Memorandum. Factual Background

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Memorandum. Factual Background"

Transcription

1 Memorandum TO: FROM: SUBJECT: Chris Ianelli and Jill Mullan, ispecimen, Inc. Kristen Rosati and Ana Christian, Polsinelli, PC ispecimen Regulatory Compliance DATE: January 26, 2014 You have asked us to evaluate whether ispecimen s handling of specimens and the accompanying clinical data complies with the Health Insurance Portability and Accountability Act ( HIPAA ) regulations, 1 the Department of Health and Human Services ( HHS ) regulations governing human subjects research (called the Common Rule ), and Food and Drug Administration ( FDA ) regulations. 2 As we explain below, we conclude that ispecimen structures its specimen and data collection and distribution in a manner that complies with these regulations. Our analysis is based on the following factual background. If it is inaccurate in any manner, please let us know so that we can reevaluate our conclusions. Factual Background ispecimen provides researchers with on-demand access to clinically annotated specimens. Through its arrangements with clinical laboratories, hospitals and other health care providers that collect specimens during the provision of clinical care (the Provider Network Participants ), ispecimen uses its proprietary software to identify specimens that meet specific requirements for researchers and instructs the Provider Network Participants on processing and shipping those specimens. ispecimen installs its proprietary software behind the Provider Network Participant firewall. Once the ispecimen software is installed in the Provider Network Participant data center, ispecimen personnel access it only for software maintenance. The ispecimen software collects information about the specimens available at a Provider Network Participant, de-identifies the data according to HIPAA rules (with the exception of the specimen collection date that is used to determine when a specimen is ready for discard), and sends the data to ispecimen s data center. The specimens are also given new, coded ispecimen IDs at this time. The software at the data center matches these specimens against those desired by researchers. When a match is identified, the system sends a message to the Provider Network Participant to pull that specimen and process it according to ispecimen instructions. The specimen is re-tubed and the ispecimen software generates a new, deidentified specimen label that contains the ispecimen ID, order information, and matrix. No information identifying the patient is physically attached to the specimen when it is shipped. Limited personal identifiers, such as the original specimen ID, are stored behind the Participant s firewall with links to the ispecimen ID to ensure that the correct specimens are picked by the Participant s technicians. These limited identifiers are only visible to the Participant, cannot be accessed by ispecimen and are never released to ispecimen customers. Additionally, at the Provider Network Participant s request, these links may be completely broken once specimens are shipped to researchers, ensuring that the specimens are truly 1 45 C.F.R. Part 160 and Part 164, Subpart E C.F.R. Part 46, Subpart A.

2 anonymized and not even the Provider Network Participant could re-identify a patient from whom the specimens came. The ispecimen software also pulls clinical data associated with patients. The amount of clinical data will vary according to ispecimen s arrangement with each Provider Network Participant and might include data such as current and past diagnoses, medications, encounters and treatments, hospitalizations and surgical history, allergies and sensitivities, immunizations, and family and social histories of the patient. No HIPAA identifiers are transferred to the ispecimen datacenter in this process other than the dates of service related to the patient (such as the date a particular diagnosis was made, which aids in the selection of specimens). As with the specimens, each patient is assigned a unique ispecimen Patient ID during the process so that the patient cannot be re-identified by ispecimen or the researchers who receive data. ispecimen enters into written agreements with its research customers to ensure that a customer uses the specimens and data for scientific research and development purposes only; does not transfer the specimens to a third party unless the third party agrees to be bound by the same rules surrounding specimen use as the research customer; and uses, retains, and destroys the specimens and accompanying data in accordance with all applicable laws. Research customers must also agree to never re-identify patients from whom specimens originated, even if technology and databases are available in the future which would allow that. Analysis 1. HIPAA Compliance Under HIPAA, covered entities (health plans, health care clearinghouses, and most heath care providers) may use or disclose individually identifiable health information (also called protected health information or PHI ) only as expressly permitted by the HIPAA Privacy Rule. 3 This memorandum discusses the application of the HIPAA Privacy Rule, as amended on January 25, 2013 to implement the Health Information Technology for Economic and Clinical Health Act (the HITECH Act ). 4 As described below, we conclude that the ispecimen method of handling specimens and associated clinical data complies with HIPAA. ispecimen access to PHI behind the customer s firewall complies with HIPAA. As explained above, the ispecimen software has access to PHI behind the Provider Network Participant firewall to identify appropriate specimens and to pull clinical data associated with those specimens. The ispecimen software assigns a code to the specimen and strips all HIPAA identifiers 5 from the associated clinical data, except for limited dates of service. The ispecimen 3 See 45 C.F.R. Part 160 and Part 164, Subpart E. 4 See 78 Federal Register ( Fed. Reg. ) (Jan. 25, 2013). 5 See 45 C.F.R (the HIPAA identifiers include all of the following data about individuals and their family members, household members, or employers: name; street address, city, county, precinct, or zip code (unless only the first three digits of the zip code are used and the area has more than 20,000 residents); the month and day of dates directly related to an individual, such as birth date, admission date, discharge date, dates of service, or date of death; age if over 89 (unless aggregated into a single category of age 90 and older); telephone numbers; fax numbers; addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers, serial numbers, and license plate numbers; device identifiers and serial numbers; web Universal Resource Locators (URLs) and Internet Protocol (IP) addresses; biometric identifiers, such as fingerprints; full-face photographs and any comparable images; or any other unique identifying number, characteristic, or code). 2

