Purpose: The purpose of this Checklist is to evaluate your proposal to use or disclose Protected Health Information ( PHI ) for the purpose indicated below and allow the University Privacy Office and Office of Cybersecurity to jointly review and provide guidance on the information privacy and security controls associated with your proposal. This Checklist is meant to be used in a variety of projects including IRB research, educational activities, any project involving vendors who will receive Institutional PHI or any project where you will be receiving PHI from another entity for a reason other than treatment. Instructions: Please complete this form with as much detail as you are able and return it via email to the email address listed at the end of this form. After we receive the completed Checklist, we will evaluate your responses and respond to you with next steps (if any). Should you have any questions about completing this form, please email them to the University X Privacy Officer at privacyofficer@universityx.edu or by phone at 555-555-5555. PI or Project Leader Name & Title: Dr. Sandy Shu, Geriatrics and Gerontology PI or Project Leader Contact Information: Phone Number: 608-555-1221 Email: sandy.shu@universityx.edu School/Department: Geriatrics and Gerontology Your contact information (name/phone/email) if you are not the PI or project leader: Ron Mott, Administrator; 608-555-6342 Purpose of this Request: Check all that apply Student education Quality improvement/quality assessment University administration and/or operations (including HR) Medical/clinical care IRB approved research (Protocol no. 12321) Fundraising or marketing Other (describe: Click here to enter text.) If you have IT support in your department or as part of this project, please list their name and contact information here: Jim Alcoa; jim.alcoa@universityx.edu 1. Briefly describe your project and the timeline in which you hope to begin your project: Multi-site, multi-year study involving collection of identifiable patient data from large cohort of Medicare-enrollees for purpose of creating large limited data set to permit population health analytics. University X will share identifiable patient data with third party (Re-Claimz) under BAA (to be negotiated). Re-Claimz will cross-link the identifiable data it receives from research sites with identifiable claims data it receives from CMS. Re- Claimz will then generate limited data set that it will share with coordinating site (University K) under DUA. Limited data set will be stored for duration of study in secure data warehouse (DW) located on premises at University K. All participating sites will enter into joint DUAs with University K so that all participating sites may have access to limited 1
data set. 2. Will any data be disclosed to, or received from, a 3 rd party? ( A third party is any person outside the PI s research team, or outside of the Project leader s internal team. 3 rd parties including people from elsewhere at University, or from another institution altogether)? If yes, please describe: Yes, we will receive data: Please describe from where/whom and how the data will be transferred? University X will receive data directly from study participants (stored in EMR/EHR), as well as have access to limited data set (stored in University K s secure DW). Yes, we will disclose data: Please describe to where/whom and how the data will be transferred? Fully-identifiable data to third-party (Re-Claimz) will be transferred use HTTPS to secure server (server meets FISMA high controls). University X will negotiate a BAA with Re- Claimz. No, we will not be transmitting data to any 3 rd party, nor will we receive data from any 3 rd party. 3. Check all that are identifiers that will be created, accessed, analyzed, transmitted, stored, received or disclosed as part of this research or project: Check all that apply. Names Geographic subdivisions smaller than a state: Please list exactly what geographic identifiers will be received and/or disclosed (state, city, county, street address, zip code): Click here to enter text.) Dates: (except year) directly related to an individual, including DOB, health care service, admission, or discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, unless aggregated into a single category of ages over 89: Please list the types of dates (ex., date of service) and format of any dates (month/year) being received or disclosed: Dates of birth, dates of services Telephone numbers, fax numbers, and/or email addresses Social security numbers Medical record numbers Health insurance ID number(s), account numbers, and/or plan beneficiary numbers Certificate/driver s license numbers Vehicle identifiers and serial numbers, including license plate numbers Device identifiers and serial numbers Web Uniform Resource Locators (URLs) and/or Internet Protocol (IP) address numbers Biometric identifiers, including finger and voice prints Full face photographic images and any comparable images Any other unique identifying number, characteristic, or code 2
Student data (demographics, grades, other Click here to enter text. ) Faculty or staff employment documents (personnel files, salary, benefits, etc.) University ID numbers, student or employee ID numbers Donor information (from University X fundraising) Research data from other IRB approved studies Medical Records: Describe (ex: diagnosis and treatment information, lab results, physician notes, diagnostic images, prescription information, sensitive medical conditions (STDs, HIV, mental health records, alcohol and drug treatment information), etc.) labs, diagnosis/procedure codes Other (describe) Click here to enter text. 4. For all data elements listed above, list the location(s) where the data will be 1) collected/created, 2) stored, 3) accessed from and/or analyzed, and 4) how it will be shared or released? (Include details covering both physical locations and electronic systems. Include system IDs if possible. Make special note if a system is mobile, such as a laptop, external hard drive or thumb drive.) If you are able to submit a data life cycle or data flow diagram with this Checklist, it will greatly improve our ability to analyze your proposal. A data life cycle or data flow diagram will list specifically the security controls in place at each stage of the data during its collection, storage, use (by all internal parties), release (including security controls used in planned transmissions of the data) as well as storage and ultimately archival and destruction. Third-party vendor (Re-Claimz) business associate will provide a secure, FISMA-high compliant environment to receive identifiable patient record information; will crosslink with CMS claims data, will generate limited data set and will transmit limited data set using HTTPS to University K and stored in secure data warehouse (DW). Coordinating Site (University K) store limited data set within secure data warehouse platform for duration of specific research project and future research purposes. University X and University K will enter into a DUA so that University X may access full limited data set. 5. Describe the population of individuals whose data will be collected, accessed, stored, transmitted, processed, released (e.g. University Hospital patients, clinical research participants, students, etc.) and provide an estimate of the number of persons and number of unique records per person for each category (e.g. All Medicare recipients living in the state of Wisconsin so roughly 1.5 million who have three types of records collected as part of this project each year over three years resulting in the collection of roughly 4.5 million different records, each year). Types of individuals whose data will be involved in this project: Males and females > 18 and < 85 enrolled in federally funded CMS programs. Total number of individuals who whose data will be involved with this project 3
(please estimate if this is a multiyear project please provide an estimate over multi-year intervals): Several hundred thousand over multi-year (five year) period. Years 1-3 will involve initial collection phase from participating sites, updated periodically on annual basis with additional subjects by end of Year 5. 6. Will a vendor or third party perform any service as part of this research project on your behalf or at your request? If so, please list the name, address and contact information for the vendor or individual and describe the service they will perform and how data will be transmitted to this vendor. (Examples: using a survey system not owned and operated by the researcher team; using computer systems for storage, backup, or statistical analysis, providing data to another party for geo coding, etc ) Re-Claimz, 313 Main Street, Silicon Valley, CA, Janice Hattinger; cross-linkage with claims data and creation of limited data set; providing limited data set to coordinating site (University K) for long term storage of limited data set repository. 7. Will any data need to be shared with collaborators (internal or external to University X)? YES NO a. If YES, list the collaborators and their institution: University K, Dr. Shawn Cole University W, Dr. Chris Jameson University I, Dr. Janet Draeger University Y, Dr. Tom Nelson b. Indicate how the data will be shared with collaborators? Limited data sets, stored at University K, accessible by co-collaborator teams; limited data will be transferred using end-to-end encryption 8. Is there an agreement (executed or in draft form) for the data sharing with the collaborator(s)? YES - If yes, please attach a copy (*Still negotiating) NO 9. Have all University X employees involved with this project, including all IT staff supporting your systems, completed this current year s annual HIPAA training? YES NO Unknown Please return this form and any attachments as follows: University X Privacy Officer at privacyofficer@universityx.edu 4
5