Winthrop-University Hospital

Size: px
Start display at page:

Download "Winthrop-University Hospital"

Transcription

1 Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR (i), (a-c) and in connection with the implementation of the HIPAA Compliance Plan, Winthrop-University Hospital has developed and will implement this Policy for the application of HIPAA to all research activities. Winthrop- University Hospital currently relies upon two institutional review boards ( IRB(s) ), the Winthrop-University Hospital Institutional Review Board ( WUH IRB ) and the Western Institutional Review Board ( Western IRB ), to ensure that all human research projects conducted at Winthrop University Hospital are performed in compliance with the federal regulations (e.g., the Common Rule) and will continue to rely upon these two institutional review boards to ensure compliance with HIPAA as well. 1 This Policy is designed to ensure that any such research conducted at Winthrop-University Hospital under the authority of either the WUH IRB or the Western IRB will be conducted in full compliance with HIPAA. A General Application of HIPAA to Research. 2 HIPAA applies to all research studies which involve the use or disclosure of individually identifiable protected health information ( PHI ). HIPAA applies regardless of the source of funding for the research. Research studies affected by HIPAA include: (i) record research (i.e., research using previously existing PHI, such as research involving a review of previously created medical records or previously collected tissue specimens); (ii) research not involving research related treatment; and (iii) research involving treatment 3 of research participants such as clinical trials. 1 Note: The Western IRB reviews all human research studies which are sponsored by pharmaceutical companies and involve out patients of Winthrop-University Hospital. WUH IRB reviews all other human research studies. 2 Note: Research is defined, under HIPAA, as systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. 3 Note: Treatment is defined, under HIPAA, as the provision, coordination, or management of health care and related services by one or more health care providers, including (i) coordination or management of health care by a health care provider with a third party, (ii) consultation between health care providers relating to a patient, and (iii) the referral of a patient for health care from one health care provider to another.

2 When an investigator conducts a research study that is subject to both HIPAA and the Common Rule, the investigator must comply with the regulations under both laws. Additionally, where applicable, a research study must also comply with the Federal Drug Administration s human subjects regulations. Winthrop-University Hospital requires that any investigator conducting a research study involving the use or disclosure of PHI must ensure the receipt of a HIPAA authorization, approved by either the WUH IRB or the Western IRB, from each research participant prior to using or disclosing PHI for research purposes unless with prior review and approval by either the WUH IRB or the Western IRB one of the following five exceptions under which research can be conducted using PHI without first obtaining an authorization exists: a. the investigator is only conducting a review preparatory to future research; b. the research study uses only PHI of deceased individuals; c. the investigator uses only a limited data set in conducting the research study and obtains a data use agreement from all recipients of the limited data set; d. the investigator uses only de-identified PHI in conducting the research study; or e. the investigator obtains a waiver of the authorization requirement from the WUH IRB prior to commencing the research study. Note: If the research involves treatment of the patient, the patient will also need to receive a privacy notice and sign an acknowledgment, where applicable, as discussed in Section G below. Winthrop-University Hospital requires that, whenever PHI is being used or disclosed for research purposes pursuant to an exception from the authorization requirement by either the WUH IRB or the Western IRB, the investigator shall comply with Winthrop-University Hospital s minimum necessary policies, procedures and requirements. In order to comply with the minimum necessary requirements, the investigator shall make reasonable efforts to limit the uses and disclosures of, and requests for, PHI to the minimum necessary to accomplish the purpose(s) of the research study. (See Minimum Necessary Policy) B Research Authorization. In those instances where an investigator s research study does not fit into one of the exceptions to obtaining an authorization (as discussed in Section C through G below) and the investigator intends to use or disclose PHI during the conduct of his/her research study, the investigator should ensure that a valid, executed authorization is obtained from each research participant or his/her legally authorized representative. All research authorizations shall be reviewed and approved by either the WUH IRB or the Western IRB during the appropriate IRB s initial review of the investigator s research request (as discussed in Section H below) unless the investigator complies with one of the above-mentioned exceptions.

3 1 Requirements for All Authorizations. All research authorizations shall be written in plain language and contain at least the following: a. A meaningful and specific description of the individually identifiable health information to be used in the research study; b. A list of all persons (or classes of persons) who may use or disclose the individually identifiable health information; c. A list of the persons (or classes of persons) to whom the individually identifiable health information may be disclosed; d. The expiration date or event of the authorization. For research purposes this statement can be end of the research or none (especially with respect to research data bases, repositories); e. A statement that the research participant has a right to revoke the authorization at any time and a description of how to revoke the authorization; f. A statement noting that used or disclosed individually identifiable health information may be subject to re-disclosure and no longer protected by the law; g. The signature and date of the research participant or his/her authorized representative. If signed by an authorized representative, a statement of such representative s authority to act for the research participant; h. A statement of each purpose of the use or disclosure of the individually identifiable health information; and i. For research not involving research-related treatment: A statement that the research subject has right to refuse to sign the authorization without being denied treatment and that participation is conditioned on the research participant executing the authorization. The authorization should be witnessed by any competent adult, included in the research participant s medical record and each research participant should be provided with an executed copy. For a discussion of authorizations where Winthrop-University Hospital seeks an individual s written legal permission to obtain PHI about the individual from another covered entity that maintains the PHI to make a disclosure of the PHI, see Winthrop-University Hospital Policy on Authorizations for Uses and Disclosures of Patient Information. 2 For Studies which Include Treatment. Where the research study is, however, being conducted in connection with research-related treatment of the research participant, the research

4 authorization may contain a statement that provision of the research-related treatment is conditioned on the research participant executing the authorization. Where a research study that includes treatment is being conducted as part of a clinical trial, the research participant can be denied the right to access the individually identifiable health information obtained in the course of that clinical trial (the Research Information ). In order to deny the research participant access to Research Information: a. The research authorization must contain a statement informing the research participant that he/she will be denied access to the Research Information during the course of the clinical trial. b. The research participant must agree to the denial of access to Research Information when he/she consents to participation in the clinical trial. c. The clinical trial must be ongoing when the request for access is made. The research participant must also be advised of his/her right to be provided access to the Research Information once the clinical trial is completed. The investigation must, however, maintain a high level of ethical consideration for the welfare of the research participants and provide access in the appropriate circumstances. While conducting a clinical trial, the investigator shall comply with the limited scope of permissible uses and disclosures for the Research Information. Additionally, the investigator shall be allowed certain disclosures of PHI relevant to a clinical trial, including disclosures to public health agencies, health oversight agencies and persons required or directed to report information to the Federal Drug Administration and the Office of Human Research Protection. Any such parties should be identified in the HIPAA authorization. Unless an investigator is conducting a review preparatory to a research study (discussed below), he/she must obtain an authorization prior to reviewing previously collected PHI in connection with treatment, to determine an individual s eligibility for participation in research. Since, however, Winthrop-University Hospital can disclose PHI to the individual who is the subject of the PHI, a Winthrop-University Hospital physician may discuss the option of enrolling in a research study without first obtaining a research authorization or waiver of the authorization requirement by either the WUH IRB or Western IRB. Once the PHI needs to be disclosed to a third-party investigator for the purposes of recruitment into the research study, Winthrop- University Hospital must obtain an authorization or waiver of authorization (as discussed in Section G below). Compound Authorizations. Generally, both the WUH IRB and Western IRB will require an authorization for the use or disclosure of PHI in a research study (e.g., research authorization) be combined with an informed consent document for the same research to create a compound authorization.

5 At times and only when approved by the WUH IRB or Western IRB, as appropriate, a research authorization may be separate from the Informed Consent document or an authorization combined with an authorization for a different purpose, except for an authorization for the disclosure of psychotherapy notes; provided, however, that with such a compound authorization, the provision of treatment of the research participant cannot be conditioned on the signing of authorization. For further discussion of compound authorizations, see Winthrop-University Hospital Policy on Authorizations for Uses and Disclosures of Patient Information. For Winthrop-University Hospital purposes, a research authorization should only be separate from an Informed Consent document in special circumstances as specifically approved by the WUH IRB or Western IRB, as appropriate, in connection with their review of the proposed research study, as discussed in Section I below. C Review Preparatory to Future Research. An investigator can conduct a review of PHI in preparation for future research without first obtaining a research authorization. Before conducting any such preparatory review, however, the investigator shall obtain approval from the WUH IRB, as described in this Section C. All such preparatory review requests shall be made in writing to the WUH IRB. Before approving any preparatory review request, the WUH IRB shall obtain from the investigator written and signed documentation of the following representations: 1 The use and disclosure of the individually identifiable health information is necessary to the future research. 2 The individually identifiable health information will be reviewed solely for the narrow purpose of preparing for the future research. 3 No individually identifiable health information will be removed from its source by the investigator in the course of the preparatory review (although information can be recorded in de-identified form). The purpose of each preparatory review shall be either to aid in the development of a research hypothesis and/or to aid the recruitment of research participants. All approvals of preparatory research shall be documented and if the preparatory review results in a disclosure of an individual s individually identifiable health information, it shall be tracked and documented as a disclosure. The WUH IRB shall rely on representations of the investigator that the review is being conduct solely in preparation for a research study. D Research Involving a Deceased Individual. An investigator can use and disclose PHI of a deceased person for research purposes without first obtaining a research authorization. Before conducting any such research study, however, the investigator must obtain approval from the WUH IRB. All such research requests shall be made in writing to the WUH IRB. Before approving any such research request, the WUH IRB shall obtain in writing from and signed by the investigator the following representations: 1 The use and disclosure of the individually identifiable health information contained in the medical records is necessary for research purposes.

6 2 The use or disclosure is sought solely for research of individually identifiable health information of deceased persons. Before approving any such research request, the WUH IRB may request documentation of the death of each research subject from the investigator. All approvals of research studies involving deceased persons shall be documented and each disclosure of an individual s PHI shall be tracked and documented. The WUH IRB may rely on representations of the investigator that the research solely involves deceased person(s). E Limited Data Sets. Where, in conducting a research study, an investigator uses health information to create a limited data set, the investigator will not be required to obtain a research authorization provided the investigator obtains a data use agreement from any intended recipient of the limited data set. Before utilizing a limited data set in connection with a research study, the investigator should consult Winthrop-University Hospital Policy on Deidentifying and Re-identifying Patient Health Information and Creation of a Limited Data Sets regarding the method and means he/she intends to employ in creating the limited data set. The investigator must also utilize only a Winthrop-University Hospital approved form of data use agreement in connection with the disclosure of the limited data set and must obtain approval of the WUH IRB prior to using the limited data set. 1 A limited data set is a set of protected health information from which all of the following direct identifiers of the individual and relatives, employers, or household members of the individual have been removed: a. Names; b. Postal address information, other than town or city, State, and zip code; c. Telephone numbers; d. Fax number; e. Electronic mail addresses; f. Social security numbers; g. Medical records numbers; h. Health plan beneficiary numbers; i. Account numbers; j. Certificate or license numbers; k. Vehicle identifiers or serial numbers, including license plate numbers; l. Device identifier or serial number;

7 m. Web universal resource locators (URL s); n. Internet protocol (IP) address numbers; o. Biometric identifiers, including finger and voice prints; and p. Full face photographic images. 2 The data use agreement will list the purposes for which the recipient of the limited data set can use the patient information and provide the WUH IRB and Winthrop-University Hospital with satisfactory assurance that the recipient of the limited data set will only use or disclose the patient information for the purposes listed. Each data use agreement must contain the following: a. A statement indicating whether the limited data set was created for research, public health or health care operations; b. A statement of the purposes for which the recipient can use or disclose the patient information being provided in the limited data set. These purposes must be consistent with the reason the data use set was originally created in (1); c. A list of the names of all individuals or entities being provided permission to receive the limited data set under the data use agreement; d. A statement that the recipient agrees not to use or further disclose the patient information in the limited data set other than as agreed to in the data use agreement or as requirement by the law; e. A statement that the recipient agrees to use appropriate safeguards to prevent the use or disclosure of the patient information in the limited data set in any manner other than as agreed to in the data use agreement; f. A statement that the recipient agrees to report to the WUH IRB if it becomes aware of any use or disclosure of the patient information in the limited data set outside of the agreed upon uses in the limited data set; g. A statement that the recipient agrees to ensure any agents, including any subcontractors, who it provides the limited data set to will follow the same restrictions and conditions with respect to the use, disclosure and protection of the data use set; h. A statement that the recipient agrees to not identify the information in the limited data set or attempt to contact the individuals; and i. A statement that Winthrop-University Hospital can terminate the data use agreement and use of the limited data set by the recipient if it becomes aware of any pattern of behavior or activity or practice of the recipient which materially breaches or violates the data use agreement. The statement should further indicate Winthrop-University

