PHI on HiPerGator Process

HiPerGator is a shared system, with many users working on open and sensitive data, as classified by UF Guidelines:

https://it.ufl.edu/it-policies/information-security/related-standards-and-documents/data-classification-guidelines/ 

Policy

When a project is identified that benefits from the storage and processing capabilities of HiPerGator and that project involves protected health information, including one or more of the 18 identifiers listed in the HIPAA security and privacy rules, the procedure described below shall be followed.

Procedure

When an activity that falls in the scope of this policy, the researcher shall work with various support staff to accomplish the following tasks:

Project Registration

A project is registered by entering a Request in UF’s Integrated Risk Management (IRM) system at https://riskmanagement.ufl.edu/apps/ArcherApp/Home.aspx This will record details of the project:

  • The data owner, usually the principal investigator
  • The type and size of data involved
  • Depending on the nature of the work that involves PHI:
    • For research projects: Provide the Institutional Review Board (IRB) record number
    • For healthcare operational work, such as care quality assessments: Provide the UFHealth Risk Assessment record number

The risk assessment by UFIT Information Security Office (ISO) is simplified because of the security controls in place on HiPerGator, but it provides a record about the project and who will be involved in it.

In coordination, UFIT Research Computing staff will record the project by its IRM identifier with the researcher’s HiPerGator account. A  project specific HPG group will be created to provide access to the data by the role of the project participants, which is encoded as membership of that group. PIs will need to make investments for the storage space needed for the project. While NCU and GPU allocations can be shared across restricted and non-restricted groups, storage must be allocated to each individually.

PHI data will be stored on directories in Blue/Orange/Red files systems that are not exported by SMB service to limit opportunities for unauthorized distribution of PHI data.

A data management plan submitted as part of the risk assessment will briefly describe the workflow and disposition of the project data and what actions participating members, by their role, are expected and allowed to do with the data.

A service core can be authorized to process PHI for approved projects. In that case the core submits the IRM request and includes the authorization for the core to operate and the list of staff who work in the core to replace individual project IRB approval and the list of project participants.

  • A data management plan, one copy signed by each participant, needs to be uploaded into the IRM system. The document content is described below. The Word document PHI Data Management Plan can be downloaded to add to the IRM record. The link is also available within the IRM system.
  • A data flow diagram: The PHI Flow Diagram Template can be downloaded, edited if necessary, and added to the IRM record. The link is also available within the IRM system.

Participant registration and agreement

The members of the project group will then sign an agreement form that specifies:

  • They understand their role in the project
  • They will take HIPAA basics training in myTraining, course UF_PRV800v_OLT
    • This training is required by the IRB approval process. Hence IRB approval, as recorded above as part of the process, implies that this training requirement is satisfied.
  • They will take HiPerGator training on handling restricted data

A scanned or digitally signed agreement for each project participant is stored in the IRM system.

When the procedure is not followed, the project will not be given any resources. If participants fail to follow the steps, the university process for HIPAA violations will be followed as described in the HIPAA training.

What is needed

To set up a PHI group on HiPerGator, Research Computing needs the following:

  • PI Information
  • Project Name (and suggested short version for a group name)
  • Risk Assessment Number
  • IRB #
  • Specific staff to add to the group (must be listed on the IRB, must have submitted the Data Management Plan)
  • Amount of Orange/Blue storage to allocate from new or existing purchase

 

Project Owner and Data Manager Responsibilities

UFIT Research Computing as operator of the HiPerGator services is responsible for the vast majority of the security and compliance controls, but compliance and security are a shared responsibility and some responsibilities, with accountability, fall on the principal investigator (PI) or the designated data manager of the approved PHI project and the members of the project team.

The users and their project supervisors/mentors are responsible for ensuring that the endpoints used to access HiPerGator follow UF standards:

  • Encrypted laptops
  • Screen lock after 15 minutes of inactivity
  • Use devices in locations where shoulder surfing is not possible

The responsibility includes that the PI will provide instructions to users for when they telework from approved locations to ensure that these procedures are followed. Users will also be instructed to not access the HiPerGator system and their PHI projects from their endpoints while in public locations like airports, libraries, and venues like Starbucks. 

Each approved PHI project will designate a data manager, whose responsibility includes

  • Record and maintain the signed Rules of Behavior form (paper or electronic) signed by each user after training. Provide a report to UFIT Research Computing quarterly of this list. 
    • The list of authorized participants is maintained in the IRB record. This requirement can be satisfied by pulling that information from the IRB database.
  • Keep a record of when users complete training and ensure that training is renewed annually. Provide a report to UFIT Research Computing quarterly of this list.
  • Verify and review authorized accounts regularly, at least once per month, and notify RC staff immediately when users leave the project, change roles in the project (e.g. when they take on a new job in the university or leave the university) so that access to the PHI project can be removed within one business day.
  • If the PHI project involves transaction based systems, the project manager and team are responsible for ensuring transactions can be recovered in the case of failures. This can be implemented in collaboration with UFIT Research Computing staff.

Special Precautions

If there are special precautions that apply to this project and are called out in the risk assessment, then such actions or requirements will be added to the agreement documented in Archer and become part of regular review, vulnerability scanning, and/or risk assessments, depending on the level of risk assessed for the set of special precautions.