CMS Data Management Policy

DATA MANAGEMENT PLAN

 

1.     PHYSICAL POSSESSION AND STORAGE OF CMS DATA FILES

 

1.1.  Individual(s) responsible for organizing, storing, and archiving the data:

Data Core Manager, Stanford Population Health Sciences (Stanford PHS)

Data Custodian, Stanford, Population Health Sciences

 

1.2.  Data inventory and documentation:

All research work using CMS data is conducted on a PHI-compliant server that abides by Stanford’s computer and network usage policy (http://adminguide.stanford.edu/62.pdf) and information security policy (http://adminguide.stanford.edu/63.pdf), as well as the minimum security standards for servers (https://itservices.stanford.edu/guide/securitystandards) holding PHI and other sensitive data. Upon receiving data from CMS, the Stanford PHS Data Core will record: a) the database name, b) the date the data were received, c) the name of the analyst responsible for curating the data, d) the filenames shared and e) their file sizes.

 

The resulting cleaned data files are then saved under a different logical storage path and a new name that conforms to the file naming structure defined by the Data Manager; the structure incorporates the database name and the date of upload and merge. A record of this process is kept in the Cleaned Data Log, which records a) the database name, b) the date the encryption and cleaning processes were completed, c) the name of the encryption program used, d) the file sizes, and e) a short description of the curation performed.

 

1.3.  Procedures for obtaining access to data including privacy and security policies:

CMS data are only shared with individuals who: a) have completed the required HIPAA and human subject protection (CITI) training; b) have encrypted every electronic device that may be used to access the data or outputs; c) have attested to this encryption via the Stanford University School of Medicine encryption tracking and verification system (amie.stanford.edu); d) have institutional review board (IRB) approval for their study or are listed as personnel on an IRB-approved study; e) have a “need to know” with regard to the data and cannot practically work on the project without it; and f) have signed a data use agreement with Stanford PHS stating that they will use the data only for the stated research purposes and will not share the data with any third party.

 

The signed data use agreement will stipulate that only output results from analyses may be downloaded from the server; that is, the researcher agrees never to download datasets, subsets of datasets or analysis files, and that all outputs will conform to Stanford or CMS cell size policies, whichever is more restrictive.

 

File transfer activity is audited monthly. In the event of a suspected or reported file download, the researcher in question will be contacted. If any CMS (or other PHS) data have been downloaded to a computer or other device, the investigator will be required to purge the files from that device. Disciplinary action up to and including termination of access to all PHS files will be taken as appropriate. All computers used to access CMS data must be encrypted and password protected as described above.

 

If an employee leaves of their own volition or is terminated before a project is complete, their access to the data will be terminated. Stanford does not share data with any third parties or with any parties not explicitly named on the project for which the CMS-ADS was received. All personnel working with the data must individually sign a PHS-DUA.

 

1.4.  Notification of personnel changes:

The Principal Investigator (PI) of any research project using CMS data will promptly inform the Data Core Manager via email of any staffing changes. The Data Core Manager will provide the PI with a list of currently authorized users on their DUA on a yearly basis and seek updates. The Data Core Manager will inform CMS within 10 business days of any changes and confirm access to all data files has been terminated for any individuals who are no longer members of the research team. Email is the preferred method of transmitting this type of information as it provides the notice in writing, is a searchable format, includes a date and time stamp and allows the sender to confirm receipt.

 

1.5.  Encryption and privacy training:

As stated in Section 1.3, analytic data sets are only shared with individuals who: a) have completed the required HIPAA and human subject protection (CITI) training; b) have encrypted every electronic device that may be used to access the data or outputs; c) have attested to this encryption via the Stanford University School of Medicine encryption tracking and verification system (amie.stanford.edu); d) have institutional review board (IRB) approval for their study or are listed as personnel on an IRB-approved study; e) have a “need to know” with regard to the data and cannot practically work on the project without it; and f) have signed a data use agreement with Stanford PHS stating that they will use the data only for the stated research purposes and will not share the data with any third party.

 

Additionally, individuals are not permitted to download CMS data onto individual computers or other electronic devices. All users of CMS data must sign a data use agreement stating that they will not attempt to do so and that they will adhere to cell size restrictions for outputs.

 

1.6.  Infrastructure (facilities, hardware, software, other):

The PHS data infrastructure is explained in more detail in section 2.5. The CMS data will be received by the Stanford PHS Data Core via secure FTP (SFTP) transfer and saved to a secure server that abides by Stanford’s computer and network usage policy (http://adminguide.stanford.edu/62.pdf) and information security policy (http://adminguide.stanford.edu/63.pdf), as well as the minimum security standards for servers (https://itservices.stanford.edu/guide/securitystandards) holding PHI and other sensitive data. The requirements associated with those standards include patching, hosting in a data center, centralized logging, two-factor authentication, vulnerability scanning and mitigation, and intrusion detection. The server is behind a firewall with access restricted to authorized investigators only. Intrusion detection practices are in place, in accordance with Stanford’s minimum security requirements for servers. Data are replicated nightly to a replica system in a different secured Stanford data center in Forsythe Hall on the Stanford campus; the replica server adheres to all of the same security requirements as the main server. The server itself is housed in a secure research data center, the Stanford Research Computing Facility, with keycard access limited to authorized individuals. In addition, the server rack itself is locked; the key is available only to the system administrators of the server and the Data Center Manager. The data center has 28 cameras that capture motion 24x7. In case of facility power failure, supplemental power is provided by a generator, and the ability to switch between commercial and generator power is tested monthly. The server has also been outfitted with self-encrypting hard drives. All statistical software necessary for analyses lives on the server, so it is never necessary to download data onto local computers or other electronic devices.
In addition to the above safeguards, server system administrators are required to attend two days of information security training each year, and they access the server only from bastion host systems specifically secured by the Stanford Information Security Office.

 

Authorized system administrators and the PHS Data Center Manager can physically access the system components when needed for maintenance activities.

 

The system is accessed by approved users via SSH, X2Go via SSH and RDP via the campus VPN. All authorized users of the data will connect to the Stanford network via VPN and will authenticate with two step authentication (SUNet ID and password with Duo or Text Code secondary authentication); they will then also authenticate to the server with SUNet ID and password.

 

The Stanford University Network Access Control (SUNAC) service (https://uit.stanford.edu/service/sunac) allows granular and configurable control of data access. The service allows the Manager of the Data Core (or the Local Network Administrator, LNA) to control remote access to departmental resources located behind University IT-managed firewalls. Using Workgroup Manager, access can be granted and customized for any PHS member by SUNet ID. The PHS Data Core Manager is responsible for this permissioning process for the CMS data projects.

 

Stanford PHS requires encryption of all devices used to access Stanford School of Medicine resources, whether the computers or devices are owned personally or by the University. Because PHS sits within the School of Medicine, these standards apply to all computers used to access PHS data regardless of the School or Department of the PHS member. The encryption status of every computer and device used to access Stanford systems (including the server where CMS data are stored) is tracked in an internal system and audited continuously. Each person accessing Stanford systems must complete a data attestation form annually or whenever there is a change in either their devices or the types of data they access, whichever is more frequent. Each computer or device used to access Stanford School of Medicine systems containing PHI must have whole disk encryption. This policy is available at: https://med.stanford.edu/irt/security/information/policies.html.

 

Computer encryption is conducted and verified using the Stanford Whole Disk Encryption (SWDE) service, which covers both Windows and Macintosh computers that support native encryption. Once installed, all files are automatically encrypted, and the data remain protected while the computer is in standby or hibernation mode. This requirement applies to both Stanford-owned and personally owned computers that are used for Stanford activities on the campus network. Computers on campus require SUNet authentication to log in; personal computers require a 10 character PIN to unlock. Additionally, all Stanford systems require two-step SUNet authentication with a password. Passwords must comply with Stanford password guidelines (https://uit.stanford.edu/service/accounts/passwords): a minimum of 8 characters, and passwords shorter than 12 characters must combine mixed-case letters, numbers and special characters.

 

Every computer using SWDE automatically checks in with a logging and administrative server every 7 days. In the event of loss or theft of a computer with High Risk Data, Stanford policy requires notification of the Information Security Office (ISO). ISO in turn will use the logs to determine if a lost or stolen computer is a "reportable" event, possibly requiring notification of persons whose data may have been lost or stolen.

 

In addition to these security policies, PHS does not permit individuals to download any PHS data (including CMS data) onto individual computers or devices. All analyses must be conducted in the server environment, and researchers are only permitted to download outputs that comply with PHS cell size restrictions or the cell size restrictions of the owner of the data (CMS), whichever is more restrictive. Printing in the server environment is disabled, so individuals are unable to print CMS data.

 

Collaborators from outside institutions wishing to gain access to PHS data for the purposes of analyses must adhere to all the same stipulations and conditions as researchers at Stanford, including completion and verification of CITI and/or HIPAA training, encryption of their computer (to the standards required of computers used by Stanford University Medical Center employees) and signing a PHS-DUA. In addition, they must have a SUNet ID sponsored by an investigator at Stanford, which will allow them limited access to the Stanford PHS server. Collaborators must have IRB approval at their home institution and be included on the IRB application of the Stanford investigator sponsoring their SUNet ID and access to the data.

 

Stanford PHS requires encryption of all devices used to access Stanford School of Medicine resources, whether the computers or devices are owned personally or by the home institution of the researcher. The encryption status of every computer and device used to access Stanford systems (including the server where PHS data are stored) is tracked in an internal system and audited continuously. Each person accessing Stanford systems must complete a data attestation form annually or whenever there is a change in either their devices or the types of data they access, whichever is more frequent. Each computer or device used to access Stanford School of Medicine systems containing PHI must have whole disk encryption regardless of the home institution of the individual accessing the data. This policy is available at: https://med.stanford.edu/irt/security/information/policies.html.

 

Computer encryption must be conducted and verified using whole disk encryption (WDE). Both Windows and Macintosh computers support native encryption. Once installed, all files must be automatically encrypted, and the data must remain protected while the computer is in standby or hibernation mode. This requirement applies both to computers owned by the home institution of the researcher and to personally owned computers that are used for Stanford activities on the campus network. Computers on campus require SUNet authentication to log in; personal computers must require a 10 character PIN to unlock. Additionally, all Stanford systems require two-step SUNet authentication with a password. Passwords must comply with Stanford password guidelines (https://uit.stanford.edu/service/accounts/passwords). Password requirements and two-step authentication are explained in greater detail in section 2.5.

 

1.7.  Policies and procedures for physical possession and storage of data files:

All servers will abide by Stanford’s computer and network usage policy (http://adminguide.stanford.edu/62.pdf) and information security policy (http://adminguide.stanford.edu/63.pdf), as well as the minimum security standards for servers (https://itservices.stanford.edu/guide/securitystandards) holding PHI and other sensitive data. The requirements associated with those standards include patching, hosting in a data center, centralized logging, two-factor authentication, vulnerability scanning and mitigation, and intrusion detection. In addition, server system administrators are required to attend two days of information security training each year.

 

1.8.  Research personnel tracking and data access:

The Stanford PHS Data Core keeps records of study personnel and their status with regard to protocols, data access and current CITI and HIPAA training. This information can be verified in the Stanford e-protocol system, in which roles are delineated and records are updated as protocol or personnel changes occur or annually, whichever is more frequent. In addition to listing relevant personnel on IRB protocols, the e-protocol system also confirms that required HIPAA and privacy trainings are completed and up to date. When a research project is completed, the Stanford Data Manager records the completion of the project and access to the data is terminated. The closure is also noted in the e-protocol system.

 

For outside collaborators, the individual’s name, affiliation, Stanford collaborator and SUNET sponsor, verification of HIPAA and CITI training, verification of encryption and IRB approval will be collected and tracked by the Data Core Manager.

 

1.9.  Physical and technical safeguards:

These safeguards are also outlined in sections 1.6 and 2.5. The CMS data will be stored on a secure server that abides by Stanford’s computer and network usage policy (http://adminguide.stanford.edu/62.pdf) and information security policy (http://adminguide.stanford.edu/63.pdf), as well as the minimum security standards for servers (https://itservices.stanford.edu/guide/securitystandards) holding PHI and other sensitive data. The requirements associated with those standards include patching, hosting in a data center, centralized logging, two-factor authentication, vulnerability scanning and mitigation, and intrusion detection. In addition, server system administrators are required to attend information security training. The server is behind a firewall with access restricted to authorized investigators only. Intrusion detection practices are in place, in accordance with Stanford’s minimum security requirements for servers. Data are replicated nightly to a replica system in a different Stanford data center that adheres to the same standards for protection of PHI as the main server. The server itself is housed in a secure research data center with keycard access limited to authorized individuals. In addition, the server rack itself is locked; the key is available only to the system administrators of the server and the Data Center Manager. The data center has 28 cameras that capture motion 24x7. In case of facility power failure, supplemental power is provided by a generator, and the ability to switch between commercial and generator power is tested monthly.

 

The system is accessed via SSH, X2Go via SSH and RDP via the campus VPN. All authorized users of the data will connect to the Stanford network via VPN and will authenticate with two step authentication (SUNet ID and password with Duo or Text Code secondary authentication); they will then also authenticate to the server with SUNet ID and password.

 

Authorized system administrators and the PHS Data Center Manager can physically access the system components when needed for maintenance activities.

 

Upon receipt of media containing CMS data, the received data files are immediately copied to a secure area on the server accessible only to the Data Custodian (or Data Manager) and catalogued as described in Section 1.2. The drives, discs or media containing the original CMS files, as received, will be stored in a safe in the locked room accessible only to the Data Core management team (Data Custodian, Data Manager and the Center Director at the Stanford Center for Population Health Sciences). The combination of the safe, a SentrySafe SFW205CWB Water-Resistant Combination Safe, 2X-Large, is only known to the Data Core management team (Data Custodian, Data Manager and the Center Director at the Stanford Center for Population Health Sciences). Further, the data will not be physically moved or transmitted in any way from Stanford without written approval from CMS.

 

Individuals are not permitted to download any PHS data (including CMS data) onto individual computers. All analyses must be conducted in the server environment, and researchers are only permitted to download outputs that comply with PHS cell size restrictions or the cell size restrictions of the owner of the data (CMS), whichever is more restrictive. PHS will audit data download activity on an ongoing basis. Individuals suspected of having downloaded CMS data will be notified and, if data have been downloaded, the individual will be required to wipe the data from their computer and further access to CMS (or any other PHS data) will be terminated. Disciplinary and corrective action will be taken as appropriate. Printing in the server environment is disabled, so individuals are unable to print CMS data.

 

2.     DATA SHARING, ELECTRONIC TRANSMISSION, DISTRIBUTION

 

2.1.  Data sharing:

As outlined in section 1.3, analytic data sets are only shared with individuals who: a) have completed the required HIPAA and human subject protection training; b) have institutional review board (IRB) approval for their study or are listed as personnel on an IRB-approved study; c) have a “need to know” with regard to the data and cannot practically work on the project without it; and d) have signed a data use agreement with Stanford PHS stating that they will use the data only for the stated research purposes and will not download the data or share it with any third party. Governing policies for PHI more generally can be found here: https://med.stanford.edu/irt/security/stanfordinfo.html

 

In the case where a particular analysis requires a specific analytic dataset, the Data Manager will meet with the investigator to identify the cohort and variables necessary to perform the particular analyses outlined in the Data Use Agreement. This information will be used to construct an analytic dataset which will then be put in a separate folder on the server labeled with the investigator’s name, project name and date initiated. The investigator and their designees (such as a Statistician or Data Manager) will then be given access to this folder. All analyses, code and resulting work files related to the project will be kept in the project folder on the PHS server. The investigator is expected to also put the final version of any resultant products of research (in most cases a peer-reviewed publication) in the same folder. At the end of the project or proposed analyses, access to the project folder will be terminated.

 

The data use agreement will stipulate that only output results from analyses may be downloaded from the server; that is, the researcher agrees never to download datasets, subsets of datasets or analysis files, and that all outputs will conform to Stanford or CMS cell size policies, whichever is more restrictive.
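The cell size requirement above is the one output control in this plan that can be checked mechanically before a researcher downloads a result table. The following is an added example, not part of the Stanford PHS plan or its tooling: it flags every nonzero count below a minimum cell size in a two-way table and, going beyond the plan's text, applies complementary suppression so that a suppressed cell cannot be recovered by subtraction from its row or column total. The plan does not state the numeric thresholds, so MIN_CELL is an assumed parameter to be set from the governing Stanford or CMS policy, and the hospital readmission table is constructed sample data.

```python
"""Minimum cell size check and complementary suppression for an output table.

Added example, not from the Stanford PHS plan. MIN_CELL is an assumed
threshold; the plan defers to Stanford or CMS policy, whichever is stricter.
"""
MIN_CELL = 11  # assumption: counts 1..MIN_CELL-1 are disclosive; zero cells are not

# Constructed sample output: readmission counts by hospital (not real data).
SAMPLE_TABLE = {
    "Hospital A": {"Readmit": 45, "No readmit": 312},
    "Hospital B": {"Readmit": 7,  "No readmit": 98},
    "Hospital C": {"Readmit": 19, "No readmit": 140},
}


def check_table(rows, min_cell=MIN_CELL):
    """rows: dict[row label -> dict[column label -> count]].

    Returns (ok, violations); violations lists (row, col, count) for every
    nonzero count below min_cell. An empty list means the table may be released
    as far as primary cell size is concerned.
    """
    violations = [(r, c, n) for r, cols in rows.items()
                  for c, n in cols.items() if 0 < n < min_cell]
    return (not violations, violations)


def suppress(rows, min_cell=MIN_CELL):
    """Return a copy with small cells set to None, plus complementary suppression.

    If a row or column is left with exactly one hidden cell, its value follows
    from the published marginal total, so the smallest remaining nonzero cell in
    that row or column is hidden as well. Repeats until no row or column has a
    single hidden cell. Each pass hides at least one more cell, so it terminates.
    """
    out = {r: {c: (None if 0 < n < min_cell else n) for c, n in cols.items()}
           for r, cols in rows.items()}
    all_cols = sorted({c for cols in rows.values() for c in cols})
    changed = True
    while changed:
        changed = False
        for r, cols in out.items():                      # rows
            if sum(v is None for v in cols.values()) == 1:
                cand = [c for c, v in cols.items() if v not in (None, 0)]
                if cand:
                    cols[min(cand, key=lambda c: cols[c])] = None
                    changed = True
        for c in all_cols:                                # columns
            present = [r for r in out if c in out[r]]
            if sum(out[r][c] is None for r in present) == 1:
                cand = [r for r in present if out[r][c] not in (None, 0)]
                if cand:
                    out[min(cand, key=lambda r: out[r][c])][c] = None
                    changed = True
    return out


if __name__ == "__main__":
    ok, bad = check_table(SAMPLE_TABLE)
    print("release ok:", ok, "violations:", bad)
    for row, cols in suppress(SAMPLE_TABLE).items():
        print(row, {c: ("*" if v is None else v) for c, v in cols.items()})
```

On the sample table the single small cell (Hospital B, Readmit = 7) forces a 2x2 block of suppressions once row and column totals are considered, which is why a checker that only looks at individual cells is not sufficient for tables published with marginals.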

 

Collaborators from outside institutions wishing to gain access to CMS data for the purposes of analyses must adhere to all the same stipulations and conditions as researchers at Stanford including completion and verification of CITI and/or HIPAA training as required by their institution, encryption of their computer and signing a PHS-DUA. In addition, they must have a SUNet ID sponsored by an investigator at Stanford which will allow them to gain access to their project file on the Stanford PHS server.

 

2.2.  Data tracking and Auditing:

Upon receiving data from CMS, the Stanford PHS Data Core will record: a) the database name, b) the date the data were received, c) the name of the analyst responsible for curating the data, d) the filenames shared and e) their file sizes.

 

The resulting cleaned data files are then saved under a different logical storage path and a new name that conforms to the file naming structure defined by the Data Manager; the structure incorporates the database name and the date of upload and merge. A record of this process is kept in the Cleaned Data Log, which records a) the database name, b) the date the encryption and cleaning processes were completed, c) the name of the encryption program used, d) the file sizes, and e) a short description of the cleaning or curation performed.

 

System and access logs associated with PHS servers are collected on each server and forwarded to a remote log server, per the requirements of Stanford’s Minimum Security Standards for servers (see https://uit.stanford.edu/guide/securitystandards), using Stanford’s Splunk service. Splunk is software that allows monitoring, searching and inspection of multiple system logs across time; it is also a powerful tool for analyzing system logs to identify anomalies and trends. The PHS system administrators and the PHS Data Manager have access to view and analyze log data associated with PHS servers, as does the university’s Information Security Office. Logs are retained for at least 18 months.

 

Data access will be monitored in three ways, depending on source and destination. File transfers and access via SFTP will be logged and sent to the Splunk service. File access on the storage system will be logged by the storage system and sent to the Splunk service. File access within the systems will also be monitored via the auditd service, with the audit records then sent to Splunk for processing and analysis; care must be taken that the auditd rules do not adversely impact system performance.
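The SFTP log stream is the one that most directly shows a dataset leaving the server, since a researcher with read access to the master files can fetch them with any SFTP client. The following is an added example, not part of the plan or of Stanford’s Splunk configuration: it parses syslog lines in the format OpenSSH’s sftp-server writes at LogLevel INFO, correlates each “close … bytes read” record with the session that opened it, and reports every completed read from the master CMS tree. The hostnames, users, addresses, paths and the directory /srv/cms/master/ are constructed for the example; the same condition is what one would express as a Splunk alert over the forwarded logs.

```python
"""Flag SFTP reads of files under the master CMS data tree.

Added example; not part of the Stanford PHS plan. Parses the syslog lines
OpenSSH's sftp-server emits at LogLevel INFO. All sample data is constructed.
"""
import re

# Constructed sample log in OpenSSH sftp-server format (not a real capture).
SAMPLE_LOG = """\
Mar  3 09:12:01 phs-srv1 sftp-server[4012]: session opened for local user alice from [171.64.10.22]
Mar  3 09:12:05 phs-srv1 sftp-server[4012]: open "/srv/projects/alice_hipfx_2019/results/table1.csv" flags READ mode 0644
Mar  3 09:12:05 phs-srv1 sftp-server[4012]: close "/srv/projects/alice_hipfx_2019/results/table1.csv" bytes read 2048 written 0
Mar  3 09:30:44 phs-srv1 sftp-server[4088]: session opened for local user bob from [171.64.10.51]
Mar  3 09:30:50 phs-srv1 sftp-server[4088]: open "/srv/cms/master/medpar_2016.sas7bdat" flags READ mode 0640
Mar  3 09:31:12 phs-srv1 sftp-server[4088]: close "/srv/cms/master/medpar_2016.sas7bdat" bytes read 734003200 written 0
Mar  3 09:40:02 phs-srv1 sftp-server[4101]: session opened for local user carol from [171.64.10.77]
Mar  3 09:40:09 phs-srv1 sftp-server[4101]: open "/srv/cms/master/README.txt" flags WRITE|CREATE|TRUNCATE mode 0644
Mar  3 09:40:09 phs-srv1 sftp-server[4101]: close "/srv/cms/master/README.txt" bytes read 0 written 512
Mar  3 09:40:10 phs-srv1 sftp-server[4101]: session closed for local user carol from [171.64.10.77]
"""

# Assumed location of the master CMS files on the server.
WATCHED_PREFIXES = ("/srv/cms/master/",)

LINE_RE = re.compile(r"sftp-server\[(?P<pid>\d+)\]: (?P<msg>.*)$")
OPENED_RE = re.compile(r"session opened for local user (?P<user>\S+) from \[(?P<addr>[^\]]+)\]")
CLOSE_RE = re.compile(r'close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)')


def find_master_downloads(log_text, watched=WATCHED_PREFIXES):
    """Return one finding per file read from a watched prefix.

    sftp-server reports byte counts only on close, so that line is the
    reliable evidence of a completed transfer; 'open ... flags READ' alone
    only shows intent. Uploads (bytes written, read 0) are not reported.
    One sftp-server process serves one session, so the pid ties a close
    record back to the user and client address from 'session opened'.
    """
    sessions = {}   # pid -> (user, client address)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        opened = OPENED_RE.match(msg)
        if opened:
            sessions[pid] = (opened.group("user"), opened.group("addr"))
            continue
        closed = CLOSE_RE.match(msg)
        if not closed:
            continue
        path, nread = closed.group("path"), int(closed.group("read"))
        if nread > 0 and path.startswith(watched):
            user, addr = sessions.get(pid, ("<unknown>", "<unknown>"))
            findings.append({"user": user, "addr": addr, "path": path, "bytes": nread})
    return findings


if __name__ == "__main__":
    for f in find_master_downloads(SAMPLE_LOG):
        print(f"{f['user']}@{f['addr']} read {f['bytes']} bytes from {f['path']}")
```

Run against the sample, only bob’s read of the MedPAR file is reported: alice read from her own project folder and carol only wrote to the master tree. A production alert would also cover the project folders, since the DUA forbids downloading analysis files as well, and would key on the storage-system and auditd records for reads that bypass SFTP (for example, a scp or rsync client).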

 

CMS data do not leave the server environment. No investigator is permitted to download or print data.

 

2.3.  Data removal, transport and transmission:

The CMS data will be received by the Stanford PHS Data Core via secure FTP (SFTP) transfer. Stanford will not physically remove, transport or transmit CMS data files.

 

2.4.  Data access and permissions:

The Data Core Manager will work with the PIs to determine which individuals on their research team require data access. Individuals will be given access to a project folder which will contain a CMS analytic data set and any other programs or files needed for the project. Individuals approved for access will have to complete the steps outlined in section 1.3. Access will be granted on a need to know basis and individuals will only receive access to CMS data which are required for the specific analysis requested.

 

Data access privileges are based on a given individual’s role in the project. The Data Core Manager and lead data analyst on a given project will have a superset of the privileges associated with individual approved researchers. Individual approved researchers will have only read access to the master CMS files, while the Data Core Manager and lead data analyst will have access to move the master CMS files to other locations on the secure servers; they and the system administrators are responsible for the actual data transfers from CMS. Individual approved researchers will create their own analysis files from the master CMS data; access to those analysis files is limited to the specific individual researcher and his/her approved research team members. System logs track any file uploads and downloads; the Data Core Manager will review those logs on a routine basis to ensure that individuals are complying with security requirements.

 

2.5.  Technical safeguards:

As stated in sections 1.6, 1.7 and 1.9, the CMS data will be received by the Stanford PHS Data Core via secure FTP (SFTP) transfer and saved to a secure server that abides by Stanford’s computer and network usage policy (http://adminguide.stanford.edu/62.pdf) and information security policy (http://adminguide.stanford.edu/63.pdf), as well as the minimum security standards for servers (https://itservices.stanford.edu/guide/securitystandards) holding PHI and other sensitive data. The requirements associated with those standards include patching, hosting in a data center, centralized logging, two-factor authentication, vulnerability scanning and mitigation, and intrusion detection. In addition, server system administrators are required to attend two days of information security training each year. The server has also been outfitted with self-encrypting hard drives.

 

Computer encryption is conducted and verified using the Stanford Whole Disk Encryption (SWDE) service, which covers both Windows and Macintosh computers that support native encryption. Once installed, all files are automatically encrypted, and the data remain protected while the computer is in standby or hibernation mode. This requirement applies to both Stanford-owned and personally owned computers that are used for Stanford activities on the campus network. Computers on campus require SUNet authentication to log in; personal computers require a 10 character PIN to unlock. Additionally, all Stanford systems require two-step SUNet authentication with a password. Passwords must comply with Stanford password guidelines (https://uit.stanford.edu/service/accounts/passwords).

 

Password Protocols:

 

Stanford recognizes that individual passwords often represent the weakest link in system access. Stanford’s password checking system is designed to address this; see https://uit.stanford.edu/service/accounts/passwords for details. While Stanford implements a complex set of password rules, detailed at that URL, the institution also strongly recommends passphrases as an alternative. Beyond passwords, Stanford implements additional safeguards for systems generally, and for PHS systems specifically.

 

SSH logons will be authenticated via password, public key or GSSAPI, in each case combined with Duo two-factor authentication. Network firewall rules will require users to be on the Stanford VPN and authenticated via SUNAC. Password and GSSAPI authentication will be backed by Stanford’s Kerberos system, and all Stanford SUNet password policies will apply. Every connection to the system will require a new Duo two-factor prompt. If web applications are presented, they will be authenticated via Stanford’s SAML2 instance, and Duo will be required.

 

SSH sessions will time out after 30 minutes of inactivity. To enable graphical interfaces, X2Go will initially be used over SSH; X2Go allows users to manage graphical sessions, reconnecting to an existing session or starting a new one, which permits longer-term work in the graphical environment. To improve both user experience and security, users will be automatically placed into a screen or tmux session and reconnected to it when logging back onto the system. There will be a limit on SSH sessions per user, initially 5. The screen or tmux session will also lock the screen after a period of inactivity.
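The session rules in the two paragraphs above (30-minute idle disconnect, a per-user session limit of 5, a second factor on every login) correspond to a handful of sshd settings, and the effective values are what `sshd -T` prints. The following is an added example, not part of the plan or of Stanford’s tooling: it parses that output (a constructed sample of an unhardened host is embedded) and reports the settings that fall short of the policy. The idle timeout is the product of ClientAliveInterval and ClientAliveCountMax, which is easy to get wrong by reading only one of them; the sshd defaults assumed here (interval 0, count 3, MaxSessions 10) are OpenSSH’s documented defaults. Whether the PAM stack actually invokes Duo is not visible in sshd -T, so the second-factor check only confirms that no authentication path accepts a single method and flags the rest for review of the PAM configuration.

```python
"""Audit effective sshd settings (sshd -T output) against the session policy above.

Added example, not from the Stanford PHS plan. The sample below is constructed;
run `sshd -T` on the real host and pass its output to parse_sshd_t().
"""
POLICY = {"idle_timeout_seconds": 1800, "max_sessions": 5}   # from the plan's text

# Constructed sample of `sshd -T` output from a host not yet hardened.
SAMPLE_SSHD_T = """\
port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
gssapiauthentication yes
kbdinteractiveauthentication yes
usepam yes
authenticationmethods any
clientaliveinterval 0
clientalivecountmax 3
maxsessions 10
"""

# sshd -T prints lowercase keywords; these are OpenSSH's defaults when a key is absent.
DEFAULTS = {"clientaliveinterval": "0", "clientalivecountmax": "3",
            "maxsessions": "10", "authenticationmethods": "any", "usepam": "no"}


def parse_sshd_t(text):
    """Turn 'keyword value' lines into a dict; later lines override earlier ones."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.strip()] = value.strip()
    return conf


def audit_sshd(conf, policy=POLICY):
    """Return a list of findings; an empty list means every checked setting complies."""
    findings = []
    interval = int(conf["clientaliveinterval"])
    count = int(conf["clientalivecountmax"])
    # sshd drops an unresponsive client after interval*count seconds; interval 0 disables this.
    if interval == 0:
        findings.append("clientaliveinterval 0: idle clients are never disconnected")
    elif interval * count > policy["idle_timeout_seconds"]:
        findings.append(f"idle disconnect after {interval * count}s exceeds "
                        f"{policy['idle_timeout_seconds']}s")
    if int(conf["maxsessions"]) > policy["max_sessions"]:
        findings.append(f"maxsessions {conf['maxsessions']} exceeds {policy['max_sessions']}")
    if conf["usepam"] != "yes":
        findings.append("usepam no: a PAM-based second factor (e.g. Duo) cannot run")
    methods = conf["authenticationmethods"]
    if methods == "any":
        findings.append("authenticationmethods any: one method alone is sufficient to log in")
    else:
        # Each space-separated entry is one acceptable path; a comma-separated
        # path requires every listed method in turn.
        for path in methods.split():
            if len(path.split(",")) < 2:
                findings.append(f"auth path '{path}' requires a single method; confirm the "
                                f"second factor is enforced in the PAM stack")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd(parse_sshd_t(SAMPLE_SSHD_T)):
        print("FINDING:", finding)
```

A configuration that satisfies the check as written would carry, for example, ClientAliveInterval 300 with ClientAliveCountMax 6, MaxSessions 5, UsePAM yes and AuthenticationMethods listing publickey,keyboard-interactive and password,keyboard-interactive as the accepted paths. The screen or tmux inactivity lock described above is separate from sshd and is configured in those tools.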

 

Data transfers and access will be performed only over encrypted channels, either SSH or HTTPS (TLS). Data residing on hard drives will be encrypted via LUKS using hardware-accelerated AES encryption.

 

Security Evaluations: Stanford PHS shall periodically (no less than annually) evaluate its processes and systems to ensure continued compliance with obligations imposed by Stanford policy, law, regulation or contract with respect to data confidentiality, integrity, availability, and security. Results of these evaluations will be documented and any remedial action indicated will be taken in a timely manner.

 

The Stanford Population Health Sciences Data Management Plan has been reviewed and approved by both the funding agency (Stanford PHS) as well as the Stanford Institutional Review Board (IRB). The data management plan will be reviewed no less than annually and updates will be made as indicated either by changes to the protocol or technological requirements for optimal data security.

 

File transfer activity is audited by the PHS Data Core manager on a monthly basis. In the event of a suspected or reported file download, the researcher in question will be contacted. In the event any CMS (or other PHS) data has been downloaded to a computer or other device, the investigator will be required to purge the files from their computer. Disciplinary action up to and including termination of access to all PHS files will be taken as appropriate. All computers used to access CMS data must be encrypted and password protected as described above.

 

PHS will audit data download activity on an ongoing basis. Individuals suspected of having downloaded CMS data will be contacted and, in the event there is CMS data on their computer, the individual will be required to wipe the data from their computer and further access to CMS (or any other PHS data) will be terminated. Disciplinary and corrective action will be taken as appropriate.

 

2.6.  Collaborators from non-Stanford institutions:

At present, access to the Stanford PHS server (and CMS analytic data sets) is restricted to Stanford employees and affiliates. If a Stanford investigator has a collaborator from another institution, the collaborator will need to complete the steps outlined in section 1.3.

 

The server will be accessed through a VPN connection using two-step authentication, just as it is for Stanford investigators.

 

2.7.  Data replication:

Data are replicated nightly to a replica system in a different Stanford data center, in Forsythe Hall on the Stanford campus. The server itself is housed in a secure research data center with keycard access limited to authorized individuals. In addition, the server rack itself is locked; the key is available only to the server's system administrators and the Data Center Manager. The data center has 28 cameras that capture motion 24x7. In case of a facility power failure, supplemental power is provided by a generator. The ability to switch between commercial and generator power is tested monthly.

 

 

3.     DATA REPORTING AND PUBLICATION

 

3.1.  Notification of potential or actual security or privacy incidents:

In the event of a suspected or known privacy incident, the PHS Data Core Manager shall notify CMS within 1 hour if Stanford PHS reasonably believes there may have been unauthorized access to, modification of, or disclosure of CMS Information and/or CMS Information Systems. A written resolution plan will be provided to CMS after any such incident.

 

In the event of an incident, a remediation plan will be drafted and executed within 72 hours or three business days, whichever is longer.

 

3.2.  Data Management Plan updates during the DUA period:

Data Management Plans are developed by the Stanford PHS Data Core Manager and Director in partnership with the Director of the Stanford Center for Clinical Informatics and their staff. Data Management Plans are then reviewed and approved by the Stanford IRB and the Stanford University Privacy Office.

 

Since the Data Management Plan is heavily influenced by data security technology and requirements, the Chief Technology Officer of Stanford Research Computing and the Data Core Manager will review the data management arrangements annually or whenever there is a significant change or improvement in data security technology, whichever is more frequent. Any changes or updates to the Data Management Plan will also be included in the annual IRB renewal or in an IRB modification, whichever is more frequent. If the Data Management Plan changes during the DUA period, CMS will be informed of the proposed changes within 5 business days. Any changes requested by CMS will be incorporated into the DMP and submitted for approval at the time the DMP is submitted to the IRB and the Stanford Privacy Office.

 

3.3.  Cell size suppression policy:

Stanford does not disclose direct findings, listings, or information derived from the file(s) specified in section 5, with or without direct identifiers, if such findings, listings, or information can, by themselves or in combination with other data, be used to deduce an individual’s identity. Additionally, Stanford will not identify or report any identifiable pharmacy, provider, prescriber or health plan in any publication. All data are reported in aggregate.

 

The signed data use agreement will stipulate that only output results from analyses can be downloaded from the server – that is, the researcher agrees never to download datasets or subsets of those/analysis files or any output of formula which could and that all data outputs will conform to Stanford or CMS cell size policies (no cell smaller than 11), whichever is more restrictive.

 

No cell (e.g. admittances, discharges, patients, services) with a value of 10 or less may be displayed or used in any publication. Likewise, percentages or other mathematical formulas may not be used if they would result in the display of a cell of 10 or less. If Stanford is unsure whether it meets the above criteria, it will submit written products for CMS review, with the understanding that CMS agrees to make a determination about approval and to notify the user within 4 weeks after receipt of the findings. CMS may withhold approval for publication only if it determines that the format in which data are presented may result in identification of individual beneficiaries.
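The cell-size rule above is mechanical enough to check in code before any output leaves the server. The following Python is an added illustration, not part of the Stanford PHS policy text or of any CMS tooling: it applies the threshold (no cell of 10 or less) to a constructed aggregate table, adds complementary suppression so that displayed row and column totals cannot be subtracted to recover a hidden cell, and checks percentages against the same rule, since a percentage shown beside its denominator reveals both the numerator and its complement. The function names, the sample counts and the `<11` marker are assumptions made for the example.

```python
"""Small-cell suppression for aggregate output tables.

Added illustration of the section 3.3 rule (no cell of 10 or less may be
displayed, and no percentage that lets a reader back out such a cell).
Not code from the Stanford PHS policy or from CMS; the table is constructed.
"""
from __future__ import annotations

THRESHOLD = 11   # smallest count that may be displayed (section 3.3)
MASK = "<11"     # shown in place of a suppressed count (assumed marker)

# Constructed sample data (not real CMS data): counts by region and outcome.
TABLE = {
    "Region A": {"admitted": 120, "discharged": 95, "died": 7},
    "Region B": {"admitted": 40, "discharged": 38, "died": 2},
    "Region C": {"admitted": 15, "discharged": 12, "died": 3},
}


def primary_suppression(table: dict) -> dict:
    """Mask every cell whose count is below THRESHOLD."""
    return {r: {c: (v if v >= THRESHOLD else MASK) for c, v in row.items()}
            for r, row in table.items()}


def complementary_suppression(table: dict, masked: dict) -> dict:
    """Close the subtraction leak created by displayed marginal totals.

    If a row or column shows its total and exactly one of its cells is masked,
    the hidden value is simply total minus the visible cells. Mask the smallest
    visible cell in that line as well, and repeat until no line has a single
    masked cell (masking one cell can leave its column, or row, with a lone
    masked cell). This closes the single-cell subtraction case only; a full
    disclosure audit of all linear constraints is outside this example.
    """
    rows = list(table)
    cols = list(next(iter(table.values())))
    lines = [[(r, c) for c in cols] for r in rows] + [[(r, c) for r in rows] for c in cols]
    changed = True
    while changed:
        changed = False
        for line in lines:
            hidden = [rc for rc in line if masked[rc[0]][rc[1]] == MASK]
            visible = [rc for rc in line if masked[rc[0]][rc[1]] != MASK]
            if len(hidden) == 1 and visible:
                r, c = min(visible, key=lambda rc: table[rc[0]][rc[1]])
                masked[r][c] = MASK
                changed = True
    return masked


def safe_percentage(numerator: int, denominator: int, digits: int = 1) -> str:
    """Return a percentage only if it cannot reveal a small cell.

    When the denominator is displayed, the percentage gives away the numerator,
    and the numerator gives away its complement (denominator - numerator), so
    both counts must meet THRESHOLD before the percentage may be shown.
    """
    if denominator <= 0 or numerator < THRESHOLD or denominator - numerator < THRESHOLD:
        return MASK
    return f"{100 * numerator / denominator:.{digits}f}%"


def release_table(table: dict) -> dict:
    """Build the publishable table: masked cells plus row, column and grand totals.

    Totals are subject to the same threshold as any other cell.
    """
    masked = complementary_suppression(table, primary_suppression(table))
    cols = list(next(iter(table.values())))
    out = {}
    for r, row in table.items():
        total = sum(row.values())
        out[r] = dict(masked[r])
        out[r]["total"] = total if total >= THRESHOLD else MASK
    col_totals = {c: sum(row[c] for row in table.values()) for c in cols}
    out["Total"] = {c: (v if v >= THRESHOLD else MASK) for c, v in col_totals.items()}
    grand = sum(col_totals.values())
    out["Total"]["total"] = grand if grand >= THRESHOLD else MASK
    return out


if __name__ == "__main__":
    for region, cells in release_table(TABLE).items():
        print(region, cells)
    print("share discharged, Region A:", safe_percentage(95, 222))
    print("share died, Region A:", safe_percentage(7, 222))
```

Note that the complementary step in this sample masks the whole `discharged` column even though every one of those counts is above the threshold: once `died` is hidden in each row, the next-smallest cell has to go too, otherwise the row total would give `died` away. That over-suppression is the price of publishing margins, and it is why outputs are usually reviewed as a whole table rather than cell by cell.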

 

3.4.  Identification of pharmacy, provider, prescriber, or health plans:

As stated above in Section 3.3, Stanford does not disclose direct findings, listings, or information derived from the file(s) specified in section 5, with or without direct identifiers, if such findings, listings, or information can, by themselves or in combination with other data, be used to deduce an individual’s identity. Additionally, Stanford will not identify or report any identifiable pharmacy, provider, prescriber or health plan in any publication. All data are reported in aggregate.

 

4.     COMPLETION OF RESEARCH TASKS AND DATA DESTRUCTION

 

4.1.  Completion of Certificate of Data Disposition forms:

At the end of the project, all research identifiable data will be purged from the servers using packages like “shred”. Any retired data disks will first be “zeroed out” or reformatted. Any CD/DVD ROMs or other physical data storage devices will be destroyed or returned to CMS using CMS’s preferred delivery mode at that time. The Data Custodian will then complete the Certification of Disposition form at http://www.cms.gov/Medicare/CMS-Forms/CMSforms/downloads/cms10252.pdf and submit it to CMS.

 

4.2.  Personnel changes:

As outlined in section 1.4, the Data Core Manager will inform CMS of any changes to personnel. In the event of an employee leaving of their own volition or being terminated prior to the completion of a project, the investigator or individual sponsoring the SUNET ID will terminate the sponsorship according to Stanford’s Network Access Control policy (https://uit.stanford.edu/service/sunac). For individuals who will no longer be employees, this termination is handled centrally in HR. Termination of SUNET sponsorship will prevent the employee or affiliate from having any further access to any Stanford system.

 

For non-employees or individuals remaining with Stanford but no longer working on a project which uses CMS data, the termination will be handled by the Stanford Data Core Manager. The SUNAC allows the Data Core Manager to assign permissions on an individual basis and terminate the ability for individuals to access CMS data and individual project folders on the Stanford PHS server.

 

For individuals leaving Stanford, termination of all SUNET access and permissions is handled centrally by HR and occurs on the employee’s last day of work. The Data Core Manager will verify that individuals leaving Stanford no longer have an active SUNET. For individuals remaining at Stanford but leaving a project which uses CMS data, access to the data will be terminated on the last day of that individual’s participation in the project.

 

As individuals are not permitted to download CMS data and access to data is restricted to those fields necessary for the analyses the individual was working on, termination of data access will prevent any further contact with CMS data.

 

The Data Core Manager will inform CMS of changes in staff or access within 10 business days.

 

4.3.  Termination of access to CMS data upon project completion

As outlined in Sections 1.6 and 4.2, for non-employees or individuals remaining with Stanford but no longer working on a project which uses CMS data, the termination will be handled by the Stanford Data Core Manager. The SUNAC allows the Data Core Manager to assign permissions on an individual basis and terminate the ability of individuals to access CMS data and individual project folders on the Stanford PHS server.

 

For individuals leaving Stanford, termination of all SUNET access and permissions is handled centrally by HR and occurs on the employee’s last day of work. The Data Core Manager will verify that individuals leaving Stanford no longer have an active SUNET. For individuals remaining at Stanford but leaving a project which uses CMS data, access to the data will be terminated on the last day of that individual’s participation in the project.

 

4.4.  Termination of Data Access

 

As outlined in Sections 1.6, 4.2 and 4.3, upon completion of the project, or completion of subanalyses within a project, access to CMS data used for the project or analyses will be terminated. The Stanford University Network Access Control (SUNAC) service (https://uit.stanford.edu/service/sunac) allows granular and configurable control of data access. The service allows the Manager of the Data Core (or the Local Network Administrator, LNA) to control remote access to departmental resources located behind University IT-managed firewalls. Using Workgroup Manager, access to CMS data will be terminated upon project completion.