Supporting HIPAA Compliant Healthcare Research at Georgia Tech
Dec 15, 2022 — Atlanta, GA
Many years ago, Georgia Tech’s Office of the Executive Vice President (EVPR), the Institute for People and Technology (IPaT), and the Georgia Tech Research Institute (GTRI) made a significant investment of people and resources to create a HIPAA compliant, highly secure, data-rich resource named the Protected Health Data Infrastructure (PHDI), which is currently housed in the Coda data center at Tech Square and jointly operated by IPaT and GTRI.
PHDI’s location is apt since Coda serves as the pinnacle of innovation for Midtown Atlanta’s Tech Square and houses some of Georgia Tech’s most cutting-edge research labs, including PHDI’s tightly controlled, highly specialized environment devoted to storing sensitive, complex, healthcare-related data. For example, the PHDI environment is outfitted with secure review rooms and layers of data security coupled with tightly-controlled access restrictions.
One of the many benefits of Georgia Tech’s PHDI and its team is that researchers have access to many types of detailed, sensitive healthcare data, including the Center for Medicaid and Medicare Services (CMS) Medicaid dataset from 2005-2016, with more CMS data (2017-2019) scheduled to be added.
Other health data stored include electronic medical records (EMR) from physicians, including lab results, vital signs, demographics, diagnoses, and medical notes. Data held in Georgia Tech’s PHDI is not restricted to text and includes X-ray, magnetic resonance imaging (MRI), and computed tomography (CAT) scan data. Future collaborations with AI Caring, whose mission is to develop the next generation of personalized collaborative AI systems, will require new data types to be stored in the PHDI environment to further science in artificial intelligence as it relates to healthcare and aging. The amount of data stored in Georgia Tech’s PHDI environment grows each year.
According to Matt Sanders, director of research operations for IPaT and a key faculty member of the PHDI team, “Georgia Tech’s PHDI environment and support team is special for three reasons. First, PHDI is a secure enclave with very specific physical, technical, and administrative safeguards in place. Second, our PHDI (IPaT and GTRI) team members have in-depth experience supporting numerous and varied research projects dealing with sensitive healthcare data, and thirdly, our team serves as consulting experts to help Georgia Tech and industry researchers properly approach working with complex healthcare data that may or may not require the use of the PHDI environment which can help researchers save time and expenses.”
One of the valuable resources on the PHDI team, among many, is Richard Starr. Starr, a research scientist with IPaT, has acquired deep academic and industry expertise associated with health data management and healthcare research during his many years working to advance Georgia Tech healthcare research projects. He noted, “the original use case for this [PHDI] environment was the CMS Medicaid data set that Tech purchased which was focused on southern states and some other large states from 2005-2009. Today, we’re gathering data from across the United States and will eventually have the CMS data updated to 2019. We know how to properly collect data from other healthcare sources like hospital systems, or state health departments, and store it to meet HIPAA requirements. Georgia Tech spends more than $100,000 on healthcare data each year to improve PHDI as a resource for researchers. The startup cost to build PHDI was high because of the complex data and supporting infrastructure, and now we’re well equipped to assist with even more complex healthcare data research.”
OneGT Operating Model
PHDI has a OneGT operating model with support from Georgia Tech’s EVPR, IPaT, Pediatric Technology Center (PTC), GTRI-ICL, GTRC, OIT cybersecurity and network services, GTRI information systems, GTRI research security, and other Georgia Tech unit and lab IT and research professionals. The PHDI team provides healthcare data management, compliance, and domain expertise including: operational relationship and process management with sponsors and data owners; streamlined research pipelines through standard data transfer and ETL processes, databases and tools, training, software development, cohort and project identification/development; and streamlined Institutional Review Board (IRB) applications, data usage agreement(s) and contracting processing with Georgia Tech’s legal, contracting and partnerships work with GTRC, as well as HIPAA security and compliance assistance for project development and implementation.
PHDI is a Secure Enclave
PHDI supports projects, datasets, and users from any Georgia Tech or GTRI unit where PHI/PII compliance is required, including HIPAA, HITECH, CMS, and sponsor-specific requirements for fully identifiable data, limited data sets, and de-identified data. PHDI is a secure enclave with modest compute and storage resources, which can be provisioned to host project-specific storage, applications, and services for analytics, research data collection, and systems integrations.
Researcher access to the environment requires CITI HIPS and IRB training and approval. Projects and/or data as well as all administrative, network, security, and compliance resources are segmented from one another with rigid role-based access, network, storage, and system controls. PHDI follows the HITRUST Common Security Framework as well as United States National Security Agency best practices to achieve HIPAA compliance, and undergoes an annual risk assessment, third-party certification, and security penetration testing.