3 software thus creates a Limited Data Set, as defined by HIPAA, because the data includes dates related to patients. 6 In the Preamble to the final amendments to the HIPAA regulations, the HHS Office for Civil Rights ( OCR ) explained that because de-identification and the creation of a Limited Data Set for research purposes are health care operations, a covered entity is permitted to disclose PHI to a third party for such purposes under a HIPAA Business Associate Agreement. 7 ispecimen integrates a HIPAA-compliant Business Associate Agreement into its agreement with Provider Network Participants so that it may de-identify and create Limited Data Sets on behalf of the Participants. ispecimen use of the Limited Data Set to process the specimens complies with HIPAA. The ispecimen software gathers dates of specimen collection and other healthcare events so that it can ensure that the specimen meets the requirements of the researchers. ispecimen s use of this Limited Data Set is permitted for two reasons. One, ispecimen uses dates in performance of its Business Associate functions on behalf of its customers, to match the customers specimens with researchers. Two, ispecimen may use the Limited Data Set for these research purposes because its agreements with Provider Network Participants include a Data Use Agreement, which provides assurance that ispecimen will use the PHI only for those purposes. 8 ispecimen completely de-identifies the specimens and associated clinical data before providing them to researchers, complying with HIPAA. ispecimen uses the Limited Data Set only to ensure that specimens meet the researchers requirements, and then strips the dates from the specimens and associated clinical data before providing them to the researcher. ispecimen sends only fully de-identified data to researchers. 9 Disclosure of de-identified data complies with HIPAA. Specimens without accompanying HIPAA identifiers are not themselves treated as PHI. Where specimens provided for research are not associated with the HIPAA identifiers, the specimens themselves are not treated as PHI and the release of the specimens is not governed by HIPAA. 10 The OCR has concluded that specimens themselves are not PHI unless they are associated with HIPAA identifiers. 11 The ispecimen process does not trigger the need for an accounting. Because Provider Network Participants disclose only a Limited Data Set to ispecimen and because 6 See 45 C.F.R (c) (A Limited Data Set is partially de-identified patient information. A Limited Data Set excludes all of the direct identifiers in the regulations, except that a Limited Data Set may include: (1) geographic designations above the street level or P.O. Box; (2) dates directly related to a patient, such as dates of service, birth date, admission date, discharge date, or date of death; or (3) any other unique identifying number, characteristic, or code that is not expressly listed as an identifier ). 7 See 78 Fed. Reg (Jan. 25, 2013) C.F.R (e)(4) (listing requirements for a Data Use Agreement). 9 See 45 C.F.R (a)-(b). 10 See Research Repositories, Databases, and the HIPAA Privacy, at 3 (OHRP and NIH, Jan. 12, 2004), (found at 11 Id. at 11 ( Under the Privacy Rule, neither blood nor tissue, in and of itself, is considered individually identifiable health information; therefore, research involving only the collecting of blood or tissue would not be subject the Privacy Rule s requirements. Remember, however, blood and tissue are often labeled with information (e.g. admission date or medical record number) that the Privacy Rule considers individually identifiable and thus, PHI. A covered entity s use or disclosure of this information for research results from an analysis of blood and tissue, if containing or associated with individually identifiable information would be PHI. ). 3

4 ispecimen s agreements with Provider Network Participants contain a Data Use Agreement, Provider Network Participants do not have an obligation to include disclosures to ispecimen in response a patient s request for an accounting. 12 Revenue sharing with ispecimen customers is not a prohibited sale of PHI. Section 13405(d) of the HITECH Act 13 and the final HIPAA regulations provide that a covered entity may not directly or indirectly receive remuneration from or on behalf of the PHI recipient, in exchange for the PHI, unless the covered entity obtains an individual s authorization. 14 The final HIPAA regulations incorporate a number of exceptions where authorization is not required, including an exception where for research purposes pursuant to (i) [IRB waiver of HIPAA authorization, reviews to prepare for research, or research involving decedents] or (e) [use or disclosure of Limited Data Sets], the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes. 15 We believe the OCR would conclude that no remuneration flows to the Provider Network Participants for PHI in the current arrangement. The only PHI that flows to ispecimen are dates, which are used by ispecimen only for the purpose of ensuring that the specimens meet the researchers requirements, but which then are stripped from the data before transmission to the researchers. The OCR explained that the transmission of PHI by a covered entity to a research sponsor in a clinical trial is not prohibited by this rule, because the payment to the covered entity is not primarily for the PHI: [W]e do not consider sale of protected health information in this provision to encompass payments a covered entity may receive in the form of grants, or contracts or other arrangements to perform programs or activities, such as a research study, because any provision of protected health information to the payer is a byproduct of the service being provided. Thus, the payment by a research sponsor to a covered entity to conduct a research study is not considered a sale of protected health information even if research results that may include protected health information are disclosed to the sponsor in the course of the study. Further, the receipt of a grant or funding from a government agency to conduct a program is not a sale of protected health information, even if, as a condition of receiving the funding, the covered entity is required to report protected health information to the agency for program oversight or other purposes. (Certain of these disclosures would also be exempt from the sale requirements, depending on whether the requirement to report data was included in regulation or other law.) In contrast, a sale of protected health information occurs when the covered entity primarily is being compensated to supply data it maintains in its role as a covered entity (or business associate). For example, a disclosure of protected health information by a covered entity to a third party researcher that is conducting the research in exchange for remuneration would fall within these provisions, unless C.F.R (a) ( An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: (viii) as part of a limited data set. ). 13 Codified at 42 U.S.C (d). 14 See 45 C.F.R (a)(5)(ii). 15 Id. 4

