Requesting Access

Purpose: This document describes how to ensure oversight and security of the protected health information (ePHI) responsibly on the LabArchives system.

 

In addition to the below guidance, The HIPPA Security Program provides guidance, templates, and other resources. ELN Service team encourages research units to partner with local departmental IT to ensure compliance.

 

1.HIPPA and Protocol Training

All users planning on using ePHI should complete the following before requesting access to Lab Archives.

1. HIPPA training
2. Protocol and Data Management Plan (DMP) Training

2.Limiting Access to PHI

The best way to keep ePHI safe is to limit access to only those who need it. Only people who are actively working on the research project involving ePHI should have access. 

a.UW Madison Collaborators 

Only UW-Madison users who have been added to an authorization Manifest group have access to log into LabArchives with UW Madison NetID credentials.

i. Those who request the ability to store ePHI in LabArchives will be divided into two permission groups:

- Notebook Owners (Can create new notebooks)

- Notebook Non-creators (Can edit shared notebooks)

1. 1. 2. Only PIs will be allowed to own notebooks and their designees to manage notebooks, thus have control over who has access to ePHI.

b.Requesting Access

Requesting a New Restricted Data Lab

1. Complete a request form on the UW Madison ELN website.
2. Look for an email from Security- RMC to complete a cybersecurity review.
3. Only the PI will notebook owners.

 

Requesting New Users be Added to Restricted Data Lab

1. Interested users complete a request form on the UW Madison ELN website.
2. ELN Service team confirms NET ID and UW Madison affiliation via NET ID Look Up tool
3. Users will be Non-Creators. Users will have permissions to edit existing notebooks shared with them (owned by PI) but cannot create notebooks themselves.

 

b.Access to External Non-UW-Madison Collaborators

LabArchives allows users to share their research with those who are not part of UW-Madison using the Guest access role. The service team does not have the permissions to disable this feature. Though Lab Archives provides this feature, users are cautioned against sharing notebooks containing ePHI in this way. 

9. If a guest user does not have a Net ID, the University has no way of linking an identity to the email address

2. 2. 2. If no action is done to change permissions, guests lose write access after 60 days of sharing due to the licensing agreement with LabArchives. After 60 days, access becomes Read Only
      3. External collaborators can instead request a NetID . 
      4. If research must be shared with non-UW collaborators, PI must ensure guests are trusted collaborators and may require a Data Transfer Use Agreement (DTUA), as they will have the ability to download data from the notebook and potentially to make changes to the content of the notebook depending on the permissions granted.
      5. PI’s providing access to a guest, must review access routinely (i.e. monthly)

c. Access Review

As mentioned in the PoAM no. 1.15.0 (1622) and in the artifact: User Access and Activity Audit

1. 1. Service team, PI, and user access review will occur at the beginning of each semester (Fall, Spring, Summer).
   2. Guest Access review will occur on a routine basis by PI and semesterly by the service team.

d.Activity Review

As mentioned in the Access, Audit, and Integrity Programs and artifact: User Access and Activity Audit

1. 1. The Activity Feed provides an audit trail of every action that has occurred within a notebook.
      1. An icon located on the top menu of Lab Archives notebook displays a red badge with the number of new notifications to view. 
      2. An email can also be set up to provide notification of changes.
   2. It does not track sign-in or offline content export.
   3. The Activity feed is only seen by the owner and shared collaborators. The service team does not have access to this detailed feed of changes at an admin level, however it can be obtained upon request to Lab Archives. Therefore, it is the PI’s responsibility to review on a routine basis. It is recommended to review routinely (i.e. weekly)

e. Reporting unauthorized access to ePHI

If you believe that PHI has been accessed without permission, contact the ELN service team contact form.

1. 1. Complete the HIPAA incident report form for the University. 
   2. Usage statistics are used to determine the scale of the breach and facilitate conversation with LabArchives.

3.Secure Work Environment

Each research unit/department is required to secure workplaces through encryption and asset management.

1. Encryption: 

The Secure Endpoint Configuration policy provides guidance for securing endpoints with access to ePHI, as part of the UW–Madison Workstation Security Requirements. 

