HIPAA and Clinical Research



Similar documents
What is Covered by HIPAA at VCU?

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

What is Covered under the Privacy Rule? Protected Health Information (PHI)

IRB Month Investigator Meeting April 2014

HIPAA COMPLIANCE. What is HIPAA?

HIPAA OVERVIEW ETSU 1

Presented by Jack Kolk President ACR 2 Solutions, Inc.

Welcome to the University of Utah Health Sciences HIPAA Privacy and Security Training Program

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance

Data Security Considerations for Research

Patient Privacy and HIPAA/HITECH

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets

HIPAA COMPLIANCE INFORMATION. HIPAA Policy

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist.

HIPAA-Compliant Research Access to PHI

2014 Core Training 1

HIPAA ephi Security Guidance for Researchers

Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health. Pam Jager, GRMEP Director of Education & Development

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant

How to De-identify Data. Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008

Health Insurance Portability and Accountability Act (HIPAA) Compliance Training

IRB Policy for Security and Integrity of Human Research Data

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

HIPAA Compliance for Students

New HIPAA regulations require action. Are you in compliance?

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

HIPAA and Mental Health Privacy:

Health Insurance Portability & Accountability Act (HIPAA) Compliance Application

BUSINESS ASSOCIATE AGREEMENT

OCR/HHS HIPAA/HITECH Audit Preparation

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?

4. No accounting of disclosures is required with respect to disclosures of PHI within a Limited Data Set.

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Statement of Policy. Reason for Policy

HIPAA 101: Privacy and Security Basics

BUSINESS ASSOCIATE AGREEMENT. Recitals

HIPAA Privacy and Information Security Management Briefing

HIPAA Basics for Clinical Research

De-Identification of Health Data under HIPAA: Regulations and Recent Guidance" " "

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA Compliance Guide

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

Winthrop-University Hospital

COMPLIANCE ALERT 10-12

Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

Application for an Off-Site Tissue Banking Waiver at a Non-Profit or Academic Institution

BUSINESS ASSOCIATE AGREEMENT

IRB, HIPAA, and Clinical Research

HIPAA Security Rule Compliance

The Institute of Professional Practice, Inc. Business Associate Agreement

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

Memorandum. Factual Background

University Healthcare Physicians Compliance and Privacy Policy

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

Standard Operating Procedures for Research Involving Human Subjects

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

BUSINESS ASSOCIATE ADDENDUM

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Lessons Learned from HIPAA Audits

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule

The Impact of HIPAA and HITECH

Transcription:

To Heal. To Teach. To Discover. HIPAA and Clinical Research 2011 Training Jennifer Edlind, UH Privacy Officer Ryan Terry, UH Information Security Officer 1

Agenda Research credentialing overview HIPAA Privacy and Security Rules HITECH Act Case studies Next steps Questions

UH Research Credentialing Goal: Provide access to patient records for research UH-based title Research Faculty Ph.D. researchers at CWRU Research Associate all others UH log-in and email account Free access to UH-sponsored research training programs

Credentialing Process Checklist Employment or affiliation with a participating institution (CWRU SOM, VA, Metro, or Ursuline) Participation in valid research project Sponsorship of Department Chair Complete the HIPS modules on the CITI website Completed application & business associate agreement ( BAA ) Criminal background check HIPAA compliance training

HIPAA Privacy Rule & Research Key points about HIPAA and research: Applies in addition to Common Rule and FDA regulations Requires approved purpose for use or disclosure of protected health information (PHI) Permits research with IRB/RPB approval Generally requires patient authorization, unless exception or waiver Use or disclosure of data limited to terms of protocol and authorization Does not apply if data is de-identified

HIPAA Privacy Rule & Research Key points about research authorizations: Patients must sign authorization before PHI is used or disclosed Exceptions: Waiver or alteration of authorization Activities prepatory to research Research on decedents information Limited data sets De-identified data sets Minimum necessary standard applies unless authorization is obtained