5 the only remuneration received is a reasonable, cost-based fee to cover the cost to prepare and transmit the data for such purposes (see below). 16 We think the OCR would come to the same conclusion here. ispecimen is compensating Provider Network Participants for the services involved in the procurement of the specimens and associated de-identified clinical data that it provides to researchers. While dates are important to verify the specimen can be used for research, the compensation is by no means primarily for the dates (which are stripped before providing the specimens to the end user researchers). 2. Common Rule Compliance The use of de-identified specimens is not human subjects research. The Common Rule regulations govern human subjects research funded or conducted by a federal agency or research that is subject to an institution s Federalwide Assurance (a contract that permits an institution to conduct federally-funded research). 17 Human subjects include living individual(s) about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable personal information. 18 The HHS Office for Human Research Protections ( OHRP ) has provided guidance that if specimens are not collected for currently proposed research and investigators cannot readily ascertain the identity of the subjects, the release of those specimens to investigators is not human subjects research. 19 Under the ispecimen model, Provider Network Participants are not conducting human subjects research by permitting the use of their specimens and de-identified clinical data for research. First, the specimen and data are created for clinical care purposes, not research. Second, the end user researchers (the investigators) do not obtain any identifiable personal information about the patients and thus cannot readily ascertain the identity of the individual. Moreover, even if a Provider Network Participant maintains a link between the patient s identity and the code assigned by the ispecimen software to the specimen and clinical data, that does not mean the Provider Network Participant is itself conducting human subjects research. OHRP does not consider providing coded information or specimens as engagement in human subjects research, as long as the institution is prohibited from releasing the code to the investigators. 20 HIPAA prohibits the Provider Network Participants from releasing the code to the investigators under the current arrangement Fed. Reg. at 5607, C.F.R (a) C.F.R (f). 19 See Guidance on Research Involving Coded Private Information or Biological Specimens (Oct. 16, 2008) (found at 20 Id. at 3-4 ( OHRP does not consider research involving only coded private information or specimens to involve human subjects as defined under 45 CFR (f) if the following conditions are both met: (1) the private information or specimens were not collected specifically for the currently proposed research project through an interaction or intervention with living individuals; and (2) the investigator(s) cannot readily ascertain the identity of the individual(s) to whom the coded private information or specimens pertain because, for example: (a) the investigators and the holder of the key enter into an agreement prohibiting the release of the key to the investigators under any circumstances, until the individuals are deceased (note that the HHS regulations do not require the IRB to review and approve this agreement); (b) there are IRB-approved written policies and operating procedures for a repository or data management center that prohibit the release of the key to the investigators under any circumstances, until the individuals are deceased; or (c) there are other legal requirements prohibiting the release of the key to the investigators, until the individuals are deceased. 5

6 The HHS Advance Notice of Proposed Rulemaking. On July 26, 2011, OHRP issued an Advance Notice of Proposed Rulemaking ( ANPRM ) a request for public comment before a proposed rule is issued to revamp the Common Rule. 21 While the ANPRM sought public comment on whether consent should be required to use de-identified specimens for research, OHRP also suggested that a general consent in a conditions of admission form would be sufficient if consent is required in the future. 22 Of course, the ANPRM is not yet a proposed rule, and could be changed substantially before it is finalized. Moreover, any new rule would be applied prospectively only to specimens collected after the date of any final rule. 23 We do not recommend a change in procedures in response to the ANPRM. 3. FDA Compliance Specimens procured through the ispecimen Network may be used for FDAregulated IVD studies. The FDA regulates clinical investigations conducted in support of applications for research or marketing permits for products regulated by the FDA. 24 The FDA regulations define clinical investigation as any experiment that involves a test article and one or more human subjects where the researcher is required to submit the data to the FDA for approval. 25 Human subject means an individual who is or becomes a participant in research, either as a recipient of the test article or as a control. 26 The FDA regulations on Investigational Device Exemptions ( IDE ) apply the FDA human subject protection regulations to the use of human specimens. 27 In general, the FDA requires informed consent from an individual before he or she can be used as a subject in research regulated by the FDA. 28 However, in 2006, FDA issued guidance that it will permit the use of de-identified human specimens without informed consent when the specimens are used for FDA-regulated in vitro diagnostic device ( IVD ) investigations, in the following circumstances: 29 a) The investigation meets the IDE criteria at 21 C.F.R (c) (3) (a diagnostic device, if the sponsor complies with applicable requirements in (c) and if the testing: (i) is noninvasive, (ii) does not require an invasive sampling procedure that presents significant risk, (iii) does not by design or intention introduce energy into a subject, and 21 See 76 Fed. Reg (July 26, 2011) (found at 26/pdf/ pdf). 22 See 76 Fed. Reg (explaining the proposal to require written consent for research use of any specimens collected for clinical purposes after the effective date of the new rules (such as research with excess pathological specimens). Such consent could be obtained by use of a brief standard consent form agreeing to generally permit future research. This brief consent could be broad enough to cover all specimens to be collected related to a particular set of encounters with an institution. ). 23 Id C.F.R C.F.R. 50.3(c) C.F.R (p) C.F.R (p) C.F.R ( No investigator may involve a human being as a subject in research covered by these regulations unless the investigator has obtained the legally effective informed consent of the subject or the subject's legally authorized representative. ). 29 Guidance on Informed Consent for In Vitro Diagnostic Device Studies Using Leftover Human Specimens That Are Not Individually Identifiable, 4 (Apr. 25, 2006) ( FDA IVD Guidance ) (found at pdf). 6

7 (iv) is not used as a diagnostic procedure without confirmation of the diagnosis by another, medically established diagnostic product or procedure). b) The study uses leftover specimens. These include remnants of specimens collected for routine clinical care or analysis that would have been discarded, specimens obtained from specimen repositories, or leftover specimens that were previously collected for other research purposes. c) The specimens are not individually identifiable, in that the identity of the subject is not known to and may not readily be ascertained by the investigator or any other individuals associated with the investigation, including the sponsor (the study personnel ). If the specimen is coded, it is not individually identifiable if the study personnel cannot link the specimen to the subject. d) Any clinical information accompanying the specimens does not make the specimen source identifiable to the study personnel. e) The individuals caring for the patients are different from and do not share information about the patient with the study personnel. f) The specimens are provided to the investigator(s) without identifiers and the supplier of the specimens has established policies and procedures to prevent the release of personal information. g) The study has been reviewed by an IRB in accordance with 21 CFR Part 56 [with exception omitted]. ispecimen s process allows researchers to use specimens and their accompanying clinical data for use in IRB-approved IVD studies that are exempt from IDE regulations, in conformance with this FDA IVD Guidance. As described above, the specimens are leftover and the specimens and any clinical data are de-identified and are in no way identifiable to the investigators or other study personnel. In addition, with third party researchers, the individuals caring for the patients are different than those conducting the investigation. If a Provider Network Participant uses the specimens it produces for its own research, the Participant would need to evaluate whether those specimens could be used for IVD studies. 7

HIPAA COMPLIANCE INFORMATION. HIPAA Policy

HIPAA COMPLIANCE INFORMATION. HIPAA Policy HIPAA COMPLIANCE INFORMATION HIPAA Policy Use of Protected Health Information for Research Policy University of North Texas Health Science Center at Fort Worth Applicability: All University of North Texas

More information

HIPAA-Compliant Research Access to PHI

HIPAA-Compliant Research Access to PHI HIPAA-Compliant Research Access to PHI HIPAA permits the access, disclosure and use of PHI from a HIPAA Covered Entity s or HIPAA Covered Unit s treatment, payment or health care operations records for

More information

HIPAA PRIVACY RULE & AUTHORIZATION

HIPAA PRIVACY RULE & AUTHORIZATION HIPAA PRIVACY RULE & AUTHORIZATION Definitions Breach. The term breach means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy

More information

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule AA Privacy RuleP DEPARTMENT OF HE ALTH & HUMAN SERVICES USA Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule NIH Publication Number 03-5388 The HI Protecting Personal

More information

IRB Guidelines 1.3 HIPAA Research Implications Version 1.1: Created 4/20/2016

IRB Guidelines 1.3 HIPAA Research Implications Version 1.1: Created 4/20/2016 Institutional Review Board (IRB) IRB Guidelines 1.3 HIPAA Research Implications Version 1.1: Created 4/20/2016 Overview The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its regulations,

More information

HIPAA COMPLIANCE. What is HIPAA?

HIPAA COMPLIANCE. What is HIPAA? HIPAA COMPLIANCE What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) also known as the Privacy Rule specifies the conditions under which protected health information may be used

More information

RESEARCH INVOLVING DATA AND/OR BIOLOGICAL SPECIMENS

RESEARCH INVOLVING DATA AND/OR BIOLOGICAL SPECIMENS RESEARCH INVOLVING DATA AND/OR BIOLOGICAL SPECIMENS 1. Overview IRB approval and participant informed consent are required to collect biological specimens for research purposes. Similarly, IRB approval

More information

Health Insurance Portability & Accountability Act (HIPAA) Compliance Application

Health Insurance Portability & Accountability Act (HIPAA) Compliance Application Health Insurance Portability & Accountability Act (HIPAA) Compliance Application IRB Office 101 - Altru Psychiatry Center 860 S. Columbia Rd, Grand Forks, North Dakota 58201 Phone: (701) 780-6161 PROJECT

More information

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions ADDITIONAL DETAILS Web Address Forms Related Information

More information

The Health Insurance Portability and Accountability Act (HIPAA) Excerpted from the UTC IRB Policy

The Health Insurance Portability and Accountability Act (HIPAA) Excerpted from the UTC IRB Policy The Health Insurance Portability and Accountability Act (HIPAA) Excerpted from the UTC IRB Policy June 2008 Table of Contents PART V: The Health Insurance Portability and Accountability Act (HIPAA)...

More information

HIPAA, Research, and the IRB. Michelle Brown, BBA Biomedical IRB Manager

HIPAA, Research, and the IRB. Michelle Brown, BBA Biomedical IRB Manager HIPAA, Research, and the IRB Michelle Brown, BBA Biomedical IRB Manager Agenda Brief History of HIPAA How Did We Get Here? When Does HIPAA Apply to Research? How Do Researchers Access & Share PHI Under

More information

Winthrop-University Hospital

Winthrop-University Hospital Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR 164.512(i), 164.512(a-c) and in connection with the implementation of the HIPAA Compliance

More information

De-Identification of Health Data under HIPAA: Regulations and Recent Guidance" " "

De-Identification of Health Data under HIPAA: Regulations and Recent Guidance  De-Identification of Health Data under HIPAA: Regulations and Recent Guidance" " " D even McGraw " Director, Health Privacy Project January 15, 201311 HIPAA Scope Does not cover all health data Applies

More information

SCHOOL OF PUBLIC HEALTH. HIPAA Privacy Training

SCHOOL OF PUBLIC HEALTH. HIPAA Privacy Training SCHOOL OF PUBLIC HEALTH HIPAA Privacy Training Public Health and HIPAA This presentation will address the HIPAA Privacy regulations as they effect the activities of the School of Public Health. It is imperative

More information

UPMC POLICY AND PROCEDURE MANUAL

UPMC POLICY AND PROCEDURE MANUAL UPMC POLICY AND PROCEDURE MANUAL POLICY: INDEX TITLE: HS-EC1807 Ethics & Compliance SUBJECT: Honest Broker Certification Process Related to the De-identification of Health Information for Research and

More information

HIPAA as it Pertains to IRBs and Research. Jeffrey M. Cohen, Ph.D., CIP Chief Executive Officer HRP Consulting Group, Inc.