8 Hospital will report any such breach or violation to the Secretary of the Department of Health and Human Services. Winthrop-University Hospital requires that the investigator continue to comply with the Hospital's minimum necessary policies, procedures and requirements in using and disclosing the patient information included in the limited data set. F De-identified Information. Where, in conducting a research study, an investigator uses health information that has been rendered not individually identifiable or de-identified, the investigator will not be required to obtain a research authorization. The goal of de-identification of health information is to reduce the possibility that the de-identified information can be cross-referenced with other identifiable information in order to link a de-identified health record with an individual. 1 Health information may be determined to not be individually identifiable or deidentified health information if the investigator removes the identifiers of the individual or the relatives, employers, or household members of the individual that are specified below from the health information. 2 In order to de-identify health information, all of the following specified information must be removed from the research records: a. Names; b. All geographic subdivisions small than a state, except for 3-digit zip codes (e.g., address); c. All elements of dates except the year (e.g. birth date, admission date, discharge date, date of death and all ages over 89); d. Telephone numbers; e. Fax numbers; f. Electronic mail addresses; g. Social security numbers; h. Medical records numbers; i. Health plan beneficiary numbers; j. Account numbers; k. Certificate or license numbers; l. Vehicle identifiers or serial numbers, including license plate numbers;

9 m. Device identifier or serial number; n. Web universal resource locators (URL s); o. Internet protocol (IP) address numbers; p. Biometric identifiers, including finger and voice prints; q. Full face photographic images; and r. Other unique identifying number, characteristics, or code (e.g. tissue or DNA samples), excluding a re-identification code created as provided below. Other identifying information which the investigator should also consider removing includes family information, employment information, race, religion and ethnic information, and medical diagnosis that directly or indirectly identifies an individual. Before deciding to deidentify health information in connection with a research study, the investigator should consult Winthrop-University Hospital Policy on De-identifying and Re-identifying Patient s Health Information and Creation of Limited Data Sets regarding the method and means he/she intends to employ in performing the de-identification and obtain the approval of the WUH IRB. Additionally, the investigator may create a code that allows him/her to re-identify health information, provided that: The code is not derived from or related to information about the individual; The code is not capable of being translated so as to identify the individual; and The code or mechanism for re-identification is not used for any other purpose than reidentification of the health information. Before deciding to re-identify health information in connection with a research study, the investigator should consult Winthrop-University Hospital Policy on De-identifying and Re-identifying Patient s Health Information and Creation of Limited Data Sets regarding the method and means he/she intends to employ in performing the reidentification and obtain the approval of the WUH IRB. Any re-identification code should comply with Winthrop-University Hospital Policy on De-identifying and Reidentifying Patient s Health Information and Creation of Limited Data Sets and should be approved by the WUH IRB. G Alteration or Waiver of Authorization. An investigator may obtain an alteration or waiver of the authorization requirement for the use and disclosure of individually identifiable health information. The investigator must obtain either the WUH IRB or the Western IRB approval of any such alteration or waiver request. All such alteration or waiver requests shall be made in writing to the WUH IRB or the Western IRB. In connection with a request for approval of an alteration or a waiver of the authorization requirement for proposed research, the WUH IRB or

10 the Western IRB shall consider whether the proposed research study satisfies the following criteria: 1 The use or disclosure of individually identifiable health information will involve no more than a minimal risk to the privacy of the research participants based on the presence of the following elements: a. An adequate plan exists to protect the identifiers from improper use and disclosure; b. An adequate plan exists to destroy the identifiers at the earliest opportunity consistent with conduct of the research unless there is a health or research justification that makes retention necessary or such retention is otherwise required by law; and c. There are adequate written assurances that the individually identifiable health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the proposed research, or for other research for which use or disclosure of individually identifiable health information is permitted by HIPAA. 2 The proposed research study could not practicably be conducted without waiver or alteration of authorization. 3 The proposed research study could not practicably be conducted without access to and use of the individually identifiable health information. 4 Upon any approval of an alteration or waiver request, the WUH IRB shall prepare a written approval statement which: a. Identifies the WUH IRB or the Western IRB, as appropriate; b. Indicates the date on which the alteration or waiver of authorization was approved; c. States that the WUH IRB or the Western IRB, as appropriate has determined the alteration or waiver of authorization for the proposed research study satisfies all the criteria listed above; d. provides a brief description of the individually identifiable health information for which use or access has been determined by the WUH IRB or the Western IRB, as appropriate, to be necessary; and e. specifies whether action was taken by the WUH IRB or Western IRB under normal or expedited review procedures. This written approval statement will be signed by Chairman of the WUH IRB or Western IRB or his/her designee. The WUH IRB and Western IRB regularly approve conducting research through the waiver of the authorization requirement. As a result, Winthrop University Hospital routinely

11 uses and discloses individually identifiable health information for research purposes without obtaining an authorization and Winthrop-University Hospital is required to include a statement in its general HIPAA Notice advising patients of this practice. H HIPAA Notice. HIPAA requires that each patient receive a written notice that describes Winthrop University Hospital s privacy practices, the patient s individual rights under HIPAA, and the types of uses of PHI that may be made. Where a patient participating in a research study is receiving treatment, investigators shall use the appropriate Winthrop-University Hospitaldesignated HIPAA Privacy Notice form for healthcare services provided by Winthrop University Hospital personnel and/or, as applicable, the privacy notice developed for any facility or organized healthcare arrangement involved in the treatment of the patient (e.g., a hospital, clinic or physician office). Each investigator shall also make a good faith attempt to obtain an acknowledgment of the privacy notice from the research participant prior to commencing treatment. If this acknowledgment does not cover the investigator or the investigator is providing healthcare services outside of Winthrop University Hospital, the investigator should obtain a separate acknowledgment as well. In either case, where the investigator cannot obtain an acknowledgment executed by the participant in the clinical trial, such failure shall be documented by the investigator in the appropriate medical record, along with the reason for the failure (e.g., the research participant refused to execute the acknowledgment). I WUH IRB Review. As a Privacy Board for Winthrop University Hospital under HIPAA, the WUH IRB meets the composition requirements under the Common Rule. The WUH IRB will also follow the voting requirements of the Common Rule or the expedited review procedures of the Common Rule. Under Winthrop University Hospital policy, all investigators interested in conducting human research studies, except those human research studies sponsored by pharmaceutical companies and involving outpatients of Winthrop University Hospital, are required to submit their research requests to the WUH IRB for review and approval. In connection with HIPAA, the WUH IRB shall include in its review of each research request or proposed research study, which already includes a review of the protocol and informed consent form to be used in connection with the proposed research study, a review of each of the following, where applicable, (i) the research authorization, (ii) the HIPAA notice and acknowledgment, (iii) requests for the alteration or waiver of authorization, (iv) requests to conduct preparatory research reviews; (v) methods of creating a limited data set or de-identifying information; (vi) a data use agreement; and (vii) requests to conduct research involving a deceased individual s health information. In any event however, all, requests to (i) conduct preparatory research reviews; (ii) review methods of creating a limited data set or de-identifying information; (iii) review a data use agreement; and (iv) conduct research involving a deceased individual s health information shall be reviewed by the WUH IRB and not the Western IRB. Whenever possible, the WUH IRB shall ensure that an investigator use the standard WUH IRB Consent form language which includes the information required by HIPAA and the HIPAA compliant notice and acknowledgment approved by Winthrop University Hospital. For HIPAA purposes, Winthrop University Hospital shall rely on the WUH IRB s representation that a research protocol meets HIPAA documentation and minimum necessary requirements (where applicable).

