local
effectiveness assessment project (LEAP): A case study of a local
jurisdiction providing hiv services to msm
Draft
Data Security Plan
Contract
# 200-2013-57339
February
9th, 2015
Prepared
for:
Monique
Carry, PhD
Prevention
Research Branch
Submitted
by: Atlas
Research 3240
Prospect Street, NW, Suite 100 Washington,
DC 20007
Division of HIV/AIDS Prevention
Centers
for Disease Control & Prevention
1600 Clifton Road,
Mailstop E-37
Atlanta, GA 30333
1. Data Security Contact Information 2
3. Description of Study Data and Study Procedures (Narrative) 4
Study Team Contacts:
Sean Owen
Director, Information Security
4550 Montgomery Ave #800N
Bethesda, MD 20814
Phone: 301-347-5734
Cynthia Klein
Senior Associate
Abt Associates
2200 Century Parkway, Suite 950
Atlanta, GA 30345
Phone: 404-946-6310
Alex Mijares
Senior Analyst
Abt Associates
2200 Century Parkway, Suite 950
Atlanta, GA 30345
Phone: 404-946-6378
Jamie Hart
Executive Vice President
Atlas Research
3240 Prospect Street NW, Suite 100
Washington, DC 20007
Phone:
202.717.8716
[email protected]
Client Contact:
Monique Carry, Ph.D. (Technical Monitor) and James Carrey, Ph.D. (COR)
Operational Research Team, Prevention Research Branch
Division of HIV/AIDS Prevention, NCHHSTP
1600 Clifton Road, Mailstop E-37
Atlanta, GA 30333
Phone: 404.639.1903
2.1 Overview
Our objective in the development and implementation of this written data security plan is to create effective administrative, technical, and physical safeguards for the protection of data from the CDC Local Effectiveness Project (LEAP): A Case Study of Local Jurisdiction Providing HIV Services to MSM. This plan is for use by the study team (including CDC), Institutional Review Board, and information security team.
The sections that follow in this document outline the type of data we will be safeguarding and our approach to protecting this information 1) commensurate with the level of sensitivity of the data and 2) in accordance with requirements from relevant regulations.
Please note that reference to “Atlas” within this document refers to the broader “Atlas Team” which includes both Atlas Research and Abt Associates.
This is a living document that will be updated as needed throughout the study and lifecycle of the data.
Exhibit 1. Basic Study Information |
||
|
Study Title and Nickname |
Long: Local Effectiveness Project (LEAP): A Case Study of Local Jurisdiction Providing HIV Services to MSM Short: CDC LEAP |
|
Contract Number |
200-2013-57339 |
|
IRB Number and Status |
Pending |
|
Division |
Public Health and Epidemiology |
|
Client Organization Name |
CDC |
|
Prime Contractor |
Atlas Research |
Exhibit 2. Key Study Dates |
||
|
Start Date |
End Date |
Study |
09/05/2014 |
3/4//2016 |
Data Collection |
~08/2015 |
~12/2015 |
Exhibit 3. Study Partner Information |
|||
Organization |
Point of Contact |
Contract Number |
Data Agreement #, if any |
Atlas Research |
Jamie Hart |
200-2013-57339 |
None |
3.1 Types of Study Data
The study will rely on 4 primary sources of data to inform the barriers and facilitators of HIV Care experienced by providers.
Primary data collection
Key Participant Interview (KPI) Guides – We will collect data using three interview guides tailored to each level of the Modified Social Ecological Model. The interview guide will include open-ended questions that allow for in-depth inquiry of the factors that issues and accomplishments in HIV prevention for MSM in the selected jurisdiction. The structured response questions will capture demographic characteristics and assist in contextualizing participant’s open-ended responses
Structured response questions – Data will be collected via a brief structured response questionnaire on such items as a gender/transgender status, sexual orientation, languages spoken, years in position, and organizational affiliations. Demographic data will not be linked to qualitative interview data, will not be delivered directly to CDC, and will only reported in aggregate summary form.
Observation Data – Observational data will be collected on: engagement in risk behaviors (e.g. observations dating sites), and prevention activities (e.g. HIV testing/awareness events).
Document Review Tool – Additional data will be recorded through the review of key documents to aid in identifying features and issues of the local jurisdiction that influence policy and prevention programming for MSM.
Procedures to maintain the confidentiality of data:
The Atlas team will collect all data during site visits to Philadelphia, PA. Data will be collected using approved devices and via secured systems.
