EXAMPLE 2-JOINT PRIVACY AND SECURITY CHECKLIST

Similar documents
EXAMPLE 3-JOINT PRIVACY AND SECURITY CHECKLIST

HIPAA and HIPAA Compliance with PHI/PII in Research

POLICY. Create a governance process to manage requests to extract de- identified data from the Information Exchange (IE).

Introduction/Instructions

HIPAA and Research Contracts JILL RAINES, ASSISTANT GENERAL COUNSEL AND UNIVERSITY PRIVACY OFFICIAL

University of Mississippi Medical Center Data Use Agreement Protected Health Information

Security Overview. Joseph Balberde North Country Community Mental Health Information Technology Director

HIPAA Federal Security Rule H I P A A

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Health Link Frequently Asked Questions

Universal Patient Key

HIPAA 101: What All Doctors NEED To Know

AUTHORIZATION TO RELEASE HEALTH INFORMATION

University of Wisconsin-Madison Policy and Procedure

Completing & Submitted the IRB Approval of Human Subjects Form

Attachment B Newtopia Wellness Program and Genetic Testing. The Health Risk Assessment also invites individuals to undergo genetic testing.

IRBManager Quick Start Guide INITIAL APPLICATION - OVERVIEW

HIPAA and Social Media and other PHI Safeguards. Presented by the UAMS HIPAA Office August 2016 William Dobbins

ENCRYPTED . Copyright UT Health 1

Privacy Preserving Data Mining: An approach to safely share and use sensible medical data

Institutional Review Board. Application for Research Using Humans

HMIS (HOMELESS MANAGEMENT INFORMATION SYSTEM) SECURITY AWARENESS TRAINING. Created By:

(Provide name and role/title as identified in the study protocol, (a backup data custodian is recommended but not required))

OnCore Enterprise Research. Subject Administration Full Study

Overview of Datavant's De-Identification and Linking Technology for Structured Data

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

Compliance & HIPAA Annual Education

Best Practices. Contents. Meridian Technologies 5210 Belfort Rd, Suite 400 Jacksonville, FL Meridiantechnologies.net

If this is your first time submitting a protocol for review, see FAQs for information to consider beforehand.

Domestic Violence Client Intake Form

Frequently Asked Questions

Vision Services Application Overview

Beam Technologies Inc. Privacy Policy

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

Admission Application: Intensive Residential Rehabilitation / Community Residence / Supportive Living COVER PAGE

NOTICE OF PRIVACY PRACTICES

Provider Portal User Guide. For the Provider Portal External Use

Office of Human Research

TIES Usage Policies. for University of Pittsburgh. Authors. University of Pittsburgh

University of North Florida

RelayHealth Legal Notices

(10/17) PATIENT GUIDE

Admission, Discharge, Update Client Data and Associated Forms

ProviderConnect Registered Services Autism Service Provider User Manual ASD Behavioral Assessment, Treatment Plan and Program Book Development

Cite: CTSA NIH Grant UL1- RR024982

IRBManager Quick Start Guide AMENDMENT SUBMISSION - CHANGE IN PERSONNEL

Data Governance & Classification Policy A Data Classification and Data Types

USER GUIDE. TABLE OF CONTENTS What is My Westmed? Registering for My Westmed

Companion Guide Benefit Enrollment and Maintenance 834

CYBER Overview. Updated 10/3/17 #00895

Patient Portal Enrollment Guide

ecare Vault, Inc. Privacy Policy

SFDPH Annual Privacy and Data Security Training Module

Physician Office Name Ambulatory EHR Security Risk Analysis

Family Medicine Residents HIPAA Highlights May 2016 Heather Schmiegelow, JD

CYBER Overview Training for New Providers in the New Jersey Children s System of Care

Reviewers Guide on Clinical Trials

Social Security Number Protection Policy.

Detention/Hold Have the parents been notified? Yes - No By Whom Time: Officer/s Involved: Reason(s) for placement/offense: Person transporting:

Student Confirmation Packet

Security and Privacy Breach Notification

Privacy and Security for the Medical Student. HIPAA Compliance Audit and Compliance Services Mount Sinai Health System

Privacy Shield Policy

When your registration has been completed, you will receive an invitation to create your account.

GUADALUPE ENT, P.A. JENNIFER G. HENNESSEE, M.D. MAANSI DOSHI, D.O. LISA M. WRIGHT, PA

General Social Survey (GSS) NORC

University Hospitals UH Personal Health Record User Guide

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

Informational Guide for the NewSTEPs Data Repository

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Helpful Hints: Request an Initial Authorization

Spectrum Wellness Privacy Statement

Mobile security: Tips and tricks for securing your iphone, Android and other mobile devices

Therapy Provider Portal. User Guide

ANY INTERNET azcu2.atsusers.com The system works best with Internet Explorer or Firefox. azcu2.atsusers.com DO NOT azcu2.atsusers.

Patient Registration

Subject Area Data Element Examples Earliest Date Patient Demographics Race, primary language, mortality 2000 Encounters

Privacy by Design: Product Development Guidelines for Engineers & Product Managers. Purpose:

Provider Secure Portal User Manual

Information Classification & Protection Policy

Banner Health Information Security and Privacy Training Team. Morgan Raimo Paul Lockwood

GROUP ASSURANCE EDUCATION GUARDIAN BENEFITS CLAIM FORM

Mobile Application Privacy Policy

HIPAA & RESEARCH DATA SECURITY FOR BU RESEARCHERS CHARLES RIVER CAMPUS. November 14, 2017

Covisint DocSite Enterprise

PRIVACY STATEMENT. Effective Date 11/01/17.

DHCS PPSDS. End User Guide. Applies to: California DHCS. WITS Version 18.0+

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Introduction to. Sponsored by the Pediatric Research Office (PRO)

ICD-10 Compliance Project November 2013 update

EHR Connectivity Integration Specification

Maryland Health Care Commission

Applying E-Consent to Studies. Presenters: Haemar Kin, MHA, Melissa Scotti, PhD, Lara Lechtenberg, MPH

Use MyThedaCare to Schedule Your Appointment. Easy, Convenient 24/7 access!

Edition. MONTEREY COUNTY BEHAVIORAL HEALTH MD User Guide

Fannin County High School 360 Rebel Circle, Blue Ridge, Georgia Phone (706) Fax (706)

HARMONY HAUS SOBER LIVING MEMBER APPLICATION HARMONY HAUS, LLC.

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

icare s Provider Portal Guide

If you have any questions or concerns about this Privacy Policy, please Contact Us.

Transcription:

Purpose: The purpose of this Checklist is to evaluate your proposal to use or disclose Protected Health Information ( PHI ) for the purpose indicated below and allow the University Privacy Office and Office of Cybersecurity to jointly review and provide guidance on the information privacy and security controls associated with your proposal. This Checklist is meant to be used in a variety of projects including IRB research, educational activities, any project involving vendors who will receive Institutional PHI or any project where you will be receiving PHI from another entity for a reason other than treatment. Instructions: Please complete this form with as much detail as you are able and return it via email to the email address listed at the end of this form. After we receive the completed Checklist, we will evaluate your responses and respond to you with next steps (if any). Should you have any questions about completing this form, please email them to the University X Privacy Officer at privacyofficer@universityx.edu or by phone at 555-555-5555. PI or Project Leader Name & Title: Dr. Patricia Patterson, Developmental Behavioral Pediatrician PI or Project Leader Contact Information: Phone Number: 608-555-7117 Email: ppatterson@universityx.edu School/Department: Pediatrics Your contact information (name/phone/email) if you are not the PI or project leader: Rex Alman, Administrator; 608-555-3434 Purpose of this Request: Check all that apply Student education Quality improvement/quality assessment University administration and/or operations (including HR) Medical/clinical care IRB approved research (Protocol no. 56789) Fundraising or marketing Other (describe: Click here to enter text.) If you have IT support in your department or as part of this project, please list their name and contact information here: Sid Foley; sid.foley@universityx.edu 1. Briefly describe your project and the timeline in which you hope to begin your project: Development of autistic children through various behavioral therapies. Studying social behaviors of children diagnosed with Autism Spectrum Disorder (ASD) using wearable technology (Google Glass) by measuring instances of eye contact with the researcher and/or parent to examine participant social behaviors. Study will examine variety of conditions, including differences between interaction with minor subject and his/her parent (bonded relationship) and minor subject and researcher (non-bonded relationship) to examine any behavioral patterns over time. 2. Will any data be disclosed to, or received from, a 3 rd party? ( A third party is any person outside the PI s research team, or outside of the Project leader s internal 1