HIPAA as it Pertains to IRBs and Research. Jeffrey M. Cohen, Ph.D., CIP Chief Executive Officer HRP Consulting Group, Inc. HIPAA as it Pertains to IRBs and Research Jeffrey M. Cohen, Ph.D., CIP Chief Executive Officer HRP Consulting Group, Inc. HIPAA Acronym for the Health Insurance Portability and Accountability Act of 1996

More information

How to De-identify Data. Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008

How to De-identify Data. Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008 How to De-identify Data Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008 1 Outline The problem Brief history The solutions Examples with SAS and R code 2 Background The adoption

More information

HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS

HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS SCOPE OF POLICY: What Units Are Covered by this Policy?: This policy applies to the following units

More information

What is Covered by HIPAA at VCU?

What is Covered by HIPAA at VCU? What is Covered by HIPAA at VCU? The Privacy Rule was designed to protect private health information from incidental disclosures. The regulations specifically apply to health care providers, health plans,

More information

IRB RESEARCH REPOSITORY

IRB RESEARCH REPOSITORY IRB RESEARCH REPOSITORY COMPLIANCE PROGRAM: INFORMATION FOR BASIC SCIENTISTS Susan Burner Bankowski, MS, JD Chair, OHSU IRB Why a Policy Now? The regulations have always included oversight for research

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy

More information

Guidance on Withdrawal of Subjects from Research: Data Retention and Other Related Issues

Guidance on Withdrawal of Subjects from Research: Data Retention and Other Related Issues Office for Human Research Protections (OHRP) Department of Health and Human Services (HHS) Guidance on Withdrawal of Subjects from Research: Data Retention and Other Related Issues This guidance represents

More information

Administrative Services

Administrative Services Policy Title: Administrative Services De-identification of Client Information and Use of Limited Data Sets Policy Number: DHS-100-007 Version: 2.0 Effective Date: Upon Approval Signature on File in the

More information

What is Covered under the Privacy Rule? Protected Health Information (PHI)

What is Covered under the Privacy Rule? Protected Health Information (PHI) HIPAA & RESEARCH What is Covered under the Privacy Rule? Protected Health Information (PHI) Health information + Identifier = PHI Transmitted or maintained in any form (paper, electronic, forms, web-based,

More information

4. No accounting of disclosures is required with respect to disclosures of PHI within a Limited Data Set.

4. No accounting of disclosures is required with respect to disclosures of PHI within a Limited Data Set. IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Limited Data Sets and Data Use Agreements 10200 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel

More information

Children's Hospital, Boston (Draft Edition)

Children's Hospital, Boston (Draft Edition) Children's Hospital, Boston (Draft Edition) The Researcher's Guide to HIPAA Evervthing You Alwavs Wanted to Know About HIPAA But Were Afraid to Ask 1. What is HIPAA? 2. What is the Privacy Rule? 3. What

More information

HIPAA Basics for Clinical Research

HIPAA Basics for Clinical Research HIPAA Basics for Clinical Research Audio options: Built-in audio on your computer OR Separate audio dial-in: 415-930-5229 Toll-free: 1-877-309-2074 Access Code: 960-353-248 Audio PIN: Shown after joining

More information

The HIPAA privacy rule and long-term care : a quick guide for researchers

The HIPAA privacy rule and long-term care : a quick guide for researchers Scholarly Commons at Miami University http://sc.lib.miamioh.edu Scripps Gerontology Center Scripps Gerontology Center Publications The HIPAA privacy rule and long-term care : a quick guide for researchers

More information

University of Mississippi Medical Center Office of Integrity and Compliance

University of Mississippi Medical Center Office of Integrity and Compliance Office of Integrity and Effective Date: 2005 By: Committee 1.0 PURPOSE The purpose of this policy is to guide (UMMC) employees, who are involved with research, in obtaining an authorization for the use

More information

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance HIPAA-G04 Limited Data Set and Data Use Agreement Guidance GUIDANCE CONTENTS Scope Reason for the Guidance Guidance Statement Definitions ADDITIONAL DETAILS Additional Contacts Web Address Forms Related

More information

IRB Application for Medical Records Review Request

IRB Application for Medical Records Review Request Office of Regulatory Research Compliance Institutional Review Board FORM B1 : Medial Records Review Application FORM B1 IRB Application for Medical Records Review Request Principal Investigator: Email:

More information

Legal Insight. Big Data Analytics Under HIPAA. Kevin Coy and Neil W. Hoffman, Ph.D. Applicability of HIPAA

Legal Insight. Big Data Analytics Under HIPAA. Kevin Coy and Neil W. Hoffman, Ph.D. Applicability of HIPAA Big Data Analytics Under HIPAA Kevin Coy and Neil W. Hoffman, Ph.D. Privacy laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule can have a significant

More information

Application for an Off-Site Tissue Banking Waiver at a Non-Profit or Academic Institution

Application for an Off-Site Tissue Banking Waiver at a Non-Profit or Academic Institution Application for an Off-Site Tissue Banking Waiver at a Non-Profit or Academic Institution INSTRUCTIONS This form may be filled in and saved using Adobe Reader version 7.0 or higher. The full version of

More information

HIPAA OVERVIEW ETSU 1

HIPAA OVERVIEW ETSU 1 HIPAA OVERVIEW ETSU 1 What is HIPAA? Health Insurance Portability and Accountability Act. 2 PURPOSE - TITLE II ADMINISTRATIVE SIMPLIFICATION To increase the efficiency and effectiveness of the entire health

More information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information I. PREAMBLE ( Covered Entity ) and ( Business Associate ) (jointly the Parties ) wish to enter into an Agreement to comply with the requirements

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

STANDARD OPERATING POLICY AND PROCEDURE

STANDARD OPERATING POLICY AND PROCEDURE STANDARD OPERATING POLICY AND PROCEDURE SUBJECT: Biospecimen Request and Release Policy Number: 500.0 Policy Date: 1/16/2009 Amendment Date: N/A Revision Date: 5-3-2010 I. INTRODUCTION AND PURPOSE The

More information

Guidance for Sponsors, Institutional Review Boards, Clinical Investigators and FDA Staff

Guidance for Sponsors, Institutional Review Boards, Clinical Investigators and FDA Staff Guidance for Sponsors, Institutional Review Boards, Clinical Investigators and FDA Staff Guidance on Informed Consent for In Vitro Diagnostic Device Studies Using Leftover Human Specimens that are Not

More information

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3 INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS I. Introduction 2 II. Definitions 3 III. Program Oversight and Responsibilities 4 A. Structure B. Compliance Committee C.

More information

The George Washington University Office of Human Research IRB Forum June 20, 2012

The George Washington University Office of Human Research IRB Forum June 20, 2012 The George Washington University Office of Human Research IRB Forum June 20, 2012 Types of Chart Reviews Exempt vs. Expedited Protected Health Information Consent Requirements HIPAA Chart reviews are a

More information

HIPAA Privacy Common Questions: Definitions

HIPAA Privacy Common Questions: Definitions Brought to you by Momentous Insurance Brokerage, Inc. HIPAA Privacy Common Questions: Definitions What is a Covered Entity under the HIPAA Privacy Rules? The following organizations are governed by this

More information

Health Insurance Portability and Accountability Policy 1.8.4

Health Insurance Portability and Accountability Policy 1.8.4 Health Insurance Portability and Accountability Policy 1.8.4 Appendix C Uses and Disclosures of PHI Procedures This Appendix covers procedures related to Uses and Disclosures of PHI. Disclosures to Law

More information

HUMAN SUBJECTS AND HIPAA

HUMAN SUBJECTS AND HIPAA Research Compliance Tipsheet HIPAA Basics Last Revised: September 11, 2009 When we work with Protected Health Information (PHI) covered under the Health Insurance Portability and Accountability Act (HIPAA),

More information

January 2003. Employers must be prepared for their obligations under the HIPAA Privacy Rules

January 2003. Employers must be prepared for their obligations under the HIPAA Privacy Rules Employer Sponsored Group Health Plans and the HIPAA Privacy Rules Employers must be prepared for their obligations under the HIPAA Privacy Rules January 2003 Bob Radecki KnowHIPAA.com HIPAA-COBRA-FMLA

More information

Limited Data Set Background Information

Limited Data Set Background Information Limited Data Set Background Information 1. A limited data set is protected health information that excludes certain identifiers but permits the use and disclosure of more identifiers than in a de-identified

More information

Institutional Review Board

Institutional Review Board Institutional Review Board Collection and/or Study of Human Specimens Policy APPLICABILITY These guidelines apply to: 1. De-Identified, coded, and identified specimens. 2. Existing and prospectively collected

More information

CancerLinQ Data Quality Management Policies

CancerLinQ Data Quality Management Policies CancerLinQ Data Quality Management Policies I. Introduction CancerLinQ is committed to conquering cancer through appropriate, secure and ethical usage of health information entrusted to the CancerLinQ

More information

North Shore LIJ Health System, Inc. Facility Name

North Shore LIJ Health System, Inc. Facility Name North Shore LIJ Health System, Inc. Facility Name POLICY TITLE: The Medical Record POLICY #: 200.10 Approval Date: 2/14/13 Effective Date: Prepared by: Elizabeth Lotito, HIM Project Manager ADMINISTRATIVE

More information

HIPAA SELF STUDY TRAINING GUIDE

HIPAA SELF STUDY TRAINING GUIDE HIPAA SELF STUDY TRAINING GUIDE I have received the LifeWays HIPAA SELF STUDY TRAINING GUIDE. I understand that I will be accountable for the information contained in the guide. If I have questions I may

More information

BUMC Clinical Research Seminar: What would YOU do? Put your IRB hat on!

