Difference between revisions of "Template:LIMSpec/Information privacy"

From LIMSWiki
Jump to navigationJump to search
m (Spacing issues)
m (NIST tweaks)
 
(3 intermediate revisions by the same user not shown)
Line 8: Line 8:
   ! style="color:brown; background-color:#ffffee; width:700px;"| Requirement
   ! style="color:brown; background-color:#ffffee; width:700px;"| Requirement
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E 45 CFR Part 164 Subpart E]<br />[https://www.acmg.net/ACMG/Medical-Genetics-Practice-Resources/Genetics_Lab_Standards/ACMG/Medical-Genetics-Practice-Resources/Genetics_Lab_Standards.aspx ACMG Technical Standards for Clinical Genetics Laboratories G17.2]<br />[https://www.astm.org/e1578-18.html ASTM E1578-18 S-5-1]<br />[https://elss.cap.org/elss/ShowProperty?nodePath=/UCMCON/Contribution%20Folders/DctmContent/education/OnlineCourseContent/2017/LAP-TLTM/misc/lam.pdf CAP Laboratory Accreditation Manual]
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E 45 CFR Part 164 Subpart E]<br />[https://www.acmg.net/ACMG/Medical-Genetics-Practice-Resources/Genetics_Lab_Standards/ACMG/Medical-Genetics-Practice-Resources/Genetics_Lab_Standards.aspx ACMG Technical Standards for Clinical Genetics Laboratories G17.2]<br />[https://www.astm.org/e1578-18.html ASTM E1578-18 S-5-1]<br />[https://elss.cap.org/elss/ShowProperty?nodePath=/UCMCON/Contribution%20Folders/DctmContent/education/OnlineCourseContent/2017/LAP-TLTM/misc/lam.pdf CAP Laboratory Accreditation Manual]<br />[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, PT-2 and PT-2(2)]
   | style="background-color:white;" |'''36.1''' The system shall comply with privacy protection compliance like that found in HIPAA provisions.
   | style="background-color:white;" |'''36.1''' The system shall comply with privacy protection compliance like that found in HIPAA provisions.
  |-
  |-
Line 18: Line 18:
[https://www.astm.org/e1578-18.html ASTM E1578-18 S-5-2]<br />
[https://www.astm.org/e1578-18.html ASTM E1578-18 S-5-2]<br />
[https://ichgcp.net/ ICH GCP 2.11]<br />
[https://ichgcp.net/ ICH GCP 2.11]<br />
[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, PT-2 and PT-2(2)]<br />
[https://www.wadsworth.org/regulatory/clep/clinical-labs/laboratory-standards NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards]<br />
[https://www.wadsworth.org/regulatory/clep/clinical-labs/laboratory-standards NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards]<br />
[https://www.wada-ama.org/en/resources/world-anti-doping-program/international-standard-laboratories-isl WADA International Standard for Laboratories (ISL) 5.3.8.3]<br />
[https://www.wada-ama.org/en/resources/world-anti-doping-program/international-standard-laboratories-isl WADA International Standard for Laboratories (ISL) 5.3.8.3]<br />
[https://www.wada-ama.org/en/resources/world-anti-doping-program/international-standard-protection-privacy-and-personal WADA International Standard for the Protection of Privacy and Personal Information (ISPPPI) (throughout)]
[https://www.wada-ama.org/en/resources/world-anti-doping-program/international-standard-protection-privacy-and-personal WADA International Standard for the Protection of Privacy and Personal Information (ISPPPI) (throughout)]
   | style="background-color:white;" |'''36.2''' The system should be provisioned with enough security to prevent personally identifiable information in the system from being compromised.
   | style="background-color:white;" |'''36.2''' The system should be provisioned with enough security to automatically enforce verification mechanisms that prevent personally identifiable information in the system from being compromised.
  |-
  |-
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/164.514 45 CFR Part 164.514]<br />[https://www.acmg.net/ACMG/Medical-Genetics-Practice-Resources/Genetics_Lab_Standards/ACMG/Medical-Genetics-Practice-Resources/Genetics_Lab_Standards.aspx ACMG Technical Standards for Clinical Genetics Laboratories C5.5]<br />[https://elss.cap.org/elss/ShowProperty?nodePath=/UCMCON/Contribution%20Folders/DctmContent/education/OnlineCourseContent/2017/LAP-TLTM/misc/lam.pdf CAP Laboratory Accreditation Manual]<br />
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/164.514 45 CFR Part 164.514]<br />[https://www.acmg.net/ACMG/Medical-Genetics-Practice-Resources/Genetics_Lab_Standards/ACMG/Medical-Genetics-Practice-Resources/Genetics_Lab_Standards.aspx ACMG Technical Standards for Clinical Genetics Laboratories C5.5]<br />[https://elss.cap.org/elss/ShowProperty?nodePath=/UCMCON/Contribution%20Folders/DctmContent/education/OnlineCourseContent/2017/LAP-TLTM/misc/lam.pdf CAP Laboratory Accreditation Manual]<br />[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SI-19]<br />[https://www.wada-ama.org/en/resources/world-anti-doping-program/international-standard-protection-privacy-and-personal WADA International Standard for the Protection of Privacy and Personal Information (ISPPPI) 10.3]
[https://www.wada-ama.org/en/resources/world-anti-doping-program/international-standard-protection-privacy-and-personal WADA International Standard for the Protection of Privacy and Personal Information (ISPPPI) 10.3]
   | style="background-color:white;" |'''36.3''' The system shall allow authorized individuals to de-identify select data in the system, including but not limited to names, geographic locations, dates, government-issued identification numbers, telephone numbers, email addresses, full-face photos, and other personal identifiers.
   | style="background-color:white;" |'''36.3''' The system shall allow authorized individuals to de-identify select data in the system, including but not limited to names, geographic locations, dates, government-issued identification numbers, telephone numbers, email addresses, full-face photos, and other personal identifiers.
  |-
  |-
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E 45 CFR Part 164 Subpart E]<br />[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AC-6]
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E 45 CFR Part 164 Subpart E]<br />[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AC-6]<br />[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SI-19]
   | style="background-color:white;" |'''36.4''' The system shall be able to verify and ensure that users authorized to view de-identified data are also not a member of a role that permits access to information that re-identifies the data, i.e., segregate duties.
   | style="background-color:white;" |'''36.4''' The system shall be able to verify and ensure that users authorized to view de-identified data are also not a member of a role that permits access to information that re-identifies the data, i.e., segregate duties.
  |-
  |-
   | style="padding:5px; width:500px;" |[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SI-19(7)]
   | style="padding:5px; width:500px;" |[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SI-19(7)]
   | style="background-color:white;" |'''36.5''' The system should use validated algorithms to de-identify data in the system and be validated to use those algorithms.
   | style="background-color:white;" |'''36.5''' The system should use validated algorithms to de-identify data in the system and be validated to use those algorithms.
|-
  | style="padding:5px; width:500px;" |[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, PT-4 and PT-4(3)]
  | style="background-color:white;" |'''36.6''' The system should provide tools or mechanisms for recording the consent—and revocation of consent—of individuals who wish to allow—or disallow—their personally identifiable information to be processed, stored, and otherwise managed.
  |-
  |-
|}
|}
|}
|}

