Data privacy and security are of paramount concern to the FDA and to all Sentinel Collaborating Institutions. Sentinel's privacy and data security policies are described in greater detail in the Sentinel statement of Principles and Policies (available upon request). A white paper addressing compliance under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Common Rule for data sources participating in the Sentinel Initiative can be found at the link below:
- Sentinel Initiative Principles and Policies: HIPAA and Common Rule Compliance in the Sentinel Initiative
The Sentinel System is a distributed network, made up of a web portal from which queries are sent, and a local application, (DataMart Client) in which queries are executed. Data remains behind data partners’ local firewalls and in most cases, query results are returned to the web portal in aggregate form. When individual level information is provided, all direct identifiers, such as names, addresses, and phone numbers, are removed before information is shared with the Sentinel Operations Center or the FDA for further analysis. Furthermore, all communications between the DataMart Client application and the web portal use HTTP/SSL/TLS connections to securely transfer queries and results. Sentinel participants adhere to federal and state privacy-related laws and regulations.
The Sentinel System is subject to the security requirements of the Federal Information Security Management Act of 2002 (FISMA) and has implemented policies and procedures to ensure the utmost data security, including an annual assessment process to ensure compliance. FISMA compliance requires a comprehensive suite of security policies and procedures, including, among other requirements, (a) physical access controls and 24x7 monitoring of data center access points; (b) clear separation of operational responsibilities; (c) active intrusion detection, secure firewalls, and regular scanning for points of potential vulnerability; (d) encryption of all data held within the data center as well as encryption of data when transmitted to a browser or other computer system, (e) stringent password standards and forced password expiration dates; and (f) logging of all network and database activity, with regular reviews of the logs. FDA and the Sentinel System are continually working to identify emerging issues and improve the rigorous security controls already in place.