Key Points About Data Identifiers The HIPAA 18 Names Geographic information smaller than a state (except first 3 of ZIP) All elements of dates (except year) relating to individual Telephone numbers Fax numbers E-mail addresses Social Security numbers Medical record numbers Health plan beneficiary numbers Account numbers Certificate/License numbers Vehicle identifiers, vehicle license numbers, serial numbers Device identifiers, serial numbers Web Universal Resource Locators (URL s) Internal Protocol Numbers (IP s) Biometric identifiers Full face or comparable images Any other unique identifying numbers, characteristics or code (may assign unique code if key kept separate)

De-Identified vs. Limited Data Sets De-identified data: all 18 identifiers removed Safe harbor method HHS creating new guidance on de-identification standard Limited data sets: remove all identifiers except City, State, ZIP code All elements of dates (DOB, admission/discharge date) Any other unique identifying number, characteristic or code Limited data sets may be disclosed for research purposes with data use agreement

Practical Applications Research databases Current HHS interpretation: creating research database/repository and future unknown use of data are separate research activities Challenge for clinical trials that also include creation of biospecimen storage Awaiting new regulations from HHS Data mining for potential research projects Requires prior patient authorization or IRB/RPB approval or waiver

Practical Applications Pre-screening process Submit form with protocol submission detailing what data is needed Follow protocol enrollment instructions Until subjects enrolled, no use or disclosure of data outside IRB-approved study team Contracting with third parties to provide data hosting or analysis May not provide identifiable data without prior written approval from UH and business associate agreement or data use agreement

HITECH Act (2009) Significant amendments to HIPAA New breach notification rule Report breaches of unsecured PHI to patients within 60 days Report to HHS and (potentially) the media Revised enforcement rule Penalty amounts significantly increased Individual criminal liability permitted State Attorneys General may enforce Mandatory HHS audits

HITECH Penalties for Entities/Individuals

HIPAA Security Rule & Research Key goals of information security are to Assure the confidentiality, availability and integrity of sensitive data, including PHI Assure the environments are free from virus or malicious activity Privacy and information security go hand in hand Today s focus is on electronic storage and access of PHI for research

Information Security & Research UH and CWRU are committed to providing secure access to PHI for research Joint project underway to create network architecture to protect patient/research data Key components: Encryption for mobile devices Secure access to UH network Secure transfer of PHI for research

Your Role in Information Security Need to inventory existing research data repositories at CWRU Databases, spreadsheets, etc. Network/personal servers Personal devices/back-up copies Information will be used by UH/CWRU to design new structure and safeguards Report to HelpDesk@uhhospitals.org Include location and approximate number of records

Case Studies: UNC (July 2009) Breach caused by hacker accessing Carolina Mammography Registry database Contained 163,000+ participants personal information, including Social Security numbers Investigation revealed viruses dating back to 2007 Consequences for the principal investigator were pay cut and demotion UNC found PI negligent for failing to properly secure data and obtaining PHI from UNC Hospitals without appropriate permissions

Case Study: UCLA (April 2010) Former researcher received 4-month prison sentence Researcher accessed medical records of colleagues and celebrities Pleaded guilty to 4 criminal misdemeanor counts of violating HIPAA No evidence of improper use or attempt to sell the information First example of jail time for HIPAA violations

Case Study: Univ. of Florida (May 2010) Breach notification case involving 2,047 patients in IRB-approved study Pediatric participants Social Security number and Medicaid numbers included on mailing labels for study mailing sent by vendor Participant information also provided to telephone survey vendor inappropriately Notifications to individuals required by federal and state law

What to do? Encrypt mobile devices (handhelds, UH laptops) Complete the data use/storage sections of the UH IRB Secure network access for non-uh assets: http://myapps.uhhospitals.org Identify data sources to HelpDesk@uhhospitals.org Obtain UH network id (part of credentialing) Use UH e-mail only for PHI - @uhhospitals.org Contact UH Help Desk for lost/stolen devices or security incidents: (216) 844-3327 or helpdesk@uhhospitals.org General questions or need help email InformationSecurity@uhhospitals.org

Questions? Jennifer Edlind Ryan Terry (216) 767-8226 (216) 767-8512 Jennifer.Edlind@uhhospitals.org Ryan.Terry@uhhospitals.org

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information