- Joined
- Oct 11, 2006
- Messages
- 10,436
- Reaction score
- 14,712
Maybe.I have a serious question. If a medical student has stored PHI on a research file that has a password required to enter it and on a laptop that is encrypted (yet not owned by the hospital where the phi came from yet owned by a different medical institution) and has a password, are they in severe trouble? They essentially claim to have no knowledge of the information being in a non secure location on the laptop and that they thought the computer is actually safer than other places given that it is encrypted by a medical institution.
Essentially, could it boil down to the student losing access to medical records? Could it even be bigger than that and result in some lawsuit or legal action against the student?
The student told me they were asked to report an IRB deviation for now.
When doing work with a PHI containing database, the IRB application usually addresses how and where the data will be stored. If it is stored elsewhere, that can be considered a breach of the IRB process. It sounds unlikely there was any exposure of PHI so would not be reportable to local authorities, but still could be a huge problem. This is commonly a problem for medical students -- the IRB insists that the data stay on hospital hardware, and the student moves the data to university hardware. It's a real problem, and the student could get anything from a slap on the wrist to something more serious. I think it's unlikely that they would have all medical record access pulled, but details and intent matter. There won't be a lawsuit or legal action.
For example, if the student were told not to do this and then did it anyway, that would make things worse.
And even in the example you are talking about, how did they get the data from one place to another? Email? Flash drive? Both of those may be highly insecure. And if this data is now on a university laptop, there's some chance that the data is backed up on university servers -- where it absolutely can't be.