12 J Western IRB Review. As a Privacy Board for Winthrop University Hospital under HIPAA, the Western IRB meets the composition requirements under the Common Rule. The Western IRB will also follow the voting requirements of the Common Rule or the expedited review procedures of the Common Rule. Under Winthrop University Hospital policy, all investigators interested in conducting human research studies, which involve outpatients of Winthrop University Hospital and are sponsored by pharmaceutical companies, are required to submit their research requests to the Western IRB for review and approval. In connection with HIPAA, the Western IRB shall include in its review of each research request or proposed research study, which already includes a review of the protocol and informed consent form to be used in connection with the proposed research study, a review of each of the following, where applicable, (i) the research authorization, (ii) the HIPAA notice and acknowledgment, and (iii) requests for the alteration or waiver of authorization. Whenever possible, the Western IRB shall ensure that an investigator use the standard Winthrop University Hospital Consent form language, which includes the information required by HIPAA. The Western IRB shall always ensure the investigator utilizes the HIPAA compliant notice and acknowledgment approved by Winthrop University Hospital. For HIPAA purposes, Winthrop University Hospital shall rely on the Western IRB s representation that a research protocol meets HIPAA documentation and minimum necessary requirements (where applicable). K Training. All members of the research workforce of Winthrop University Hospital shall participate in a HIPAA training program. The HIPAA training program for members of the research workforce of Winthrop University Hospital shall include both HIPAA basics training and research specific training. HIPAA basics training shall cover general privacy and general security requirements under HIPAA and shall be conducted as described in [Insert Name of Winthrop University Hospital Policy on Training]. 1 Research Specific Training. The research specific portion of the HIPAA training for the research workforce shall include: a. The research specific HIPAA rules and processes discussed under this Policy; b. Policies and procedures for the management of information collected by the research workforce when conducting research; c. Compliance procedures; d. Policies and procedure for the maintenance of research information, including both paper and computer electronic records; and e. Policies and procedures regarding computer security. 2 WUH IRB. Members of the WUH IRB shall undergo the same training as the researchers. In addition, they shall be trained in their specific responsibilities under HIPAA including: a. The specific elements of a HIPAA authorization;

13 b. The necessary additions to consents and notices under HIPAA; c. The elements to be reviewed when considering an alteration or waiver of authorization; d. The other exceptions to authorization including reviews preparatory to research and research involving deceased individuals; e. The steps necessary to de-identify information under HIPAA; and f. The steps necessary to create a limited data set for research purpose and the requirements of a data use agreement. 3 Western IRB. Members of the Western IRB shall conduct training sufficient to ensure they are competent to perform these specific responsibilities under HIPAA and meet the nursing requirements of HIPAA.

University of Mississippi Medical Center Office of Integrity and Compliance

University of Mississippi Medical Center Office of Integrity and Compliance Office of Integrity and Effective Date: 2005 By: Committee 1.0 PURPOSE The purpose of this policy is to guide (UMMC) employees, who are involved with research, in obtaining an authorization for the use

More information

HIPAA COMPLIANCE INFORMATION. HIPAA Policy

HIPAA COMPLIANCE INFORMATION. HIPAA Policy HIPAA COMPLIANCE INFORMATION HIPAA Policy Use of Protected Health Information for Research Policy University of North Texas Health Science Center at Fort Worth Applicability: All University of North Texas

More information

HIPAA COMPLIANCE. What is HIPAA?

HIPAA COMPLIANCE. What is HIPAA? HIPAA COMPLIANCE What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) also known as the Privacy Rule specifies the conditions under which protected health information may be used

More information

The Health Insurance Portability and Accountability Act (HIPAA) Excerpted from the UTC IRB Policy

The Health Insurance Portability and Accountability Act (HIPAA) Excerpted from the UTC IRB Policy The Health Insurance Portability and Accountability Act (HIPAA) Excerpted from the UTC IRB Policy June 2008 Table of Contents PART V: The Health Insurance Portability and Accountability Act (HIPAA)...

More information

4. No accounting of disclosures is required with respect to disclosures of PHI within a Limited Data Set.

4. No accounting of disclosures is required with respect to disclosures of PHI within a Limited Data Set. IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Limited Data Sets and Data Use Agreements 10200 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel

More information

HIPAA PRIVACY RULE & AUTHORIZATION

HIPAA PRIVACY RULE & AUTHORIZATION HIPAA PRIVACY RULE & AUTHORIZATION Definitions Breach. The term breach means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy

More information

HIPAA-Compliant Research Access to PHI

HIPAA-Compliant Research Access to PHI HIPAA-Compliant Research Access to PHI HIPAA permits the access, disclosure and use of PHI from a HIPAA Covered Entity s or HIPAA Covered Unit s treatment, payment or health care operations records for

More information

HIPAA as it Pertains to IRBs and Research. Jeffrey M. Cohen, Ph.D., CIP Chief Executive Officer HRP Consulting Group, Inc.

