PHI on HiPerGator Process

HiPerGator is a shared system, with many users working on open and sensitive data, as classified by UF Guidelines:

https://it.ufl.edu/it-policies/information-security/related-standards-and-documents/data-classification-guidelines/ 

Policy

When a project is identified that benefits from the storage and processing capabilities of HiPerGator and that project involves protected health information, including one or more of the 18 identifiers listed in the HIPAA security and privacy rules, the procedure described below shall be followed.

Procedure

When an activity that falls in the scope of this policy, the researcher shall work with various support staff to accomplish the following tasks:

Project Registration

A project is registered by entering a Request in UF’s Integrated Risk Management (IRM) system at https://riskmanagement.ufl.edu/apps/ArcherApp/Home.aspx This will record details of the project:

  • The data owner, usually the principal investigator
  • The type and size of data involved
  • Depending on the nature of the work that involves PHI:
    • For research projects: Provide the Institutional Review Board (IRB) record number
    • For healthcare operational work, such as care quality assessments: Provide the UFHealth Risk Assessment record number

The risk assessment by UFIT Information Security Office (ISO) is simplified because of the security controls in place on HiPerGator, but it provides a record about the project and who will be involved in it.

In coordination, UFIT Research Computing staff will record the project by its IRM identifier with the researcher’s HiPerGator account. A  project specific HPG group will be created to provide access to the data by the role of the project participants, which is encoded as membership of that group. PIs will need to make investments for the storage space needed for the project. While NCU and GPU allocations can be shared across restricted and non-restricted groups, storage must be allocated to each individually.

PHI data will be stored on directories in Blue/Orange/Red files systems that are not exported by SMB service to limit opportunities for unauthorized distribution of PHI data.

A data management plan submitted as part of the risk assessment will briefly describe the workflow and disposition of the project data and what actions participating members, by their role, are expected and allowed to do with the data.

A service core can be authorized to process PHI for approved projects. In that case the core submits the IRM request and includes the authorization for the core to operate and the list of staff who work in the core to replace individual project IRB approval and the list of project participants.

  • A data management plan, one copy signed by each participant, needs to be uploaded into the IRM system. The document content is described below. The Word document PHI Data Management Plan can be downloaded to add to the IRM record. The link is also available within the IRM system.
  • A data flow diagram: The PHI Flow Diagram Template can be downloaded, edited if necessary, and added to the IRM record. The link is also available within the IRM system.

Participant registration and agreement

The members of the project group will then sign an agreement form that specifies:

  • They understand their role in the project
  • They will take HIPAA basics training in myTraining, course UF_PRV800v_OLT
    • This training is required by the IRB approval process. Hence IRB approval, as recorded above as part of the process, implies that this training requirement is satisfied.
  • They will take HiPerGator training on handling restricted data

A scanned or digitally signed agreement for each project participant is stored in the IRM system.

When the procedure is not followed, the project will not be given any resources. If participants fail to follow the steps, the university process for HIPAA violations will be followed as described in the HIPAA training.

What is needed

To set up a PHI group on HiPerGator, UFIT Research Computing needs the following:

  • PI Information
  • Project Name (and suggested short version for a group name)
  • Risk Assessment Number
  • IRB #
  • Specific staff to add to the group (must be listed on the IRB, must have submitted the Data Management Plan)
  • Amount of Orange/Blue storage to allocate from new or existing purchase

 

Project Owner/Data Manager Responsibilities

UFIT Research Computing as the operator of the HiPerGator services is responsible for the vast majority of the security and compliance controls, but compliance and security are a shared responsibility, and some responsibilities, with accountability, fall on the principal Investigator (PI) or the designated data manager of the approved project involving restricted data and the authorized members of the project team.

The users and their project supervisors/mentors are responsible for ensuring that the endpoints used to access HiPerGator follow UF standards:

  • All persistent storage within mobile computing devices will be encrypted:
    (https://policy.ufl.edu/policy/mobile-computing-and-storage-devices-policy/)
  • Screen lock after 15 minutes of inactivity
  • Use devices in locations where shoulder surfing is not possible
  • If transferring files via Globus, it is the responsibility of the user/project manager to enforce the use of encrypted communication options available in Globus for the incoming or outgoing data transfers.

The PI is responsible for providing instructions to authorized users when they telework from approved locations to ensure that these procedures are followed. Users will also be instructed to not access the HiPerGator system and their restricted data projects from their endpoints while in public locations like airports, libraries, and other public venues such as coffee shops.

Each approved restricted data project will designate a data manager, whose responsibilities are listed below:

  • Record and maintain the signed Rules of Behavior form (paper or electronic) signed by each user after training. Provide a copy of this list as a report to UFIT Research Computing quarterly.
    • The list of authorized participants is maintained in the IRB record for projects involving PHI research, the UFHealth risk assessment record for projects involving operational work with PHI, the technology control plan (TCP) for ITAR/EAR project work, and the UFIT risk assessment system for FERPA projects. This requirement can be satisfied by pulling that information from the IRB, TCP, or relevant risk assessment database.
  • Keep a record of when users complete training and ensure that training is renewed annually. Provide a report to UFIT Research Computing quarterly of this list. Training examples include:
    • HIPAA training (PHI)
    • FERPA training (FERPA)
    • Export control training (Export controlled data)
    • Protecting UF: Information Security Training
  • Verify and review authorized accounts regularly, at least once per month, and notify UFIT Research Computing staff immediately when users leave the project or change roles in the project (e.g. when they take on a new job in the university or leave the university) so that access to the restricted data project can be removed.
  • If the restricted data project involves transaction-based systems, the project manager and team are responsible for ensuring transactions can be recovered in the case of failures. This can be implemented in collaboration with UFIT Research Computing staff.

Special Precautions

If there are special precautions that apply to this project and are called out in the risk assessment, then such actions or requirements will be added to the agreement documented in Archer and become part of regular review, vulnerability scanning, and/or risk assessments, depending on the level of risk assessed for the set of special precautions.

 

Restricted Data Project Retirement and Removal

All restricted data projects on HiPerGator are required to have a data management plan filed with the security assessment. This data management plan must include a project retirement and removal section. Unless otherwise approved by the director, all restricted data projects will have the following retirement conditions:

  • Upon completion of the project, the designated data manager is responsible for removing all data in the project group's folders within the HiPerGator ecosystem. This includes, but is not limited to, all restricted data.
  • Once removed, the data manager will contact HiPerGator support and open a request to have the top-level project folders removed.
  • The UFIT Research Computing staff will then remove all designated project folders and record the project closure date in the support request and any appropriate internal systems.

Abandoned Restricted Data Projects

If the storage investments for a specific restricted data project expire and are not replaced, then the restricted data project will be considered abandoned. UFIT Research Computing staff will make a good-faith effort to notify the Principal Investigator (PI) when internal processes indicate that a project has been abandoned. If a PI would like to renew their investments, it should be made within 60 days of the previous expiration date. Once a project has been abandoned for more than 60 days, UFIT Research Computing reserves the right to remove all data from the project folders to maintain the security of the data on HiPerGator systems.