HIPAA #160

Closed
bendichter opened this issue May 11, 2018 · 0 comments
bendichter commented May 11, 2018

Let's talk about HIPAA. HIPAA is a pretty strict and very serious set of rules for sharing human data designed to protect the identity of medical patients. It's not within the scope of NWB to enforce HIPAA rules, and users should not be under the impression that any NWB file is automatically HIPAA compliant. That said, there are several human-subject labs that are interested in using NWB, and it is important to structure NWB to be HIPAA-able, i.e. there are no constraints that would make it impossible to be both NWB and HIPAA-compliant and a knowledgeable and careful user could achieve both. I'd like to use this thread as a place to bring up HIPAA-related concerns. Here are some that have already come up:

  1. Inform users. As soon as we start to talk about HIPAA, we need a very clear warning to users that it is their responsibility to follow the HIPAA rules. All we do is provide tools, not ensure HIPAA compliance. Many of the meta-data we support are in fact not compliant with HIPAA and we can help users a bit but ultimately it is up to them to refer to the rules and obey them. What is the best way to get this message across?

  2. Dates and age (see (optionally?) change subject.age to subject.dob (date of birth) #145):

     > All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older

So session_start_time can have year, hour, minute, second, but not day or month. The standard way of removing that information is with an 'x' or a '-' e.g. 2008-x-xT15:53:00+05:00. Then perhaps all other dates (date_of_birth, surgery_date, etc.) could optionally be added in pynwb as datetime.timedelta objects which would be relative to the true (i.e. unmasked) session start time. Or maybe it would be better to have the root time be surgery_date, so it doesn't keep changing. It looks like the standard way to represent durations as strings is e.g. 'P2Y5M6DT5H' and this post is a good start at converting datetime.timedelta to the standard. Age is a tricky one because it is considered protected information if it is >85. Could we add str as an accepted type for this? How do we create these tools so that they are easy to discover and use, but do not give a false sense of confidence to users about HIPAA compliance (see 1)?
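The date handling proposed in item 2, as an added example that is not part of the original post and not pynwb code: it masks month and day in the session start, expresses related dates as ISO 8601 durations relative to the unmasked start, and aggregates ages over 89. All function names are hypothetical, the sample dates are constructed, and the `90+` label and the leading `-` for negative durations are assumptions of this sketch.

```python
from datetime import datetime, timedelta, timezone

def mask_month_day(dt):
    """Keep year, time of day and UTC offset; replace month and day with 'x'."""
    time_part = dt.isoformat(timespec="seconds").split("T", 1)[1]
    return f"{dt.year:04d}-x-xT{time_part}"

def to_iso_duration(td):
    """Format a timedelta as an ISO 8601 duration in days/hours/minutes/seconds.

    timedelta has no year or month fields, so only D/H/M/S designators are
    used. Microseconds are dropped. Negative values get a leading '-'
    (assumption: the consumer accepts signed durations).
    """
    sign = "-" if td < timedelta(0) else ""
    td = abs(td)
    hours, rem = divmod(td.seconds, 3600)
    minutes, seconds = divmod(rem, 60)
    parts = ((hours, "H"), (minutes, "M"), (seconds, "S"))
    time_part = "".join(f"{value}{unit}" for value, unit in parts if value)
    return f"{sign}P{td.days}D" + (f"T{time_part}" if time_part else "")

def age_category(age_years):
    """Ages over 89 collapse into one category; younger ages stay as durations."""
    return "90+" if age_years > 89 else f"P{age_years}Y"

def deidentify_dates(session_start, related):
    """Return the masked start plus each related date as an offset from it.

    The unmasked session_start must stay outside the shared file, otherwise
    the offsets can be turned back into full dates. An offset to a date of
    birth also implies the subject's age, so it would have to be left out
    for subjects over 89.
    """
    result = {"session_start_time": mask_month_day(session_start)}
    for name, when in related.items():
        result[name] = to_iso_duration(when - session_start)
    return result

# Constructed sample values (only the masked form appears in the post).
TZ = timezone(timedelta(hours=5))
SESSION_START = datetime(2008, 9, 15, 15, 53, 0, tzinfo=TZ)
RELATED = {"surgery_date": datetime(2008, 9, 12, 10, 53, 0, tzinfo=TZ)}

if __name__ == "__main__":
    print(deidentify_dates(SESSION_START, RELATED))
    print(age_category(34), age_category(93))
```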

@oruebel oruebel added this to the NWB 2.x milestone May 18, 2018
@rly rly modified the milestones: NWB 2.x, Future Nov 15, 2019
@rly rly closed this as completed Nov 15, 2019