HIPAA as it Pertains to IRBs and Research. Jeffrey M. Cohen, Ph.D., CIP Chief Executive Officer HRP Consulting Group, Inc. HIPAA as it Pertains to IRBs and Research Jeffrey M. Cohen, Ph.D., CIP Chief Executive Officer HRP Consulting Group, Inc. HIPAA Acronym for the Health Insurance Portability and Accountability Act of 1996

More information

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions ADDITIONAL DETAILS Web Address Forms Related Information

More information

HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS

HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS SCOPE OF POLICY: What Units Are Covered by this Policy?: This policy applies to the following units

More information

What is Covered under the Privacy Rule? Protected Health Information (PHI)

What is Covered under the Privacy Rule? Protected Health Information (PHI) HIPAA & RESEARCH What is Covered under the Privacy Rule? Protected Health Information (PHI) Health information + Identifier = PHI Transmitted or maintained in any form (paper, electronic, forms, web-based,

More information

IRB Guidelines 1.3 HIPAA Research Implications Version 1.1: Created 4/20/2016

IRB Guidelines 1.3 HIPAA Research Implications Version 1.1: Created 4/20/2016 Institutional Review Board (IRB) IRB Guidelines 1.3 HIPAA Research Implications Version 1.1: Created 4/20/2016 Overview The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its regulations,

More information

Health Insurance Portability & Accountability Act (HIPAA) Compliance Application

Health Insurance Portability & Accountability Act (HIPAA) Compliance Application Health Insurance Portability & Accountability Act (HIPAA) Compliance Application IRB Office 101 - Altru Psychiatry Center 860 S. Columbia Rd, Grand Forks, North Dakota 58201 Phone: (701) 780-6161 PROJECT

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy

More information

What is Covered by HIPAA at VCU?

What is Covered by HIPAA at VCU? What is Covered by HIPAA at VCU? The Privacy Rule was designed to protect private health information from incidental disclosures. The regulations specifically apply to health care providers, health plans,

More information

UPMC POLICY AND PROCEDURE MANUAL

UPMC POLICY AND PROCEDURE MANUAL UPMC POLICY AND PROCEDURE MANUAL POLICY: INDEX TITLE: HS-EC1807 Ethics & Compliance SUBJECT: Honest Broker Certification Process Related to the De-identification of Health Information for Research and

More information

The George Washington University Office of Human Research IRB Forum June 20, 2012

The George Washington University Office of Human Research IRB Forum June 20, 2012 The George Washington University Office of Human Research IRB Forum June 20, 2012 Types of Chart Reviews Exempt vs. Expedited Protected Health Information Consent Requirements HIPAA Chart reviews are a

More information

Administrative Services

Administrative Services Policy Title: Administrative Services De-identification of Client Information and Use of Limited Data Sets Policy Number: DHS-100-007 Version: 2.0 Effective Date: Upon Approval Signature on File in the

More information

HIPAA, Research, and the IRB. Michelle Brown, BBA Biomedical IRB Manager

HIPAA, Research, and the IRB. Michelle Brown, BBA Biomedical IRB Manager HIPAA, Research, and the IRB Michelle Brown, BBA Biomedical IRB Manager Agenda Brief History of HIPAA How Did We Get Here? When Does HIPAA Apply to Research? How Do Researchers Access & Share PHI Under

More information

The HIPAA privacy rule and long-term care : a quick guide for researchers

The HIPAA privacy rule and long-term care : a quick guide for researchers Scholarly Commons at Miami University http://sc.lib.miamioh.edu Scripps Gerontology Center Scripps Gerontology Center Publications The HIPAA privacy rule and long-term care : a quick guide for researchers

More information

Children's Hospital, Boston (Draft Edition)

Children's Hospital, Boston (Draft Edition) Children's Hospital, Boston (Draft Edition) The Researcher's Guide to HIPAA Evervthing You Alwavs Wanted to Know About HIPAA But Were Afraid to Ask 1. What is HIPAA? 2. What is the Privacy Rule? 3. What

More information

Health Insurance Portability and Accountability Policy 1.8.4

Health Insurance Portability and Accountability Policy 1.8.4 Health Insurance Portability and Accountability Policy 1.8.4 Appendix C Uses and Disclosures of PHI Procedures This Appendix covers procedures related to Uses and Disclosures of PHI. Disclosures to Law

More information

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance HIPAA-G04 Limited Data Set and Data Use Agreement Guidance GUIDANCE CONTENTS Scope Reason for the Guidance Guidance Statement Definitions ADDITIONAL DETAILS Additional Contacts Web Address Forms Related

More information

HIPAA Privacy Common Questions: Definitions

HIPAA Privacy Common Questions: Definitions Brought to you by Momentous Insurance Brokerage, Inc. HIPAA Privacy Common Questions: Definitions What is a Covered Entity under the HIPAA Privacy Rules? The following organizations are governed by this

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association DISCLAIMER This general information fact sheet is made available

More information

HIPAA Privacy Compliance Plan for Research. University of South Alabama IRB Guidance and Procedures

HIPAA Privacy Compliance Plan for Research. University of South Alabama IRB Guidance and Procedures HIPAA Privacy Compliance Plan for Research University of South Alabama IRB Guidance and Procedures Office of Research Compliance and Assurance CSAB 140 460-6625 Adopted: 4/2/2003 2 HIPAA PRIVACY COMPLIANCE

More information

University of Wisconsin-Madison Policy and Procedure

University of Wisconsin-Madison Policy and Procedure Page 1 of 6 I. Policy A limited data set is protected health information that excludes direct identifiers. The UW HCC units may use or disclose a limited data set only for the purposes of public health

More information

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule AA Privacy RuleP DEPARTMENT OF HE ALTH & HUMAN SERVICES USA Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule NIH Publication Number 03-5388 The HI Protecting Personal

More information

IRB Application for Medical Records Review Request

IRB Application for Medical Records Review Request Office of Regulatory Research Compliance Institutional Review Board FORM B1 : Medial Records Review Application FORM B1 IRB Application for Medical Records Review Request Principal Investigator: Email:

More information

Limited Data Set Background Information

Limited Data Set Background Information Limited Data Set Background Information 1. A limited data set is protected health information that excludes certain identifiers but permits the use and disclosure of more identifiers than in a de-identified

More information

SCHOOL OF PUBLIC HEALTH. HIPAA Privacy Training

SCHOOL OF PUBLIC HEALTH. HIPAA Privacy Training SCHOOL OF PUBLIC HEALTH HIPAA Privacy Training Public Health and HIPAA This presentation will address the HIPAA Privacy regulations as they effect the activities of the School of Public Health. It is imperative

More information

HIPAA OVERVIEW ETSU 1

HIPAA OVERVIEW ETSU 1 HIPAA OVERVIEW ETSU 1 What is HIPAA? Health Insurance Portability and Accountability Act. 2 PURPOSE - TITLE II ADMINISTRATIVE SIMPLIFICATION To increase the efficiency and effectiveness of the entire health

More information

Research Provisions. Covered entities may use and disclose PHI for research:

Research Provisions. Covered entities may use and disclose PHI for research: Research Research Provisions Covered entities may use and disclose PHI for research: with individual authorization, or without individual authorization under limited circumstances 45 CFR 164.508, 164.512(i)

More information

HIPAA Basics for Clinical Research

HIPAA Basics for Clinical Research HIPAA Basics for Clinical Research Audio options: Built-in audio on your computer OR Separate audio dial-in: 415-930-5229 Toll-free: 1-877-309-2074 Access Code: 960-353-248 Audio PIN: Shown after joining

More information

UPMC POLICY AND PROCEDURE MANUAL

UPMC POLICY AND PROCEDURE MANUAL UPMC POLICY AND PROCEDURE MANUAL POLICY: INDEX TITLE: HS-EC1611 Ethics & Compliance SUBJECT: Use and Disclosure of Protected Health Information (PHI) For Research Purposes Pursuant to the HIPAA Privacy

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy Use and Disclosure of PHI With Authorization 10120

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy Use and Disclosure of PHI With Authorization 10120 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy Use and Disclosure of PHI With Authorization 10120 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel

More information

How to De-identify Data. Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008

How to De-identify Data. Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008 How to De-identify Data Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008 1 Outline The problem Brief history The solutions Examples with SAS and R code 2 Background The adoption

More information

[B3] How IRBs are Implementing HIPAA: Finding the Best Fit for Your Institution

[B3] How IRBs are Implementing HIPAA: Finding the Best Fit for Your Institution [B3] How IRBs are Implementing HIPAA: Finding the Best Fit for Your Institution The 18 th Annual Meeting of the Applied Research Ethics National Association 1 Faculty John Falletta, MD Duke University

More information

Memorandum. Factual Background

Memorandum. Factual Background Memorandum TO: FROM: SUBJECT: Chris Ianelli and Jill Mullan, ispecimen, Inc. Kristen Rosati and Ana Christian, Polsinelli, PC ispecimen Regulatory Compliance DATE: January 26, 2014 You have asked us to

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3 INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS I. Introduction 2 II. Definitions 3 III. Program Oversight and Responsibilities 4 A. Structure B. Compliance Committee C.

More information

[Insert Name and Address of Data Recipient] Data Use Agreement. Dear :

[Insert Name and Address of Data Recipient] Data Use Agreement. Dear : [Insert Name and Address of Data Recipient] Re: Data Use Agreement Dear : The federal Health Insurance Portability and Accountability Act and the regulations promulgated thereunder (collectively referred

More information

January 2003. Employers must be prepared for their obligations under the HIPAA Privacy Rules

January 2003. Employers must be prepared for their obligations under the HIPAA Privacy Rules Employer Sponsored Group Health Plans and the HIPAA Privacy Rules Employers must be prepared for their obligations under the HIPAA Privacy Rules January 2003 Bob Radecki KnowHIPAA.com HIPAA-COBRA-FMLA

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy Use and Disclosure of Psychotherapy Notes 10130

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy Use and Disclosure of Psychotherapy Notes 10130 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy Use and Disclosure of Psychotherapy Notes 10130 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel &

More information

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT Section C: Data Use Agreement Illinois Department of Healthcare and Family Services And DATA USE AGREEMENT This Data Use Agreement (the Agreement ) is effective as of (the Agreement Effective Date ) by

More information

HIPAA Privacy Rule Primer for the College or University Administrator

HIPAA Privacy Rule Primer for the College or University Administrator HIPAA Privacy Rule Primer for the College or University Administrator On August 14, 2002, the Department of Health and Human Services ( HHS ) issued final medical privacy regulations (the Privacy Rule

More information

Gaston County HIPAA Manual

Gaston County HIPAA Manual Gaston County HIPAA Manual Includes Gaston County IT Manual Action Date Reviewed and Revised December 2012 Gaston County HIPAA Policy Manual has be updated and combined with the Gaston County IT Manual.

More information

IRB RESEARCH REPOSITORY

IRB RESEARCH REPOSITORY IRB RESEARCH REPOSITORY COMPLIANCE PROGRAM: INFORMATION FOR BASIC SCIENTISTS Susan Burner Bankowski, MS, JD Chair, OHSU IRB Why a Policy Now? The regulations have always included oversight for research

More information

HIPAA Policies and Procedures

HIPAA Policies and Procedures HIPAA Policies and Procedures William T. Chen, MD, Inc. General Rule 164.502 A Covered Entity may not use or disclose PHI except as permitted or required by the privacy regulations. Permitted Disclosures:

More information

HUMAN SUBJECTS AND HIPAA

HUMAN SUBJECTS AND HIPAA Research Compliance Tipsheet HIPAA Basics Last Revised: September 11, 2009 When we work with Protected Health Information (PHI) covered under the Health Insurance Portability and Accountability Act (HIPAA),

More information

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4 HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS HIPAA Privacy Policy pages 2 to 12 Exhibit A HIPAA Privacy Regulations pages A-1 to A-89 Exhibit B Notice of Privacy Practices pages B-1 to B-4 Exhibit

More information

Standard Operating Procedures for Research Involving Human Subjects

Standard Operating Procedures for Research Involving Human Subjects Section I: Introduction v07/2015 Standard Operating Procedures Indiana University and its affiliates are dedicated to protecting the rights and welfare of human participants recruited to participate in

More information

SOP Number: OCR-HIP-001 Effective Date: August 2013 Page 1 of 5

SOP Number: OCR-HIP-001 Effective Date: August 2013 Page 1 of 5 Title: HIPAA Research Policy: General Nova Southeastern University Standard Operating Procedure for GCP Version # 1 SOP Number: OCR-HIP-001 Effective Date: August 2013 Page 1 of 5 PURPOSE: Federal privacy

More information

focus on Medical Privacy June 2001 HIPAA and the Federal Privacy Standards for Health Information Overview

focus on Medical Privacy June 2001 HIPAA and the Federal Privacy Standards for Health Information Overview focus on Medical Privacy June 2001 HIPAA and the Federal Privacy Standards for Health Information Overview On December 28, 2001, the Department of Health and Human Services ("HHS") published the long-awaited

More information

Statement of Policy. Reason for Policy

Statement of Policy. Reason for Policy Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions

More information

HIPAA Privacy Officer Sonya Middleton. HIPAA Security Officer Joan Kellner

HIPAA Privacy Officer Sonya Middleton. HIPAA Security Officer Joan Kellner HIPAA Privacy Officer Sonya Middleton HIPAA Security Officer Joan Kellner Humboldt Workshop & Residential Services, Inc., mc, INC. POLICIES FOR PROTECTION OF THE PRIVACY OF PROTECTED HEALTH INFORMATION

