The Department of Health Care Policy (HCP) at Harvard Medical School has been a leader at Harvard University in procedures for ensuring data security. As the University undertook measures to comply with the Harvard Research Data Security Policy (HRDSP), the Harvard Enterprise Information Security Policy (HEISP), and evolving state and federal laws protecting confidential research information, the Department was distinguished as one of the first to design and implement new measures to ensure accountability and research best practice related to data security and compliance. It established the Health Care Policy Compliance Office (HCPCO), whose mission is to minimize Harvard’s risk and protect the research community through the development, oversight and monitoring of a robust data security and compliance program for research information and human subjects research. HCPCO provides support and guidance to all department employees in navigating the complex regulatory environment unique to health policy research and in adhering to compliance codes of conduct, policies and best practices.

The Director of Compliance is responsible for aligning HCP’s research practices with Harvard University policies; developing new departmental policies and internal controls; identifying and developing opportunities for training and outreach; serving as a liaison to the University community; and fostering partnerships with other departments, schools and central offices. The Director is also responsible for incident response, including assessment, escalation, reporting, documentation and remediation, and for providing guidance and support in the implementation and enforcement of ever-evolving federal and state privacy and security regulations.

HCPCO assists researchers in all stages of the acquisition, use and disposition of research data and advises on compliance with data use agreements (DUAs) and IRB protocol submissions, as well as on the creation of security plans for access to electronic files and storage of physical media. HCPCO trains department staff in the use of Harvard administrative systems that serve as systems of record for data use agreements and protections for human subjects. The office also ensures that data acquired, gathered, stored, accessed or shared are documented and cross-referenced with the Institutional Review Board (IRB) to ensure program effectiveness.

In 2016, HCP created the Center for Healthcare Data Analytics (CHDA), an overarching entity of faculty and staff whose work involves data analytics on large private and public datasets. The CHDA created a new secure data enclave for restricted private data, including high-risk confidential and healthcare data from the Centers for Medicare & Medicaid Services (CMS). The Center's data enclave is compliant with the Federal Information Security Management Act (FISMA) regulations implemented in 2002. FISMA is one of the most important regulations setting federal data security standards and guidelines; its purpose is to reduce the security risk to federal information and data while managing federal spending on information security. The Center received FISMA certification and accreditation in 2018.

All HCP servers are certified annually by Harvard University Information Technology (HUIT) for storing Level 4 data (see details on Harvard University Information Security Protocols). As such, all research data housed on HCP servers, regardless of sensitivity level, are treated at a minimum as Level 4 data. The requirements for each data security level are a set of security controls that corresponds to that level. This policy applies to all research data regardless of the storage medium (e.g., disk drive, electronic tape, cartridge, disk, CD, DVD, external drive, paper, etc.) and regardless of form (e.g., text, graphic, video, audio, etc.), whether physically housed at Harvard or stored remotely under the management of Harvard researchers.

In addition, HCPCO provides data security and compliance training to all members of HCP, including training on health information privacy and confidentiality. All new members of HCP are required to meet with a member of HCPCO to complete the data security training as part of their introduction to HCP. Other HCP faculty and staff who work with data directly are required to take an annual refresher on the rules and regulations. In addition, all employees involved in research must complete human subjects training prior to participating in any research project. Training certification records are maintained by HCPCO.

HCPCO publishes and maintains a compliance toolkit, Research Data Privacy & Security Compliance: Policies & Guidance, for use by all researchers who have access to HCP data. The toolkit facilitates informed compliance with data use agreements (DUAs) and establishes departmental best practices for secure data use, consistent with and building upon the Harvard University Information Security Policy and the Harvard Research Data Security Policy (HRDSP). The toolkit includes chapters on the following:

  1. Data Types and Classification
  2. Data Ownership
  3. Data Use Agreements (DUAs)
  4. Protection of Human Subjects
  5. Permissions for Data Use
  6. Data Storage Life Cycle
  7. Data Destruction
  8. Incident Reporting
  9. Computing Environment
  10. Privacy and Security Policies and Training
  11. HCP Personnel Procedures