ABT data security plan

Att_7a_ABT Data Security Plan.docx

Formative Research and Tool Development

ABT data security plan

OMB: 0920-0840

Document [docx]
Download: docx | pdf





“Understanding Barriers and Facilitators to HIV Prevention, Care, and Treatment”





7a. ABT Data Security Plan

























D ata Security Plan




Understanding Barriers and Facilitators Experienced by HIV Care Providers


Contract#

200-2013-N-15633



Date: 1/10/2014



Prepared for:

Atlas Research/CDC



Submitted by:

Abt Associates Inc.

4550 Montgomery Avenue
Suite 800 North
Bethesda, MD 20814




Data Security Plan

Table of Contents



  1. Data Security Contact Information

Study Team Contacts:

Sean Owen

Director, Information Security

4550 Montgomery Ave #800N,

Bethesda, MD 20814

Phone: 301-347-5734

Sean_Owen@abtassoc.com


Cynthia Klein

Senior Associate

Abt Associates

2200 Century Parkway, Suite 950

Atlanta, GA 30345

Phone: 404-946-6310

Cynthia_Klein@abtassoc.com


Alex Mijares

Senior Analyst

Abt Associates

2200 Century Parkway, Suite 950

Atlanta, GA 30345

Phone: 404-946-6378

Alex_Mijares@abtassoc.com


Jamie Hart

Executive Vice President

Atlas Research 

3240 Prospect Street NW, Suite 100 

Washington, DC 20007 

Phone: 202.717.8716
jhart@atlasresearch.us


Client Contact:

Jim W. Carey

Senior Behavioral Scientist

Prevention Research Branch

Division of HIV/AIDS Prevention

Centers for Disease Control & Prevention

1600 Clifton Road, Mailstop E-37

Atlanta, GA 30333

Phone: 404.639.1903

jfc9@cdc.gov


  1. Study Overview

    1. Overview

Our objective in the development and implementation of this written data security plan is to create effective administrative, technical, and physical safeguards for the protection of data from the CDC Understanding Barriers and Facilitators Experienced by HIV Care Providers project. This plan is for use by the study team (including CDC), Institutional Review Board, and information security team.

The sections that follow in this document outline the type of data we will be safeguarding and our approach to protecting this information 1) commensurate with the level of sensitivity of the data and 2) in accordance with requirements from relevant regulations.

This is a living document that should be updated as needed throughout the study and lifecycle of the data.

    1. Study Information

Exhibit 1. Basic Study Information

Study Title and Nickname

Long: Understanding Barriers and Facilitators Experienced by HIV Care Providers

Short: HIV QUAL

Contract number:

200-2013-N-15633

IRB Number & Status

Pending

Division

Public Health and Epidemiology

Client Organization name

CDC

Funding Agency (if Abt is a sub)

Atlas Research



Exhibit 2. Key Study Dates


Start Date

End Date

Study:

09/2013

10/2014

Data Collection:

~05/2014

~08/2014


Exhibit 3. Study Partner Information

Organization

Point of Contact

Contract Number

Data Agreement #, if any

Atlas Research

Jamie Hart

TO_AA_CDC_200-2013-N-15633_001

None

  1. Description of Study Data and Study Procedures (Narrative)

3.1 Types of Study Data

The study will rely on 5 primary sources of data to inform the barriers and facilitators of HIV Care experienced by providers.

  1. Primary data collection

  1. Provider Demographic Questionnaire – Providers will complete a brief demographic questionnaire so that variables such as a gender/transgender status, sexual orientation, languages spoken, years in practice, and medical affiliations can be captured as part of the interview. Demographic data will not be linked to qualitative interview data, will not be delivered directly to CDC, and will only reported in aggregate summary form.

  2. Provider Interview Guide – Interview data will be collected from HIV care providers to better understand their perceived barriers and facilitators to the provision of care and treatment to HIV patients.



3.2. Security Procedures

Procedures to maintain the confidentiality of data:

For all data sources, Atlas will conduct the site visits in Washington, DC and Baltimore, MD, while Abt will conduct site visits in Atlanta, GA. Data will be collected using encrypted and password-protected laptops, audio-recorders and cameras that will not be connected to a server or the internet. Atlas and Abt staff will transport the data collection equipment back to their office location following the site visit. Data will be transferred via encrypted flash drives.


The following outlines procedures for each data source:

  1. Provider Demographic Questionnaire data (duration of 5-10 minutes) will be administered by Atlas and Abt using hard copy forms (Appendix A). All questionnaire data will be recorded manually onto paper forms by providers during the site visit immediately before the interviews. The hard copy information will be entered by Atlas and Abt staff onto an Excel dataset and converted into SPSS which will be stored on encrypted and password-protected laptops that will not be connected to a server or the internet. Abt and Atlas will consolidate all raw data using an encrypted flash drive, and extract summary information for the final report. At the end of the contract, Abt will deliver the Excel and SPSS datasets to CDC via an encrypted flash drive. Both Atlas and Abt will destroy the hard copy questionnaire forms.

