1. Storing and discarding paper files and electronic data

Recommended Actions
Store completed data collection forms in a secure, locked cabinet when not in use.
Enter data into a secure, password-protected database, such as HAPID®, as soon as possible.

Destroy these documents immediately after entering the information into the designated database:

  • Program Information Cover Sheet
  • Attendance Log
  • Participant Information Survey (and Post Session Survey for falls prevention programs)
  • Host and Implementation Site Organization Information Form
Keep electronic copies of data for at least three years past the last report date associated with the grant. Once the data is entered into the respective national database, NCOA is responsible for maintaining that data for at least three years.

2. Staff training and non-disclosure agreements

Recommended Actions
Centralize data management and limit the number of users accessing HAPID.
Create accountability for securing your program and participant-level data, and conduct ongoing quality assurance.
Train all staff handling data collection forms or entering program data in privacy and security basics. You do not need to provide additional training for personnel who have already undergone privacy and security training through their agency. Consider using these slides.
Require all staff handling data collection forms or entering program data to complete a Non-Disclosure Agreement (NDA). An NDA is an acknowledgement that participant information should not be shared with others and should be safeguarded appropriately. The grantee lead or the designee for data collection must keep NDAs in locked storage or store electronically scanned copies in a secure, password-protected database for 3 years.

Link- English

Link- Spanish

3. Complying with HIPAA regulations and managing sensitive data

The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" (PHI) or "personally identifiable information" (PII). 

Evidence-based program data may contain sensitive PHI/PII that is protected by the Privacy Act:

  • Personal Health Information (PHI) – physical/mental health condition
  • Personally Identifiable Information (PII) – name, ZIP code
Recommended Actions
Consult your IT department about security protocols.
Use a secure database to store information, like HAPID.
When sharing data with any other partner, follow the guidelines in Section 4 below.
Notify NCOA of staff changes immediately so that database accounts can be deactivated.
Securely discard forms (e.g., by shredding) once the data is entered into a secure database.

4. Sharing participant-level data between vendors, data users, and NCOA

Recommended Actions (with details)
Share data in aggregate form whenever possible. This does not require a data use agreement.
De-identify data if used in non-summarized form. Remove any individual identifiers, including ZIP code, phone numbers, names, birthday/ages, and others. Review this list of 18 recognized identifiers.
Set up a Data Use Agreement:
  • A Data Use Agreement (DUA) is a contractual document used for data transfer developed by nonprofit, government, or private industry, where the data is non-public or is otherwise subject to some restrictions on its use. 
  • If you are working with a research/academic institution, an IRB may cover only some aspects of the data sharing and data security requirements. It is advisable that you set up a DUA even when de-identified data is shared with a research partner so that you spell out expectations about how the analyses, findings, and data files will be shared back with your organization once the research is complete, clarify whether you’ll be given an opportunity to review publications or other reports before they are released, and indicate how your organization will be acknowledged in reports. Learn more about working with research institutions.
Use Tools to Ensure the Safe Transmission of Data:
  • Use email encryption software. Explore options with your IT staff, including cost, complexity, and compatibility with different systems.
  • Use the password protection available for different file types, for example, Microsoft Word’s "Protect Document" and "Encrypt with Password" features.
  • Share files using an SSH File Transfer Protocol (SFTP) server.
  • Require users to create strong passwords (e.g., a minimum of eight characters and a mix of upper- and lower-case letters and numbers) for email and database accounts.
  • Be wary of “social engineering”: disguised attacks, often in the form of emails, in which hackers manipulate users into providing personal information or entice them to click on links that then permit the attackers' entry into your computer system.

NCOA encrypts files shared with external users in several ways:

Tool: Details
MoveIt from Ipswitch: When receiving or sending data files with participant-level data, we use MoveIt from Ipswitch for any file exchange between services, systems and organizations. Users are added as temporary users and can email encrypted files to NCOA and vice versa. MoveIt encrypts files using secure File Transfer Protocols through automation, analytics and failover options. It is a HIPAA-compliant system used widely by other healthcare organizations.
Via OneDrive or SharePoint: The receiver is required to sign in with a Microsoft account to access the file. Office 365 is compliant with several security certifications. This information can be found on the Office 365 Security site.
Via direct encrypted emails to other users: We type the word “encrypt” in the Subject line of the email message. The receivers will be required to sign in using a Microsoft account and password before they can read the email.
BitLocker: NCOA laptops use BitLocker to encrypt their hard drives. Additional encryption software may be required based on contract requirements.

5. What is Salesforce’s data security model?

HAPID is hosted on the Salesforce.com platform. Therefore, it is automatically covered by the security guarantees that Salesforce provides across its entire platform. The additional methods listed below ensure that our legitimate users only see their own organization’s data.

  • Salesforce is fully HIPAA compliant.
  • Non-NCOA users are restricted from accessing data by:
    • Global limits on their user license types;
    • Record sharing policies set by NCOA;
    • Record type restrictions; and
    • Field level security.
  • To provide a security model that satisfies numerous, unique, real-world business cases, Salesforce provides a comprehensive and flexible data security model to secure data at different levels. All these data security models are strictly followed by NCOA.