GCRC web-based data management tools for your clinical research study
Paul Harris, Ph.D. – Director, GCRC Informatics Core
Web-Based Data System: The Vanderbilt General Clinical Research Center’s Director of Informatics, Paul Harris, PhD, has developed a web-based data system for use in clinical research studies at VUMC. This system is capable of authenticating users via passwords and meets HIPAA-Security requirements. The system allows autonomous control of access and data export by end-users, therefore study Investigators have control over who can manipulate his/her data. The system is also capable of supporting multiple users at multiple layers of security and provides 24/7 data access. It creates an audit trail for all data entered and can support other data files (ex. Consent forms, analysis files, etc.). Reporting functions allow export of tables and logs into analysis programs. This system is flexible enough to accommodate a wide variety of study types, while built on a common framework to provide an intuitive and consistent graphical user interface for end users.
Advantages
•Form-Based Data Validity Checks (Date, Number, Min/Max).
•Data Access Security - Form Level.
•Autonomous Administration of User Rights (research group controls access).
•24/7 Data Access - Table Dumps (copy/paste to Excel/SPSS).
•File Management System for storage of files, documents, etc.
•End users – Intuitive user interface. Autonomous I/O and administrative functions.
•Logging – User/Date/Machine/Data Changes.
Disadvantages
•Data entry may be slightly slower than input in a grid spreadsheet.
•Development process is iterative and requires help from research.
•Centralized database model is counterintuitive to PC trends over past 10-15 years.
HIPAA Security Questionnaire – Vanderbilt Departmental Systems – December, 2003
1.Will the unavailability of this system impact patient care or the department's mission?
2.Approximately how many users access this System?
3.Does the system generate audit logs?
4.Do the audit logs record Date and Time an event occurred?(Please answer N/A if the system does not have audit logs.)
5.Do the audit logs record User-ID associated with an event?(Please answer N/A if the system does not have audit logs.)
6.Do the audit logs record Queries that are made of the data?(Please answer N/A if the system does not have audit logs.)
7.Do the audit logs record Modifications made to the data?(Please answer N/A if the system does not have audit logs.)
8.Does your department have a process in place to regularly review the audit logs for this information system? (Please answer N/A if the system does not have audit logs).
9.Does your department have procedures for disabling or deleting an individual's access to this system when they leave Vanderbilt? (This includes both voluntary and involuntary terminations.)
10.Does your department have procedures for disabling or deleting access to this system when an individual no longer needs such access to perform their job duties, such as a change in job functions or a transfer?
11.Are there procedures in place to restrict access to the audit logs to only those individuals who need to review them?(Please answer N/A if the system does not have audit logs.)
12.Does this system display the date, time, and last user-id that logged-in for the user to view?
13.Does the system allow you to assign different levels of access based upon the user's role?
14.Does this system have procedures for verifying that a person or entity seeking access to electronic protected health information is the one they claim to be (e.g., user-id/password, PIN number, etc.)?
15.Does this system use a default password for authentication?
16.Does this system use the e-password for authentication?
17.If e-password is not used, does this system or application allow the use of a password that uses a combination of three of the following: upper case letters, lower case letters, numbers, and special characters? (Please answer N/A if the system uses e-passwords.)
18.What is the minimum password length allowed (if e-password is not used)?
19.What is the maximum password length allowed (if e-password is not used)?
20.Does the server reside behind the firewall?
21.Where is the server physically located?
22.How often is data backed up for this application?
23.Do you have a data backup plan that will create retrievable exact copies of electronic protected health information? (The purpose of this is so that electronic protected health information will still be available during an emergency or other event that may damage the system, such as a fire, system failure, or natural disaster.) Note: Unless your backup plan will allow you to recover data from the point of the system crash and not some period of time prior to the crash, you must answer No to this question.
24.Have you submitted a Disaster Recovery plan to the InformaticsCenter - Disaster Recovery team for review?
25.Are there documented procedures for testing and revising the disaster recovery plan? (Answer N/A if a documented disaster recovery plan doesn't exist for this system.)
26.Is the disaster recovery plan tested and revised at least semi-annually? (Answer N/A if a disaster recovery plan does not exist for this system.)
27.Does each individual who has access to the system have their own unique user-id?
28.Has an automatic log-off feature or time-out feature been implemented on the system?
29.Does this system have a procedure for protecting data from input errors by end users?
30.Does this system store password files?
31. Are the password files encrypted?
32.Is this system used to transmit electronic protected health information to any transcription companies outside of Vanderbilt?
33.Does this system use digital signatures to protect electronic protected health information from being improperly modified without detection during transmission?
34.Does this system encrypt electronic protected health information during transmission outside of Vanderbilt?
35.Does this system have processes for protecting electronic protected health information from being improperly altered or destroyed, such as digital signatures? (Applies to electronic protected health information at rest that's not being transmitted.)
36.Does your department have a process for regularly applying security patches to this application?
37.Are you planning any upgrades to this system in the next year?
38.Are you planning any new releases to this system in the next year?
39.Does this system send transactions (claims, remittances, eligibility inquiries, etc.) electronically to another system or entity?
IF YES, What is the name of the system or entity?