The following outlines procedures for each data source:
Provider interview data will be collected by the Atlas Team. One hour interviews will be conducted with each participant in a private setting (e.g. participant’s office). All interview data will be recorded by Atlas using secured digital audio-recorder (not video-tape) with the consent of interview participants. Upon completion of the site visit, Atlas staff will securely upload interview recordings. Notes will also be taken using encrypted laptops in MS Word. Participants will be reminded by the interviewer not to use full names or identifying information during the discussion. Atlas will perform the transcription of all audio-recordings. Any reference to full name or other identifying information that arises unintentionally during the discussion will be redacted from the transcripts by Atlas, and reviewed for quality assurance by Abt staff. All qualitative analyses will be conducted by Atlas and Abt using the redacted interview data on NVivo 10 (stand-alone version). All transcripts and NVivo datasets will be stored on encrypted and password-protected laptops that will not be connected to a server or the internet. At the end of the contract, redacted interview data and coded NVivo dataset will be delivered to CDC via secured transfer.
Structured response questions All questionnaire data will be recorded manually onto paper forms by participants during the site visit as part of the interview. The hard copy information will be entered by Atlas into SPSS which will be stored on secured laptops. At the end of the contract, Abt will deliver the SPSS datasets to CDC via secured data transfer. Atlas will destroy the hard copy questionnaire forms.
Observation data. No PII will be collected. Observational data will be collected on: engagement in risk behaviors (i.e. observations of gay dating website), and prevention activities and service delivery (e.g. HIV testing/awareness events)
Dating site observations: The Atlas Team will conduct observations at 3-4 time periods of promotion of local events and risk behaviors on gay dating websites (using a separate computer that does not contain study data).. Adam4adam website will be observed, this will require the study team to register/log in. The page on the website that will be reviewed will be “Parties & Events”. The “AREA filter” will be set for “North America/Pennsylvania/Philadelphia. The terms and conditions for this website does not prohibit researchers observing these website without identifying themselves. Text of event postings will be copied in to a word document. The event planners will be given a unique identifier. Any reference to full name or other identifying information will be redacted from postings by Atlas, and reviewed for quality assurance by Abt staff. All qualitative analyses will be conducted by Atlas and Abt using the redacted observation data on NVivo 10 (stand-alone version) on a computer different from the one used to collect the postings and that is not connected to the network. . All observation data and NVivo datasets will be stored on encrypted and password-protected laptops that will not be connected to a server or the internet. At the end of the contract, redacted observation data and coded NVivo dataset will be delivered to CDC via an encrypted flash drive, and Atlas and Abt will destroy the observation data.
Events with HIV Prevention Activities: The Atlas Team will conduct observations at 2-3 events that include HIV prevention activities. If approached by someone asking about our observation, staff will inform about the purpose of the study based on language in the consents. The event data will be collected on hard copy forms and entered into SPSS, and stored on encrypted and password-protected laptops that will not be connected to a server or the internet. Data will be entered by one staff member and reviewed by another staff member for quality assurance. T he hardcopies will be stored in locked file cabinets in Atlas and Abt secured facilities.
Further, location and types of events and risk behaviors will be given a unique identifier and mapped by neighborhood or zip code for web-posts that provide a location, and for special events. At the end of the contract, Abt will deliver the SPSS file, and maps to CDC via an encrypted flash drive, and Atlas and Abt will destroy the hard copy forms.
Document review data. No PII will be collected of patients, providers or staff. As available, data reviewed may include: local policies, planning documents, Medicaid expansion related policy documents, local jurisdiction surveillance documents, local jurisdiction viral load documents, government agency reports, organizational reports and web-site or social media content from local NGOs and private providers, epidemiological research in local jurisdiction, and others. This is a document review therefore interviews will not be conducted to collect this data. However, organization staff can be consulted for specific clarifying questions as necessary. The data will be collected on hard copy forms and entered into to SPSS, and stored on secured laptops. The hardcopies will be stored in locked file cabinets in Atlas secured facilities. At the end of the contract, the team will deliver the SPSS datasets to CDC via secured data transfer, and Atlas Abt will destroy the hard copy forms.
The following steps will be taken to minimize the risk of breach of confidentiality during recruitment:
The Atlas Team is committed to conducting research in conformity with basic ethical principles, and federal and other regulatory requirements that govern research involving human subjects, as well as information security regulations. We protect the confidentiality of data through the following processes:
Data security – We utilize password protected and encrypted laptops, digital recorders and cameras for this project that are not connected to the network, internet or cloud. Additionally, we will store in locked and separate facilities at least two back-ups of all study data.
Physical security – Access to the data processing areas is controlled, with only authorized personnel allowed in the offices. Locked storage areas are protected by assigned group memberships, passwords and other techniques (e.g., Access Control Lists), which prohibit access by unauthorized users.
Prior to data collection, key staff from Atlas Research and Abt Associates will 1) complete study-specific data collection trainings, 2) receive a copy of the data security plan, and 3) complete the following general trainings to promote data security and compliance. Management of trainings is handled within each organization and occurs annually or biannually. A list of some of the trainings completed by Abt Associates and their partner organizations is provided in Exhibit 4.
