The Privacy team of the Duke University Compliance Program focuses on information privacy and plays a key infrastructure role in supporting Duke’s commitment to responsible information asset management. Through outreach, unit reviews, incident assessments and collaborations, the Privacy team:
- Promotes good stewardship of information assets
- Identifies privacy concerns and provides management guidance
- Provides best practice guidance for safeguarding information assets
- Supports compliance with federal and state privacy laws, regulations and Duke policies
The Privacy team is responsible for:
- Outreach and training
- Privacy/IT Security Research Reviews of Institutional Review Board-approved data security and management plans
- Privacy/IT Security Reviews of Duke units with sensitive and/or regulated information
- Privacy Incident Assessments and breach investigations, including HIPAA investigations
- Collaborating and consulting with partners institution-wide on privacy-related initiatives
- Providing subject matter expertise
Privacy at Duke
Duke is committed to appropriate oversight and takes safeguarding sensitive and/or regulated information seriously, promoting responsible stewardship of information assets institution-wide.
Privacy Incident Assessments
The Privacy team is responsible for Privacy Incident Assessments and investigates allegations of regulatory violations and impermissible disclosures of regulated information, including Protected Health Information (PHI) as defined and regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to assure timely compliance with federal and state breach investigation and reporting requirements.
Every Privacy Incident Assessment involves the following:
- A thorough investigation of the alleged violation and of the information allegedly disclosed
- An evaluation of the use and adequacy of the privacy and IT security controls implemented for safeguarding the information at issue
- Breach remediation and mitigation assistance
- Cooperation with and recommendations to Human Resources and/or management
- Training and guidance to educate and/or reinforce best practices for safeguarding information assets to ensure compliance with federal and state laws and regulations and Duke policies
Privacy/IT Security Reviews
The Privacy team performs independent Privacy/IT Security Reviews, both selected and requested, to promote good stewardship of Duke’s information assets and to provide privacy and IT security best practice guidance for safeguarding those assets. Any office, program, division, department, school, center, institute or other organization affiliated with Duke that works with sensitive and/or regulated information may be reviewed.
Privacy/IT Security Research Reviews
The Privacy team performs independent Privacy/IT Security Research Reviews of selected security plans for research data associated with protocols approved by Duke Institutional Review Boards (IRB). Reviews may be of protocols from any school, department, division, center, or institute, and may involve any Duke Principal Investigator associated with studies accessing, storing and/or transmitting highly sensitive and/or regulated information. Each Research Review is intended to:
- Compare actual management of research data against the IRB approved plan for consistency
- Ensure that research data is being managed utilizing privacy and IT security best practices (including collection, access, transmission, storage, retention and/or destruction)
- Verify that sensitive and/or regulated information is managed in compliance with any applicable federal and state laws and regulations, as well as Duke policies
- Assess the confidentiality, integrity and availability of study-specific research data
- Serve as a measure of quality assurance to mitigate risks to the study and the institution
IT security and privacy are often mistakenly considered to be interchangeable. Information security and privacy are not the same, and the difference is critical. Privacy assesses what information needs to be protected and security addresses how to protect it. Privacy looks at the characterization of the information and identifies the protections that may be required. Security addresses the controls necessary to electronically protect the information. Duke’s Privacy and IT Security teams work closely together to ensure appropriate safeguarding of Duke’s information assets. Links to information security offices at Duke are: