Protecting Personal Health Information in Research

In Australia, data derived from individuals is protected by various laws to avoid the release of personal sensitive information to unauthorised parties. This covers situations within the health sector when personal health information from a patient is collected, as well as situations when data derived from an individual is used in research.

For the latter, a number of codes, policies and best practices also exist to ensure that the privacy of individuals who are involved in research projects is retained, whilst encouraging data to be shared for research purposes when appropriate and possible.

Additionally, a number of IT security frameworks exist that can be deployed in systems that are used to store and process personal health information.

These laws, codes of best practice and IT security requirements are outlined in depth in our Discussion Paper: “Legal, Best Practice and Security Frameworks for consideration in operation of the Australian National Medical Research Data Storage Facility”.

Legislation

Data derived from individuals is protected by various laws to avoid the release of personal sensitive information to unauthorised parties.

These laws cover situations both within the health sector (i.e. when personal health information from a patient is collected for the purposes of providing care), as well as situations when data derived from an individual is used in research.

| Legislation | Jurisdiction | Notes |
|---|---|---|
| Commonwealth Privacy Act (1988) | Australia (Commonwealth) | Applies to the collection, use, storage, disclosure of and access to any personal information in Australia. The Privacy Act permits the handling of health information for health and medical research purposes through two sets of legally binding guidelines, issued by the NHMRC (see the S95 and S95A guidelines below). |
| Privacy Act S95 guidelines (2014) | Australia (Commonwealth) | The Australian framework in which medical research (that involves personal information obtained by Commonwealth agencies) should be conducted to ensure that such information is protected against unauthorised collection or disclosure. |
| Privacy Act S95A Guidelines (2014) | Australia (Commonwealth) | The Australian framework to ensure privacy protection of health information that is collected or used in research. |
| State and territory privacy regulations | Each Australian State or Territory | A summary of privacy regulations in each Australian State or Territory, compiled by the Australian Law Reform Commission. Refers to the Information Protection Principles and/or Health Privacy Principles defined in each Australian State and Territory, and explains situations where health-related data may be used for research purposes. |
| Directive 95/46/EC of the European Parliament and of the Council (Data Protection Directive) | EU | Not legally binding in Australia and included here for information purposes only. Provides protections for personal data (which includes health information), yet is balanced so that it can permit the use of health information for research purposes. |
| US Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule | USA | Not legally binding in Australia and included here for information purposes only. Provides protections for individually identifiable health information, yet is balanced so that it permits the disclosure of health information needed for research purposes. |
| US Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule | USA | Not legally binding in Australia and included here for information purposes only. Specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information. |
| US Federal Genetic Information Nondiscrimination Act (GINA) | USA | Not legally binding in Australia and included here for information purposes only. Designed to prohibit the use of genetic information to discriminate in health insurance and employment. Additional guidance on the use of human genetic material in research is provided by the US Department of Health and Human Services (HHS). |

Codes, Statements and Policies

A number of codes, policies and best practices exist to ensure that the privacy of individuals who are involved in research projects is retained, whilst encouraging data to be shared for research purposes when appropriate and possible.

These outline the roles and responsibilities of both individual researchers and research institutions when undertaking research on human participants.

| Document | Jurisdiction | Notes |
|---|---|---|
| National Statement on Ethical Conduct in Human Research 2007 (updated May 2015) | Australia | Consists of a series of guidelines made in accordance with the National Health and Medical Research Council Act 1992 and is intended for use by researchers conducting research with human participants; members of ethical review bodies reviewing that research; those involved in research governance; and participants in research. Chapter 3 contains several focus areas that are particularly pertinent to med.data.edu.au, including Data Banks and Human Genetics. |
| NHMRC Statement on Data Sharing | Australia | The NHMRC encourages data sharing and providing access to data and other research outputs (metadata, analysis code, study protocols, study materials and other collected data) arising from NHMRC-supported research. The statement is a general guide for researchers to consider data and metadata management when planning and conducting research. |
| NHMRC Open Access Policy | Australia | The NHMRC Open Access Policy is intended to maximise the benefits of publicly funded research by requiring that any publication arising from NHMRC-supported research be made freely available through an institutional repository within 12 months of publication. |
| NHMRC Principles for accessing and using publicly funded data for health research | Australia | The NHMRC Principles for Accessing and Using Publicly Funded Data for Health Research provide information and guidance for researchers and organisations when researchers seek permission from organisations to access and use data for their research. They have been developed by the NHMRC on the advice of researchers, consumer representatives and organisations that hold data. They represent a common view about sharing the data, and the roles and responsibilities of all parties. |
| NHMRC Funding Agreement (Oct 2015) | Australia | The NHMRC Funding Agreement between the Commonwealth of Australia and an NHMRC grant Administering Institution explicitly refers to the dissemination of related data via deposition in an appropriate publicly accessible subject and/or institutional data repository. |
| Australian Code for the Responsible Conduct of Research (2007) | Australia | “The Code” guides institutions and researchers in responsible research practices and promotes research integrity. It assists institutions in developing their own employee codes of conduct and procedures for the investigation of allegations of research misconduct by providing a comprehensive framework of acceptable academic standards. |
| NIH Human Genomics Sharing Policy | USA | This Policy applies to all NIH-funded research that generates large-scale human or non-human genomic data (including genome-wide association studies (GWAS), single nucleotide polymorphism (SNP) arrays, genome sequence, transcriptomic, metagenomic, epigenomic, and gene expression data). Human-derived genomic data should be submitted with relevant associated data (e.g. phenotype and exposure data) to an NIH-designated data repository. Human-derived genomic data is also expected to be de-identified according to the standards set forth in the HHS Regulations for the Protection of Human Subjects to ensure that the identities of research subjects cannot be readily ascertained. Investigators should also strip the data of identifiers according to the HIPAA Privacy Rule (see Legislation above). The de-identified data should be assigned random, unique codes by the investigator, and the key to other study identifiers held by the submitting institution. |
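The de-identification procedure in the NIH row above (strip direct identifiers, assign random unique study codes, keep the code-to-identity key with the submitting institution) can be made concrete with a small script. The following is an added example, not code from this page, the NIH or the NHMRC: the identifier field list is an assumption for illustration only (loosely modelled on HIPAA Safe Harbor categories, not the authoritative list), and the sample records are constructed.

```python
"""De-identifying a research dataset with a coded key held separately.

Added example: follows the NIH Genomic Data Sharing procedure described in
the table above. Direct identifiers are stripped from each record, a random
unique study code is assigned, and the code-to-identity key is produced as a
separate object for the submitting institution to hold. DIRECT_IDENTIFIERS
is an assumed list for illustration; the records are constructed.
"""
import secrets
from typing import Dict, Iterable, List, Set

# Fields treated as direct identifiers; assumed list for illustration only.
DIRECT_IDENTIFIERS: Set[str] = {
    "name", "address", "phone", "email", "medicare_no", "date_of_birth", "mrn",
}

# Constructed sample records; the people and values are fictional.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"mrn": "H-10001", "name": "Jane Citizen", "date_of_birth": "1980-03-14",
     "email": "jane@example.invalid", "postcode": "3000", "sex": "F",
     "diagnosis": "T2DM", "hba1c": 7.9},
    {"mrn": "H-10002", "name": "John Citizen", "date_of_birth": "1975-11-02",
     "phone": "0400 000 000", "postcode": "2000", "sex": "M",
     "diagnosis": "T2DM", "hba1c": 6.4},
    {"mrn": "H-10003", "name": "Alex Nguyen", "date_of_birth": "1991-07-21",
     "address": "1 Example St", "postcode": "4000", "sex": "X",
     "diagnosis": "control", "hba1c": 5.2},
]


def new_study_code(already_issued: Iterable[str], nbytes: int = 8) -> str:
    """Return a random code not already in use; the code carries no meaning."""
    issued = set(already_issued)
    while True:
        code = secrets.token_hex(nbytes)  # 16 hex characters from a CSPRNG
        if code not in issued:
            return code


def deidentify(records, identifiers: Set[str] = DIRECT_IDENTIFIERS):
    """Split records into (shareable dataset, key).

    The shareable dataset keeps only non-identifying fields plus a study code.
    The key maps each study code back to the removed identifiers and is meant
    to stay with the submitting institution, never with the shared data.
    """
    shared: List[Dict[str, object]] = []
    key: Dict[str, Dict[str, object]] = {}
    for rec in records:
        code = new_study_code(key.keys())
        key[code] = {k: v for k, v in rec.items() if k in identifiers}
        clean = {k: v for k, v in rec.items() if k not in identifiers}
        clean["study_code"] = code
        shared.append(clean)
    return shared, key


def leaked_identifiers(dataset, identifiers: Set[str] = DIRECT_IDENTIFIERS) -> Set[str]:
    """Pre-release check: names of any identifier fields still present."""
    return {k for rec in dataset for k in rec if k in identifiers}


def reidentify(shared_record, key):
    """Rejoin one shared record with its identifiers; only the key holder can do this."""
    ident = key[shared_record["study_code"]]
    data = {k: v for k, v in shared_record.items() if k != "study_code"}
    return {**ident, **data}


if __name__ == "__main__":
    shared, key = deidentify(SAMPLE_RECORDS)
    print("shareable dataset:", shared)
    print("identifier fields still present:", leaked_identifiers(shared) or "none")
```

The check in `leaked_identifiers` is the release gate: the shared dataset should be rejected if it returns anything. Field-level stripping is only the first step; quasi-identifiers such as postcode still need a separate disclosure-risk assessment before release.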

IT Security Requirements

The following two documents together set out the security requirements of an IT system that is intended to handle personal health information (including for research purposes) in Australia:

The 2015 Australian Guidelines for the Protection of Health Information (published by the Health Informatics Society of Australia) provide extensive advice on establishing best working practice for protecting health information. This includes 8 technology and security services that need to be in place for anyone who needs to protect personal health information (see Appendix A of the Guidelines document and the table below).

The Australian Government’s Information Security Manual (ISM) (published by the Australian Signals Directorate) provides an extensive list of explicit IT controls that are required by Australian Government agencies for the storage and use of sensitive or protected information. Whilst it is only Australian Government agencies that are required to adopt the ASD controls outlined in the ISM, the controls also provide a useful framework for non-government organisations to consider when protecting data that ranges across various levels of sensitivity.

Please contact us if you would like to discuss how our infrastructure adheres to these security controls.

| Privacy and Security Technology Service | Description |
|---|---|
| User Identity Management | User Identity Management (IdM) describes the IT service components required to accurately identify users of a system. Included are tasks such as registering users; assigning roles that define their access privileges; and managing changes in user status (i.e. creation, deletion and modification of user identity data). |
| User Authentication | User authentication is the process of determining whether someone is, in fact, who they declare they are. In IT systems, authentication is a process in which the credentials provided by someone wanting to access a system are compared with those held on file for authorised users. If the credentials match, the user is granted access. |
| Access Control | Access control provides methodologies to ensure access to information is controlled in order to preserve the confidentiality and integrity of information. Three models may be followed: role-based access control, where access to information is based on professional role; group-based access control, where access is based on membership of a working group; and discretionary access control, where a user with legitimate access to information can grant access to other users who have no previously established relationship to the information. |
| Anonymisation | Anonymisation is a process that removes all personal identifiers from information/data that represents an identifiable individual. One of the main purposes for anonymising personally related information (e.g. health or financial records) is to make this information accessible for secondary uses (such as research) without infringing upon an individual’s privacy. |
| Encryption | Encryption is a method to render digital data unreadable by anyone other than authorised users. It provides a layer of security by making the data unreadable to anyone who is not authorised to view it. Data can be encrypted ‘in transit’ (i.e. when being transferred across a network or the internet between devices) or ‘at rest’ (i.e. when it is stored and not being used, whether on a physical or virtual device). |
| Digital Signatures | With a digital signature, health care professionals may sign a document (e.g. an electronic health record) in much the same way as they would sign a traditional paper-based record, with the assurance that the signature cannot be forged and that neither the document nor the signature can be altered without rendering the signature invalid. |
| Secure Audit | A secure audit service records significant privacy- and security-related events in an event log. Its component services are event logging and log analysis, e.g. establishing when records were accessed and by whom. |
| General IT Security | Examples include scanning for viruses, backups, software patching and the destruction of information in a secure manner. |
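The Access Control and Secure Audit rows above describe three access-control models and an event log of security-relevant events. The following added example (not code from the page or from the Guidelines it cites) implements all three models as one policy check and records every decision in a hash-chained audit log, so that a later edit to a logged event is detectable. All users, roles, groups, resources and actions are constructed for illustration.

```python
"""Access control models and a tamper-evident audit log.

Added example, not the Guidelines' own code. check_access() evaluates the
three models named in the table (role-based, group-based, discretionary) in
turn; AuditLog keeps a hash chain over its entries so that verify() fails
if any recorded event is altered. All identities and resources are made up.
"""
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class User:
    user_id: str
    roles: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)


@dataclass
class Resource:
    resource_id: str
    owner: str
    roles_allowed: Dict[str, Set[str]] = field(default_factory=dict)   # action -> roles (RBAC)
    groups_allowed: Dict[str, Set[str]] = field(default_factory=dict)  # action -> groups
    grants: Dict[str, Set[str]] = field(default_factory=dict)          # user_id -> actions (DAC)

    def grant(self, granter: User, grantee_id: str, action: str) -> None:
        """Discretionary delegation: only the resource owner may grant access."""
        if granter.user_id != self.owner:
            raise PermissionError(f"{granter.user_id} is not the owner of {self.resource_id}")
        self.grants.setdefault(grantee_id, set()).add(action)


def check_access(user: User, res: Resource, action: str) -> Tuple[bool, str]:
    """Evaluate the three models in turn; return (decision, model that decided)."""
    if user.roles & res.roles_allowed.get(action, set()):
        return True, "role-based"
    if user.groups & res.groups_allowed.get(action, set()):
        return True, "group-based"
    if action in res.grants.get(user.user_id, set()):
        return True, "discretionary"
    return False, "no matching rule"


class AuditLog:
    """Append-only event log; each entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "ts": time.time(), "prev": prev, **event}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry is unmodified and the chain is unbroken."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def access_with_audit(log: AuditLog, user: User, res: Resource, action: str) -> bool:
    """Make the decision and log it (allowed or not) before returning."""
    allowed, basis = check_access(user, res, action)
    log.record({"user": user.user_id, "resource": res.resource_id,
                "action": action, "allowed": allowed, "basis": basis})
    return allowed


def demo() -> Tuple[List[bool], bool, bool]:
    """Constructed scenario; returns (decisions, log valid before edit, log valid after)."""
    log = AuditLog()
    clinician = User("dr_lee", roles={"clinician"})
    researcher = User("a_patel", groups={"study-42"})
    collaborator = User("b_chen")
    outsider = User("x_unknown")
    record = Resource("ehr/0001", owner="dr_lee",
                      roles_allowed={"read": {"clinician"}, "write": {"clinician"}})
    dataset = Resource("study-42/cohort.csv", owner="a_patel",
                       groups_allowed={"read": {"study-42"}})
    dataset.grant(researcher, "b_chen", "read")  # owner delegates read access (DAC)
    decisions = [
        access_with_audit(log, clinician, record, "read"),      # role-based
        access_with_audit(log, researcher, dataset, "read"),    # group-based
        access_with_audit(log, collaborator, dataset, "read"),  # discretionary
        access_with_audit(log, outsider, record, "read"),       # denied
    ]
    valid_before = log.verify()
    log.entries[3]["allowed"] = True  # an after-the-fact edit of a denied event
    return decisions, valid_before, log.verify()


if __name__ == "__main__":
    print(demo())
```

Denied attempts are logged as deliberately as successful ones, since the "when and by whom" question in the table applies to both. The hash chain only makes edits detectable; for it to be useful the latest hash should be periodically copied somewhere the log's administrators cannot alter.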
A number of other international security standards that are relevant to the collection, use, storage and disclosure of health and medical data, including data used for research, are:

| Security Standard | Jurisdiction | Notes |
|---|---|---|
| HIPAA Security Rule | USA | For health information from citizens of the USA, the US Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) Public Law 104-191 Security Rule applies. This rule specifies a series of administrative, physical, and technical safeguards to assure the confidentiality, integrity, and availability of electronic protected health information. The US National Institute of Standards and Technology (NIST) provides a HIPAA Security Toolkit Application, a self-assessment survey intended to help organisations better understand the requirements of the HIPAA Security Rule (HSR), implement those requirements, and assess those implementations in their operational environment. |
| NIH Security Best Practices for Controlled-Access Data | USA | The NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy provides clear and in-depth security guidelines for local and cloud computing infrastructure that is intended for storage and computation of these data in the US. |