BUMC Clinical Research Seminar: What would YOU do? Put your IRB hat on! BUMC Clinical Research Seminar: What would YOU do? Put your IRB hat on! Mary-Tara Roth, RN, MSN, MPH BUMC Clinical Research Resources Office (CRRO) Mary Banks, RN, BSN Senior Analyst II, BUMC IRB September

More information

IRB REVIEW OF USE OF RESEARCH REPOSITORIES

IRB REVIEW OF USE OF RESEARCH REPOSITORIES IRB Review of Research Data Repositories at the Portland VA Medical Center IRB REVIEW OF USE OF RESEARCH REPOSITORIES 1. PURPOSE: To set policies and procedures for appropriate establishment, review, approval,

More information

QOPI CERTIFICATION PROGRAM

QOPI CERTIFICATION PROGRAM QOPI CERTIFICATION PROGRAM QCP Initial Chart Documentation Submission Guide American Society of Clinical Oncology 2318 Mill Rd., Suite 800 Alexandria, VA 22314 E: qopicertification@asco.org http://qopi.asco.org/certification

More information

HIPAA and You The Basics

HIPAA and You The Basics HIPAA and You The Basics The Purpose of HIPAA Privacy Rules 1. Provide strong federal protections for privacy rights Ensure individual trust in the privacy and security of his or her health information

More information

In Vitro Diagnostic (IVD) Devices: How they Differ from Other Devices and How FDA Regulates Them

In Vitro Diagnostic (IVD) Devices: How they Differ from Other Devices and How FDA Regulates Them In Vitro Diagnostic (IVD) Devices: How they Differ from Other Devices and How FDA Regulates Them IRB Education Conference, Columbia University April 2007 Sally Hojvat, Ph.D. Director of Microbiology Devices

More information

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT Section C: Data Use Agreement Illinois Department of Healthcare and Family Services And DATA USE AGREEMENT This Data Use Agreement (the Agreement ) is effective as of (the Agreement Effective Date ) by

More information

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS: BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE Lewis & Clark College and Allegiance Benefit Plan Management, Inc., (jointly the Parties

More information

Medical Research Law & Policy Report

Medical Research Law & Policy Report Medical Research Law & Policy Report Reproduced with permission from Medical Research Law & Policy Report, 12 MRLR 98, 02/06/2013. Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033)

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association DISCLAIMER This general information fact sheet is made available

More information

Considerations for Waivers of Informed Consent and Authorization

Considerations for Waivers of Informed Consent and Authorization Considerations for Waivers of Informed Consent and Authorization Contents: Waiver of Informed Consent... 1 Office for Human Research Protections (OHRP) regulations... 1 Government projects... 1 All other

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into as of ( Effective Date ) by and between ( Covered Entity ) and American Academy of Sleep Medicine ( Business Associate

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

Statement of Policy. Reason for Policy

Statement of Policy. Reason for Policy Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions

More information

University of Wisconsin-Madison Policy and Procedure

University of Wisconsin-Madison Policy and Procedure Page 1 of 6 I. Policy A limited data set is protected health information that excludes direct identifiers. The UW HCC units may use or disclose a limited data set only for the purposes of public health

More information

Information Privacy and Security Program Title:

Information Privacy and Security Program Title: 1 Page: 1 of 5 I. PURPOSE: 1 The purpose of this standard is to identify and define the standards for implementing contracting provisions related to those individuals and organizations identified as Business

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

UPMC POLICY AND PROCEDURE MANUAL

UPMC POLICY AND PROCEDURE MANUAL UPMC POLICY AND PROCEDURE MANUAL POLICY: INDEX TITLE: HS-EC1611 Ethics & Compliance SUBJECT: Use and Disclosure of Protected Health Information (PHI) For Research Purposes Pursuant to the HIPAA Privacy

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT THIS IS A TEMPLATE ONLY. CERTAIN STATES MAY NOT PERMIT THE TYPES OF ACTIVITIES ALLOWED HEREUNDER RELATING TO PROTECTED HEALTH INFORMATION. THUS THIS AGREEMENT MAY NEED TO BE MODIFIED IN ORDER TO COMPLY

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

University of Cincinnati Limited HIPAA Glossary

University of Cincinnati Limited HIPAA Glossary University of Cincinnati Limited HIPAA Glossary ephi System A system that creates accesses, transmits or receives: 1) primary source ephi, 2) ephi critical for treatment, payment or health care operations

More information

2 Applicability: Effective Date: 1/15/2010 Revised: 8/13/2010, 9/10/10, 5/9/14

2 Applicability: Effective Date: 1/15/2010 Revised: 8/13/2010, 9/10/10, 5/9/14 2 Applicability: Effective Date: 1/15/2010 Revised: 8/13/2010, 9/10/10, 5/9/14 NDSU research may involve the collaboration or assistance of other research institutions, schools, hospitals, clinics, private

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

Standard Operating Procedures for Research Involving Human Subjects

Standard Operating Procedures for Research Involving Human Subjects Section I: Introduction v07/2015 Standard Operating Procedures Indiana University and its affiliates are dedicated to protecting the rights and welfare of human participants recruited to participate in

More information

Business Associate and Other Agreements

Business Associate and Other Agreements Section 4.3 Implement Business Associate and Other Agreements This tool identifies the types of agreements that may be necessary for a community-based care coordination (CCC) program to have in place in

More information

Department of Veterans Affairs VHA HANDBOOK 1200.12. Washington, DC 20420 March 9, 2009 USE OF DATA AND DATA REPOSITORIES IN VHA RESEARCH

Department of Veterans Affairs VHA HANDBOOK 1200.12. Washington, DC 20420 March 9, 2009 USE OF DATA AND DATA REPOSITORIES IN VHA RESEARCH Department of Veterans Affairs VHA HANDBOOK 1200.12 Veterans Health Administration Transmittal Sheet Washington, DC 20420 March 9, 2009 USE OF DATA AND DATA REPOSITORIES IN VHA RESEARCH 1. REASON FOR ISSUE.

More information

DISCLOSURE OF ALCOHOL AND SUBSTANCE/DRUG ABUSE RECORDS. This Policy describes permissible disclosures of Alcohol and Substance/Drug Abuse Records.