  2. Provider interview data will be collected by Atlas and Abt using the Provider Interview Guide in Appendix A. One hour interviews will be conducted with each provider in a private setting (e.g. provider’s office). All interview data will be recorded by Atlas and Abt using an encrypted digital audio-recorder (not video-tape) with the consent of interview participants. Upon completion of the site visit, a member from the Atlas team (both Atlas Research and Abt) will upload interview recordings on password protected/encrypted non-network laptops . Notes will also be taken using an encrypted laptops in MS Word. Participants will be reminded by the interviewer not to use full names or identifying information during the discussion. Atlas will perform the transcription of all audio-recordings. Any reference to full name or other identifying information that arises unintentionally during the discussion will be redacted from the transcripts by Atlas, and reviewed for quality assurance by Abt staff. All qualitative analyses will be conducted by Atlas and Abt using the redacted interview data on NVivo 10 (stand-alone version). All transcripts and NVivo datasets will be stored on encrypted and password-protected laptops that will not be connected to a server or the internet. At the end of the contract, redacted interview data and coded NVivo dataset will be delivered to CDC via an encrypted flash drive, and Atlas and Abt will destroy the interview recordings.


The following steps will be taken to minimize the risk of breach of confidentiality during recruitment:

  • Roster of Potential Participants. The roster of potential participants will be either faxed or obtained in person and delivered directly to Atlas and Abt offices. The roster will not include a study name. Electronic copies of the roster will be stored on a password and encrypted computer not connected to the server, and hard copies will be kept in a locked filed cabinet and destroyed after the completion of the study.

  • Schedule of Interviews. The schedule of interviews will include: time, date, facility and name of provider. This information will be kept separate from data collected. Electronic copies of interview schedules will be password protected and hard copies of schedules will be immediately destroyed after interviews. Schedules will not be linked to participant ID or facility ID.



    1. Systems and Security

The Atlas Team is committed to conducting research in conformity with basic ethical principles, and federal and other regulatory requirements that govern research involving human subjects, as well as information security regulations.  We protect the confidentiality of data through the following processes:

  • Data security – We utilize password protected and encrypted laptops, digital recorders and cameras for this project that are not connected to the network, internet or cloud. Additionally, we will store in locked and separate facilities at least two back-ups of all study data.



  • Physical security – Access to the data processing areas is controlled, with only authorized personnel allowed in the offices. Locked storage areas are protected by assigned group memberships, passwords and other techniques (e.g., Access Control Lists), which prohibit access by unauthorized users.

  1. Staff Training on Data Security and Monitoring

Prior to data collection, key staff from Atlas Research and Abt Associates will 1) complete study-specific data collection trainings, 2) receive a copy of the data security plan, and 3) complete the following general trainings to promote data security and compliance. Management of trainings is handled within each organization and occurs annually or biannually. A list of some of the trainings completed by Abt Associates and their partner organizations is provided below.

Exhibit 4. Trainings

Team Member

Training

Abt Associates

  • HIPAA Rules of the Road – Practical Information for Ensuring Compliance

  • IRB 101 Training

  • General Security Awareness Training

  • CITI Human Subjects Training

Atlas Research

  • HIPAA Rules of the Road – Practical Information for Ensuring Compliance

  • General Security Awareness Training

  • CITI Human Subjects Training


All project staff will be trained on the project-specific data security plan (which includes the regulations and requirements for handling data for the study).


Monitoring and supervision of the staff who are handling data and/or are interviewing program staff at Abt Associates and Atlas Research will allow for additional opportunities to identify and correct any security or procedural issues. All project staff will be made aware of the project-specific data regulations and best practices associated with handling data for the study. These practices will be incorporated in the study protocol and will be detailed in training plans for interviewers, as well as for support and data analytic staff.


  1. Deliverables

The following are key deliverables associated with tasks relevant to this data security plan. In all reports no PII will be included and all reported data will be aggregated at either the site or multi-site level. Interview data will include programmatic information alone.

Exhibit 5. Deliverables

Data Source

Deliverable

Deliverable Date

None

  • Draft data collection instruments

11/15/13

None

  • Draft Sampling Plan

11/15/13

None

  • Draft data plan

11/22/13

None

  • Draft study protocol

12/3/13

None

  • IRB submission

1/17/14

None

  • OMB submission

1/24/14

All: Questionnaire Data, Interview Data (i.e., redacted interview transcripts)

  • Submit final dataset and supporting documents to CDC

10/3/14

Within two weeks of the end of the task order, we will provide CDC with all data collected as part of this project, to include but not be limited to: Sampling Plan, Data Plan and Study Protocol; IRB/OMB documents; redacted interview transcripts, document review/observation checklist data, results of any literature reviews and any other guidance. If a provider refuses audio-recording, notes will be taken, and redacted for coding. Raw interview notes will not be shared or transitioned to CDC during or at the conclusion of the project.

