HIPAA-G04 Limited Data Set and Data Use Agreement Guidance



Similar documents
HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES

HIPAA COMPLIANCE. What is HIPAA?

What is Covered by HIPAA at VCU?

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

4. No accounting of disclosures is required with respect to disclosures of PHI within a Limited Data Set.

HIPAA-Compliant Research Access to PHI

Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

Winthrop-University Hospital

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

HIPAA COMPLIANCE INFORMATION. HIPAA Policy

HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

University of Mississippi Medical Center Office of Integrity and Compliance

HIPAA Medical Billing Requirements For Research

Statement of Policy. Reason for Policy

HIPAA-P01 Uses and Disclosures of Protected Health Information Policy

Limited Data Set Background Information

Health Insurance Portability & Accountability Act (HIPAA) Compliance Application

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT

UPMC POLICY AND PROCEDURE MANUAL

Administrative Services

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

HIPAA OVERVIEW ETSU 1

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

This form may not be modified without prior approval from the Department of Justice.

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030

UCSF and Data Contributor are hereinafter also referred to individually as Party and collectively as Parties.

How to De-identify Data. Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008

COMPLIANCE ALERT 10-12

HIPAA 101: Privacy and Security Basics

Virginia Commonwealth University Information Security Standard

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

[Insert Name and Address of Data Recipient] Data Use Agreement. Dear :

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

TriageLogic Information Security Policy

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1

Information Privacy and Security Program Title:

State of Nevada Public Employees Benefits Program. Master Plan Document for the HIPAA Privacy and Security Requirements for PEBP Health Benefits

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?

Model Business Associate Agreement

Extracting value from HIPAA Data James Yaple Jackson-Hannah LLC

University of Cincinnati Limited HIPAA Glossary

Health Insurance Portability and Accountability Policy 1.8.4

Presented by Jack Kolk President ACR 2 Solutions, Inc.

FirstCarolinaCare Insurance Company Business Associate Agreement

HIPAA BUSINESS ASSOCIATE AGREEMENT

SCHOOL OF PUBLIC HEALTH. HIPAA Privacy Training

what your business needs to do about the new HIPAA rules

January Employers must be prepared for their obligations under the HIPAA Privacy Rules

SAMPLE BUSINESS ASSOCIATE AGREEMENT

HIPAA 101. March 18, 2015 Webinar

Breach Notification Decision Process 1/1/2014

IRB Application for Medical Records Review Request

Business Associate and Data Use Agreement

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

Burn Model Systems National Data and Statistical Center STANDARD OPERATING PROCEDURE 601. Data Use Agreement

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

HIPAA Compliance for Students

DEPARTMENT: POLICY DESCRIPTION: HealthTrust Ethics and Compliance. PHI: Managing Protected Health Information

Memorandum. Factual Background

BUSINESS ASSOCIATE AGREEMENT

HITECH ACT UPDATE HIPAA BREACH NOTIFICATION RULE WEB CAST. David G. Schoolcraft Ogden Murphy Wallace, PLLC

STANDARD ADMINISTRATIVE PROCEDURE

University Healthcare Physicians Compliance and Privacy Policy

HIPAA ephi Security Guidance for Researchers

SaaS. Business Associate Agreement

HIPAA BREACH RESPONSE POLICY

Legal Insight. Big Data Analytics Under HIPAA. Kevin Coy and Neil W. Hoffman, Ph.D. Applicability of HIPAA

BUSINESS ASSOCIATE AGREEMENT

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

BUSINESS ASSOCIATE ADDENDUM

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA Privacy Breach Notification Regulations

BUSINESS ASSOCIATE AGREEMENT

IAPP Practical Privacy Series. Data Breach Hypothetical

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

October 22, CFR PARTS 160 and 164

BUSINESS ASSOCIATE AGREEMENT Tribal Contract

NORTH CAROLINA COMMUNITY CARE INC. Privacy Policy Manual

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule

IRB Month Investigator Meeting April 2014

DATA USE AGREEMENT RECITALS

The ReHabilitation Center Buffalo Street. Olean. NY

Patient Privacy and HIPAA/HITECH

Computer Security Incident Response Plan. Date of Approval: 23- FEB- 2015

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10

Transcription:

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance GUIDANCE CONTENTS Scope Reason for the Guidance Guidance Statement Definitions ADDITIONAL DETAILS Additional Contacts Web Address Forms Related Information History Effective: July 1, 2014 Last Updated: January 28, 2014 Responsible University Office: HIPAA Privacy and Security Office Responsible University Administrator Vice President for University Clinical Affairs Contact: University HIPAA Privacy Officer University HIPAA Security Officer Scope This guidance applies to all personnel, regardless of affiliation, who create, access or store Protected Health Information ( PHI ) under the auspices of Indiana University, designated for purposes of complying with the final provisions of the security and privacy rules regulated by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Please refer to the HIPAA Affected Areas document for a full list of units impacted within Indiana University. This guidance supplements the Human Subjects Office Standard Operating Procedures and HIPAA- P06, Use and Disclosure of De-identified Data and Limited Data Sets. Reason for Guidance Indiana University is committed to protecting the privacy of health information as required under the HIPAA Privacy and Security Rules. HIPAA states PHI can only be used for research purposes pursuant to a HIPAA Authorization, a Privacy Board approved Waiver of Authorization or if an exception applies. One exception is the use of data in the form of a Limited Data Set (LDS) pursuant to a Data Use Agreement (DUA). A DUA or document with similar language is required even if the 1

subjects of the data are patients of the covered entity or providers in the covered entity who are the data recipient(s). A covered entity can use and disclose information in the form of a limited data set without the individual s authorization for purposes of research, public health or healthcare operations provided the data are released in conjunction with a Data Use Agreement. The Data Use Agreement ensures the proper protections are applied to the data as required under HIPAA. Guidance Statement If an entity will be using, sending or receiving data in the form of a limited data set a Data Use Agreement must be signed by each party, the owner of the data and the recipient, prior to sharing the data. I. Limited Data Set A. A limited set is information from which facial identifiers have been removed. Specifically, as it relates to the individual or his or her relative, employers or household members, all of the following identifiers must be removed in order for health information to be a limited data set : 1. Names. 2. Street addresses or RR numbers (other than town, city, state and zip code) 3. Telephone numbers 4. Fax numbers 5. E-mail addresses 6. Social Security numbers 7. Medical record numbers 8. Health plan beneficiary numbers 9. Account numbers 10. Certificate/license numbers 11. Vehicle identifiers and serial numbers, including license plate number 12. Device identifiers and serial numbers 13. Web Universal Resource Locators (URLs) 14. Internet Protocol (IP) address numbers 15. Biometric identifiers (including finger and voice prints). 16. Full-face photographic images. B. Health information that may remain in the information disclosed includes: 1. Dates such as date of birth, date of death, and admission, discharge, service dates; 2. City, state, five digit zip code; 3. Gender, ethnicity; 4. Ages in years, months, days or hours; and 5. Unique identifying numbers, characteristics or codes provided the unique identifiers cannot reasonable be used to identify an individual II. Completing a Data Use Agreement (DUA) When an individual, School/Department/Unit/Area within Indiana University will be using, sending or receiving data in the form of a limited data set as defined above, the parties involved must enter into a Data Use Agreement (DUA). 2

