As seasoned analysts of economic and healthcare data, we understand the importance of data security. It cannot be over-emphasized in our organization. There are two options to access data that has personally identifiable information (PII) or protected health information (PHI).

• House such data in our data system. We have a data security system that meets the requirements of the National Institute of Standards and Technology Special Publication 800-171, “Protecting Unclassified Information in Nonfederal Information Systems and Organizations.” See additional details below.
• Utilize the data system of a third party who owns the data if such an arrangement is available. For example, the Centers for Medicare and Medicaid Services allows authorized users to access their Virtual Research Data Center (VRDC). We can utilize VRDC if a project is approved by its Research Data Assistance Center and we meet all the security requirements as specified.

First of all, we apply the minimum necessary standard. That is, we limit unnecessary or inappropriate access to and disclosure of PII and PHI. Whenever is possible, we will use de-identified data. If de-identified data are not sufficient to answer specific research questions, we will pursue a Limited Data Set, which has a limited set of identifiable individual information as defined in the Health Insurance Portability and Accountability Act (HIPAA). A Limited Data Set may be used for research purposes. If a Limited Data Set is still not sufficient, we will use identifiable data as the last resort.

We make every effort to securely house data in our system. Specifically, we only store data in a room housing stand-alone computers that are not connected to our internal network or any external network. All data are encrypted using software that is compliant with Federal Information Processing Standard (140-2). All analyses will take place in this room on these stand-alone computers only. No data are allowed to leave the room. Entry to the room is restricted to authorized users and tracked to provide physical protection. Data access is granted only upon project review. The user interface requires individual log-in with access to folders to which the user has been granted permission.

Because our stand-alone computers have no physical connections to any internal or external networks, all data will be transferred to these stand-alone computers using portable media. Data transferred via portable media must be encrypted using software that is compliant with Federal Information Processing Standard (140-2). Data on portable media are immediately destroyed after they are transferred to stand-alone computers. Analysts are not allowed to do analysis using data on removable media. And again, no data are allowed to leave the room. Data from a third party will be encrypted and transferred either via physical media or a secure FTP server; passwords will be delivered separately from the data.

All staff members are made aware of the security risks associated with their activities and of our data security protocol and receive security awareness training every year. On a regular basis, we review the protocol and audit the process to monitor and report unauthorized access, inappropriate system activity, or violations of our data security protocol. We track user activities and ensure violations can be uniquely traced to individual users and hold them accountable for such activities.

On a regular basis, all our staff receives the Collaborative Institutional Training Initiative (CITI Program) training, specifically, the Social-Behavioral-Educational (SBE) Comprehensive course. “This course provides an expansive review of human subjects research topics for social-behavioral-educational researchers.”