Safeguarding program data in the National Chronic Disease Self-Management Education and Falls Prevention Databases is everyone’s responsibility.
Use these recommended practices to ensure the privacy and security of participant and workshop data.
1. Storing and Discarding Paper Files and Electronic Data
- Store completed data collection forms in a secure, locked cabinet when not in use.
- Enter data into a secure, password-protected database, such as the National CDSME and Falls Prevention databases, as soon as possible.
- Destroy these documents immediately after entering the information into the designated database:
  - Program Information Cover Sheet
  - Attendance Log
  - Participant Information Survey (and Post Session Survey for falls prevention programs)
  - Host and Implementation Site Organization Information Form
- Keep electronic copies of data for at least 3 years past the last report date associated with the grant. Once the data is entered into the respective national database, NCOA is responsible for maintaining that data for at least 3 years.
2. Staff Training and Non-Disclosure Agreements
- Centralize data management and limit the number of users accessing the National CDSME & Falls Prevention Databases.
- Create accountability for securing your program and participant-level data, and conduct ongoing quality assurance.
- Train all staff handling data collection forms or entering program data in privacy and security basics. You do not need to provide additional training for personnel who have already undergone privacy and security training through their agency. Consider using these slides.
- Require all staff handling data collection forms or entering program data to complete a Non-Disclosure Agreement (NDA). An NDA is an acknowledgement that participant information should not be shared with others and should be safeguarded appropriately. The grantee lead or the designee for data collection must keep NDAs in locked storage or store electronically scanned copies in a secure, password-protected database for 3 years.
3. Complying with HIPAA Regulations and Managing Sensitive Data
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" (PHI) or "personally identifiable information" (PII).
- Evidence-based program data may contain sensitive PHI/PII data that is protected by the Privacy Act:
  - Personal Health Information (PHI) – physical/mental health condition
  - Personally Identifiable Information (PII) – name, zip code
- Consult your IT department about security protocols.
- Use a secure database to store information, like the National CDSME and Falls Prevention Databases.
- When sharing data with any other partner, follow the guidelines in Section 4 below.
- Notify NCOA of staff changes immediately so that database accounts can be deactivated.
- Securely discard forms (e.g. shredding) once entered into a secure database.
4. Sharing Participant-Level Data between Vendors, Data Users, and NCOA
- Share data in aggregate form whenever possible. This does not require a data use agreement.
- De-identify data if used in non-summarized form: Remove any individual identifiers, including zip code, phone numbers, names, birthday/ages, and others. Review this list of 18 recognized identifiers.
- Set up a Data Use Agreement:
  - A Data Use Agreement (DUA) is a contractual document used for the transfer of data that has been developed by nonprofit, government or private industry, where the data is non-public or is otherwise subject to some restrictions on its use.
  - If you are working with a research/academic institution, an IRB may cover only some aspects of the data sharing and data security requirements. It is advisable that you set up a DUA even when de-identified data is shared with a research partner so that you spell out expectations about how the analyses, findings, and data files will be shared back with your organization once the research is complete, clarify whether you’ll be given an opportunity to review publications or other reports before they are released, and indicate how your organization will be acknowledged in reports. Learn more about working with research institutions.
- Use Tools to Ensure the Safe Transmission of Data:
- Use email encryption software. Explore options with your IT staff, including cost, complexity and compatibility with different systems.
- Use the password protection available for different file types. For example, use Microsoft Word’s "Protect Document" and "Encrypt with Password" features.
- Share files using a Secure File Transfer Protocol (SFTP) server.
- Require users to create strong passwords (e.g. minimum of 8 characters, a mix of letters, case, and numbers) for email and database accounts.
- Be wary of “social engineering”: disguised attacks in the form of emails from hackers who manipulate users into providing personal information or entice them to click on links, which then give the attackers entry into your computer system.
- NCOA encrypts files shared with external users in 2 ways:
  - Via OneDrive or SharePoint: The receiver is required to sign in with a Microsoft account to access the file. Office 365 is compliant with several security certifications. This information can be found on the Office 365 Security site.
  - Through direct encrypted emails to other users. We type the word “encrypt” in the Subject line of the email message. The receivers will be required to sign in using a Microsoft account and password before they can read the email.
- NCOA laptops use BitLocker to encrypt their hard drives. Additional encryption software may be required based on contract requirements.
5. What is Salesforce’s Data Security Model?
The National CDSME Database and National Falls Prevention Database are hosted on the Salesforce.com platform. Therefore, they are automatically covered by the security guarantees that Salesforce provides across its entire platform. The additional methods listed below ensure that our legitimate users only see their own organization’s data.
- Salesforce is fully HIPAA compliant.
- Non-NCOA users are restricted from accessing data by:
  - Global limits on their user license types;
  - Record sharing policies set by NCOA;
  - Record type restrictions; and
  - Field level security.
- To provide a security model that satisfies numerous, unique, real-world business cases, Salesforce provides a comprehensive and flexible data security model to secure data at different levels. All these data security models are strictly followed by NCOA.