IRB Policy for Security and Integrity of Human Research Data
1 IRB Policy for Security and Integrity of Human Research Data
Kathleen Hay, Human Subjects Protection Office
Terri Shkuda, Research Informatics & Computing, Information Technology

2 Overview of Presentation
- Regulatory Background
- Revised IRB Policy
- Investigator Responsibilities
- Requirements for Data Security and Integrity
- Investigator Resources
- REDCap
3 Regulatory Background
4 Regulatory Background
- 45 CFR Part 46 and 21 CFR Part 56: criteria for IRB approval. When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.
- HIPAA
  - Privacy Rule: establishes national standards to protect individuals' medical records and other personal health information and sets limits and conditions on the uses and disclosures of this information.
  - Breach Notification Rule: requires entities to provide notification following a breach of unsecured PHI.
  - Security Rule: establishes standards for security of e-PHI.
- HITECH
  - Enforcement Rule: establishes categories of violations and penalties.

5 Regulatory Background
Institutional policies (PSU and HMC):
- PSU-AD20 Computer and Network Security
- PSU-AD23 Use of Institutional Data
- PSU-AD71 Data Categorization
- PSU ADG07 Data Categorization Examples
- HAM C-08 Confidentiality: Disposal of Information, Sanitizing of Electronic Media, and Destruction of Hard Copy Documents
- HAM C-37 Confidentiality: Electronic Storage of Sensitive Data
- IRB SOP Addendum: Security and Integrity of Human Research Data
6 Revised IRB Policy Addendum IRB SOP Addendum: Security and Integrity of Human Research Data
7 Revised IRB Policy
IRB SOP Addendum: Security and Integrity of Human Research Data
- Became effective January 2012
- Revision will be effective December 1, 2014
- SOP is available on the IRB website under Resources/Investigator Resources

8 Revised IRB Policy
What are the main changes:
- Defines Penn State Hershey researchers and external researchers
- Defines 2-level categorization for data
- Includes a new process for submitting the plan
- Provides revised requirements for electronic and paper data storage
- Provides requirements for data transfer
- Requires data transfer agreements if data are transferred to and/or from any third party

9 Revised IRB Policy
- Penn State Hershey researcher: employee, faculty or student of the PSU College of Medicine (COM) and/or Hershey Medical Center (HMC)
- External researcher:
  - If the research uses/discloses protected health information (PHI): any researcher who is not an employee, faculty, or student of COM and/or HMC
  - If the research does not use/disclose PHI: any researcher who is not an employee, faculty or student of Penn State University, COM, HMC
10 Revised IRB Policy
- Protected health information (PHI): individually identifiable health information transmitted or maintained in any form or medium by a Covered Entity or its Business Associate
- Individually identifiable health information: health information, including demographic information, that relates to an individual's physical or mental health or the provision of or payment for health care, and identifies the individual
- Personally Identifiable Information (PII): information that can be used to uniquely identify a single person or group of individuals

11 Revised IRB Policy
Policy defines 2 levels for human research data
- Level 1: de-identified research data about people
  - De-identified data collected for a research study, such as an anonymous survey
  - Publicly available datasets
- Level 2: data about individually identifiable people
  - Research data that include identifiable health information (PHI) collected for a clinical trial
  - Research data that include identifiable non-health information (PII), such as test scores or student record information or employee records
  - Research data that include identifiable non-health, non-sensitive information collected as part of a research study

12 18 HIPAA Identifiers
- Names
- All geographic subdivisions smaller than a State
- All elements of dates (except year)
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device identifiers
- Web URLs
- Internet Protocol (IP) addresses
- Biometric identifiers, finger and voice prints
- Full face photographic images
- Any other unique identifying number/characteristic/code
Identifier added as part of the SOP: whole genomic sequence data

13 Revised IRB Policy
Procedure:
- IRB Chair or designee reviews the data security-integrity plan by expedited review process
  - New studies: plan reviewed during pre-review
  - Reviewer determines if plan fulfills requirements for the applicable security category
- If plan does not meet policy requirements, it is reviewed by the IT Security Group
  - Provides guidance to IRB regarding changes needed to approve plan
  - May recommend IRB approve a variance
- Compliance is monitored by Research Quality Assurance Office as part of routine or directed post-approval reviews

14 Revised IRB Policy
- For research involving transfer of PHI or PII to and/or from any third party*
  - IT Security must approve the method of data transfer
  - Ancillary review process in CATS IRB
- Written transfer agreements required for projects involving transfer of human research data to and/or from any third party*
  - Agreements negotiated by OTD or ORA
  - Ancillary review process in CATS IRB
- Written transfer agreements needed if PI is leaving PSH and plans to take data
*Third party = external sponsor or external researcher
15 Investigator Responsibilities
16 Investigator Responsibilities
Investigators are responsible for:
- Disclosing nature of data to be collected
- Submitting data security/integrity plan at initial review using Application Supplement: Research Data Plan Review Form **NEW**
- Implementing & monitoring the plan upon IRB approval
- Ensuring all research personnel are trained and have signed a confidentiality agreement
- Reporting breaches of confidentiality to IRB as RNI
- Contacting ORA or OTD to negotiate transfer agreements if applicable

17 Investigator Responsibilities
New studies
- Submit Application Supplement: Research Data Plan Review Form with CATS IRB
  - Upload form on Basic Information page, question #7, along with protocol/PSA
  - Form will be stored in CATS IRB Library under Templates
- To avoid redundancy, do not include data security/integrity plan in protocol or protocol site addendum (PSA)
  - State "See the Research Data Plan Review Form" in the Confidentiality, Privacy and Data Management section of protocol or PSA
  - Section 10 of the protocol templates (HRP-591 and HRP-592) and Section 4 of the PSA (HRP-595)
Ongoing active studies
- No action necessary
- Approved data security/integrity plan is in protocol

18 Investigator Responsibilities
Research Data Plan Review Form
- Form format: 15 questions
  - What identifiers are recorded?
  - Are data collected by mobile devices or internet?
  - How are data stored?
  - What is the process for data integrity?
  - Are data being transferred to/from PSH?
  - If data are transferred, how and what identifiers are being sent/received?
19 Requirements for Data Security and Integrity
20 Policy Recommendations: Level 1 Data
- Hardcopy
  - Stored securely in controlled environment
  - Disposal in regular trash
- Electronic
  - Good computer use practice (complex passwords, not sharing accounts, limiting access, etc.)
  - Portable media secured when not in use (locked office or lock-down cables)
  - Servers should have access controls
  - Electronic devices may be disposed of following deletion of research data files

21 Policy Recommendations: Level 1 Data
Data transfer/sharing
- Requires a written agreement between PSH and the external institution
- Hardcopy: data may be transferred double-wrapped using secure chain of possession
- Electronic: data may be transferred by unprotected email

22 Policy Requirements: Level 2 Data
Hardcopy
- Stored securely in controlled environment (e.g. at PSU/HMC)
- Data forms/code lists stored in locked file cabinets or limited access storage areas
- PI must maintain lists of staff with access to data
- Disposal by shredding

23 Policy Requirements: Level 2 Data
Electronic
- Stored on:
  - Secure file server supported and maintained by IT or PHS
  - Secure database server supported and maintained by IT or PHS (such as REDCap or Oncore)
- Any device not listed above is deemed unacceptable for storage of Level 2 information unless a variance is granted by the IRB based on recommendation of the IT Security Group
- Removable media (tracked, inventoried and physically managed) may only be used for either long-term archival storage or conveyance to another party

24 Policy Requirements: Level 2 Data
Electronic (cont.)
- Desktops and devices physically secured (locked offices and/or locked facilities with access restricted to study personnel and their guests)
- Electronic devices set to automatically log off and lock after defined periods of inactivity
- Access controls
  - PI keeps list of people with access to data
  - Access must be removed if individual has no reason for access
  - Access must be logged (identity of user, time & function)
- Data routinely backed up and the back-up copy physically secured if applicable

25 Policy Requirements: Level 2 Data
Electronic (cont.)
- Devices must undergo secure deletion of the disk at the end of life of the device or prior to recycling
- Data may not be stored, temporarily cached or otherwise accessed in a way that creates a local copy of the data on personal devices (PDAs, USB portable devices), or non-PSU owned devices of any kind (home computers, personal laptops or public computers)
- Remote display is permitted for remote access using applications where there are no persistent data copies when programs are remotely displayed (Citrix or Remote Desktop)

26 Policy Requirements: Level 2 Data
Data transfer/sharing
- Data must be de-identified before sharing with PSH study team members whenever the identifying information is not necessary
- Data must be de-identified or date shifted before transfer to external entities unless subjects have given authorization to disclose identifiers to external entities
  - Requires data transfer agreement
  - Mechanism of transfer must be approved by IT Security Group

27 Policy Requirements: Level 2 Data
Data transfer/sharing (cont.)
- No PHI or PII may leave PSH unless subjects have given authorization to disclose their PHI/PII or the data are a limited data set
  - Requires written agreement
- Electronic transmission: data must be encrypted (HAM C-37)
- Transfer of portable media: use a secure chain of possession
- Hardcopy: double-wrapped using secure chain of possession; commercial carrier or hand-delivered by research team member

28 Policy Requirements: Data Integrity
- Ensures that data are of high quality, correct, and consistent
- Examples of measures to ensure data integrity
  - Data entry performed twice by two different people
  - Edit checks
  - Random, internal quality assurance auditing
- PI must ensure that backup copies of human research data are made and stored
  - If data are stored on an IT or PHS supported server, backups can be assumed
  - For others, backup copies maintained in a secure location
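The identifier list on slide 12 and the "de-identified or date shifted before transfer" requirement on slides 26 and 27 are easy to state and easy to get wrong in practice, so here is an added example of what that step can look like in code. It is not part of the presentation, the IRB SOP, or REDCap; the field names, the study key, the sample record and the keyed-HMAC way of deriving a per-subject date offset are all assumptions of this example. Safe Harbor output keeps only the year of each date, as the slide's identifier list requires; the date-shift variant keeps full dates but moves all of one subject's dates by the same offset, so intervals survive for analysis while calendar dates do not. The final check lists any identifier fields still present before a record is handed off.

```python
# Added example (not from the presentation, the IRB SOP or REDCap): applying the
# slide-12 identifier list and the de-identify / date-shift transfer rule to a
# research record. Field names, key and sample record are constructed.
import hashlib
import hmac
from datetime import date, timedelta

# Fields holding the 18 HIPAA identifiers, plus whole genomic sequence data,
# which the SOP adds. These column names are an assumption of this example.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "zip_code",          # names, geography
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "fingerprint", "face_photo",
    "genomic_sequence",                                   # SOP addition
}
# Date fields: Safe Harbor keeps only the year; date shifting keeps the full
# date but moves it by a per-subject offset.
DATE_FIELDS = {"dob", "enrollment_date", "visit_date"}


def safe_harbor(record):
    """Drop direct identifiers and reduce dates to the year (Level 1 output)."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field in DATE_FIELDS and isinstance(value, date):
            out[field] = value.year
        else:
            out[field] = value
    return out


def subject_offset_days(subject_id, key, max_days=365):
    """Stable, keyed per-subject shift in [-max_days, max_days], never 0.

    An HMAC keeps the offset reproducible for the study team (who hold the
    key) while a recipient without the key cannot undo the shift.
    """
    digest = hmac.new(key, subject_id.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest[:4], "big") % (2 * max_days)
    return n - max_days if n < max_days else n - max_days + 1


def date_shift(record, subject_id, key):
    """Drop direct identifiers and shift every date by the subject's offset.

    All of one subject's dates move by the same amount, so intervals between
    visits are preserved while the real calendar dates are not.
    """
    delta = timedelta(days=subject_offset_days(subject_id, key))
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field in DATE_FIELDS and isinstance(value, date):
            out[field] = value + delta
        else:
            out[field] = value
    return out


def remaining_identifiers(record):
    """Pre-transfer check: identifier fields still present in a record."""
    return sorted(f for f in record if f in DIRECT_IDENTIFIERS)


# Constructed sample record; every value is fictitious.
SAMPLE = {
    "study_id": "S-0042",
    "name": "Example Subject",
    "mrn": "0000001",
    "email": "subject@example.invalid",
    "zip_code": "17033",
    "dob": date(1970, 5, 17),
    "enrollment_date": date(2014, 3, 3),
    "visit_date": date(2014, 4, 14),
    "systolic_bp": 128,
}
STUDY_KEY = b"constructed-example-key-do-not-reuse"  # assumption: kept by the study team

if __name__ == "__main__":
    print("Safe Harbor:", safe_harbor(SAMPLE))
    print("Date shifted:", date_shift(SAMPLE, SAMPLE["study_id"], STUDY_KEY))
    print("Still identifying:", remaining_identifiers(SAMPLE))
```

Whichever variant is used, run `remaining_identifiers` on the outgoing records and treat a non-empty result as a stop: under slides 26 and 27 those fields may only leave with subject authorization and a written agreement, and the transfer mechanism still needs IT Security Group approval regardless of what the code strips. Free-text fields are not covered by a field-name check and need separate review.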
29 Investigator Resources
30 Investigator Resources
For more information
- HMC/COM applications: call IT Helpdesk at x6281
- PHS applications: call PHS Helpdesk at x7682
- Contact
32 REDCap
REDCap (Research Electronic Data Capture)
- Web-based application
- Supports data capture and management for research studies
- Designed to build and manage research data and surveys
- De-identification tools to protect PHI
- A build-it-yourself, intuitive user interface that allows study team members to create data collection forms without prior knowledge of database design

33 REDCap Data Security
REDCap at PSU has been designed to respond to the PSU Audit of 2010 and to support this Data Security and Integrity policy. The application has been thoroughly:
- Scanned for security threats
- Evaluated for the probability and impact of risks
Extra measures have been put in place to ensure the data is safe from potential attacks and data is stored in our internal network.

34 REDCap HIPAA Compliance
HIPAA compliant by providing:
- SOPs for role-based user access at the project level to ensure the minimum access necessary to perform the task
- User accounts that are centrally managed by IT Accounts Management
- Audit trails for every action to ensure proper alteration or destruction of data
- User training requirements
- A secure data center where the project data is easily available by a web application and backed up to a remote location nightly
- A dashboard showing users for each project on the Project Home page

35 REDCap Data Integrity
Features addressing correctness of data entry
- Allows for stages of form completion (incomplete, unverified, complete, locked, e-signed)
- Data type validation and range checks
- Data Quality tool that supplies rules to search the data for missing, out of range and invalid values, and also the ability for the user to create rules themselves
- Double Data Entry module

36 REDCap Data Integrity (continued)
Features addressing threats to data validity
- Access: role-based access monitored by IT Accounts Management & the REDCap Systems Analyst
- Modify/Alter/Destroy Data: every interaction with data is logged in an easily accessible audit trail
- Automated data import and export procedures with de-identification tools
- Upgrade and testing SOPs

37 Data Migration from Excel to REDCap
- REDCap: build REDCap forms to match your existing Excel database. Download the REDCap Data Import template to Excel.
- Excel: copy and paste existing data into the columns of the Data Import template.
- REDCap: import data from the Data Import template in Excel into REDCap.
For a complete description of how to migrate your data from Excel to REDCap, please visit the REDCap Training webpage on our site at

38 For more information about REDCap
- View REDCap tutorials on the Vanderbilt University website:
- Visit our website at and select REDCap.
- Training offered biweekly on Tuesday afternoons (next session 8/28/12).
- Register for training by emailing
More informationHIPAA Privacy & Security White Paper
HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements
More informationWinthrop-University Hospital
Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR 164.512(i), 164.512(a-c) and in connection with the implementation of the HIPAA Compliance
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationTelemedicine HIPAA/HITECH Privacy and Security
Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least
More informationHIPAA OVERVIEW ETSU 1
HIPAA OVERVIEW ETSU 1 What is HIPAA? Health Insurance Portability and Accountability Act. 2 PURPOSE - TITLE II ADMINISTRATIVE SIMPLIFICATION To increase the efficiency and effectiveness of the entire health
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS
More informationHIPAA Training for Staff and Volunteers
HIPAA Training for Staff and Volunteers Objectives Explain the purpose of the HIPAA privacy, security and breach notification regulations Name three patient privacy rights Discuss what you can do to help
More informationCOLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL
PAYMENT CARD INDUSTRY COMPLIANCE (PCI) Effective June 1, 2011 Page 1 of 6 (1) Definitions a. Payment Card Industry Data Security Standards (PCI-DSS): A set of standards established by the Payment Card
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationHIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES
SALISH BHO HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES Policy Name: HIPAA BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date: 03/2016 Revision Date(s):
More informationPolicies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification
Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices
More informationVirginia Commonwealth University Information Security Standard
Virginia Commonwealth University Information Security Standard Title: Scope: Data Classification Standard This document provides the classification requirements for all data generated, processed, stored,
More informationPREP Course #23: Privacy and IT Security for Researchers
PREP Course #23: Privacy and IT Security for Researchers Presented by: Emmelyn Kim, Office of Research Compliance & Debbie Wright, Office of Corporate Compliance CME Disclosure Statement The North Shore
More informationInformation Security and Privacy. WHAT are the Guidelines? HOW is it to be done? WHY is it done?
Information Security and Privacy WHAT are the Guidelines? HOW is it to be done? WHY is it done? 1 WHAT are the guidelines O Be in compliance of Federal/State Laws O Federal: O HIPAA - 1996 O HITECH - 2009
More informationDonna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS
Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS 1 DISCLAIMER Please review your own documentation with your attorney. This information
More informationHIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS
HIPAA Policy, Protection, and Pitfalls Overview HIPAA Privacy Basics What s covered by HIPAA privacy rules, and what isn t? Interlude on the Hands-Off Group Health Plan When does this exception apply,
More informationITS Policy Library. 11.06 - Device Encryption. Information Technologies & Services
ITS Policy Library 11.06 - Device Encryption Information Technologies & Services Responsible Executive: Chief Information Officer, WCMC Original Issued: July 15, 2008 Last Updated: November 21, 2014 POLICY
More informationHIPAA-Compliant Research Access to PHI
HIPAA-Compliant Research Access to PHI HIPAA permits the access, disclosure and use of PHI from a HIPAA Covered Entity s or HIPAA Covered Unit s treatment, payment or health care operations records for
More informationUniversity of Pittsburgh Data Center Information Security
University of Pittsburgh Department of Critical Care Medicine CRISMA Center Data Management Core Standard Operating Procedures University of Pittsburgh Data Center Information Security CRISMA Data Management
More informationMANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.
More informationDistrict of Columbia Health Information Exchange Policy and Procedure Manual
District of Columbia Health Information Exchange Policy and Procedure Manual HIPAA Privacy & Direct Privacy Policies (Version 1 November 27, 2012) Table of Contents Policy # Policy/Procedure Description
More informationGuadalupe Regional Medical Center
Guadalupe Regional Medical Center Health Insurance Portability & Accountability Act (HIPAA) By Debby Hernandez, Compliance/HIPAA Officer HIPAA Privacy & Security Training Module 1 This module will address
More informationSecurity standards PCI-DSS, HIPAA, FISMA, ISO 27001. End Point Corporation, Jon Jensen, 2014-07-11
Security standards PCI-DSS, HIPAA, FISMA, ISO 27001 End Point Corporation, Jon Jensen, 2014-07-11 PCI DSS Payment Card Industry Data Security Standard There are other PCI standards beside DSS but this
More informationNetwork Security for End Users in Health Care
Network Security for End Users in Health Care Virginia Health Information Technology Regional Extension Center is funded by grant #90RC0022/01 from the Office of the National Coordinator for Health Information
More informationSUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
More informationHIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant
1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad
More informationSection C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT
Section C: Data Use Agreement Illinois Department of Healthcare and Family Services And DATA USE AGREEMENT This Data Use Agreement (the Agreement ) is effective as of (the Agreement Effective Date ) by
More informationResearch Electronic Data Capture (REDCap)
Research Electronic Data Capture (REDCap) An Introduction and Training Seminar Kenna Whitley Center for Research Methods and Data Analysis What is REDCap? A secure, web based electronic data capture system
More information