Anesth Analg 2005;101:1888
© 2005 International Anesthesia Research Society
LETTER TO THE EDITOR
Web-Based Data Collection: Security Is Only as Good as the Weakest Link
Alexander Avidan, MD,
Charles Weissman, MD, and
Charles L. Sprung, MD
Department of Anesthesiology and Critical Care Medicine, Hadassah-Hebrew University Medical Center, Jerusalem, Israel, alex{at}avidan.co.il
In Response:
We agree with Dr. van Oostrom that it is ideal to have research data, or any confidential patient data, sent over the Internet in encrypted form. These data acquisition systems should also comply with any national laws protecting patients' privacy (like the Health Insurance Portability and Accountability Act [HIPAA] in the United States). Kline et al. (1) implemented such a system successfully for a research project in the field of emergency medicine.
But we do not agree with Dr. van Oostrom's statement that the system described in our paper would not be acceptable under HIPAA. The patients' data were totally anonymous. The patients were identified only with consecutive numbers and the key was kept with the centers. The data sent over the Internet in an unsecured form consisted only of numbers (except for a few free text fields that were not violating the patients' privacy) and the key was with the study centers also. If intercepted, the data would be absolutely useless for the interceptor. The information entered through the website could not identify any individual person, nor any of the data. Therefore, the system we built complied fully with HIPAA (2).
Although FrontPage (Microsoft, Redmond, WA) in general supports data encryption, the built-in functions (so-called FrontPage extensions) do not work properly with SSL technique (this is information that can be found in various FrontPage support forums and on FAQ pages of web hosting companies). In addition, there is no possibility to have the data being sent by email in encrypted form with the FrontPage extensions. Further third-party products or extensive programming skills are necessary to accomplish a 100% secured and encrypted system with FrontPage. But if the research data are sent in coded form and no information identifying the patients is used, an effective, HIPAA-compliant and inexpensive Internet data collection system for research projects can be built as described in our article.
References
1. Kline JA, Johnson CL, Webb WB, Runyon MS. Prospective study of clinician-entered research data in the emergency department using an internet-based system after the HIPAA Privacy Rule. BMC Med Inform Decis Mak 2004;4:17.
2. Annas GJ. Medical privacy and medical research: judging the new federal regulations. N Engl J Med 2002;346:216-20.