The George Washington University Hospital

Similar documents
The George Washington University Hospital

Principal Investigator Responsibilities for Education and Social/Behavioral Researchers

Attachment B HIPAA-P03 Instructions for Completing IU s Authorization for Research Purposes

HIPAA ephi Security Guidance for Researchers

What is Covered by HIPAA at VCU?

HIPAA and Clinical Research

Human Subject Research: HIPAA Privacy and Security. Human Research Academy 101

BUSINESS ASSOCIATE AGREEMENT. Recitals

Business Associate Agreement

2014 Metrics on Human Research Protection Program Performance

DISCLOSURE OF ALCOHOL AND SUBSTANCE/DRUG ABUSE RECORDS. This Policy describes permissible disclosures of Alcohol and Substance/Drug Abuse Records.

Application for an Off-Site Tissue Banking Waiver at a Non-Profit or Academic Institution

Overview of the HIPAA Security Rule

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS

HIPAA BUSINESS ASSOCIATE AGREEMENT

Health Insurance Portability & Accountability Act (HIPAA) Compliance Application

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

Instructions for Form: Application for Claim of Exemption

Claim of Exemption Form Page 1 of 6

BUSINESS ASSOCIATE AGREEMENT

The HIPAA Audit Program

SAMPLE BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE SUBCONTRACTOR AGREEMENT

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT

Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security

HIPAA Privacy Board Overview

Eligibility to Serve as a Principal Investigator for Research Involving Human Subjects

HIPAA FOR HUMAN RESOURCE EXECUTIVES. Stuart Miller, Esq. Gerry Hinkley, Esq. Davis Wright Tremaine LLP

HIPAA PRIVACY DIRECTIONS. HIPAA Privacy/Security Personal Privacy. What is HIPAA? 6/28/2012

Business Associate Agreement

University of Hawai i Human Studies Program. Guidelines for Developing a Clinical Research Protocol

AAHRPP DOCUMENT # 84 UNIVERSITY OF ALABAMA HUMAN RESEARCH PROTECTIONS PROGRAM FORM: NOTIFICATION TO IRB OF EMERGENCY USE OF A TEST ARTICLE

Model Business Associate Agreement

The following list consists of a few tips and tricks to use when navigating eirb.

4. No accounting of disclosures is required with respect to disclosures of PHI within a Limited Data Set.

Authorized. User Agreement

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:

Breast Cancer Registry of Greater Cincinnati (BCRGC) APPLICATION for ACCESS to INFORMATION/DATA

BUSINESS ASSOCIATE AGREEMENT

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

BUSINESS ASSOCIATE AGREEMENT

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

BUSINESS ASSOCIATE AGREEMENT

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Georgia Immunization Registry (GRITS)

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Business Associates 10230

HIPAA Business Associate Addendum

University Healthcare Physicians Compliance and Privacy Policy

The Institute of Professional Practice, Inc. Business Associate Agreement

MaxMD 2200 Fletcher Ave. 5 th Floor Fort Lee, NJ (201) support@max.md Page 1of 10

Frequently Asked Questions regarding Nurse Practitioners and Protocol Agreements

Reliance Agreement for Institutions Utilizing Stony Brook University s Institutional Review Board(s)

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

What do you need to know?

HIPAA Privacy Summary for Self-insured Employer Groups

UNIVERSITY OF CALIFORNIA, SAN DIEGO HUMAN RESEARCH PROTECTIONS PROGRAM. DoD/DON-funded Research

HIPAA Audits For Covered Entities and Business Associates

Healthcare Coordination

Interpreting the HIPAA Audit Protocol for Health Lawyers

New HIPAA regulations require action. Are you in compliance?

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10

COMPLIANCE ALERT 10-12

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance

BUSINESS ASSOCIATE AGREEMENT

Investigator responsibilities for research conducted under the authority of the UTHSCSA Institutional Review Board (IRB)

BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Isaac Willett April 5, 2011

Commonwealth of Massachusetts Center for Health Information & Analysis (CHIA) Non-Government Agency Application for Data

Security Awareness Training

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida Telephone (904) Facsimile (904)

Tips for Investigators ~eirb Submissions~ Department of Emergency Medicine Research Division. *Edwin D. Boudreaux, PhD; EM Division Director

Architecture, Implementations, Integrations, and Technical Overview

Use of Electronic Health Record Data in Clinical Investigations

UNIVERSITY OF CALIFORNIA, SAN DIEGO HUMAN RESEARCH PROTECTIONS PROGRAM HUMAN SUBJECT PROTECTION TRAINING

Appendix : Business Associate Agreement

Sponsored Programs Guidance Cradle to Grave

University of Mississippi Medical Center Office of Integrity and Compliance

CSU INFORMATION SECURITY. Presentation for 2012 CSU Auxiliary Conference January 11, 2012

Musculoskeletal Sonography Certificate Admissions Requirements

NATIONWIDE HIPAA NOTICE OF PRIVACY PRACTICES

Investigational Drugs: Investigational Drugs and Biologics

I. INTRODUCTION DEFINITIONS AND GENERAL PRINCIPLE

HIPAA Medical Billing Requirements For Research

THE HIPAA PRIVACY RULE AND THE NATIONAL HOSPITAL CARE SURVEY

Northwest Cardiology Associates 400 W. Northwest Hwy Barrington, IL Fax HIPAA Notice of Privacy Practices ( Notice )

