Data Handling Requirements

Distribution of the Data

Completely de-identified data such as a single aggregate count may be distributed in a non-secure manner. Other approved data requests will be fulfilled via distribution in a secured private location. This will be accomplished by means of creation of restricted folders on the HSC network. Drive mappings will be provided to this area. To facilitate audit controls, folders will be named with last name of the principal investigator and with the HRRC number. Only the BMI Specialist, the PI and designated members of his or her research team will be granted permissions to this folder. Such individuals will be named in the application process and signatory to agreements on proper behavior. Written notification should be provided to the BMI Specialist to revoke such permissions due to staff turnover, etc. or to request that new persons be added. HSC and UH Help Desks will be instructed NOT to handle permissions for this network area.

Note that in addition to privacy of study subjects/patients, that business privacy may be a concern for our partners. For this reason, de-identification of healthcare facilities and/or individual providers will be required unless otherwise approved.

Only minimum data necessary to satisfy approved requests will be released, and it will be de-identified to the maximum extent possible that still meet demonstrated and approved study needs. If approved, data sets may contain protected health information (PHI). MRNs (medical record numbers) will not be provided, but will replaced with randomized study numbers to which the BMI Specialist will retain the key.

Protection from Loss

The following restrictions will apply to the use and storage of the data provided by the CTSC Clinical Research Data Warehouse,

• Files will reside on HSC computer systems, queried only through HSC work stations, and accessed only by software approved for HSC use.
• Downloading of files containing PHI to laptops, external storage devices (floppies, compact discs, zip drives, thumb drives, etc.), or the hard drive or desk tops of institutional computers is strictly prohibited.
• Accessing files from remote computers is strictly prohibited except where an encrypted, institutionally-approved Virtual Private Networking is employed.
• No file containing PHI will be transmitted across the Internet, through the Intranet, or through any form of e-mail at any time.
• All hardcopy reports containing PHI will be stored in locked filing cabinets in locked offices in accordance with standard research policy. No such documents will be transferred off-site. All paper records will be kept only for as long as required by applicable regulations and then disposed of in a secured manner.
• Viewing of records must be done through private work stations in locked rooms. Accessing programs or files through work stations in common use areas such as clinics is prohibited.
• All printing tasks must be sent to local printers in the same room as the work station.
• Creating “short-cuts” to files maintained by the CTSC Data Warehouse is prohibited.
• All other institutional policies must be strictly followed, including prohibitions on sharing passwords or accessing protected files of another person.
• Audits will be done on a regular basis to identify the persons accessing investigator folders and dates/times of access.

Termination Procedures

The principal investigator is responsible for notifying the BMI Specialist when data supplied by the CTSC is no longer needed for the research project. This notification will include the minimum retention period after the completion of a protocol. Any documentation required by the HIPAA Privacy Rule must be retained for 6 years from when it was last in effect.

The next section discusses the actual data available in the Data Warehouse Contents .