General PHI Data Storage- IRB/HIPAA Non-compliance and Deviation?


NotAProgDirector

I have a serious question. If a medical student has stored PHI in a research file that requires a password to open it, on a laptop that is encrypted and password-protected (but not owned by the hospital the PHI came from; it is owned by a different medical institution), are they in severe trouble? They essentially claim to have had no knowledge of the information being in a non-secure location on the laptop and that they thought the computer was actually safer than other places, given that it is encrypted by a medical institution.

Essentially, could it boil down to the student losing access to medical records? Could it even be bigger than that and result in some lawsuit or legal action against the student?

The student told me they were asked to report an IRB deviation for now.
Maybe.

When doing work with a PHI containing database, the IRB application usually addresses how and where the data will be stored. If it is stored elsewhere, that can be considered a breach of the IRB process. It sounds unlikely there was any exposure of PHI so would not be reportable to local authorities, but still could be a huge problem. This is commonly a problem for medical students -- the IRB insists that the data stay on hospital hardware, and the student moves the data to university hardware. It's a real problem, and the student could get anything from a slap on the wrist to something more serious. I think it's unlikely that they would have all medical record access pulled, but details and intent matter. There won't be a lawsuit or legal action.

For example, if the student were told not to do this and then did it anyway, that would make things worse.

And even in the example you are talking about, how did they get the data from one place to another? Email? Flash drive? Both of those may be highly insecure. And if this data is now on a university laptop, there's some chance that the data is backed up on university servers -- where it absolutely can't be.

We have this problem in the VA with students who are on both sides of the relationship. It's not good. It has much to do with the politics between the institutions. If it happens to be the VA, they are usually ordered to settle this on their own time at the very least as a beginning punishment (meaning the time they spend before the IRB or other committees is not part of the experience and must be made up, probably eating into vacation or leave time). Also, it has a lot to do with who discovered it. The VA has actually done the Privacy Act fine for egregious cases, which is charged to the PI or RPD (because students are under supervision, so that part of the blame is a command responsibility). It's not going to be an informal slap on the wrist, as it can't be just a verbal warning. The punishment at the very least is a great deal of paperwork on their own time to explain what happened, what the risks of losing this data were, and how this will not happen again. Depending on intent or loss (so if you managed to get yourself in the news for losing this), there can be very severe consequences. Whoever their supervising full clinician or PI is will many times face more severe consequences than even the student for failing to supervise (we're talking OHRP-report bad), so they are going to be motivated to retaliate at some level in addition to whatever the committee hands down directly.
 
This is an interesting perspective especially because this specific student is, like you said, "belonging" to a different institution than the one the research is performed at. I think they mentioned that their parent institution found out and informed the research one. To make it more intense, both institutions are known to have some form of "rivalry" whatever that means on a medical institutional level.

That sucks for the PI/supervising clinician and the medical student as each are probably going to hand down their own sanctions separately. I'm sure the Medical School is going to be real happy with the additional paperwork.

What matters is what the IRB says. The IRB usually stipulates how PHI will be gathered and stored. It usually does not delineate consequences for deviating, though, so the sanction will be person- and institution-specific.

Agreed, though there are consequences that are specific to the IRB that are made with institutional independence. The guaranteed immediate punishment is the paperwork, and probably on their own time. The additional actions are completely situational; actually, all IRBs through AAHRPP have to have some policy for non-compliance, which does prescribe the research side of the matter, but the jurisdiction is only research-related. These are along the lines of suspending or revoking research approval for any or all projects the PI is on, requiring retraining from scratch, or forcing the researcher to either gain a supervising PI or transfer the project. The personnel punitive actions are left to the institution, but the sanctions on the research side are the IRB's problem and are required to be made independently of the institution's other organs due to the inherent financial conflict of interest involved with the idea of suspension, supervision, or forced action. It has to be justified over the actual damage or inherent risk to the human subjects.
 
Not to sound like I'm belittling the situation, but wouldn't this be considered a "potential" breach of HIPAA and not a full breach that constitutes such a drastic decision like preventing the PI from doing any more research? The data was not used to blackmail people and was not sold or lost. Given that it came out of pure lack of knowledge of how the computer systems work, it being a first, and then having had the file deleted permanently (from the hardware at least; I know technically nothing gets deleted forever), wouldn't all that help in rendering the consequences more of a "next time you shouldn't do this and now you should prove that you understand what you did wrong" type of consequence?

It very much depends on the data and the circumstances of how it got to the other institution. If it cannot be accounted for in a proper chain, then it is actually a breach; it's just not a public one. The way I understand it, it is a breach with the data in an unauthorized zone, but thankfully the breach was caught before actual damages would account. That is also why I wrote about institutional relations being a factor in the consideration. Also, incompetence is going to be cited on top of negligence; that actually would be grounds to vote for PI retraining, which would be a suspension until completed. Again, that student is going to make that PI pretty angry for all the dumb bureaucracy and hoops that s/he is going to have to jump through at the IRB's pleasure. Very situational, as stated, but if it is chalked up to incompetence, that student and that PI will get the retraining bit just to meet AAHRPP accreditation issues and to make a relatively costless (to them) example out of the PI to remind everyone else to fall in line.

If it helps any, it happens occasionally, and with a collective groan from us, since they could very well get us all into yet another self-flagellating in-service about how data is important and not screwing up is in everyone's interest. It just sucks that the PI/clinician has such a person working for them; it speaks to their lack of judgment and supervision as much as to the medical student's qualities.

If I were speaking to that student, I would say the following: you've got at least a good deal of paperwork ahead of you to explain all of these things and how this will never happen again, written and verbal apologies at least to your PI and the two IRBs of the individual institutions if not others, and a guaranteed retraining as the regulatory punishment at minimum. You probably put a burden on the PI or clinician, who faces worse for failing to supervise and will have to write a supervision plan for a bunch of low-yield personnel. Whoever is the person deemed most responsible, as well as anyone associated, is going to redo their training (hopefully just the CITI version). Anything else is circumstantial, but what I just wrote is quite a bit of headache. The harsher punishment, which is used for incredibly negligent cases, is that the researchers involved may never submit an exempt or expedited protocol ever again, as they would have to recertify the human subject protection/data safety plan every single time under the Full. There is an art to saying that you are incompetent but not negligent. To that student, the best of luck walking that tightrope.
 
We would consider this an actual breach of PHI. The issue is that the computer is owned by another entity. Presumably they have access to files stored on the computer. If the computer-owning institution noticed the PHI, then there is a good chance that someone not authorized to view that information was able to access it (in the course of their job, probably). I don't think this would be really different than accidentally e-mailing PHI to the wrong person. It doesn't really matter if they open that e-mail or not. What matters is that the information was accessible by unauthorized individuals.

Our IRBs would be unlikely to do more than require the student to attend research privacy training. The privacy office would be the one that dealt with the potential/actual PHI breach, and they are less likely to be forgiving. I can't imagine they will be happy about contacting all the people whose PHI was involved.
 