Security Requirements
Required Practices for Safeguarding Access to Confidential Data
The Department of Health Care Access and Information (HCAI) has additional requirements to the CPHS requirements. These requirements apply to all researchers, their contractors, and subcontractors.
If the researcher demonstrates that he or she is unable to comply with any of the requirements below, the researcher may request an exception from these requirements. An exception will only be granted if the researcher can demonstrate that adequate alternative measures have been taken to minimize risks to justify the exception.
General Safeguards
- The researcher must provide a plan sufficient to protect personal information from improper use and disclosures, including sufficient administrative, physical, and technical safeguards to protect personal information from reasonable anticipated threats to the security or confidentiality of the information.
- The researcher must provide sufficient written assurances that the personal information will not be reused or disclosed to any other person or entity, or used in any manner, not approved in the research protocol, except as required by law or for authorized oversight of the research project.
- The researcher must provide a sufficient plan to destroy or return all personal information as soon as it is no longer needed for the research project, unless the researcher has demonstrated an ongoing need for the personal information for the research project and has provided a long-term plan sufficient to protect the confidentiality of that information.
- Researchers must state whether data/samples will be destroyed or returned as soon as it is no longer needed for the research.
- Researchers must provide proof of destruction to HCAI certifying data has been destroyed or returned.
Administrative Safeguards
- All research staff with access to data shall have training on Privacy and Data Security. Research teams shall hold any confidentiality statements related to general use, security, and privacy for the full term of the research project.
- Researchers should have proper vetting either through reference checks or background checks for any person who has access to data.
- Researchers should ensure that data will not be provided to any unauthorized person or reused for any other purposes other than what is originally approved.
- Researchers shall take appropriate precautions to ensure that data cannot be used to personally identify individuals.
- Researchers must request an alternative to SSN for unique identifiers.
- All data requested shall only be the minimum data needed to complete the study.
- Access to the data will be limited to those performing the research.
- HCAI requires that no cell (and no statistic based on a cell of) 11 or less may be used reporting aggregate data.
Physical Safeguards
- Researchers should describe how faxes with HCAI data are secured in secure or non-secure areas.
- Researchers must describe how facilities which store data in paper or electronic form, have controlled access procedures, and 24-hour guard or monitored alarm.
- Researchers should indicate whether identifiers will be stored separately from analysis data.
Technical Safeguards
- Researchers must describe how all computers that contain data will have full disc encryption that uses FIPS 140-2 certified products.
- All data on removable media devices (e.g. USB thumb drives, CD/DVD, smartphones, backup tapes) will be encrypted with software which is a FIPS 140-2 certified product.
- Researchers should indicate how all workstations, laptops and other systems that process and/or store data have security patches applied in a reasonable time frame (include the frequency).
- Researchers must explain how all transmissions of electronic data outside the secure internal network (e.g., emails, website access, and file transfer) are encrypted using software which is a FIPS 140-2 certified.
- Researchers must describe how all password controls are in place to protect data stored on workstations, laptops, servers, and removable media and should follow a minimum of 16 characters with at least one capital letter, one small letter, one number and one special character.
- Researchers must provide what security antivirus controls are in place by product name and current version.
- Researchers must describe methods of secure wiping, degaussing, or physical destruction to be used when disposing of electronic data in accordance with NIST Guidelines for Media Sanitization NIST Special Publication 800-88 Revision 1.
- HCAI provided data is not allowed to be published or accessible to the Internet.