Wednesday, November 28, 2007

Reminder: Credit Card Numbers Are Account Numbers (and thus not permitted in non-business systems).

A quick reminder that credit card numbers are protected PII at LBNL. This means that credit card numbers, and devices which collect them, are only permitted in the web-facing Institutional Business Systems. You may not attach a credit card terminal to any LBNL network, nor collect credit card numbers on LBNL workstations or servers (except those managed as part of the Business Systems). More info: http://www.lbl.gov/CIO/Privacy/

Sunday, November 18, 2007

Impact of HIPAA on US Medical / Public Health Research

Interesting article in Science this week reporting on a study in JAMA on the impact of the HIPAA Privacy Rule on epidemiological researchers:

About 68% said the Privacy Rule has made research a great deal more difficult; half reported major delays; and nearly 40% faced much higher costs (see table). Only one-quarter said the rule has greatly improved confidentiality. Of those who modified a protocol to comply with HIPAA, two-thirds said it was much harder to recruit subjects.

The article goes on to talk about how the impacts come not just from the actual rule, but from uncertainty about how to apply the rule and, of course, cautiousness (risk-aversion).

For those who follow the micro-level of cyber security policy, this is not surprising but is always worth paying attention to. The impact of cyber security policy is not just felt in the rule itself, but in uncertainty regarding how far to take it and the over-cautiousness some rules and organizational relationships seem to impart.

Obviously, we want end users and developers to be aware of the risks they face, but in a research environment, this kind of uncertainty can have a direct impact on innovation and effective research.



Friday, November 9, 2007

RPM 5.02 Updated

We have updated RPM 5.02 on scientific and technical publications, mostly for readability and clarification. As you may or may not know, the policy on division review (that is, review of published work within divisions) was modified after almost a year of discussion. The final version was approved by the SLC. That modification clarified the expectations for internal review of published work as follows:

E. REVIEW OF SCIENTIFIC AND TECHNICAL PUBLICATIONS

LBNL values the role of peer review in ensuring the integrity of scientific research. Researchers are expected to seek ongoing internal review of their work before publication. It is expected that employees will adhere to the highest ethical standards in their publishing, including those detailed in the University’s Statement of Ethical Values, especially as regards to the integrity and originality of work, and the recognition of the contributions of colleagues. Researchers must ensure that any information of a nonpublishable nature (such as that protected by human subjects protocol or a nondisclosure agreement) is excluded from publication. Per Section 5.03 of the RPM, researchers must identify potentially patentable discoveries to the Technology Transfer and Intellectual Property Management prior to any form of publication.

All publications must be reviewed within a division before receiving an LBNL/PUB or LBID number. Each division will ensure that (1) a reasonable scientific process has been followed, (2) papers include proper crediting of affiliations and acknowledgments as required by DOE, and (3) any other requirements indicated by their Division Director have been met. Divisional procedures must ensure that the review is fair and unbiased, and that freedom of scientific inquiry is not unfairly constrained.

Basically, this policy statement set the minimum expectation for internal division review: a brief review for scientific process, ensuring citations and credit line are correct, and any other expectations set by the Division Director. It's important to understand that the role previously played by RCO, which attempted to provide assurance of some of these things, will now entirely be the responsibility of the divisions.

There are some potential pitfalls to avoid with regard to the internal division procedures. Specifically, it's important to avoid any potential discriminatory biases in the review, as well as to avoid the appearance of any kind of review for certain kinds of content. This is further explained here.

Further guidance is also forthcoming on the RCO Website.