Protected data does not enter or leave the environment without agreed-upon procedures and approvals (based on contracts, data usage agreements (DUAs), IRB requirements, etc.). Policies are enforced through the separation of roles (researchers, data management, compliance, administration). Data access models include secure review rooms, remote access over 2FA VPN, as well as secure mobile and web services utilizing web application firewalls (WAF). Restrictions and auditing of activities including file upload/download and cut/copy/paste are also provided.
Technical safeguards include multiple layers of differing security protocols protecting data in transit and data at rest with multiple vendor products as well as routine auditing, alerting, and reporting. The PHDI environment also mandates administrative safeguards and undergoes periodic (annually, or when significant change or threat merits) risk assessment and management processes to gauge the security of the environment and develop plans for mitigations of any deficiencies. Contact the PHDI team for more details about physical, technical, and administrative safeguards.
PHDI Healthcare Projects - Past and Present
- The PHDI team is currently supporting GTRI after they were contracted to serve as the system integrator for the Georgia Department of Community Health Medicaid Enterprise System Transformation (MEST) project. This project is focused on modularization and modernization of Georgia’s Medicaid Management Information System (MMIS). Integration costs for the State of Georgia will exceed several hundred million dollars to modernize the system and could take a decade to complete. PHDI serves as the model for several of the policies and procedures for the project. The team is also providing technical consultation and project work.
- During the COVID pandemic, Georgia’s Department of Public Health (GDPH) needed the PHDI team’s help to automate high-volume testing information coming from testing locations across the State into numerous private labs to determine whether a test was positive or negative for COVID. Richard Starr and GDPH dedicated many long days and a tremendous number of hours to helping create this very successful system. It automatically contacted individuals to give them their test results. This was an extraordinary, complex system modification of the existing GDPH system, with Starr helping to modify the existing Oracle backend reporting and communications.
- The PHDI team, School of Computational Science and Engineering, and GTRI - Information and Communications Laboratory (ICL) worked with UCB, a corporation headquartered in Belgium, looking at epilepsy drug data. UCB was seeking to produce a new first line treatment for epilepsy by looking at early success treatments modeled against patient profiles using claims data, EHR data and other data.
- Winship Cancer Center and Northside Hospital employed the PHDI team to assist in converting their data into a more research-friendly format called the Observational Medical Outcomes Partnership (OMOP) Common Data Model.
- The Centers for Disease Control (CDC) engaged the PHDI team to design and build proofs of concept to automate coroner reporting and sexually transmitted infections (STI) lab reporting across the U.S.
- Washington State’s Department of Health was looking for insight into mobility devices by looking at health data. The PHDI team supported this project.
- Oregon Health Science University sought the PHDI team’s assistance with building a training data set for use with machine learning related to cognitive impairment. Machine learning is enhanced when trained using better data. In this case, audio and visual data are part of the training data set being built in the PHDI environment.
- For more than 10 years, the PHDI team has been helping Children’s Healthcare of Atlanta (CHOA) with projects. Currently, the team is collecting data from their bedmaster cardiac intensive care unit (CICU) beds, which stream real-time, smart data and other patient vitals, to gain insight in the CICU. The PHDI team is also helping CHOA collect and examine medical data related to central line infections to gain insights. Another project involved using AI machine learning to look at medically complex patients as defined by CHOA to minimize further complications and improve treatment outcomes.
- Research is ongoing with Nicoleta Serban’s healthcare access and disparities research using CMS data. Serban is the Peterson Professor of Pediatric Research in the H. Milton Stewart School of Industrial and Systems Engineering at Georgia Tech.
- Jon Duke, director of the Center for Health Analytics and Informatics and principal research scientist at GTRI, has engaged the PHDI team to assist his lab with handling a large all-payer claims database research project. All-payer claims databases (APCDs) are large State databases that include medical claims, pharmacy claims, dental claims, and eligibility and provider files collected from private and public payers.
- Internal faculty and staff at Georgia Tech from GTRI, the College of Computing, and Center for Inclusive Design and Innovation in the College of Design have engaged the PHDI team for projects.
Healthcare Data Consulting Expertise
In addition to leading or supporting healthcare data projects, the PHDI team also provides cybersecurity consulting services related to healthcare data. The team is available to both Georgia Tech and health-related industry research projects to help them pursue data-driven solutions in addition to solving a variety of issues. Many examples of the PHDI team’s capabilities are mentioned in the projects above.
According to Sanders, “before the formation of IPaT more than 10 years ago, Georgia Tech had the Health Systems Institute along with disparate teams spread across campus working on diverse and important healthcare data projects. Since IPaT was formed to better integrate Tech’s overall healthcare research community, Georgia Tech has landed large research awards and industry projects because we now have better resources [such as PHDI] and expertise to win and manage very large, very diverse multi-year healthcare projects.”