recorded as category "Age >89," not 90, 91, 92, etc.)
- Telephone numbers
- Fax numbers
- Email addresses
- IP address
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers (financial account number, credit card number, bank numbers)
- Vehicle ID
- Device ID and serial numbers (including implant device numbers)
- License or certification numbers
- Finger and voice prints
- Other unique identifiers (e.g., clinical trial number)
REDCap: Research Electronic Data Capture (REDCap) is a secure, HIPAA-compliant, web-based system for research databases and surveys.
- Users must use technical solutions approved by DUCOM’s Information Technology department for collecting data for research studies involving sensitive information as defined under Section IV. Principal Investigators shall be responsible for ensuring that the data are collected and stored according to these approved technical solutions.
- Personal computers, mobile devices, media drives, and any other tools used for collecting, storing, and processing sensitive research data must be encrypted and comply with DUCOM policies. COM-IT provides guidance regarding encrypted laptops and USB drives at http://it.drexelmed.edu/LaptopEncryption.aspx.
- Approved technical solutions rely on the HIPAA general standards, which reference the Federal Information Processing Standard (FIPS) 140-2 and the following specific standards from the National Institute of Standards and Technology (NIST):
  - Data in motion (being transmitted, e-mailed): NIST 800-52, 800-77, 800-113
  - Data at rest (data in storage on any device): NIST 800-111
  - Data to be disposed (data requiring destruction): NIST 800-88
- Users must retain their research data in accordance with the Record Management Policy (OGC-6).
Data are to be stored on DUCOM’s encrypted secure storage assets (i.e., REDCap space OR encrypted laptops, encrypted flash drives, encrypted desktops, encrypted back-up drives). All network drives are backed up nightly. Backups are rotated and kept according to the University records retention policy (OGC-6).
Drexel University College of Medicine reserves the right to monitor and identify files on network drives that would violate the Clinical Research Data Storage Policy. Penalties for violating the Clinical Research Data Storage Policy may include restricted access or loss of access to the DUCOM Network or systems, termination and/or expulsion from DUCOM, and in some cases, civil and/or criminal liability.
Related Policies:
- OGC-6: Records Retention
- IT-2: Acceptable Use