140 likes | 154 Views
This academic research paper explores the challenges of integrating HIPAA regulations into the academic and medical research cultures. It discusses the unique needs and conflicts faced by academic and medical researchers and provides a strategic positioning for implementing HIPAA regulations in research systems.
E N D
Academic Research Systems and HIPAA Bridging Academic and Medical Cultures William K. Barnett Anurag Shankar
Agenda • IU, IU Bloomington, and IU School of Medicine • Academic and Medical Research Cultures • IU Organization for Information Assurance • Strategic Positioning and Execution Customize footer: View menu/Header and Footer
50 Customize footer: View menu/Header and Footer
Research Need Conflicts @ IU • Academic Researcher Needs • Control Sensitive • Schedule Insensitive • Security Insensitive • No Subject Privacy Concerns • Expert Users • Budget Sensitive • Medical School Researcher Needs • Control Sensitive (but different) • Schedule Sensitive • Security Sensitive • Subject Privacy Concerns • Inexpert Users • Budget Insensitive Customize footer: View menu/Header and Footer
Research Need Synergies @ IU Academic Researcher Needs Medical School Researcher Needs • Rapidly Growing Data • Increasing use of Computational Approaches • Security Threat Increases • Growth of Online Tools • Local to National Collaborations Customize footer: View menu/Header and Footer
Unique IT Organization at IU • University Information Technology Service (UITS) provides services for all 8 IU campuses • Information Assurance is managed by UITS, reports to Board of Trustees • Center for Applied Cybersecurity Research (CACR) a leader in privacy policy research • Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) leadership at IU • Office of Research Administration NOW covers both IU Bloomington and IU Medical School campuses – IRB and Compliance Customize footer: View menu/Header and Footer
UITS at IU Office of the VP of IT and CIO at Indiana University • Research Technologies (RT) • Learning Technologies • Support • Enterprise Software • Enterprise Infrastructure • Networks • School of Medicine CIO Customize footer: View menu/Header and Footer
Research Technologies (RT) at IU • High Performance Systems • Big Red (30.7 TeraFLOPS) • Quarry (7 TeraFLOPS) • Research File System with 500 TB • Mass Store archive with 4 PB (4,000 TB) • High Speed Parallel Storage with 1 PB • Advanced Visualization Laboratories • High Performance Applications and Grids • Life Sciences, including IUSM Advanced IT Core Customize footer: View menu/Header and Footer
What are the HIPAA Rules? Privacy Rule • Policies and standards for protected health information (PHI) • For ‘covered entities’ (those who manage PHI) Security Rule • Security of PHI in electronic form (ePHI) Transactional Rule • Electronic billing and electronic claims Customize footer: View menu/Header and Footer
What is the HIPAA Security Rule? It Does • Deal with electronic protected health information (ePHI) • In databases, files, compute systems, in transit • Represent a real legal and trust threat It is NOT • A standard (but NIST 800-53 is) • It cannot be complied with • It is not certifiable It IS • Auditable by CMS (Health and Human Svcs) Customize footer: View menu/Header and Footer
Strategic Positioning for HIPAA Establish Information Protection for Privacy and Security (IPPS) oversight Committee and Review Process • Office of Research Administration, Compliance Office • IUSM CIO • IUSM Faculty • IU Information Assurance (Policy and Implementation) • UITS Enterprise Infrastructure • Director of High Performance Systems, Research Technologies Customize footer: View menu/Header and Footer
IPPS Committee Role • Review Progress • Provide Advice • Act as Advocate with Medical Researchers • Provide Signoff on ability to handle ePHI IPPS Committee Goals • Prevent violation of patient privacy • Prevent loss of customer trust Customize footer: View menu/Header and Footer
Implementation Process • Establish RT Implementation Group • Outside Consultant for Gap Analysis • Establish Controls and fill gaps with RT-wide team • Outside Consultant for Risk Analysis (required) • 90% of work was documenting controls • Establish ongoing Risk Management Plan • Change the way RT does business, including biannual review • Education and tools for Medical and Academic Researchers Customize footer: View menu/Header and Footer
Questions? Thank you! • Bill Barnett, Indiana University, barnettw@iu.edu • Anurag Shankar, Indiana University, ashankar@iu.edu Customize footer: View menu/Header and Footer