COPD Patient-Powered Research Network (COPD PPRN)
Privacy Policy and Data Security Measures

We at www.copdpprn.org, led by the COPD Foundation, a patient run organization, have taken many steps to protect your privacy. Health information is private under federal law. However, by joining www.copdpprn.org and agreeing to our informed consent form, you are giving permission for the following people and groups to see, use, and share your identifiable health information:

• Approved groups that helped create the COPD PPRN
• Researchers approved by the COPD PPRN Governing Board

To learn more about how the COPD PPRN will be sharing information, with whom and under what circumstances, please review the COPD PPRN Governance Policy for Data Sharing and Use.

USE OF INFORMATION FOR RESEARCH:

The COPD PPRN will help research in the following ways:

1. Provide de-identified data to researchers for data analysis.
   In this circumstance, participants' identifying information (contact information) is not provided to the researcher and the de-identified data cannot be linked to any individual.
2. Contact individuals in the COPD PPRN to see if they are interested in a study.
   In this circumstance, the COPD Foundation (see key players section for description of COPD Foundation) will send an email or letter to a participant in the COPD PPRN who qualifies for a research study. The communication will include the researcher’s contact information so the individual can decide whether they want to contact the researcher directly for more information about the study or to participate in the study. The researcher will not have contact information of individuals in the COPD PPRN until the patient contacts the researcher and voluntarily provides that information himself/herself.

• We will not share your identifying health information:
  Although we will be looking at your personal health information, we will not share it with others outside the COPD PPRN or PCORnet (see key players section for definition of PCORnet). The study results may be published for others to learn from, but when used this way, individual patients will not be identified. We will only summarize what we learn.
• We will not share your identifying information:
  We will never sell, rent, or lease your identifying information, and we will never voluntarily share identifying information about you without your permission. We may share your de-identified health data with other researchers for the purpose of research. No identifying information will be used when aggregate information collected by the COPD PPRN is shared for research purposes. In no circumstance does the COPD Foundation provide the contact information of an individual in the COPD PPRN to a researcher.
• Limits to Confidentiality:
  We may learn that keeping your health information private would immediately put your health, or you or someone else, in danger. (For example, a medical emergency, child abuse, elder abuse, or information about harm to you or to others). In these situations, we are required by law to tell someone who can help keep you or others safe.
• Electronic Security and Adherence to the HIPAA Privacy Rule:
  The COPD PPRN Study follows the general security guidelines of the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA). All study data is transmitted, stored, and processed in a secure environment.

While we cannot provide an absolute data security guarantee or completely protect against all computer or human errors, we will do all that we can to reduce the chance of a mistake or breach of confidentiality. Your information will be transmitted and stored using security systems similar to those that protect websites used by banks and electronic health systems. For any questions, please contact copdpprn@copdfoundation.org or the C.O.P.D. Information Line at 1-866-316-COPD (2673).

KEY PLAYERS:

COPD Foundation: The COPD Foundation's mission is to prevent and cure Chronic Obstructive Pulmonary Disease and to improve the lives of all people affected by COPD. The COPD PPRN is governed by a Board of COPD patients and researchers, who work directly with the COPD Foundation. You can get more information about the COPD Foundation at www.copdfoundation.org or by calling 1-866-316-COPD (2673).

PCORI: The COPD Patient-Powered Research Network is funded in part by the Patient-Centered Outcomes Research Institute (PCORI). PCORI is an independent, non-profit organization created by Congress in 2010 to develop a new, larger research network. PCORI’s mission is to pay for research that will give patients, their caregivers, and doctors’ information to help them make well-informed health care decisions.

PCORnet: A new large research network of Patient-Powered Research Networks (including the COPD PPRN) and clinical data research networks, which are hospital and health-center based, created by PCORI.

DATA SECURITY MEASURES

The following is a technical explanation of the measures we take to protect your data. If you have any questions about this information, please contact us by email at copdpprn@copdfoundation.org.

The COPD PPRN Study team will take the following data security measures:

• Username and Password:
  In order to access the COPD PPRN and complete surveys securely we will require the creation of usernames and passwords before registration.
• Data Transmission:
  All data is transmitted from the client site through the internet to one of REDCap Cloud utilized AWS data centers located in the primary data center location (US, EU, or Canada). To adhere to REDCap Cloud compliance requirements all data is encrypted with at least 256 bits using TLS 1.2 or higher. REDCap Cloud aligns with the FIPS 140-2 cryptographic standard, this underscores our commitment to maintaining the highest level of security and integrity for sensitive information.
System Administration:
Administrators with a business need to access the servers are reqiured to use multi-factor authentication to gain access to host servers. These servers are systems that are specifically designed, built, configured and hardened to protect our clients' separation of data. All such access is logged and audited. When an REDCap Cloud employee no longer has a business need to access the servers, the privileges and access to these hosts and relevant systems are revoked.
• Secure Servers:
  REDCap Cloud servers are hardened in adherence with NIST 800-44: Guidelines on Securing Public Web Servers through a series of strategic and technical measures. These include conducting regular security assessments to identify vulnerabilities in the web server and its connections, applying necessary security patches and updates to server software, and ensuring that only the minimum requires services and ports are accessible.
• Datacenter Security:
  24x7x365 Monitored Secured Facility. Data Centers are staffed by AWS personnel, which are trained and certified on security procedures. The following physical protections are in place in all REDCap Cloud AWS data centers: • AWS data centers are housed in nondescript facilities. • Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. • Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. • All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. • AWS only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. • When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. • All physical access to data centers by AWS employees is logged and audited routinely.
• Firewall:
  The REDCap Cloud infrastructure on AWS uses firewalls (AWS Security Groups), a single DMZ, and multiple VLANs. The AWS security groups provides ingress network filtering from the broader Internet. By default, all access is denied with only explicitly defined ports (22, 80, and 443) and protocols permitted. This layered defense strategy and isolation between all the different networks provides strong infrastructure security controls against external threats. The Network Access Control Lists contain ordered rules to allow or deny traffic based upon IP protocols, by service port, as well as source/destination IP address. The AWS Security groups are stateful — responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa. The AWS Security Groups along with network ACLs as an additional layer of defense and a mitigation technique to reduce the impact of future misconfigurations, intrusions, vulnerabilities, etc. All access is prohibited by default and only authorized access is enabled. The databases are located in an isolated private subnet and physically and logically segregated from '3rd party' facing DMZ. Real-time logging from AWS Security Groups (firewalls) are captured in AWS CloudWatch.
• Intrusion Detection & Prevention:
  REDCap Cloud's IDS offers protection from both external and internal attackers—where traffic doesn't go past the firewall at all. We use AWS VPC Flows, and Wazuh (OSSEC) to analyze all traffic for possible hostile attacks originating from outside the organization and also for system misuse or attacks originating from inside the organization. Application and network traffic signature pattern matching is used to identify potential security weaknesses. Protocol anomaly traffic detection analyzes network traffic for known attacks and variations of those attacks. Updated network traffic signature files are automatically implemented upon release by the vendor.
• This is how we nPhase, Inc. dba REDCap Cloud handle the above-mentioned data security points with respect to their systems.

*Policy effective as of April 3, 2015

*Policy updated on June 25, 2024