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

Legal Insight. Big Data Analytics Under HIPAA. Kevin Coy and Neil W. Hoffman, Ph.D. Applicability of HIPAA

Legal Insight. Big Data Analytics Under HIPAA. Kevin Coy and Neil W. Hoffman, Ph.D. Applicability of HIPAA Big Data Analytics Under HIPAA Kevin Coy and Neil W. Hoffman, Ph.D. Privacy laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule can have a significant

More information

De-Identification of Health Data under HIPAA: Regulations and Recent Guidance" " "

De-Identification of Health Data under HIPAA: Regulations and Recent Guidance  De-Identification of Health Data under HIPAA: Regulations and Recent Guidance" " " D even McGraw " Director, Health Privacy Project January 15, 201311 HIPAA Scope Does not cover all health data Applies

More information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information I. PREAMBLE ( Covered Entity ) and ( Business Associate ) (jointly the Parties ) wish to enter into an Agreement to comply with the requirements

More information

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES SALISH BHO HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES Policy Name: HIPAA BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date: 03/2016 Revision Date(s):

More information

HIPAA and You The Basics

HIPAA and You The Basics HIPAA and You The Basics The Purpose of HIPAA Privacy Rules 1. Provide strong federal protections for privacy rights Ensure individual trust in the privacy and security of his or her health information

More information

UCSF and Data Contributor are hereinafter also referred to individually as Party and collectively as Parties.

UCSF and Data Contributor are hereinafter also referred to individually as Party and collectively as Parties. DATA USE AGREEMENT This Data Use Agreement ( Agreement ) is entered into by and between The Regents of the University of California, on behalf if its San Francisco campus ( UCSF or Data User ), and [full

More information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information New regulations requiring health care professionals, health plans, and other entities covered by the Health Insurance

More information

Considerations for Waivers of Informed Consent and Authorization

Considerations for Waivers of Informed Consent and Authorization Considerations for Waivers of Informed Consent and Authorization Contents: Waiver of Informed Consent... 1 Office for Human Research Protections (OHRP) regulations... 1 Government projects... 1 All other

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE Lewis & Clark College and Allegiance Benefit Plan Management, Inc., (jointly the Parties

More information

PROTECTED HEALTH INFORMATION AND THE JHSPH

PROTECTED HEALTH INFORMATION AND THE JHSPH PROTECTED HEALTH INFORMATION AND THE JHSPH The Health Insurance Portability and Accountability Act (HIPAA) protects individually identifiable health information, or Protected Health Information ( PHI ),

More information

A. HIPAA Privacy Authorizations and Exceptions for Use of Identifiable Protected Health Information

A. HIPAA Privacy Authorizations and Exceptions for Use of Identifiable Protected Health Information Protected Health Information and the JHSPH The Health Insurance Portability and Accountability Act (HIPAA) protects individually identifiable health information, or Protected Health Information ( PHI ),

More information

Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health. Pam Jager, GRMEP Director of Education & Development

Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health. Pam Jager, GRMEP Director of Education & Development Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health Pam Jager, GRMEP Director of Education & Development To understand the requirements of the federal Health Information Portability

More information

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1 HIPAA DATE USE AGREEMENT 1 This Data Use Agreement (the "Agreement") is effective as of (the "Agreement Effective Date") by and between ("Covered Entity") and ("Data User"). RECITALS WHEREAS, Covered Entity

More information

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant HIPAA Privacy and Security Rules: A Refresher Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant Objectives Provide overview of Health insurance Portability and Accountability

More information

1. Privacy Officer shall mean the superintendent or the superintendent s designee.

1. Privacy Officer shall mean the superintendent or the superintendent s designee. POLICY TITLE: HIPAA Privacy Rule Compliance ABERDEEN SCHOOL DISTRICT #58 POLICY NO: 864 PAGE 1 of 4 PRIVACY RULE COMPLIANCE The federal Privacy Rule of the Health Insurance Portability and Accountability

More information

DATA USE AGREEMENT RECITALS

DATA USE AGREEMENT RECITALS DATA USE AGREEMENT This Data Use Agreement (the Agreement ), effective as of the day of, 20, is by and between ( Covered Entity ) and ( Limited Data Set Recipient or Recipient ) (collectively, the Parties

More information

North Shore LIJ Health System, Inc. Facility Name

North Shore LIJ Health System, Inc. Facility Name North Shore LIJ Health System, Inc. Facility Name POLICY TITLE: The Medical Record POLICY #: 200.10 Approval Date: 2/14/13 Effective Date: Prepared by: Elizabeth Lotito, HIM Project Manager ADMINISTRATIVE

More information

Application for an Off-Site Tissue Banking Waiver at a Non-Profit or Academic Institution

Application for an Off-Site Tissue Banking Waiver at a Non-Profit or Academic Institution Application for an Off-Site Tissue Banking Waiver at a Non-Profit or Academic Institution INSTRUCTIONS This form may be filled in and saved using Adobe Reader version 7.0 or higher. The full version of

More information

References to Business Associates in HIPAA-HIPAA regulations

References to Business Associates in HIPAA-HIPAA regulations Title 45: Public Welfare PART 160 GENERAL ADMINISTRATIVE REQUIREMENTS 160.103 Definition Business associate: (1) Except as provided in paragraph (4) of this definition, business associate means a person

More information

HIPAA s Impact on Research and Clinical Trials. Tom Merchant, Esq., GlaxoSmithKline Leigh-Ann Patterson, Esq., Nixon Peabody LLP

HIPAA s Impact on Research and Clinical Trials. Tom Merchant, Esq., GlaxoSmithKline Leigh-Ann Patterson, Esq., Nixon Peabody LLP HIPAA s Impact on Research and Clinical Trials Tom Merchant, Esq., GlaxoSmithKline Leigh-Ann Patterson, Esq., Nixon Peabody LLP The PharmaCongress Philadelphia, PA November 13, 2002 2002 Overview of Presentation

More information

HIPAA: Open Research Issues Michael L. Blau, Esq. McDermott, Will & Emery

HIPAA: Open Research Issues Michael L. Blau, Esq. McDermott, Will & Emery HIPAA: Open Research Issues Michael L. Blau, Esq. McDermott, Will & Emery Research A. General Rules. There are four pathways for covered entities ( CEs ) to obtain permission under the Health Insurance