Exhibit 4. Annual or Bi-annual Trainings |
|
Team Member |
Topic |
Abt Associates |
|
Atlas Research |
|
All project staff will be trained on the project-specific data security plan (which includes the regulations and requirements for handling data for the study).
Monitoring and supervision of the staff who are handling data and/or are interviewing program staff at Abt Associates and Atlas Research will allow for additional opportunities to identify and correct any security or procedural issues. All project staff will be made aware of the project-specific data regulations and best practices associated with handling data for the study. These practices will be incorporated in the study protocol and will be detailed in training plans for interviewers, as well as for support and data analytic staff.
The following are key deliverables associated with tasks relevant to this data security plan. In all reports no PII will be included and all reported data will be aggregated at either the site or multi-site level. Interview data will include programmatic information alone.
Exhibit 5. Deliverables |
||
Data Source |
Deliverable |
Deliverable Date |
None |
Draft data collection instruments |
11/7/14 |
None |
Draft sampling plan |
11/07/14 |
None |
Draft data plan |
11/07/14 |
None |
Draft study protocol |
11/21/14 |
None |
IRB submission |
12/18/14 |
None |
OMB submission |
1/24/15 |
All: Structured response questions, KPIs (i.e., redacted interview transcripts), Observation Data, and Document Review Data. |
Submit final dataset and supporting documents to CDC |
2/19/16 |
Within two weeks of the end of the task order, we will provide CDC with all data collected as part of this project, to include but not be limited to: Sampling Plan, Data Plan and Study Protocol; IRB/OMB documents; redacted interview transcripts, document review/observation checklist data, results of any literature reviews and any other guidance. If a participant refuses audio-recording, notes will be taken, and redacted for coding. Raw interview notes will not be shared or transitioned to CDC during or at the conclusion of the project.
Quantitative data will be delivered as datasets that are compatible with SPSS. Qualitative data will be delivered in NVivo 10.0 (stand alone, non-network version) compatible datasets unless otherwise specified by CDC. A data dictionary will be developed and delivered to document data files to include a listing and description of the data files and the variables in each data file, and, for interview or form data, and annotated questionnaires/forms. Each data source collected will be given a unique participant and facility ID:
Observations tools will be given a unique identifier. Completed observation tools will have establishment/organization/event ID and if applicable will be linked to transcripts, and document review data. They will have the following form of ID: OT (observation tool), first letter of city, and # of organization (same for all data points). For example: OTP01.
Exhibit 6. Linked variables between structured response questions and interview transcripts |
|
Variable |
Description |
Type of Key Participant |
|
Type of Organization |
Government, NGO, private |
Final report to CDC will include:
Summary demographic data – Aggregate demographic data will be reported by city/facility type and type of provider.
Interview data – Data will be reported by themes analyzed. Quotes used in report only include type of provider, city, type of facility location (urban, rural, suburban), type of facility (Ryan White vs. Non-Ryan White) and amount of time providing care for HIV infected patients.
Observation data – Data will be reported by themes analyzed and descriptive quantitative summaries. Facility data will be linked to provider transcripts and document review data via facility identifier. Observation results will be reported by type of facility, city, and type of facility location.
Document review data – Data will be reported by themes analyzed and descripted quantitative summaries. Facility data will be linked to provider transcripts and observation data via facility identifier. Document review data will be reported by type of facility, city and type of facility location.
The report will be submitted to CDC as a final deliverable. Summary data may also be analyzed for manuscript publication in academic journals and/or poster and oral presentations at conferences (e.g. American Public Health Association) as feasible.