It is the responsibility of the individual or School/Department/Unit/Area using, sending or receiving data in the form of a limited data set to ensure the DUA is reviewed and accepted by all parties involved. Research Purposes Questions regarding a DUA for research purposes should be addressed to the staff in the Human Subjects Office. As deemed necessary they may refer you to the University HIPAA Privacy Officer. The DUA should be reviewed by the Human Subjects Office, the University HIPAA Privacy Officer, the individual or School/Department/Unit/Area using, sending or sharing the data as well as any external parties who may use, send or receive the data. Public Health or Health Care Operations Questions regarding a DUA for purposes other than research should be addressed to the University HIPAA Privacy Officer. The DUA should be reviewed by the University HIPAA Privacy Officer, the individual or School/Department/Unit/Area using, sending or sharing the data as well as any external parties who may use, send or receive the data. Template DUAs can be found on the Human Subjects website: http://researchadmin.iu.edu/humansubjects/hs_forms.html A. Data sent outside of Indiana University: IU is the covered entity sharing PHI in the form of a limited data set with an organization outside Indiana University. Data Use Agreement Template IU CE Dec 2013 Complete the sections highlighted in yellow: 1. Date and Parties involved in the agreement (page 1 top section) Enter: the day of the month, month and year into the agreement Enter: The Trustees of Indiana University on behalf of the unit or department and the PI s name or other Recipient (could include a specific individual such as the PI or a project lead) 2. Definition/description of the limited data set (page 1 Section I) Enter: a meaningful description of the data to be shared. (e.g. city, state, dates of service, diagnosis, age, sex, ethnicity, etc.) This information is used to ensure the data are in the form of a limited data set. 3. Study/Project Title and IRB Protocol number, if applicable (page 2 Section II-3.) Enter: IU s study information or Project information Enter Recipient s study/project information (e.g. IRB study number) This information will be used to ensure the proper permissions have been obtained, as required. 4. Persons or class of persons permitted to use or receive the data (page 2 Section III-1.) List the data recipients, individual names or class of individuals (e.g. study team members for study listed above) 5. Secure methods for sharing data (page 2 Section III-2.) Provide specific method data will be shared with other institution (e.g. slashtmp, encrypted email, encrypted file transfer) Note electronic sharing of data must be encrypted. 6. Contact from each entity (page 2 Section IV-1.) 3

In case there is a breach of other notification is required must list contact information Contact at IU including contact information such as email address Contact at data recipient including contact information 7. Termination Date (page 3 Section VI-3.) Specific Date or event agreement will terminate This agreement must have some timeframe for termination, but can be renewed if necessary (It is not like an authorization, so cannot be indefinite) 8. Signatures will be required from the University HIPAA Privacy Officer and the Recipient or the authorized representative of the Recipient. B. IU Data used within Indiana University: Group uses data in the form of a limited data set, data is from own patients, IU, IUHP or Practice Plan. Data Use Agreement Template IU Internal Dec 2013 Complete the sections highlighted in yellow: 1. Enter the PI s Name or other Recipient (if not for research), printed or typed, (page 1, top) 2. Check how the limited data set will be used (research, public health or health care operations) 3. Enter a meaningful description of the data to be shared. This information is used to ensure the data are in the form of a limited data set. (page 1) 4. Enter how data will be shared and stored securely (page 1, middle) 5. Enter begin and end date for study or an event (page 2, top) 6. Enter IRB assigned number and Study Title if being used for research purposes or a meaningful description of the use if not for research purposes (page 2, top) 7. Signatures will be required from a representative of the Department such as the HIPAA Liaison/Privacy Officer, the Principal Investigator or other recipient as well as the University HIPAA Privacy Officer. C. IU is the data recipient receiving data in the form of a limited data set from an organization outside Indiana University. If not provided a DUA use Data Use Agreement Template IU Recipient Dec 2013 Complete the sections highlighted in yellow: 1. Date and Parties involved in the agreement (page 1 top section) Enter the day of the month, month and year entered into the agreement Enter the name of the Covered Entity sharing the information with IU, may also be on behalf of a specific person within that organization. The Trustees of Indiana University on behalf of the unit or department and the PI s name or other Recipient (the person or group who will be the actual recipient). 2. Definition/description of the limited data set (page 1 Section I) Enter a meaningful description of the data to be shared. This information is used to ensure the data are in the form of a limited data set. 3. Study Title and IRB Protocol number or Project information (if not for research) (page 2 Section II-3.) Enter IU s study information Enter Recipient s study information (acts as documentation recipient has proper approvals 4. Persons or class of persons permitted to use or receive the data (page 2 Section III-1.) List the IU data recipients, individual names or class of individuals (e.g. study team members for IU study listed above) 4

