Protected Environment (PE) at CHPC
This page refers to the refreshed PE that was funded partially by a NIH Shared Instrumentation Grant (1S10OD021644-01A1) Award received April 2017. The award allowed CHPC to deploy a complete refresh of the existing PE, and in the process expand the capabilities and increase the security relative to the initial CHPC PE deployment. In addition, the refreshed PE is configured to allow for expansion in a condominium fashion, in both the storage and in the HPC components. The different components of the new PE were made accessible to users as they were deployed, most during the first quarter of 2018.
CHPC operates a protected environment (PE) for researchers with sponsored research projects and work with data that is sensitive in nature, including projects involving human genomic data. These resources have been reviewed and vetted by the Information Security Office and the Compliance Office as being an appropriate place to work with Protected Health Information (PHI). If you have data that has other compliance requirements, please let us know well in advance so that we may ensure that our PE meets the requirements needed for your project. Please follow the recommendations below when requesting access to a resource in the PE.
NOTE: If you decide to work with protected &/or regulated data outside of CHPC's designated protected environment please know that you'll need to investigate any required agreement(s) that must be in place in accordance with the HIPAA privacy rule prior to creating, processing, maintaining, or transmitting ePHI/PII (protected health information &/or personally Identifiable info), such as a Business Associate Agreement or, in the case of research purposes, a valid IRB or other agreement, as appropriate. The Privacy Office contact information can be found at http://privacy.utah.edu/ and IRB office athttp://irb.utah.edu/ for guidelines and more information. If CHPC resources are used, we will assist you with the requirements. NOTE: A list of existing BAA's with the UofU (for those allowed via role based security) can be found via the following URL: https://pulse.utah.edu/site/comser/infpriv/Pages/Business-Associates.aspx
- Only CHPC Staff system administrators will have root to hosts in the protected environment.
- Only sponsored research projects with HIPAA/PHI or other specific data restrictions will be provisioned in the PE.
Protected Environment FAQ
As mentioned above, the new PE allows for growth of the HPC cluster as well as both the project and archive storage in a condominium style, similar to that in the general environment.
For the cost of adding an owner node to Redwood, please contact chpc at email@example.com.
For the cost of purchasing additional project space(each project is given, at no cost, 250GB) or archive space, see the PE storage page.
With the new VM farm, PE VMs will no longer be free. See the VM page for current pricing.
The use of allocations started July 1, 2018.
Unlike apexarch which was run unallocated, there will be an allocation process for time on redwood general resources. Allocation requests can be made using the PE allocation request form.
As in our general environment, users in groups without allocation can run in the freecycle mode on general nodes or as guest on the owner nodes, subject to preemption by jobs with allocation or owner jobs, respectively. Priority for allocation will be given to NIH funded research for the duration of the NIH Shared Instrumentation Grant (until Spring 2022). Allocations will be reviewed and awards made by the Protected Environment Policy Allocation Committee.
As in the general environment, a group may request up to four quarters at a time such that they only need to complete this process once per year. However, should needs change, groups can re-apply at any of the quarterly request windows even if they have an existing award.
There is one request allowed per research group – if your group has multiple projects, please be sure to select all projects that will make use of redwood in the request. Requests can be made by the PI of the project or his/her delegate, provided the delegate also has a PE account. If you have the ability to complete this form, when you log into the chpc website, www.chpc.utah.edu, there will be a section under “User Roles” for “PI/Delegate in the PE”.
- Step 1: Determining if your project fits in REDCAP or the University's instance of Box
- Step 2: Needs Assessment
- Step 3: Requesting access to a PE resource
Step 1: Determining if your project fits in REDCAP or Box
REDCAP: It may be that your project needs can be served by using the REDCAP (Research Electronic Data Capture) tool. REDCAP can be used to create web accessible forms, a secure database with continuous auditing, and a flexible reporting system. More information can be found at https://redcap01.brisc.utah.edu/ccts/redcap/index.php?action=training. To determine if the REDCAP tool fits with your project, require assistance or have any questions about REDCap, please contact REDCap Support or see https://uofu.service-now.com/cf/kb_view.do?sysparm_article=KB0001008 for more information.
Box: One can put PHI on the University instance of Box, http://box.utah.edu. The reference for the acceptable use of Box for PHI can be found at University of Utah Box User Agreement.pdf. Please refer to this page and see the section at the bottom about storage of regulated information. To use
the Box instance for PHI, users need to create a specific University Box account.
Personal accounts cannot be used. The UofU Box service doesn't fit the needs for all
use cases; if you only need a storage space of under 50GB, then it may be a good fit.
If the needs are to store and process (HTC/HPC/SQL etc) or use SAS/SPSS and other
applications, the needs are likely better served via CHPC’s Protected Environment
If the data is de-identified, there are no regulatory restrictions or mandates to use the Protected Environment. For more information on what information is protected, please see http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html.