DISCLOSURE OF ALCOHOL AND SUBSTANCE/DRUG ABUSE RECORDS. This Policy describes permissible disclosures of Alcohol and Substance/Drug Abuse Records. PRIVACY 11.0 DISCLOSURE OF ALCOHOL AND SUBSTANCE/DRUG ABUSE RECORDS Scope: Purpose: All workforce members (employees and non-employees), including employed medical staff, management, and others who have

More information

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4 HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS HIPAA Privacy Policy pages 2 to 12 Exhibit A HIPAA Privacy Regulations pages A-1 to A-89 Exhibit B Notice of Privacy Practices pages B-1 to B-4 Exhibit

More information

HIPAA: Open Research Issues Michael L. Blau, Esq. McDermott, Will & Emery

HIPAA: Open Research Issues Michael L. Blau, Esq. McDermott, Will & Emery HIPAA: Open Research Issues Michael L. Blau, Esq. McDermott, Will & Emery Research A. General Rules. There are four pathways for covered entities ( CEs ) to obtain permission under the Health Insurance

More information

[B3] How IRBs are Implementing HIPAA: Finding the Best Fit for Your Institution

[B3] How IRBs are Implementing HIPAA: Finding the Best Fit for Your Institution [B3] How IRBs are Implementing HIPAA: Finding the Best Fit for Your Institution The 18 th Annual Meeting of the Applied Research Ethics National Association 1 Faculty John Falletta, MD Duke University

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

HIPAA Privacy Compliance Plan for Research. University of South Alabama IRB Guidance and Procedures

HIPAA Privacy Compliance Plan for Research. University of South Alabama IRB Guidance and Procedures HIPAA Privacy Compliance Plan for Research University of South Alabama IRB Guidance and Procedures Office of Research Compliance and Assurance CSAB 140 460-6625 Adopted: 4/2/2003 2 HIPAA PRIVACY COMPLIANCE

More information

Use of Electronic Health Record Data in Clinical Investigations

Use of Electronic Health Record Data in Clinical Investigations Use of Electronic Health Record Data in Clinical Investigations Guidance for Industry DRAFT GUIDANCE This guidance document is being distributed for comment purposes only. Comments and suggestions regarding

More information

Regulatory Changes to HIPAA under HITECH and GINA

Regulatory Changes to HIPAA under HITECH and GINA HIPAA FINAL OMNIBUS RULE Fact Sheet Regulatory Changes to HIPAA under HITECH and GINA The U.S. Department of Health and Human Services released the Health Insurance Portability and Accountability Act (HIPAA)

More information

HIPAA Privacy Rule Primer for the College or University Administrator

HIPAA Privacy Rule Primer for the College or University Administrator HIPAA Privacy Rule Primer for the College or University Administrator On August 14, 2002, the Department of Health and Human Services ( HHS ) issued final medical privacy regulations (the Privacy Rule

More information

Extracting value from HIPAA Data James Yaple Jackson-Hannah LLC

Extracting value from HIPAA Data James Yaple Jackson-Hannah LLC Extracting value from HIPAA Data James Yaple Jackson-Hannah LLC Session Objectives Examine the value of realistic information in research and software testing Explore the challenges of de-identifying health

More information

Gaston County HIPAA Manual

Gaston County HIPAA Manual Gaston County HIPAA Manual Includes Gaston County IT Manual Action Date Reviewed and Revised December 2012 Gaston County HIPAA Policy Manual has be updated and combined with the Gaston County IT Manual.

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information

[Insert Name and Address of Data Recipient] Data Use Agreement. Dear :

[Insert Name and Address of Data Recipient] Data Use Agreement. Dear : [Insert Name and Address of Data Recipient] Re: Data Use Agreement Dear : The federal Health Insurance Portability and Accountability Act and the regulations promulgated thereunder (collectively referred

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Addendum is made part of the agreement between Boston Medical Center ("Covered Entity ) and ( Business Associate"), dated [the Underlying Agreement ]. In connection with

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

DATA USE AGREEMENT RECITALS

DATA USE AGREEMENT RECITALS DATA USE AGREEMENT This Data Use Agreement (the Agreement ), effective as of the day of, 20, is by and between ( Covered Entity ) and ( Limited Data Set Recipient or Recipient ) (collectively, the Parties

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION This Agreement governs the provision of Protected Health Information ("PHI") (as defined in 45 C.F.R.

More information

Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health. Pam Jager, GRMEP Director of Education & Development

Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health. Pam Jager, GRMEP Director of Education & Development Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health Pam Jager, GRMEP Director of Education & Development To understand the requirements of the federal Health Information Portability

More information

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191. HIPAA Data Use Agreement 1 Revision Date: This Data Use Agreement (the Agreement ) is entered into by and between Yale University ( Covered Entity ) and ( Data User ), collectively, the Parties, and shall

More information

Data Security & eirb Tips & Tricks School of Nursing Office of Research Affairs Brown Bag Series

Data Security & eirb Tips & Tricks School of Nursing Office of Research Affairs Brown Bag Series Data Security & eirb Tips & Tricks School of Nursing Office of Research Affairs Brown Bag Series Denise Snyder, MS, RD, CSO, LDN Director, Research Management Team (RMT) Research Practices Manager, SON

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

De-Identification of Clinical Data

De-Identification of Clinical Data De-Identification of Clinical Data Sepideh Khosravifar, CISSP Info Security Analyst IV TEPR Conference 2008 Ft. Lauderdale, Florida May 17-21, 2008 1 1 Slide 1 cmw1 Craig M. Winter, 4/25/2008 Background

More information