Latest revision as of 22:37, 14 March 2023

Regulation, Specification, or Guidance Requirement
45 CFR Part 164 Subpart E
ACMG Technical Standards for Clinical Genetics Laboratories G17.2
ASTM E1578-18 S-5-1
CAP Laboratory Accreditation Manual
NIST 800-53, Rev. 5, PT-2 and PT-2(2)
36.1 The system shall comply with privacy protection compliance like that found in HIPAA provisions.

10 CFR Part 20.2106 (d)
45 CFR Part 164.105
45 CFR Part 164 Subpart C
45 CFR Part 170.315 (d)
ASTM E1578-18 S-5-2
ICH GCP 2.11
NIST 800-53, Rev. 5, PT-2 and PT-2(2)
NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards
WADA International Standard for Laboratories (ISL) 5.3.8.3
WADA International Standard for the Protection of Privacy and Personal Information (ISPPPI) (throughout)

36.2 The system should be provisioned with enough security to automatically enforce verification mechanisms that prevent personally identifiable information in the system from being compromised.
45 CFR Part 164.514
ACMG Technical Standards for Clinical Genetics Laboratories C5.5
CAP Laboratory Accreditation Manual
NIST 800-53, Rev. 5, SI-19
WADA International Standard for the Protection of Privacy and Personal Information (ISPPPI) 10.3
36.3 The system shall allow authorized individuals to de-identify select data in the system, including but not limited to names, geographic locations, dates, government-issued identification numbers, telephone numbers, email addresses, full-face photos, and other personal identifiers.
45 CFR Part 164 Subpart E
NIST 800-53, Rev. 5, AC-6
NIST 800-53, Rev. 5, SI-19
36.4 The system shall be able to verify and ensure that users authorized to view de-identified data are also not a member of a role that permits access to information that re-identifies the data, i.e., segregate duties.
NIST 800-53, Rev. 5, SI-19(7) 36.5 The system should use validated algorithms to de-identify data in the system and be validated to use those algorithms.
NIST 800-53, Rev. 5, PT-4 and PT-4(3) 36.6 The system should provide tools or mechanisms for recording the consent—and revocation of consent—of individuals who wish to allow—or disallow—their personally identifiable information to be processed, stored, and otherwise managed.