Privacy and Data Security Practices for the Healthy Aging Programs Integrated Database (HAPID)
1. Storing and discarding paper files and electronic data

| Recommended Actions |
| --- |
| Store completed data collection forms in a secure, locked cabinet when not in use. |
| Enter data into a secure, password-protected database, such as HAPID®, as soon as possible. |
| Destroy these documents immediately after entering the information into the designated database. |
| Keep electronic copies of data for at least three years past the last report date associated with the grant. Once the data is entered into the respective national database, NCOA is responsible for maintaining that data for at least three years. |
2. Staff training and non-disclosure agreements

| Recommended Actions | Download |
| --- | --- |
| Centralize data management and limit the number of users accessing HAPID. | |
| Create accountability for securing the safety of your program and participant-level data, and conduct ongoing quality assurance. | |
| Train all staff handling data collection forms or entering program data in privacy and security basics. You do not need to provide additional training for personnel who have already undergone privacy and security training through their agency. Consider using these slides. | Link |
| Require all staff handling data collection forms or entering program data to complete a Non-Disclosure Agreement (NDA). An NDA is an acknowledgement that participant information should not be shared with others and should be safeguarded appropriately. The grantee lead or the designee for data collection must keep NDAs in locked storage, or store electronically scanned copies in a secure, password-protected database, for three years. | Link (English), Link (Spanish) |
3. Complying with HIPAA regulations and managing sensitive data

The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" (PHI) or "personally identifiable information" (PII).

Evidence-based program data may contain sensitive PHI/PII that is protected by the Privacy Act:
- Protected Health Information (PHI) – physical/mental health condition
- Personally Identifiable Information (PII) – name, ZIP code
| Recommended Actions |
| --- |
| Consult your IT department about security protocols. |
| Use a secure database, like HAPID, to store information. |
| When sharing data with any other partner, follow the guidelines in Section 4 below. |
| Communicate staff changes to NCOA immediately so that database accounts can be deactivated. |
| Securely discard forms (e.g. by shredding) once the data is entered into a secure database. |
4. Sharing participant-level data between vendors, data users, and NCOA

| Recommended Actions | Details |
| --- | --- |
| Share data in aggregate form whenever possible. | This does not require a data use agreement. |
| De-identify data if it is used in non-summarized form. | Remove any individual identifiers, including ZIP code, phone numbers, names, birthday/ages, and others. Review this list of 18 recognized identifiers. |
| Set up a Data Use Agreement. | |
| Use tools to ensure the safe transmission of data. | |
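The two sharing options above (aggregate form, or de-identified record-level form) can be enforced mechanically before a file leaves your organization. The following is an added example written for this page, not NCOA's or HAPID's own code: it takes a constructed export of participant records, strips the direct identifiers the page names (name, ZIP code, phone, birthday/age) plus the record key, produces per-program aggregate counts, and runs a final check that no identifier field survived. The field names and sample records are assumptions for illustration, not the HAPID schema.

```python
"""De-identification and aggregation helpers for a participant-level export.

Added example, not NCOA/HAPID code. Field names and sample data are
constructed; adapt DIRECT_IDENTIFIERS to your own export and to the
full list of 18 recognized identifiers referenced on the page.
"""
from typing import Dict, List, Set

# Constructed sample export (not real participants).
PARTICIPANTS: List[Dict] = [
    {"participant_id": 101, "name": "Ada Example", "zip": "20001",
     "phone": "202-555-0101", "birth_date": "1946-03-02", "age": 78,
     "program": "Tai Chi for Arthritis", "completed": True},
    {"participant_id": 102, "name": "Ben Example", "zip": "20002",
     "phone": "202-555-0102", "birth_date": "1950-11-17", "age": 73,
     "program": "Tai Chi for Arthritis", "completed": False},
    {"participant_id": 103, "name": "Cy Example", "zip": "20003",
     "phone": "202-555-0103", "birth_date": "1939-07-30", "age": 84,
     "program": "A Matter of Balance", "completed": True},
]

# Identifiers named in Section 4 above, plus the record key (a unique
# identifying number is itself an identifier). Assumed field names.
DIRECT_IDENTIFIERS: Set[str] = {
    "participant_id", "name", "zip", "phone", "birth_date", "age",
}


def deidentify(records: List[Dict]) -> List[Dict]:
    """Return copies of the records with every direct identifier removed.

    The input is not mutated, so the full export can still be kept in the
    secure database while only the stripped copy is shared.
    """
    return [
        {field: value for field, value in record.items()
         if field not in DIRECT_IDENTIFIERS}
        for record in records
    ]


def aggregate(records: List[Dict]) -> Dict[str, Dict[str, int]]:
    """Summarize enrollment and completion counts per program.

    Aggregate output contains no individual rows, which is the sharing
    form the page recommends whenever possible.
    """
    summary: Dict[str, Dict[str, int]] = {}
    for record in records:
        counts = summary.setdefault(record["program"],
                                    {"enrolled": 0, "completed": 0})
        counts["enrolled"] += 1
        if record.get("completed"):
            counts["completed"] += 1
    return summary


def identifiers_present(records: List[Dict]) -> Set[str]:
    """Pre-share check: return the identifier fields still found in any record.

    An empty set means the file is clear of the listed identifiers; a
    non-empty set names exactly which fields still need to be removed.
    """
    found: Set[str] = set()
    for record in records:
        found |= DIRECT_IDENTIFIERS & set(record)
    return found


if __name__ == "__main__":
    shared = deidentify(PARTICIPANTS)
    assert not identifiers_present(shared), identifiers_present(shared)
    print("Aggregate:", aggregate(PARTICIPANTS))
    print("De-identified rows:", shared)
```

Run the check on the exact file you are about to send, not on the database view it was exported from: a column added to the export later (for example a second phone field) shows up in `identifiers_present` only if it is also added to `DIRECT_IDENTIFIERS`, so keep that set aligned with the full list of recognized identifiers.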
NCOA encrypts files exchanged with external users in several ways:

| Tool | Details |
| --- | --- |
| MOVEit from Ipswitch | When receiving or sending data files with participant-level data, we use MOVEit from Ipswitch for any file exchange between services, systems and organizations. Users are added as temporary users and can email encrypted files to NCOA and vice versa. MOVEit encrypts files using secure file transfer protocols, with automation, analytics and failover options. It is a HIPAA-compliant system used widely by other healthcare organizations. |
| Via OneDrive or SharePoint | The receiver is required to sign in with a Microsoft account to access the file. Office 365 is compliant with several security certifications. This information can be found on the Office 365 Security site. |
| Via direct encrypted emails to other users | We type the word "encrypt" in the Subject line of the email message. The receivers will be required to sign in using a Microsoft account and password before they can read the email. |
| BitLocker | NCOA laptops use BitLocker to encrypt their hard drives. Additional encryption software may be required based on contract requirements. |
5. What is Salesforce's data security model?

HAPID is hosted on the Salesforce.com platform. Therefore, it is automatically covered by the security guarantees that Salesforce provides across its entire platform. The additional methods listed above ensure that our legitimate users only see their own organization's data.
- Salesforce is fully HIPAA compliant.
- Non-NCOA users are restricted from accessing data by:
  - Global limits on their user license types;
  - Record sharing policies set by NCOA;
  - Record type restrictions; and
  - Field-level security.
- To provide a security model that satisfies numerous, unique, real-world business cases, Salesforce provides a comprehensive and flexible data security model to secure data at different levels. NCOA strictly follows all of these data security models.