Data Security and Confidentiality Guidelines for Clinical Research at Sparrow Health System

Introduction

This document was created to give you guidelines to follow in order to ensure that all confidential health information is protected as you procure, use, transfer, and store the data to complete your project. If you have additional questions after reading this document, a reference list is provided at the end to help you find answers to your questions or you may contact the IRB Office or Privacy Department.

Guidelines for Data Procurement

• Follow all Institutional Review Board (IRB) policies and procedures when requesting data located in Policy and Procedure Manual (PPM)

• Limit your data requests to the minimum necessary. The minimum necessary standard is the minimum necessary to accomplish the intended purpose of the project. For example, do not collect age and date of birth if collecting age only will meet the intended purpose of the project.

De-identify data using one of the two approved methods: the statistical method or the “safe harbor” method. See HIPAA Policy, HP-22, De-identified Information and Department of Health and Human Services De-identification Guidelines for more information.

• Follow the correct path to data procurement – direct all inquiries for data to Sparrow’s Data Analytics Department. You can complete the general report request and email the completed form to Sparrow’s IT HelpDesk at [email protected]. Your request will then be forwarded to the Data Analytics Department. (Note: Case studies are excluded from this requirement.)

• Use of Protected Health Information Preparatory to Research - an investigator may review protected health information solely to prepare a research protocol, or for similar purposes preparatory to research. No protected health information may be removed from SHS premises for this purpose.

Guidelines for Data Use

Data should be password protected and encrypted at all times whether in use, transit or storage.

Research should be conducted on a Sparrow asset (computer or other device). However, we also recognize that some of this work will necessarily be completed remotely.

• If you need to work with electronic data on a non-Sparrow asset (computer, laptop, tablet, etc.), the data should be stored and worked on through a sparrow.box.com account rather than to a non- Sparrow device. This reduces the risk of residual copies being left on unprotected devices, such as home computers or laptops.

• If you will be utilizing sparrow.box.com for research, you are required to install and utilize Box Edit. Box Edit is an add-on feature for sparrow.box.com that allows users to create and edit files directly in Box without downloading content to their personal device. It is designed for all files types,

browsers, and platforms. Temporary files that are opened and edited through Box Edit, are deleted from your personal computer device after 24 hours or the next time Box Edit is launched. For installation instructions, please reference SOP IT – ISGOO4b – IRB Addendum Box Edit Installation Instructions which can be found on the IRB website at www.sparrow.org/irb or can be requested from the IRB Administrator.

• If your project requires a key linking a patient identifier (name, MRN, etc.) to a study ID, the key should be stored in a password protected document, separate from the data to reduce the risk of re-identification. In sparrow.box.com the principal investigator (PI) will be granted access to the folder with the patient identifying key. Additional access by other study personnel to the key will need to be requested through the IRB administrator.

• If accessing remotely, the investigator is responsible for ensuring that the remote access meets the same confidentiality and security protections as if the information was accessed from a Sparrow workspace.

Guidelines for Electronic Data Transfer

Electronic research data should only be transferred off of Sparrow property in one of the following ways:

• Via a secure file transfer method after the patient identifiable key has been destroyed. (FTP with encryption for example)

• Via email with appropriate encryption. In no case should data ever be transferred electronically (over the internet) without appropriate encryption. To encrypt an email from a Sparrow email account, use the word “shsencrypt” in the subject line. Do not put PHI in the subject line as it is not part of the email encryption. Refer to HIPAA Policy HP-55 Email Use for more information.

Guidelines for Electronic Data Storage

• If you have access to a confidential directory on a Sparrow file server, store all research data in an encrypted format in that directory. If not, store all electronic data in a Sparrow provided sparrow.box.com account. You may obtain a sparrow.box.com account by contacting IRB Administrator.

• Electronic data should not be stored on any non-Sparrow asset (including personal computers, laptops, tablets, smart phones, and other devices). On a Sparrow issued asset, internet service provider (ISP) or personal network equipment may be used for internet connectivity.

• File storage and sharing websites such as evernote.com, wetransfer, google docs, box.com (excluding sparrow.box.com), or appbox.com are not secure storage methods and should never be used.

• Remote printing is not allowed without prior approval from the IRB office.

Guidelines for Paper Data Storage

• Paper records should be stored in a secure location with access restricted to investigators only.

• The key linking the patient identifiers to the study ID and the data collected should be stored separate from each other to reduce the risk of re-identification.

Guidelines for Project Completion (Data Destruction)

Investigator records must be retained, according to federal law (the “Common Rule” 45 CFR 46.115.7b and 21 CFR 312.62) for a specified period after the date that the study was completed. Any identified investigator records should be destroyed according to the following guidelines.

• Once all retention requirements have been met, electronic copies of data on network servers should be deleted off of systems using a secure deletion utility. Please contact the IRB Administrator when data retention requirements have been met.

• Electronic copies on sparrow.box.com accounts will be destroyed by the IRB office. The IRB office will retain the certificate of documentation destruction of investigator records.

If you have any reason to believe that your data has been inappropriately accessed or breached, call Sparrow’s helpdesk 517.364.4357 to be connected with IT Security or the Privacy Department.

For Questions, please contact:

Sparrow Health System’s IRB Administrator Phone: 517.364.2157 Email: [email protected]

Reference: HIPAA Policy, HP-22, De-identified Information HIPAA Policy, HP-53, Use and Disclosure of Protected Health Information for Purposes of Research HIPAA Policy, HP-55, Email Use “Common Rule” 45 CFR 46 Department of Health and Human Services De-identification Guidelines IT- ISG004 Request for Folder and File Sharing Capabilities Utilizing Sparrow.Box.com

Data Security and Confidentiality Agreement

As a user of Sparrow Health System resources and data, I understand that I am responsible for the security and confidentiality of the data collected for research purposes. I understand that I have the following responsibilities: • I will comply with all Sparrow IRB and Privacy and Security policies for Data Security and Confidentiality • I will comply with Federal and State Regulatory Requirements • I will protect access to my accounts, privileges, and Caregiver passwords. For example, I will not share my passwords or login with others • I am only allowed to access confidential information and protected health information for which I have a legitimate need to access for research and only for research that has been approved by the Sparrow IRB • If I am accessing data remotely, I will follow the information security requirements mandated by Sparrow, which may be modified from time to time consistent with evolving industry standards • I will not download, record or transfer any confidential files or data to any personal device • I am prohibited from divulging, copying, releasing, selling or loaning any confidential data or protected health information that I collect for research purposes • If I observe or have knowledge of unauthorized access or divulgence of confidential information or protected health information, I am obligated to report it immediately to the Sparrow Privacy or Security Department. • I will protect my computing devices. This includes not disabling or altering the anti-virus and/or firewall software. • I will only access the minimum necessary information and I will only access the data for which I have IRB approval for.

By signing this agreement, I am stating that I understand the Data Security and Confidentiality Guidelines for Clinical Research at Sparrow Health System and I understand my responsibilities under these guidelines. A copy of this signed agreement will be kept on file in the Privacy Department at Sparrow and a signed copy will be required prior to IRB review of my project.

______Signature Date and Time

______Printed Name