A USER S GUIDE TO THE RASCAL HIPAA MODULE

What s New with HIPAA? Policy and Enforcement Update

Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health. Pam Jager, GRMEP Director of Education & Development

Document Management Policy and Procedure

HIPAA Security Education. Updated May 2016

SOP Number: OCR-HIP-001 Effective Date: August 2013 Page 1 of 5

Transcription:

The George Washington University Hospital Information Access Management to support clinical Research Protocol Specification Effective January 1, 2012 1

Introduction The George Washington University Hospital s Information Security & Privacy compliance committee has developed this protocol that facilitates the education and adoption of an improved information access process for current and future research projects underway at the hospital. The process outlined in this proposal, serves as a general guideline to estimate time frames, required documentation as well as controls that need to be in place in order to ensure proper privacy and security of ephi that will be needed to support the research activities. Scope The audience of this document includes but is not limited to: 1. Hospital Administration 2. University Administration responsible for clinical research 3. Principle investigators / Researchers 4. Hospital IT Documentation The Information Security & Privacy Compliance committee at the hospital has outlined the following process in order to improve the time required to review the application. Please Note: At this time, the following documentation is only required for Investigator led research projects. For sponsored projects, please contact the Hospital Privacy/Security officer first, before submitting your documentation for approval. REQUIRED documentation to be considered for review a. IRB approval document b. HIPAA Full/Partial waiver as applicable, requiring GWUH privacy (and security officer if applicable) signature(s) to start research c. Research Protocol Synopsis d. Research Protocol e. In case only limited data sets/de-indentified PHI is used for studies that are multi-agency and multi-location based i. Copy of Data Use agreement (or similar) needs to be submitted if that data is going to be shared with others outside researchers/entity f. In case limited data sets/de-identified PHI cannot be used, provide documentation that specifies the following: 2

i. Location where PHI will be stored. (Specify who owns the computers where ephi will be stored) ii. Contact information for the Information technology resources responsible to maintain security on computers where ephi is stored iii. Methods to restrict access and protect data backups iv. Date or time interval after which ephi will be destroyed v. Evidence of HIPAA security and privacy training for staff that will have access to identifiable ephi/hospital information systems vi. Start and End dates for individual access to hospital IT systems g. Except for GWUH credentialed physicians, please provide position descriptions pertaining to research, of MFA employees that will be working ONSITE at the hospital. Proof of credentials need to be provided in case of clinical care. i. In case research staff includes staff that are 3 rd party employees not affiliated with the MFA, please contact the Privacy/Security officer of GWUH for further guidance. h. Information System Access Request Form if needed i. All documents and forms NEED to have appropriate physical or electronic signatures prior to submission for review. Processing Time Frames: a. Submission for Review: i. At the current time, processing time frame for hospital decision is at most 10 15 business days. 1. During review if the application is missing required information, the application will be sent back to the PI/IRB for update. b. There may be communications sent out to the PI for additional information. In this case, response is requested with 5 business days in order to avoid delays in processing of the application c. For applications that are sent for pre-review (i.e. parallel submission for initial feedback with the IRB), time line for review is the same as stated above. Submission of Documentation All application and supporting documents need to be sent to the following address: Sumit Sehgal Director, Information Security Information Technology The George Washington University Hospital 900 23 rd Street N.W. Washington, D.C 20037 3

Review Process Once the application is received the following detailed reviews are performed during the 10-15 business days time frame. 1. Completeness of Information 2. Subject Selection / Screening Criteria and process impact on operations/patient satisfaction 3. Data required from Hospital Information Systems 4. Staff requiring access to Hospital Information Systems 5. Appropriateness of access 6. Security and privacy of identifiable ephi if applicable 7. Data backup process 8. Data scrubbing and removal process 9. Hospital HR approval 10. Privacy officer review and approval Upon completion of the required steps, the PI will be notified by email of approval following which they need to contact Hospital HR for scheduling the following tests for any MFA employees (credentialed physicians are exempt from this requirement) that will be onsite for research: 1. Criminal Background check and Physical (required by DC Law) 2. Drug Screen (Required by UHS policy) The requirements above have been developed in collaboration with both the Hospital and MFA HR departments. Parallel to this process, the PI will be provided a GWUH IT ticket # assigned to issue access to Hospital IT systems. Hospital IT will need proof of completion from HR before login information will be issued to research staff. Audits The Hospital Information Security and privacy staff have the authority to ask for (written request) proof of security measures specified in the proposal to prove effectiveness of controls. In the event of completion/expiration of a study, the PI may be asked to produce evidence of destruction of data as stated in the proposal. Every occurrence of a reported or identified (in an audit) security or privacy incident will be investigated. The access of parties during that time shall be disabled during the assessment of facts and analysis. 4

Contact Information For questions or concerns please contact: Sumit Sehgal Director, Information Security Security/Privacy Officer 202-715-4511 Sumit.Sehgal@gwu-hospital.com Supporting Documentation: 1. Information System Access Request Form 2. Consent to Drug Screen and background Check Form 3. Information Security Agreement 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information