Clinical Research Data Storage Policy
Policy Number: IT-6
Effective Date: July 1, 2014
Applicability: This Policy applies to all Users performing research activities with sensitive information as defined in this policy.
Responsible Officer: Chief Privacy Officer and Chief Information Security Officers.
Purpose: To enable data collected by applicable members of Drexel University involving protected health information (PHI) or other sensitive information to be maintained in a secure manner.
This policy applies to research using PHI or other sensitive information stored and collected by Drexel University students, employed faculty, staff, and authorized guests (hereafter referred to collectively as “User(s)”).
Sensitive Information: Sensitive Information is defined as PHI, credit card numbers, financial account numbers, dates, and other individually identifiable information protected by HIPAA, FERPA, Gramm-Leach-Bliley, the Pennsylvania Breach of Personal Information Notification Act, and other laws and regulations.
PHI Data Elements:
- Geographic subdivisions smaller than a state (e.g., street address, ZIP code)
- All dates, and all ages over 89 (record ages over 89 as the single category "Age >89" rather than the exact age 90, 91, 92, etc.)
- Telephone numbers
- Fax numbers
- Email addresses
- IP addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers (financial account number, credit card number, bank numbers)
- Vehicle IDs
- Device ID and serial numbers (including implant device numbers)
- License or certification numbers
- Finger and voice prints
- Other unique identifiers (e.g., clinical trial number)
REDCap: Research Electronic Data Capture (REDCap) is a secure, HIPAA-compliant, web-based system for research databases and surveys.
Information deemed to be Sensitive Information must only be stored using technical solutions provided by the Office of Information Resources and Technology or the Information Technology department of the College of Medicine. Principal Investigators shall be responsible for ensuring that the data are collected and stored according to these approved technical solutions.
Personal computers, mobile devices, media drives, and any other tools used for collecting, storing, and processing sensitive research data must be encrypted and comply with the End-User Device and Information Security Policy (IT-8) and all of its applicable Information Security Requirements. Drexel provides guidance regarding encrypted computers and storage at http://it.drexelmed.edu/LaptopEncryption.aspx.
Users must retain their research data in accordance with the Record Management Policy (OGC-6).
Approved technical solutions follow the HIPAA guidance that encryption be consistent with Federal Information Processing Standard (FIPS) 140-2, together with the specific National Institute of Standards and Technology (NIST) publications for each state of the data:
- Data in motion (being transmitted or e-mailed): NIST SP 800-52, 800-77, 800-113
- Data at rest (data in storage on any device): NIST SP 800-111
- Data to be disposed of (data requiring destruction): NIST SP 800-88
Drexel University reserves the right to monitor and identify files on network drives that would violate the Clinical Research Data Storage Policy. Penalties for violating the Clinical Research Data Storage Policy may include restricted access or loss of access to Drexel networks or systems, termination and/or expulsion from the university, and in some cases civil and/or criminal liability.
Related Policies:
Records Retention Policy (OGC-6)
Acceptable Use Policy (IT-1)
End-User Device and Information Security Policy (IT-8)