Written by Jarrod Irwin
Researchers across disciplines care about the security and privacy of their data–especially those with data containing personally identifiable information, as even limited combinations of certain data points can lead to the identification of a subject. Researchers in the health sciences have an especially strong need to protect it. Patient health data has special legal restrictions on its use and handling.
Here’s a quick look at the most important U.S. law affecting patient health data, as well as some best practices for preserving data privacy when working with laboratory tests and other types of medical research data.
The Health Insurance Portability and Accountability Act (HIPAA) covers any information relating to someone’s health care history or a health condition that could be used to identify that individual. This includes information that researchers are likely to record as metadata for lab tests, such as the person’s date of birth. The U.S. Department of Health and Human Services’ summary of the HIPAA Privacy Rule has more information about HIPAA’s privacy regulations.
HIPAA requires that protected health information be made available on a need-to-know basis, and that people access only the amount of information they need. This is reflected in the policies that universities have created for research that deals with protected health information. Johns Hopkins University includes the following among the restrictions and recommendations in their Data Security Profile:
- Maintain a list of researchers who are authorized to access the data. Researchers who have left the project must be promptly removed from this list and have their access to the data rescinded.
- Wherever possible, do not allow individual research assistants to make copies of the research database or have complete access to the data.
- Encrypt research data anytime it leaves the university’s computer network. This includes sending the data to someone outside the university, storing the data on a personal device, and backing it up to a device like an external hard drive.
- Store your subjects’ protected health information in your raw data files, but store only an anonymous ID assigned for the study in the files used for analysis and visualization. Create a separate table that links the study IDs to the subjects’ protected health information. Because this information is stored in the raw data files, access to these files should be restricted to as few people as possible.
To learn about what HIPAA requires of health researchers at UW-Madison, visit the HIPAA webpage of the Office of Compliance, where you can find UW-Madison’s HIPAA Privacy and Security policies and enroll in a free online HIPAA training.
If you work in a UW-Madison’s Health Care Component, there are designated HIPAA Privacy and Security Coordinators who can answer questions.