LabArchives: Protecting electronic Health Information
This document describes how to use protected health information (PHI) responsibly on the LabArchives system.
Getting Approval for using ePHI
Limiting access to PHI
The best way to keep PHI safe is to limit access to the people who need it: only those actively working on the research project that involves the PHI should have access. Only UW-Madison users who have been added to an authorization group can log into LabArchives with their NetID. Users who request the ability to store PHI in LabArchives are placed in one of two permission groups: those who can own notebooks and those who cannot. Only PIs and their designees are allowed to own notebooks, and it is the notebook owner who controls who has access to the PHI.
LabArchives allows users to share their research with people outside UW-Madison through Guest access. We caution against sharing notebooks containing PHI this way: the University cannot link a guest's email address to a verified identity the way it can with a NetID, and guests lose write access 60 days after sharing under our licensing agreement with LabArchives. External collaborators can request a NetID instead. If you must share your research with non-UW collaborators as guests, make sure they are trusted collaborators: guests can download data from the notebook and, depending on the permissions you grant them, change its content.
Working in a secure environment
There are several resources available for securing workstations, some of which are referenced in the configuration matrix document above:
The DDS-HIPAA Group Policy Objects in Campus Active Directory can be applied to Windows machines joined to Campus Active Directory.
Windows machines joined to any Active Directory domain can be configured through Group Policy to encrypt their storage drives with BitLocker and to store the recovery keys in Active Directory, so that a lost recovery key does not mean lost PHI. Microsoft documents how to configure these GPOs. Verify on each machine that the drive is fully encrypted and that the recovery key has actually been backed up to the computer object; a policy that is set but never applied leaves the drive unrecoverable.
The Qualys Cloud Agent for vulnerability scanning is available here from the Office of Cybersecurity.
Cisco Advanced Malware Protection (AMP) for endpoints is available here from the Office of Cybersecurity.
Securing macOS machines requires further consultation with your HIPAA Security Officer and local IT support, because macOS does not apply Group Policy from Active Directory even when bound to the domain, so the GPOs above do not cover it.
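The following is an added example, not code from LabArchives, the DDS-HIPAA GPO, or the Office of Cybersecurity. It shows what "BitLocker with recovery keys stored in Active Directory" looks like when checked on an individual Windows workstation: it reads the OS volume's BitLocker state with the built-in BitLocker module, re-escrows every recovery password to the machine's AD computer object with `Backup-BitLockerKeyProtector`, and reports whether the host is compliant. The registry value names `OSActiveDirectoryBackup` and `OSRequireActiveDirectoryBackup` are taken from Microsoft's published BitLocker ADMX and are an assumption here; the function names are hypothetical. Run it in an elevated PowerShell session on a domain-joined Windows 10/11 machine.

```powershell
# Added example (not part of the LabArchives/UW-Madison page).
# Assumes: Windows 10/11, domain-joined, built-in BitLocker PowerShell module,
# elevated session. Function names are hypothetical.

function Test-PhiWorkstationBitLocker {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive   # e.g. "C:"
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    $result = [ordered]@{
        MountPoint             = $vol.MountPoint
        VolumeStatus           = $vol.VolumeStatus       # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        ProtectionStatus       = $vol.ProtectionStatus   # On / Off
        EncryptionMethod       = $vol.EncryptionMethod
        HasTpmProtector        = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
        RecoveryPasswords      = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        PolicyRequiresAdBackup = $false
        EscrowedToAd           = @()
        Compliant              = $false
    }

    # Group Policy "Store BitLocker recovery information in AD DS" for OS drives is
    # written under HKLM\SOFTWARE\Policies\Microsoft\FVE. Value names are assumed from
    # the published ADMX; confirm them against the GPO your unit actually applies.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($fve -and $fve.OSActiveDirectoryBackup -eq 1 -and $fve.OSRequireActiveDirectoryBackup -eq 1) {
        $result.PolicyRequiresAdBackup = $true
    }

    # Re-escrow each recovery password to the computer object in AD DS. The cmdlet is
    # idempotent, so re-running it is a cheap proof that this host can still write its
    # msFVE-RecoveryInformation objects (a policy that was applied before the machine
    # joined the domain, or while it was offline, may never have escrowed anything).
    foreach ($rp in $result.RecoveryPasswords) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
            $result.EscrowedToAd += $rp.KeyProtectorId
        } catch {
            Write-Warning "AD escrow failed for protector $($rp.KeyProtectorId): $($_.Exception.Message)"
        }
    }

    $result.Compliant = ($result.VolumeStatus -eq 'FullyEncrypted') -and
                        ($result.ProtectionStatus -eq 'On') -and
                        $result.HasTpmProtector -and
                        ($result.RecoveryPasswords.Count -ge 1) -and
                        ($result.EscrowedToAd.Count -eq $result.RecoveryPasswords.Count)
    [pscustomobject]$result
}

# Remediation for a drive that is not encrypted at all: add a recovery password
# protector first (so a key exists to escrow), then enable BitLocker with a TPM
# protector. Without -SkipHardwareTest, Windows schedules a reboot-time hardware
# test before encryption starts, which is the safer default for a PHI workstation.
function Enable-PhiWorkstationBitLocker {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Verbose "$MountPoint is already $($vol.VolumeStatus); nothing to enable."
        return Test-PhiWorkstationBitLocker -MountPoint $MountPoint
    }
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector | Out-Null
    Test-PhiWorkstationBitLocker -MountPoint $MountPoint
}

Test-PhiWorkstationBitLocker | Format-List
```

Escrowed recovery passwords live as msFVE-RecoveryInformation objects under the computer account, so whoever can read those objects can decrypt the drive; restrict that read permission to the administrators who handle recovery for PHI workstations, and treat a machine whose `EscrowedToAd` list is shorter than its `RecoveryPasswords` list as non-compliant until the escrow succeeds.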
Backing up your PHI-containing data
While LabArchives does back up your data on its servers, those backups are not accessible to you during a service outage. Making periodic copies of your notebooks in PDF or HTML format keeps your data accessible during an outage. See this document for details about how to download your data in these formats.
Because your notebooks contain PHI, their backup copies must also be stored on a platform approved for use with PHI. The ELN service team recommends Restricted Research Drive. Research Drive grants research PIs 5 TB of storage at no cost. Click here to request an account.
Many regulatory bodies require PHI to be destroyed after a set retention period.
To delete PHI from LabArchives, request deletion through our contact form; we will pass the request on to LabArchives.
If you have backed up your notebooks on other platforms such as Restricted Research Drive, remember to delete those backup copies as well, so that no export outlives the retention period.
Reporting unauthorized access to ePHI
If you believe that PHI has been accessed without permission, contact the ELN service team through our contact form. We will help you review the notebook's usage statistics to determine the scope of the breach and will facilitate the conversation with LabArchives. Do not delete or modify the affected notebook while the incident is being reviewed; its access history is the evidence.
You should also complete the University's HIPAA incident report form.
If you have questions about LabArchives and PHI specifically, contact the ELN team at our contact form.
If you have more general questions about security for PHI data, contact the HIPAA security officer for your unit.