Office of Human Research
SOP No.: 902 INFORMATION ACCESS CONTROL
Author: Office of Human Research
Effective Date: October 1, 2007
Supersedes document dated: N/A
Last Reviewed on: N/A
Results of Review: N/A
This SOP pertains to: All personnel participating in FDA-regulated human subject research, to ensure that subject protected information is controlled and that access to such information is limited to authorized research staff for approved purposes only.
Responsibility for executing this SOP: Investigator and Designated Research Personnel
Approved By:
J. Bruce Smith, MD
Associate Vice President for Research
(signature on file at OHR)
Approved By:
Steven E. McKenzie, MD, Ph.D.
Vice President for Research
(signature on file at OHR)
1. INTRODUCTION AND PURPOSE
This standard operating procedure (SOP) describes the steps taken to ensure that subject protected health information (PHI) is controlled and access to such information is limited to authorized research staff for approved purposes only. Adequate password protection is vital to safeguarding PHI and must be limited to research staff who require access to this information. Therefore, each user of PHI will be identified and allowed access to information based on his/her assigned password.
2. SCOPE
This SOP applies to all research staff with access to private health information.
3. APPLICABLE REGULATIONS AND GUIDELINES
45 CFR Parts 160, 162 and 164
4. REFERENCES TO OTHER APPLICABLE SOPs
GA-102 Responsibilities of the Research Team
GA-103 Training and Education
DM-502 Electronic Data Management
5. ATTACHMENTS
None
6. RESPONSIBILITY
This SOP applies to those members of the clinical research team involved in conducting clinical trials at this research site. This includes the following:
- Principal investigator
- Subinvestigator
- Research nurse/coordinator
- Data manager
- Support staff
7. DEFINITIONS AND GLOSSARY
Confidentiality: Prevention of disclosure, to other than authorized individuals, of a sponsor’s proprietary information or of a subject’s identity.
Protected Health Information: Information that is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual; or when there is a reasonable basis to believe the information can be used to identify the individual. (Under HIPAA regulations at 45 CFR 164, PHI (Protected Health Information) also includes: Individually identifiable health information that is: (i) Transmitted by electronic media; (ii) Maintained in any medium described in the definition of electronic media at §162.103, or (iii) Transmitted or maintained in any other form or medium.)
8. PROCESS OVERVIEW
A. Access of PHI via computer
B. Assignment of passwords
C. Password oversight
9. PROCEDURES
A. Access of PHI via computer
PI Research manager
Control access through individual identification and authentication. Assign users a unique identification code. Change passwords every ninety (90) days.
PI Research manager
Ensure that each individual who has been assigned a password is responsible for its safekeeping. Stress that divulging a password may result in a disciplinary action, including termination.
B. Assignment of passwords
Jeff-IT Research manager
Assign a password and maintain a log of assigned passwords. Require that all individuals, prior to being issued a password, sign a confidentiality statement.
Jeff-IT Research manager
Deactivate passwords when:
C. Password oversight
PI Research nurse/coordinator
Control issuing and use of passwords centrally. Ensure passwords are changed every ninety (90) days. Remind users that they are responsible for proper password use. Instruct users that passwords must be protected by the user and not shared with or divulged to others.