Qualitative data will be delivered in NVivo 10.0 (stand alone, non-network version) compatible datasets unless otherwise specified by CDC. A data dictionary will be developed and delivered to document data files to include a listing and description of the data files and the variables in each data file, and, for interview or form data, and annotated questionnaires/forms. Each data source collected will be given a unique participant and facility ID:

  • Demographic Data - Demographic questionnaires will have the following form of ID: DQ (demographic questionnaire), first letter of city, facility number (same for all data points) and participant number (different from transcript). For example: DQA01_P1.

  • Provider Data - Provider transcripts will have participant ID and facility ID, and be linked to the variables in exhibit 6, observation tool data and document review data. Provider transcripts will have the following form of ID: IT (interview transcript), first letter of city, facility number (same for all data points) and participant number (different from demographic questionnaire). For example: ITA01_P1011. Any reference to full name or other identifying information that arises unintentionally during the discussion will be redacted from the transcripts by Atlas.


Only the variables outlined in exhibit 6 below will be linked to interview transcripts. All other demographic data will be in a separate dataset and have a different ID.

Exhibit 6. Linked Variables Between Demographic Questionnaire and Interview Transcripts

Variable

Description

Type of Provider

Physician, Nurse Practitioner, Physician Assistant, Registered Clinical Nurse Specialist, Registered Nurse, or Case Manager

Type of Facility

Ryan White or Non-Ryan White

Type of Location of Facility

Urban, Suburban or Rural; City

Amount of time providing care for HIV Patients

Months or Years

Final report to CDC will include:

  1. Summary demographic data – Aggregate demographic data will be reported by city/facility type and type of provider.

  2. Interview data – Data will be reported by themes analyzed. Quotes used in report only include type of provider, city, type of facility location (urban, rural, suburban), type of facility (Ryan White vs. Non-Ryan White) and amount of time providing care for HIV infected patients.


The report will be submitted to CDC as a final deliverable. Summary data may also be analyzed for manuscript publication in academic journals and/or poster and oral presentations at conferences (e.g. American Public Health Association) as feasible.

  1. Physical Record Lifecycle

    Pathway of Physical Records

    Source

    Data Types

    Destination

    Transport

    Storage

    (Destination)

    Destruction

    (Destination)

    Atlas Team Site Visit Data – Provider Demographic Questionnaire

    Provider Demographic Questionnaire (hard copy which will then be recorded electronically into excel spreadsheets)

    Atlas Research/Abt

    Paper

    Encrypted CD/DVD

    Tape

    Encrypted thumb drive

    Encrypted Hard drive


    USPS (Registered)

    UPS

    FedEx

    Licensed/bonded carrier

    Hand-delivery by project member

    Locked file cabinets in Atlas/Abt secured facilities

    At the end of the contract



  2. Electronic Record Lifecycle

    Pathway of Electronic Records

    Source

    Information Types

    Destination

    Transport

    Storage System

    Destruction Date

    Atlas Team Site Visit Data – Provider Demographic Questionnaire

    Demographic questionnaire data (Excel Spreadsheet and SPSS datasets)

    Abt/Atlas

    Abt MoveIT DMZ

    Secure web portal

    Fax

    Encrypted flash drive

    Locked file cabinets in Atlas and Abt secured facilities

    At the end of the contract, Abt will deliver the Excel and SPSS datasets to CDC via an encrypted flash drive. Both Atlas and Abt will destroy the hard copy questionnaire forms..

    Atlas Team Site Visit Data – Interview Data

    Interview recordings (transcripts and NVivo datasets)

    Abt/Atlas

    Abt MoveIT DMZ

    Secure web portal

    Fax

    Encrypted flash drive

    Locked file cabinets in Atlas and Abt secured facilities

    At the end of the contract, redacted interview data and coded NVivo dataset will be delivered to CDC via an encrypted flash drive, and Atlas and Abt will destroy the interview recordings..

  3. Physical Security



Physical Access Chart

Organization

Building Access

Room Access

Media Access

Atlas Research



Key card



Biometric imprint



Other method: _____________




Key card



Biometric imprint



Other method: _____________




Key card



Biometric imprint



Other method: Secure/lock doors; locked file cabinets


Atlas Research



Key card



Biometric imprint



Other method: _____________




Key card



Biometric imprint



Other method: _____________




Key card



Biometric imprint



Other method: Secure/lock doors; locked file cabinets_____________




File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
File TitleAbt Single-Sided Body Template
AuthorDouglas Fuller
File Modified0000-00-00
File Created2021-01-30

© 2024 OMB.report | Privacy Policy