Protected Health Data Infrastructure

Protected Health Data Infrastructure (PHDI) is a Secure Enclave

PHDI supports projects, datasets, and users from any Georgia Tech or GTRI unit with PHI/PII compliance needs, including HIPAA, HITECH, CMS, and sponsor-specific requirements for fully identifiable data, limited data sets, and de-identified data. PHDI is a secure enclave with compute and storage resources that can be provisioned to host project-specific storage, applications, and services for analytics, research data collection, and systems integrations.

Researcher access to the environment requires CITI HIPS and IRB training and approval. Projects and/or data, as well as all administrative, network, security, and compliance resources, are segmented from one another with rigid role-based access, network, storage, and system controls. PHDI follows the HITRUST Common Security Framework to achieve HIPAA compliance, and undergoes an annual risk assessment, third-party certification, and security penetration testing.

Protected data does not enter or leave the environment without agreed-upon procedures and approvals (based on contracts, data usage agreements (DUAs), IRB requirements, etc.). Policies are enforced through the separation of roles (researchers, data management, compliance, administration). Data access models include secure review rooms, remote access over 2FA VPN, as well as secure mobile and web services utilizing web application firewalls (WAF). Restrictions on and auditing of activities, including file upload/download and cut/copy/paste, are also provided.

Technical safeguards include multiple layers of differing security protocols protecting data in transit and data at rest with multiple vendor products as well as routine auditing, alerting, and reporting. The PHDI environment also mandates administrative safeguards and undergoes periodic risk assessment and management processes to gauge the security of the environment and develop plans for mitigations of any deficiencies.

 

Protected Health Data Infrastructure (PHDI) - OneGT Operating Model

PHDI has a OneGT operating model with support from Georgia Tech’s EVPR, IPaT, Pediatric Technology Center (PTC), GTRI-ICL, GTRC, OIT cybersecurity and network services, GTRI information systems, GTRI research security, and other Georgia Tech unit and lab IT and research professionals. The PHDI team provides healthcare data management, compliance, and domain expertise including: operational relationship and process management with sponsors and data owners; streamlined research pipelines through standard data transfer and ETL processes, databases and tools, training, software development, cohort and project identification/development; and streamlined Institutional Review Board (IRB) applications, data usage agreement(s) and contracting processing with Georgia Tech’s legal, contracting and partnerships work with GTRC, as well as HIPAA security and compliance assistance for project development and implementation.
 

If you are a Georgia Tech researcher in need of secure data services, or a corporate / industry partner interested in working with Georgia Tech researchers on projects that might require protected data services, please contact: phdi@gatech.edu