New Uses for ROCKET: HIPAA Compliant Workspaces and Other Developments

Tara HelmerResearch Services ConsultantJuly 12, 2013

What is ROCKET(Research, Organization, and Collaboration Knowledge Exchange Toolkit) ?

ROCKET is a web-based tool for sharing information and documents, allowing members of a workspace to collaborate by building and sharing web pages. ROCKET workspaces are meant to be dynamic and user-friendly, allowing for two-way sharing of information between members. ROCKET is also self-serving in that the members can edit and maintain the workspace per the needs of the group.

Starting with a blank slate, members can add and organize • files and images• headers, text, dividers, and lists (bulleted, numbered, and checklists)• tables• as well as additional pages

Who can access ROCKET?

Anyone!

• Any member of the Vanderbilt and Meharry communities (with a valid VUNet ID and password) can access ROCKET and create a workspace on StarBRITE.

• External users can access a workspace if they are added as a member by a Vanderbilt or Meharry workspace owner/admin. External users cannot create their own workspaces.

Access to Workspaces

• Anyone can access ROCKET and Anyone with a VUNet ID can create new Workspaces

• Access to Workspaces is managed in Workspace Membership• Admins/Creators of a space can add new members and give them specific

rights. The different user rights include:• Admin – Manage users on the workspace; has all user privileges(Create/Read/Write/Delete/Sort),

Can Lock pages, Can create Short URLs, Delete a Workspace for all users o Creators of a Workspace are an Admin by default o Only other Admins can remove an Admin’s user rights

• Create - Add/create pages• Read (default) –Read-only view• Write – Create content on the pages; Can Clone workspaces to new workspaces, send Notifications

to Workspace Members• Delete - Delete pages within the workspace• Sort - Sort pages in your workspace Table of Contents

Features on your Dashboard

New PHI Safe Workspaces

Manage Workspaces

Your Dashboard provides a place to Create New, Search Workspaces, Organize Workspace, and receive Notifications.

Note, notifications are messages sent from Workspaces. To guarantee you also receive these via email, check the “Send emails” option over your Notifications.

Receive and Manage notices from your Workspaces

Use Case of ROCKET Workspaces – The VICTR Studio Program

Public (green) & Private (blue) Workspaces

Workspace Tools

HIPAA Compliant Workspaces

ROCKET is built so that creating, accessing, and sharing content can occur easily and efficiently.

New HIPAA Workspaces now allow for users to apply this in sharing content in a way that PHI content is protected.

The HIPAA Security Rule requires that workforce members adhere to controls and safeguards to ensure 1. Integrity of information – the medical record must be accurate2. Confidentiality – The medical record should only be seen by those with a

need to know and all uses of that data should be knowable by the individual.

3. Availability – The medical record must be available, in essence, no reasonably avoidable downtime

For additional information on VUMC information security policies and practices, visit the Info Security Page.

What does HIPAA cover? HIPAA covers the Privacy, Security and Enforcement rules of PHI. The Privacy and Security rules contain information on how one must treat PHI (whether it’s electronic or not). The enforcement rules specify what happens if you don’t (the penalties).

• Physical safeguards include limited facility access and control, with authorized access in place. All covered entities, or companies that must be HIPAA compliant, must have policies about use and access to workstations and electronic media. This includes transferring, removing, disposing and re-using electronic media and electronic protected health information (ePHI).

• Technical safeguards require access control to allow only the authorized to access electronic protected health data. Access control includes using unique user IDs, an emergency access procedure, automatic log off and encryption and decryption.

• Audit reports, or tracking logs, must be implemented to keep records of activity on hardware and software. This is especially useful to pinpoint the source or cause of any security violations.

• Technical policies should also cover integrity controls, or measures put in place to confirm that ePHI hasn’t been altered or destroyed. IT disaster recovery and offsite backup are key to ensure that any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and intact.

• Network, or transmission, security is the last technical safeguard required of HIPAA compliant hosts to protect against unauthorized public access of ePHI. This concerns all methods of transmitting data, whether it be email, Internet, or even over a private network, such as a private cloud.

What are requirements needed to be HIPAA compliant?

What are specific protections offered through ROCKET?

• Only invited users can access PHI Protected Workspaces, and thus download or access an information on the site.

• Numerous warning at various points in the space to remind users of their obligation to protect patient data

• ROCKET application only allows unique user IDs and includes measures for an emergency access procedure, automatic log off and encryption and decryption.

• Tracking logs exist in the application to best monitor behavior in the workspaces

• ROCKET team is easily able to recover any information placed on the Workspaces

• Additional measures within ROCKET prevent users from shared data on ROCKET to unauthorized users. Usual features such as exporting pages to email and making pages public have been deactivated

Why might one what to use ROCKET to help protect patient information?

• Project teams are not physically located in the same place.• Needing a single location to access information related to work as well as

reviewed MRNs or Patient data relevant to the study/project• Needing members to have immediate and returned access to the data, but also

the need to expire access after a particular point(ROCKET allows admins to give access up to a specified expiration date if need be)

• Minimizing number of steps to access and the dispose of current available data for the work.

Getting Started: Creating a HIPAA Compliant Workspace

New PHI Safe Workspaces

Note, only Workspace Admins can make a workspace PHI Safe. Select “Settings” in the tool icon pop up.

Selecting PHI Protection

By selecting the checkbox for PHI Protection, your workspace will be HIPAA compliant. Please note, this action can not be undone. Once you have selected the Workspace to be PHI protected, all pages in the workspace will be made private. You are given the option to move all public pages in the workspace to a new non-PHI space if you would like.

Final Verification before activating the PHI status

HIPAA Compliant Workspaces

Features not Available in HIPAA Compliant Workspaces:• Copying Pages into Non-PHI

protected workspaces• Exporting content to email• Public Pages

Other Uses for HIPAA Compliant Workspaces

• Sharing Study Data across Multiple Institutions• Multiple department collaborations• PHI protected workspaces may be useful for teams for reason other

than sharing PHI data.• …

Other Uses for ROCKET

• Fostering Multi-Institution Projects• Grant Submission Collaboration• Manuscript Development• Committee Operations Planning• Course Development and Communication• Program/Project Management• ….

Example of a Workspace to Share information about Tools

Other ways to using Pictures in ROCKET

One example of putting more than one image in block, is by placing more than one image in a file block you can illustrate instructions using screenshots.

Using ROCKET to Define Standards

Sticky Notes and How They Add in Editing Information

Manuscript Development

• Collect all the information in a quick and easy display for all Authors

• Can use creative ways to move/structure your pages to organize what content to consider

What’s next?

• REDCap on ROCKET • Templates• …

ROCKET has evolved greatly in the past six months and this is largely due to suggestions and needs from its users. Please let us know using the Provide Feedback link what YOU would like in ROCKET so that ROCKET can continue to evolve.

Further Questions about ROCKET?

• In your ROCKET workspaces, there is a “Provide Feedback” and “Report a Bug” which will allow you to immediate let someone on the team know of any issues, questions, or suggestions you might have for the resource

• Or feel free to contact me at Jacqueline.Kirby@Vanderbilt.edu