Data Security
Some research data are highly sensitive, such as Protected Health Information (PHI) including names or addresses associated with clinical information, or Personally Identifiable Information (PII) such as Social Security numbers, credit card numbers, or personal financial data. The release of such data can lead to harm such as privacy violations, identify theft, financial liability for the University, and in some cases, individual liability for the person who released the data. Columbia University Information Security Charter sets forth key principles and definitions concerning information security at Columbia.
All researchers should be aware that sensitive information is highly regulated by federal laws, such as HIPAA and HITECH, and by University policy, such as the Electronic Information Resources Security Policy. As the Policy states: "Individuals who access or control University electronic information resources must take appropriate and necessary measures to ensure the security, integrity, and protection of these resources, using appropriate physical and logical security measures."
Federal Laws on Sensitive Infomation
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) are the laws that provides data privacy and security provisions for safeguarding medical information.1
All research personnel who are involved with Human Subjects Research are required to take the CITI Module in Rascal (TC0087) every 3 years. There may be additional training required by Columbia's IRB. Additional information regarding HIPAA policies at Columbia University can be found on CUMC's HIPPA webpage.
Breaches or suspected breaches of HIPAA protected data are taken seriously by Columbia University and needs to be reported to the appropriate office.
- CUMC Office HIPAA Compliance - [email protected]
- CUMCIT - [email protected]
- CUIT - [email protected]
1 http://searchhealthit.techtarget.com/definition/HIPAA
The Health Information Technology for Economic and Clinical Health (HITECH) Act are the laws that address the privacy and security concerns associate with the electronic transmission of heal information. Several of the provisions strengthen the civil and criminal enforcement of HIPAA rules.
Columbia University Policies on Sensitive Data
Data as defined by the Columbia University Information Security Charter are "All items of information that are created, used, stored or transmitted by the University community for the purpose of carrying out the institutional mission of teaching, research and clinical care and all data used in the execution of the University's required business functions."
Data at Columbia University are classified into four categories (from Data Classification Policy):
- Sensitive Data - any information protected by federal, state or local laws and regulations or industry standards, such as HIPAA, HITECH, the NY State Information Security Breach and Notfication Act, similar state law and PCI-DSS
- Confidential Data - any information that is contractually protected as confidential by law or by contract and any other information that is considered by the University for confidential treatment
- Internal Data - any information that is proprietary or produced only for use by members of the University community who have a legitimate purpose to access the data
- Public Data - any information that may or must be made available to the general public, with no legal restriction on its access or use
Protection requirements for each classification of Data can be found:
The Registration and Protection of Systems Policy describes the requirements for security controls to protect the Systems that process, transmit and/or store Data.
Requirements differ depending on the Data Classification (see above).
A System is defined as a server based software that resides on a single Server or multiple Servers and is used for University purposes. "Application" or "Information System" is synonymous with "System."
All systems located at Columbia University’s Morningside Heights or Manhattanville Campus that process, transmit and/or store Sensitive Data must be registered with the CU Information Security Office. All Systems located at CUMC (“CUMC Systems”) must be registered with the CUMC Information Security Office.
RSAM is the governance, risk and compliance (GRC) platform that Columbia is using to manage, organize and analyze data associated with Risk Management and Compliance for systems at Columbia University and Columbia University Medical Center (CUMC).
The Registration and Protection of Endpoints Policy describes the requirements for security controls to protect Endpoints that process, transmit and/or store Data. These requirements differ depending on the classification of data (see above).
Endpoint is defined as any desktop or laptop computer, mobile device or other portable device use to connect to the University wireless or wired Network, access Columbia email from any local or remote location or access any institutional (University, New York-Presbyterian Hospital, departmental or individual) System either owns by the University or by an individual and used for University purposes.
It is important to note that this Policy does distinguish an Endpoint owned by the University from one that is personally owned. All Information Security Policies will apply to a personally-owned Endpoint used for University business.
The Electronic Data Security Breach Reporting and Response Policy provides the measures that must be taken to report and respond to possible breach or compromise of Sensitive Data, including the determination of Systems affected, whether any Sensitive Data have in fact been compromised, what specific Data were compromised and what actions are required for forensic investigation and legal compliance.
Report Possible Breach of PHI
Office of HIPAA Compliance
email [email protected]
call 212-342-0059
Report Possible Breach of Sensitive Data at CUMC
CUMC-IT Information Security Office
email [email protected]
Report Possible Breach of Sensitive Data outside CUMC Campus
Columbia University Information Technology
email [email protected]
call 212-854-1919
- Human Research Protection Office (IRB)
- Data Security Plans Involving the Use, Storage or Transmission of Electronic Research Data Constituting Sensitive Data
- This Policy provides standards for IRB review and approval of data security plans involving the storage of electronic research data constituting Sensitive Data in human subjects research conducted at Columbia University, including Columbia University Medical Center (“CUMC”), or by Columbia University researchers. The intent of this Policy is to ensure that the protection of the privacy of research subjects and the confidentiality of identifiable research data is in accord with the requirements of HHS, NIH and FDA regulations and the Health Insurance Portability and Accountability Act (HIPAA). (Updated May/June 2014)
- Disclosure of Social Security Numbers Outside of Columbia for Research Purposes
- Disclosure of Social Security Numbers (SSNs) to entities outside of Columbia for research purposes requires authorization from institutional officials and high level security precautions, in addition to approval by the IRB. (Updated Sep/Oct 2015)
- Privacy and Security Agreement