For NEW projects, please submit the NEEDS ASSESSMENT FORM with all required information. We will respond to your request as soon as possible.
In the meantime, please feel free to CONTACT US with any questions.
NOTE: If you don't have a uNID, please see https://www.chpc.utah.edu/documentation/policies/1.2AccountPolicies.php
If you already submitted needs assessment form, please click here to see status.
NOTE: PLEASE be sure to read and follow all steps in this section. You must first have a 'general' CHPC account . Then you can get a 'protected' CHPC account. If you encounter any problems don't hesitate to contact us by sending an email to firstname.lastname@example.org
Complete HIPAA Annual Compliance Training (proof of CITI training is acceptable as well). Please upload or email your training via the CHPC PE account request web form or by sending email to 2018_HI.email@example.com. Below are instruction of how to locate your training certificate.
a) For faculty and staff, visit https://hrit.utah.edu/lms/#/ and complete the HIPAA training. You must submit proof of completion to CHPC. If you are not assigned the training already, the modules are now searchable in the LMS (learning module systems) and can be assigned to new faculty and staff by their manager. You can also self-enroll. Please refer to the FAQ at https://pulse.utah.edu/site/LMS-selfhelp for further instruction. If you don't have the training assigned, or can't self-enroll via https://pulse.utah.edu/site/LMS-selfhelp/how-to/register-for-a-class or have a manager enroll you, your best course of action is to contact LMS @ https://pulse.utah.edu/site/LMS-selfhelp . If you have problems getting the training req done via the staff/faculty method then please use the student method below instead.
b) For non-employees, e.g., students, vendors (Business associates) or others: Navigate to this web page http://healthsciences.utah.edu/privacy-office/ to read/understand & adhere to the HIPAA privacy and security training then submit the certificate to CHPC when you request a PE account.
Acquire an account for the CHPC protected environment:
NOTE: The project PI must have an account provisioned in the protected environment before any project user accounts can be created.
a) If you do not have an existing CHPC account, then you need to apply for a general CHPC account first via the following URL: (if you already have a CHPC general account go to the next step, 2b) https://www.chpc.utah.edu/apps/profile/account_request.php
NOTE: If you don't have a uNID, please see https://www.chpc.utah.edu/documentation/policies/1.2AccountPolicies.php
b) If you have an existing CHPC general account and need access to the CHPC PE (protected env) then you also need to request a Protected Environment/HIPAA CHPC account https://www.chpc.utah.edu/role/user/requestPE.php NOTE: You'll need to reference your project #, ask your PI if you don't know it.
Get a DUO security account: This is an additional authentication step for additional security. If you don't have a DUO security account setup already then you'll need to do the following:
a) If you don't already use DUO security, you will need to go to the following URL and register your device. Visit: https://ese.idm.utah.edu/duo-management to add your device to the campus DUO two factor authentication service.
b) Then notify CHPC that you've completed the DUO registration - then we will request UIT to affiliate your DUO account to the proper CHPC PE group(s) and we will notify you when it's complete. see CHPC's DUO software page for more information.
Once you've completed the previous steps (and have been notified by CHPC that your CHPC PE account is provisioned) - you can follow this URL for instructions of how to access the CHPC PE: https://wiki.chpc.utah.edu/pages/viewpage.action?pageId=541163529
If resource needs are already met with existing infrastructure (narwhal, redwood, an existing protected environment VM, etc.) you are ready to start. Any new desired protected environment virtual machine requests must come from the PI (or co PI). See 1.4.2 Virtual Machine Allocation Policy
Please see the Protected Environment FAQ for more information about what resources are available in the CHPC protected environment.
If this is a new project you'll need to work with CHPC and the Information Security and Privacy office (ISPO) (http://privacy.utah.edu/) to satisfy security requirements:
- Depending upon the scope of the project, a security assessment by the Information Security Office (ISO) as well as ISPO may need to take place. A risk assessment and mitigation plan must be approved by ISPO.
- Satisfactory scan report from ISPO http://it.utah.edu/departments/iso/index.php
- If there is any information sharing with third parties, an information sharing assessment (ISAF) needs to be initiated with the UofU privacy office to determine if a Business Associates Agreement needs to be on file. Please send CHPC your BAA if you have one already, otherwise The ISAF must be completely filled out (Typed) by the requesting department and returned for evaluation to determine the need for a Business Associate Agreement or other agreement to protect the information being shared. ISAF form can be found at https://pulse.utah.edu/site/comser/infpriv/Pages/Business-Associates.aspx Please refer to the UofU privacy office for details and help (and keep CHPC informed) http://healthsciences.utah.edu/privacy-office/index.php