FDAnews
www.fdanews.com/articles/77823-firms-must-take-steps-to-ensure-electronic-records-privacy

Firms Must Take Steps to Ensure Electronic Records Privacy

January 4, 2006

Research organizations may think their data is secure, but if even one employee is burning CDs or printing information and taking it home, then there is a problem, an expert warns.

The Health Insurance Portability and Accountability Act (HIPAA) changed the way institutions keep records, and has complicated the electronic data issue, said Shane Baldwin, a regulatory services specialist at Duke Clinical Research Institute.

HIPAA privacy rules apply to protected health information (PHI), which includes written, electronic and oral information that is individually identifiable. Researchers can’t even add initials to a record without the patient’s authorization that he or she is waiving their right to privacy, Baldwin told a recent FDAnews conference.

Electronic data capture (EDC) packages are so new that many think they can ignore standard operating procedures or policies and rely on the packages. This is not the case, Baldwin said. Three areas of safeguards should be put into your electronic systems to protect PHI:

Administrative safeguards include contingency plans such as emergency and disaster recovery plans. Entities will need to define what a disaster is. Whenever the building is unusable and data is inaccessible, a contingency plan needs to be enacted. Administrative employees can be identified as contact points in case of emergencies. These designated people would get backups, supervise walk-through drills and serve as back up for the security officer.

Physical safeguards include facility access controls and workstation use and security as well as device and media controls. For example, a policy for disposal of CDs or old floppy disks should be included in a company’s procedures.

Technical safeguards include access and audit controls and data integrity. — Tamra Sami