1. It is recommended that users connect to their departmental VPN
2. Each research unit/department are encouraged to partner with the local departmental IT to ensure compliance for the following areas:

1. Encryption mechanisms are in place to protect ePHI in transit
2. Encryption mechanism in place to protect ePHI at rest
3. Encryption mechanisms are in place to safeguard ePHI from being compromised when transmitted from one point to another
4. Encryption of ePHI data, systems, and networking devices
5. Protection of the integrity of ePHI data, systems, and networking devices

3. There are several resources available to secure workstations, some of which are referenced in the configuration matrix above:
4. The DDS - HIPAA Group Policy Objects in Campus Active Directory can be used to apply to Windows machines to join to the Campus Active Directory
5. Windows machines connected to any Active Directory can be configured to encrypt their storage drives via Bitlocker with the recovery keys stored in Active Directory. Documentation is available from Microsoft for configuring GPOs.
6. Qualys Cloud Agent for vulnerability scanning is available in the Office of Cybersecurity
7. Cisco Anti-Malware Protection is also available in the Office of Cybersecurity

3. Securing of MacOS machines will require further consultation with your HIPAA Security Officer and local deparmental IT support. MacOS does not inherit Group Policies from Active Directory.

 

4.  Asset Management: 

The IT Asset Reporting provides guidance for setting up and maintaining an inventory of equipment and media used. Additionally, the Office of Cybersecurity HIPPA Security Program provides a primary guidance workbook. 

 

1. Each research unit/department is responsible for following departmental policies and procedures related to.
1. Within Facility
1. Maintain record of movement of hardware and media inside the facility and responsible person(s) of the devices.
2. Inventory of physical systems, devices, and media in office space/facility that are used to store or contain ePHI
3. Inventory and location record of all devices

1. 1. Outside Facility

1. Maintain record of movement of hardware and media outside of the facility and responsible person(s) of the devices.
2. Set of Standards for workstations allowed to be used outside of facility
3. Maintain records of employees removing electronic devices and media from facility that have or can be used to access ePHI

 

3. Workstation 

1. Each research unit/department is encouraged to work with local departmental IT to develop and use policies and procedures that align with UW Madison compliance to ensure the security or workstations, such as the following.
1. Safeguards for laptop and tablet workstations
2. Workstation use policies and procedures
3. Remove ePHI before reusing electronic media

4. Data Disposal

Many regulatory bodies require PHI to be destroyed after a certain amount of time. 

1. The UW-Madison LabArchives site is set to disallow users to delete notebooks, so that, by default, no users are able to delete PHI in a notebook. In order to delete PHI from LabArchives, the notebook owner must request deletion by completing the UW Madison ELN service team  contact form. This request will then be passed on to Lab Archives. 
2. Ensure all backup copies are deleted.  
3. Follow Destruction/Disposal of Protected Health Information guidance 
4. Research units/departments are advised to work with departmental IT  to develop and follow policies and procedures to the ELN Service team for the following.

1. 1. Requirement that all ePHI is removed from equipment and media before removing equipment or media from facilities for off site maintenance or disposal
   2. Requirement that all ePHI is removed or destroyed from information technology devices and media prior to disposal of device

5. Backing up your PHI-containing data

While LabArchives backs-up data on their servers, these backups will not be accessible during a service outage.

 

1. To keep data accessible during an outage, make periodic copies of notebooks in PDF or HTML formats. 
2. Backup copies of PHI  notebooks  must also be stored on an approved platform.
1. The Office of Compliance has listed approved options. 
3. The ELN service team recommends using Restricted Research Drive. Research drive grants 5 TB of storage to research PIs at no cost.

6. Additional Resources

If questions arise about LabArchives and PHI specifically, contact the ELN team contact form.

 

If general questions arise about security for PHI data, contact the HIPAA security officer in the unit.

 

Net ID	Description of Changes	Date of Changes	Date of KB Publish
tobin	original	2020-05-08	None
murphy22	Reorganized, added policies and procedures each unit needs to provide to ELN service team to be compliant with UW Madison Cybersecurity	2022-08-23	Pending
murphy22	Updated access and activity review, data disposal,	2022-10-21	2023-04-13