|
Regulation, Specification, or Guidance
|
Requirement
|
▪ 45 CFR Part 164 Subpart E
▪ ACMG Technical Standards for Clinical Genetics Laboratories G17.2
▪ ASTM E1578-18 S-5-1
▪ CAP Laboratory Accreditation Manual
▪ NIST 800-53, Rev. 5, PT-2 and PT-2(2)
|
27.1 The system shall comply with privacy protection requirements like those found in HIPAA provisions (e.g., when handling medical marijuana user data).
|
▪ 10 CFR Part 20.2106 (d)
▪ 45 CFR Part 164.105
▪ 45 CFR Part 164 Subpart C
▪ 45 CFR Part 170.315 (d)
▪ ASTM E1578-18 S-5-2
▪ ICH GCP 2.11
▪ NIST 800-53, Rev. 5, PT-2 and PT-2(2)
▪ NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards
▪ WADA International Standard for Laboratories (ISL) 5.3.8.3
▪ WADA International Standard for the Protection of Privacy and Personal Information (ISPPPI) (throughout)
|
27.2 The system should be provisioned with enough security to prevent personally identifiable information in the system from being compromised.
|
▪ 45 CFR Part 164.514
▪ ACMG Technical Standards for Clinical Genetics Laboratories C5.5
▪ CAP Laboratory Accreditation Manual
▪ NIST 800-53, Rev. 5, SI-19
▪ WADA International Standard for the Protection of Privacy and Personal Information (ISPPPI) 10.3
|
27.3 The system shall allow authorized individuals to de-identify select data in the system, including but not limited to names, geographic locations, dates, government-issued identification numbers, telephone numbers, email addresses, full-face photos, and other personal identifiers.
|
▪ 45 CFR Part 164 Subpart E
▪ NIST 800-53, Rev. 5, AC-6
▪ NIST 800-53, Rev. 5, SI-19
|
27.4 The system shall be able to verify and ensure that users authorized to view de-identified data are not also members of a role that permits access to information that re-identifies the data, i.e., that duties are segregated.
|
NIST 800-53, Rev. 5, SI-19(7)
|
36.5 The system should use validated algorithms to de-identify data in the system and be validated to use those algorithms.
|
NIST 800-53, Rev. 5, PT-4 and PT-4(3)
|
36.6 The system should provide tools or mechanisms for recording the consent—and revocation of consent—of individuals who wish to allow—or disallow—their personally identifiable information to be processed, stored, and otherwise managed.
|
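One way to implement the segregation-of-duties check in requirement 27.4, as an added example that is not part of the original specification. The role names, users and role-inheritance map are constructed for illustration; inherited roles are expanded so that an indirect conflict is caught as well as a direct one.

```python
# Added example: separation-of-duties check between de-identified viewing
# and re-identification access. All names below are constructed/hypothetical.

# Roles that grant each kind of access.
DEID_VIEW_ROLES = {"deid_data_viewer"}
REID_ROLES = {"reid_key_custodian", "phi_record_reader"}

# Role -> roles it inherits permissions from (constructed).
ROLE_PARENTS = {
    "research_analyst": {"deid_data_viewer"},
    "lab_director": {"phi_record_reader", "research_analyst"},
    "privacy_officer": {"reid_key_custodian"},
}

# Direct user -> role assignments (constructed).
ASSIGNMENTS = {
    "alice": {"research_analyst"},
    "bob": {"privacy_officer"},
    "carol": {"lab_director"},
    "dave": {"research_analyst", "privacy_officer"},
}

def effective_roles(direct, parents=ROLE_PARENTS):
    """Expand direct roles through inheritance; tolerates cycles."""
    seen, stack = set(), list(direct)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(parents.get(role, ()))
    return seen

def sod_violations(assignments=ASSIGNMENTS):
    """Return {user: (de-id roles held, re-id roles held)} for each conflict."""
    out = {}
    for user, direct in assignments.items():
        eff = effective_roles(direct)
        deid, reid = eff & DEID_VIEW_ROLES, eff & REID_ROLES
        if deid and reid:
            out[user] = (sorted(deid), sorted(reid))
    return out

def may_grant(user, new_role, assignments=ASSIGNMENTS):
    """Preventive check: would granting new_role leave the user conflict-free?"""
    trial = dict(assignments)
    trial[user] = set(assignments.get(user, ())) | {new_role}
    return user not in sod_violations(trial)
```

`sod_violations` serves the "verify" half of the requirement as a periodic audit, and `may_grant` serves the "ensure" half when called before a role assignment is committed.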