Physical Record Lifecycle
Pathway of Physical Records |
||||||
Source |
Data Types |
Destination |
Transport |
Storage (Destination) |
Destruction (Destination) |
|
Atlas Team Site Visit Data – Structured Response Questions |
Structured Response Data (hard copy which will then be recorded electronically into SPSS) |
Atlas Research/Abt |
Paper Encrypted CD/DVD Tape Encrypted thumb drive
|
USPS (Registered) UPS FedEx Licensed/bonded carrier Hand-delivery by project member |
Locked file cabinets in Atlas/Abt secured facilities |
At the end of the contract
|
Atlas Team Site Visit Data – Observation Tool |
Observation tool data (hard copy which will then be recorded electronically into SPSS) |
Atlas Research/Abt |
Paper Encrypted CD/DVD Tape Encrypted thumb drive Encrypted Hard drive
|
USPS (Registered) UPS FedEx Licensed/bonded carrier Hand-delivery by project member |
Locked file cabinets in Atlas/Abt secured facilities |
At the end of the contract
|
Atlas Team Site Visit Data – Document Review Tool |
Document Review Tool data (hard copy which will then be recorded electronically into SPSSs) |
Atlas Research/Abt |
Paper Encrypted CD/DVD Tape Encrypted thumb drive Encrypted Hard drive |
USPS (Registered) UPS FedEx Licensed/bonded carrier Hand-delivery by project member |
Locked file cabinets in Atlas/Abt secured facilities |
At the end of the contract
|
Atlas Team Site Visit Data – Roster of Potential Participants |
Roster of potential participants (hard copy either faxed or picked up in person or delivered to Atlas or Abt offices) |
Atlas Research/Abt |
Paper Encrypted CD/DVD Tape Encrypted thumb drive Encrypted Hard drive |
USPS (Registered) UPS FedEx Licensed/bonded carrier Hand-delivery by project member |
Locked file cabinets in Atlas/Abt secured facilities |
At the end of the contract
|
Atlas Team Site Visit Data – Schedule of Interviews |
Schedule of potential participants |
Atlas Research/Abt |
Paper Encrypted CD/DVD Tape Encrypted thumb drive Encrypted Hard drive |
USPS (Registered) UPS FedEx Licensed/bonded carrier Hand-delivery by project member |
Locked file cabinets in Atlas/Abt secured facilities |
At the end of the contract
|
Atlas Team Observation Data – Roster of Dating Website Event Planner |
Roster of dating website event planner |
Atlas Research/Abt |
Paper Encrypted CD/DVD Tape Encrypted thumb drive Encrypted Hard drive |
USPS (Registered) UPS FedEx Licensed/bonded carrier Hand-delivery by project member |
Locked file cabinets in Atlas/Abt secured facilities |
At the end of the contract
|
Electronic Record Lifecycle
Pathway of Electronic Records |
|||||
Source |
Information Types |
Destination |
Transport |
Storage System |
Destruction Date |
Atlas Team Site Visit Data – Structured Response Questions |
Structured Response data (SPSS dataset) |
Abt/Atlas |
Abt MoveIT DMZ Secure web portal Fax Encrypted flash drive |
Locked file cabinets in Atlas and Abt secured facilities |
At the end of the contract, Abt will deliver the SPSS datasets to CDC via an encrypted flash drive. Both Atlas and Abt will destroy the hard copy questionnaire forms. |
Atlas Team Site Visit Data – Interview Data |
Interview recordings (transcripts and NVivo datasets) |
Abt/Atlas |
Abt MoveIT DMZ Secure web portal Fax Encrypted flash drive |
Locked file cabinets in Atlas and Abt secured facilities |
At the end of the contract, redacted interview data and coded NVivo dataset will be delivered to CDC via an encrypted flash drive, and Atlas and Abt will destroy the interview recordings. |
Atlas Team Site Visit Data – Observation Data |
Observation Data (SPSS and NVivo dataset) |
Abt/Atlas |
Abt MoveIT DMZ Secure web portal Fax Encrypted flash drive |
Locked file cabinets in Atlas and Abt secured facilities |
At the end of the contract, Abt will deliver the SPSS files to CDC via an encrypted flash drive, and Atlas and Abt will destroy the hard copy forms. |
Atlas Team Site Visit Data – Document Review Data |
Facility Document Review Data (SPSS dataset) |
Abt/Atlas |
Abt MoveIT DMZ Secure web portal Fax Encrypted flash drive |
Locked file cabinets in Atlas and Abt secured facilities |
At the end of the contract, Abt will deliver the SPSS datasets to CDC via an encrypted flash drive, and Atlas and Abt will destroy the hard copy forms. |
Atlas Team Site Visit Data – Schedule of Interviews |
Schedule of potential participants (Word or Excel file) |
Atlas Research/Abt |
Abt MoveIT DMZ Secure web portal Fax Encrypted flash drive |
Locked file cabinets in Atlas and Abt secured facilities |
At the end of the contract, Atlas and Abt will destroy the hard copy forms and delete electronic versions. |
Atlas Team Observation Data – Roster of Dating Website Event Planner |
Roster of dating website event planner |
Atlas Research/Abt |
Abt MoveIT DMZ Secure web portal Fax Encrypted flash drive |
Locked file cabinets in Atlas and Abt secured facilities |
At the end of the contract, Atlas and Abt will destroy the hard copy forms and delete electronic versions. |
Physical Security
Physical Access Chart |
|||
Organization |
Building Access |
Room Access |
Media Access |
Atlas Research |
Key card
Biometric imprint
Other method: _____________
|
Key card
Biometric imprint
Other method: _____________
|
Key card
Biometric imprint
Other method: Secure/lock doors; locked file cabinets
|
Atlas Research |
Key card
Biometric imprint
Other method: _____________
|
Key card
Biometric imprint
Other method: _____________
|
Key card
Biometric imprint
Other method: Secure/lock doors; locked file cabinets_____________
|
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | Alex Mijares |
File Modified | 0000-00-00 |
File Created | 2021-01-30 |