5. Secure methods for sharing data (page 2 Section III-2.) Provide specific method data will be share with other institution (e.g. slashtmp, encrypted email, encrypted file transfer) Note electronic sharing of data must be encrypted. 6. Contact from each entity (page 2 Section IV-1.) In case there is a breach of other notification is required must list contact information Contact at covered entity including contact information such as email address Contact at IU (recipient) including contact information 7. Termination Date (page 3 Section VI-3.) Specific Date or event agreement will terminate This agreement must have some timeframe for termination, but can be renewed if necessary (It is not like an authorization, so cannot be indefinite) 8. Signatures will be required from the authorized representative of the Covered Entity providing the data, the IU Recipient of the data (PI) as well as the University HIPAA Privacy Officer. D. IU is the data recipient receiving data the form of a limited data set from an organization outside Indiana University. If a DUA is provided: Complete the document to the best of your ability. The Human Subjects Office with assistance from the University HIPAA Privacy Officer will review and provide a redlined version to be submitted to the Covered Entity by the group requesting the data. 1. Recipient information IU will be the recipient if the research or use of the limited data set is under the auspice of Indiana University: The recipient on the DUA will be listed as: The Trustees of Indiana University on behalf of [Department/Unit & PI or other Recipient Name] 2. Signatures are typically required from the authorized representative of the Covered Entity (the authorized representative of Indiana University is the University HIPAA Privacy Officer) as well as the PI or representative of the Data Recipient group. III. Obtaining Signatures Only an authorized representative can sign on behalf of Indiana University. Currently the University HIPAA Privacy Officer is the authorized representative who signs Data Use Agreements on behalf of Indiana University. Principal Investigators or other representatives of a School/Department/Unit/Area do not have signature authority. It is the responsibility of the individual or School/Department/Unit/Area using, sending or receiving data in the form of a limited data set to ensure all appropriate signatures are obtained. Once signatures are obtained, a scanned copy should be sent to the University HIPAA Privacy Officer. The original should be retained by the individual or School/Department/Unit/Area. Once the agreement has been reviewed and accepted by all parties: A. IU is the covered entity sharing PHI in the form of a limited data set 1. Obtain the signature of the official representative from the recipient; 2. Obtain the signature of the University HIPAA Privacy Officer B. IU Data in the form of a limited data set used within Indiana University 1. Obtain the signature of a representative of the School/Department/Unit/Area who holds the data (e.g. Privacy Officer, HIPAA Liaison, administrator); 2. Obtain the signature of the PI or representative of the group using the data; 3. Obtain the signature of the University HIPAA Privacy Officer C. IU is the Recipient of the limited data set 5

1. Obtain the signature of the PI or representative of the group receiving the data; 2. Obtain the signature of the University HIPAA Privacy Officer; 3. Obtain the signature of the authorized representative from the Covered Entity providing the limited data set IV. Reporting an Incident In the event any data in the form of a limited data set may be at risk for improper use or disclosure, the individual or School/Department/Unit/Area should immediately notify the University HIPAA Privacy and/or Security Officers. If this Data Use Agreement is for research purposes, you must also contact the Human Subjects Office. Notification should be made if: Data were sent in an unsecured manner (e.g. via unencrypted email, unencrypted thumb drive); Data were sent to the wrong person; Data stored on an unencrypted laptop; Device used for storing data is lost or stolen; Data in paper form unaccounted for or missing Definitions Breach The acquisition, access, use, or disclosure of unsecured protected health information in a manner not permitted under HIPAA which compromises the security or privacy of the protected health information. IU HIPAA Affected Areas (IU HAAs) Any covered entity or business associate function within IU that is subject to HIPAA, as documented in the HIPAA-P07A - IU HIPAA Hybrid Entity Designation Statement. Unsecured Protected Health Information Protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Pub. L. 111-5. Forms Attachment 1 Data Use Agreement Template IU CE Dec 2013 Attachment 2 Data Use Agreement Template IU Internal June 2014 Attachment 3 Data Use Agreement Template IU Recipient Dec 2013 Web Address for this Guidance http://www.xxxxxxxxxxxxxxxxxxxxxxx 6

Related Information HIPAA Privacy and Security Rules 45 CFR 160 and 164 HITECH Act - Amended 45 CFR 160 and 164 Related IU Policies HIPAA-G01 HIPAA Sanctions Guidance HIPAA-P01 Uses & Disclosures of Protected Health Information Policy HIPAA-P02 Minimum Necessary Policy PA/SS 6.4 Corrective Action Policy (non-union) University HIPAA Privacy and Security Compliance Plan IRB SOPs IU Standard Operating Procedures for Research Involving Human Subjects Section 3.3.1.2 Limited Data Set History 11/12/2013 Draft to HIPAA Privacy and Security Compliance Council 07/01/2014 Final 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information