More information

DALLAS ALLERGY & ASTHMA CENTER

DALLAS ALLERGY & ASTHMA CENTER DALLAS ALLERGY & ASTHMA CENTER Gary N. Gross, MD Michael E. Ruff, MD 5499 Glen Lakes Dr., Suite 100 Dallas, TX 75231 Dania A. Wierzbicki, MD Phone: (214) 691-1330 Jane Zepeda, PA-C FAX: (214) 691-6405

More information

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

VENDOR / CONTRACTOR. Privacy Basics

VENDOR / CONTRACTOR. Privacy Basics VENDOR / CONTRACTOR Privacy Basics Introduction Premera s mission is to provide our customers with peace of mind about their healthcare. This requires that everyone who works with or for Premera (the Company

More information

APPENDIX 1: Frequently Asked Questions

APPENDIX 1: Frequently Asked Questions APPENDIX 1: Frequently Asked Questions Practice Name Q: What is the HIPAA Privacy Rule? A: The HIPAA Privacy Rule controls the use and disclosure of what is known as Protected Health Information (PHI).

More information

UNIVERSITY PHYSICIANS OF BROOKLYN, INC. POLICY AND PROCEDURE. No: Supersedes Date: Distribution: Issued by:

UNIVERSITY PHYSICIANS OF BROOKLYN, INC. POLICY AND PROCEDURE. No: Supersedes Date: Distribution: Issued by: UNIVERSITY PHYSICIANS OF BROOKLYN, INC. POLICY AND PROCEDURE Subject: ALCOHOL & SUBSTANCE ABUSE INFORMATION Page 1 of 10 No: Prepared by: Shoshana Milstein Original Issue Date: NEW Reviewed by: HIPAA Policy

More information

YALE UNIVERSITY RESEARCHER S GUIDE TO HIPAA. Health Insurance Portability and Accountability Act of 1996 Handbook

YALE UNIVERSITY RESEARCHER S GUIDE TO HIPAA. Health Insurance Portability and Accountability Act of 1996 Handbook YALE UNIVERSITY RESEARCHER S GUIDE TO HIPAA Health Insurance Portability and Accountability Act of 1996 Handbook Table of Contents I. INTRODUCTION... 2 What is HIPAA?... 2 What is PHI?... 2 II. HIPAA s

More information

THE HIPAA PRIVACY RULE AND THE NATIONAL HOSPITAL CARE SURVEY

THE HIPAA PRIVACY RULE AND THE NATIONAL HOSPITAL CARE SURVEY THE HIPAA PRIVACY RULE AND THE NATIONAL HOSPITAL CARE SURVEY Table of Contents I. Overview... 3 II. Legal Authority for NHCS... 3 III. Requirements of the HIPAA Privacy Rule... 3 IV. Extra Safeguards and

More information

Glossary and Terms. Affiliated Covered Entity: Legally separate covered entities that are associated in business.

Glossary and Terms. Affiliated Covered Entity: Legally separate covered entities that are associated in business. Glossary and Terms Affiliated Covered Entity: Legally separate covered entities that are associated in business. Asset Any tangible or intangible thing or characteristic that has value to an organization.

More information

Extracting value from HIPAA Data James Yaple Jackson-Hannah LLC

Extracting value from HIPAA Data James Yaple Jackson-Hannah LLC Extracting value from HIPAA Data James Yaple Jackson-Hannah LLC Session Objectives Examine the value of realistic information in research and software testing Explore the challenges of de-identifying health

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT Talksoft is BA with Covered Entity BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is made this day of, and entered into between, ( Covered Entity ) having its principal place of

More information

PEPPERDINE UNIVERSITY HIPAA Policies Procedures and Forms Manual

PEPPERDINE UNIVERSITY HIPAA Policies Procedures and Forms Manual PEPPERDINE UNIVERSITY HIPAA Policies Procedures and Forms Manual 1 Table of Contents I. INTRODUCTION... 4 A. GENERAL POLICY... 4 B. SCOPE... 4 II. DEFINITIONS... 5 III. GENERAL POLICIES AND PROCEDURES...

More information

CancerLinQ Data Quality Management Policies

CancerLinQ Data Quality Management Policies CancerLinQ Data Quality Management Policies I. Introduction CancerLinQ is committed to conquering cancer through appropriate, secure and ethical usage of health information entrusted to the CancerLinQ

More information

Northwest Cardiology Associates 400 W. Northwest Hwy Barrington, IL 60010 847.382.4600 Fax 847.382.1771. HIPAA Notice of Privacy Practices ( Notice )

Northwest Cardiology Associates 400 W. Northwest Hwy Barrington, IL 60010 847.382.4600 Fax 847.382.1771. HIPAA Notice of Privacy Practices ( Notice ) Northwest Cardiology Associates 400 W. Northwest Hwy Barrington, IL 60010 847.382.4600 Fax 847.382.1771 HIPAA Notice of Privacy Practices ( Notice ) THIS NOTICE DESCRIBES HOW INFORMATION ABOUT YOU MAY

More information

HIPAA-P01 Uses and Disclosures of Protected Health Information Policy

HIPAA-P01 Uses and Disclosures of Protected Health Information Policy HIPAA-P01 Uses and Disclosures of Protected Health Information Policy FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions Sanctions ADDITIONAL DETAILS Additional Contacts Web Address

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191. HIPAA Data Use Agreement 1 Revision Date: This Data Use Agreement (the Agreement ) is entered into by and between Yale University ( Covered Entity ) and ( Data User ), collectively, the Parties, and shall

More information

University of California Policy

University of California Policy University of California Policy HIPAA Patients Rights Responsible Officer: Senior Vice President/Chief Compliance and Audit Officer Responsible Office: Ethics, Compliance and Audit Services Effective Date:

More information

Releasing Information

Releasing Information Releasing Information There are 3 kinds of release situations now: our original Release of Information and it s uses under Colorado Law and Professional Ethical Standards; HPAA s Consent to release information

More information

HIPAA SELF STUDY TRAINING GUIDE

HIPAA SELF STUDY TRAINING GUIDE HIPAA SELF STUDY TRAINING GUIDE I have received the LifeWays HIPAA SELF STUDY TRAINING GUIDE. I understand that I will be accountable for the information contained in the guide. If I have questions I may

More information

HIPAA Compliance for Students

HIPAA Compliance for Students HIPAA Compliance for Students The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 by the United States Congress. It s intent was to help people obtain health insurance benefits

More information