Protecting Identifiers in Human Subjects Data
Secure Data Storage & Access Options
Options for secure data storage and access
When working with restrictive or sensitive data, especially data that contains PII or PHI, it is the responsibility of everyone who can access the data to keep files within secure storage at all times. Use networked storage managed by JHU whenever feasible, particularly for collaborative access to files. JHU Information Technology provides resources to meet most storage needs, even for collaborations with those outside JHU. IRB, the JHM Data Trust Council, and other compliance policies strongly prefer particular JHU-managed network platforms for sensitive data with PII/PHI, and all clinical and health data derived from JHM sources, and require evaluation and certification of any networked access outside of JHU domains. Similar levels of security are a best practice for any data from human subjects or other restricted access.
Operated by JHU Central IT, SAFE Desktop (Secure Analytic Framework Environment) is a virtual machine (VM) cloud-based platform that is fully HIPAA compliant. Access both the data and software for working with the data within the secure environment, avoiding the transmission of files to individual desktops. Collaborators with JHED ID can manage shared access to files within the VM. In most cases, SAFE Desktop is the best infrastructure at JHU to satisfy IRB and JHM Data Trust Council's criteria for a secure shared space for working with data containing PII/PHIs.
- Virtual machine with Windows desktop interface
- SAS, Stata, R, MS SQL, MS Office, and certain Hopkins applications
- Can add custom software by request
- 100 Gb of storage (can be increased)
- Fully HIPAA compliant environment
- IRB Tier A environment
- Free (to 100GB) for all JHU faculty & staff with JHED ID. (Student access to a SAFE Account may be limited to those listed on an IRB for a study.)
REDCap is a mature, secure web application for building and managing online surveys and databases.
- Design your own survey electronically
- Share data securely with research staff and external collaborators
- Built in tools for viewing EPIC data, and limited de-identification
Basic level free for JHU/JHMI users. (See site for Bronze and Gold levels)
Introductory videos: https://projectredcap.org/resources/videos/
Local NAS and Server storage
The networked accessed storage space provided for your department or research group that is managed by JHU IT staff and facilities will provide a certain level of security, including controlled password access, firewalls and other protections. However, not all JHU servers are rated with adequate security for human subjects data. for storing unencrypted files containing Personally Identifying Information or Personal Health. Information such as medical records. For PHI records in particular, NAS and other data servers must meet security levels established by HIPAA and similar standards.
If you are working with files containing PHI/PII, it is your responsibility to check with your department or research group's IT representative on the security rating of your server storage, and its approval level for sensitive data. IT Departmental contacts: https://it.johnshopkins.edu/help/additional_info/dept.html
IRB applications, particularly for School of Medicine studies and those requiring review by the JHM Data Trust, may require completion of a Data Security Checklist reporting which servers and storage options will be used for sensitive data. Storage outside of those previously rated for PHI/PII security will require an additional review using the Data Security Profile. Note also policies from the JHM Data Trust Council for maintaining Data Registries of clinical and medical data: Guidelines and Technical Requirements for Registries (DATAG001)
Secure Cloud Storage
Overview and access info at JH@IT's Office 365 Communications Hub
OneDrive is part of JHU's licensed services with Microsoft 365. All users with a JHED account are provided with 5TB of storage. OneDrive is particularly useful as a collaborative storage space, for managing shared access to files and folders, and collaborative access to MS Office documents.
According to IT@JH, OneDrive meets all HIPAA and FERPA compliance standards for secure file sharing and storage, provided that any shared access to files is managed properly. It is possible to set any file or folder for open public access outside the JHU, violating protections of files containing sensitive or human subjects information. Similarly, folders with PII/PHI could be accidently set to allow access to anyone with a JHU account, rather than only to approved collaborators listed on a study IRB form.
Therefore, if using OneDrive for collaborative access to sensitive files:
- Consider first whether SAFE Desktop if a feasible option.
- Consider encrypting the files separately, with password protection within files when possible (e.g. for Excel worksheets) or software that encrypts folders and directories.
- Follow instructions for Configuring OneDrive for Secure Sharing (IT@JH) and contact your IT representative for assistance if necessary. Limit who has access to those folders and assign someone to be responsible for monitoring and administering access settings.
Microsoft Teams is another option for secure collaborative storage within the Office 365 service suite. It includes additional tools for collaboration, communication, and limited project management. Research teams and departments can request Team spaces, which will help maintain file access to approved participants. Like OneDrive, however, files and folders can be accidently set for more broad public access and must be managed carefully.
Overview and access info at JH@IT: https://livejohnshopkins.sharepoint.com/sites/Office365Hub/SitePages/Teams.aspx
Dropbox and other non-JHU cloud servers: Not approved for PHI/PII.
Generally, commercial Dropbox accounts and other third-party cloud services are not recommended for collaborative research, especially involving human subjects. JHU domain services are the preferable and free alternatives for both internal and external collaborations. Using external services may require review and approval by IRB, JHM Data Trust Council and IT@JH. [See Data Trust section for details.]