team. 3 rd parties including people from elsewhere at University X, or from another institution altogether)? If yes, please describe: Yes, we will receive data: Please describe from where/whom and how the data will be transferred? University X will receive data directly from study participants (raw video footage between child and researcher and/or child and parent). Yes, we will disclose data: Please describe to where/whom and how the data will be transferred? University X will transmit video files to collaborating institution (University G) for analysis. No, we will not be transmitting data to any 3 rd party, nor will we receive data from any 3 rd party. 3. Check all that are identifiers that will be created, accessed, analyzed, transmitted, stored, received or disclosed as part of this research or project: Check all that apply. Names Geographic subdivisions smaller than a state: Please list exactly what geographic identifiers will be received and/or disclosed (state, city, county, street address, zip code): Click here to enter text.) Dates: (except year) directly related to an individual, including DOB, health care service, admission, or discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, unless aggregated into a single category of ages over 89: Please list the types of dates (ex., date of service) and format of any dates (month/year) being received or disclosed: Dates of birth, dates of services Telephone numbers, fax numbers, and/or email addresses Social security numbers Medical record numbers Health insurance ID number(s), account numbers, and/or plan beneficiary numbers Certificate/driver s license numbers Vehicle identifiers and serial numbers, including license plate numbers Device identifiers and serial numbers Web Uniform Resource Locators (URLs) and/or Internet Protocol (IP) address numbers Biometric identifiers, including finger and voice prints Full face photographic images and any comparable images Any other unique identifying number, characteristic, or code Student data (demographics, grades, other Click here to enter text. ) Faculty or staff employment documents (personnel files, salary, benefits, etc.) University ID numbers, student or employee ID numbers Donor information (from University fundraising) Research data from other IRB approved studies 2

Medical Records: Describe (ex: diagnosis and treatment information, lab results, physician notes, diagnostic images, prescription information, sensitive medical conditions (STDs, HIV, mental health records, alcohol and drug treatment information), etc.) Click here to enter text. Other (describe) Raw video footage of minor children diagnosed with Autism 4. For all data elements listed above, list the location(s) where the data will be 1) collected/created, 2) stored, 3) accessed from and/or analyzed, and 4) how it will be shared or released? (Include details covering both physical locations and electronic systems. Include system IDs if possible. Make special note if a system is mobile, such as a laptop, external hard drive or thumb drive.) If you are able to submit a data life cycle or data flow diagram with this Checklist, it will greatly improve our ability to analyze your proposal. A data life cycle or data flow diagram will list specifically the security controls in place at each stage of the data during its collection, storage, use (by all internal parties), release (including security controls used in planned transmissions of the data) as well as storage and ultimately archival and destruction. Raw video between study participants and parent/researcher will be temporarily stored locally on one of three sets of Google Glasses. Raw footage will be uploaded from mobile device via USB cable to a department-issued encrypted desktop and uploaded to an encrypted portal hosted by collaborating institution University G and stored on an encrypted server with University G s data warehouse. Local copy of video on Google Glass will be deleted upon confirmation that upload was successful to encrypted portal. University G researchers will analyze the video using study-specific metrics. University G researchers will share analysis with University X researchers. University G will archive the data for the duration of the project and approximately three years thereafter to meet statutory, regulatory and institutional records retention requirements. 5. Describe the population of individuals whose data will be collected, accessed, stored, transmitted, processed, released (e.g. University Hospital patients, clinical research participants, students, etc.) and provide an estimate of the number of persons and number of unique records per person for each category (e.g. All Medicare recipients living in the state of Wisconsin so roughly 1.5 million who have three types of records collected as part of this project each year over three years resulting in the collection of roughly 4.5 million different records, each year). Types of individuals whose data will be involved in this project: Males and females > 8 and <16 with Autism Spectrum Disorder (ASD). Total number of individuals who whose data will be involved with this project (please estimate if this is a multiyear project please provide an estimate over multi-year intervals): 3

Approximately 30 subjects (from University X). Longitudinal study to span approximately 3 years. 6. Will a vendor or third party perform any service as part of this research project on your behalf or at your request? If so, please list the name, address and contact information for the vendor or individual and describe the service they will perform and how data will be transmitted to this vendor. (Examples: using a survey system not owned and operated by the researcher team; using computer systems for storage, backup, or statistical analysis, providing data to another party for geo coding, etc ) University G (collaborating institution) will store raw video obtained from Google Glass sessions on device. 7. Will any data need to be shared with collaborators (internal or external to University X)? YES NO a. If YES, list the collaborators and their institution: University G, Dr. Jillian Goke, Department of Pediatrics b. Indicate how the data will be shared with collaborators? University G will provide encrypted portal and local servers to store raw video footage and perform analysis using systematic methodology developed between the collaborating institutions. 8. Is there an agreement (executed or in draft form) for the data sharing with the collaborator(s)? YES - If yes, please attach a copy NO 9. Have all University X employees involved with this project, including all IT staff supporting your systems, completed this current year s annual HIPAA training? YES NO Unknown Please return this form and any attachments as follows: University X Privacy Officer at privacyofficer@universityx.edu 4

5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback