EXAMPLE 3-JOINT PRIVACY AND SECURITY CHECKLIST

Purpose: The purpose of this Checklist is to evaluate your proposal to use or disclose Protected Health Information ("PHI") for the purpose indicated below and to allow the University Privacy Office and Office of Cybersecurity to jointly review and provide guidance on the information privacy and security controls associated with your proposal. This Checklist is meant to be used in a variety of projects, including IRB research, educational activities, any project involving vendors who will receive Institutional PHI, or any project where you will be receiving PHI from another entity for a reason other than treatment.

Instructions: Please complete this form with as much detail as you are able and return it via email to the email address listed at the end of this form. After we receive the completed Checklist, we will evaluate your responses and respond to you with next steps (if any). Should you have any questions about completing this form, please email them to the University X Privacy Officer at privacyofficer@universityx.edu or call 555-555-5555.

PI or Project Leader Name & Title: Dr. Sandy Shu, Geriatrics and Gerontology
PI or Project Leader Contact Information: Phone Number: 608-555-1221; Email: sandy.shu@universityx.edu
School/Department: Geriatrics and Gerontology
Your contact information (name/phone/email) if you are not the PI or project leader: Ron Mott, Administrator; 608-555-6342

Purpose of this Request (check all that apply):
Student education
Quality improvement/quality assessment
University administration and/or operations (including HR)
Medical/clinical care
IRB approved research (Protocol no. 12321)
Fundraising or marketing
Other (describe):

If you have IT support in your department or as part of this project, please list their name and contact information here: Jim Alcoa; jim.alcoa@universityx.edu

1. Briefly describe your project and the timeline in which you hope to begin your project:
Multi-site, multi-year study involving collection of identifiable patient data from a large cohort of Medicare enrollees for the purpose of creating a large limited data set to permit population health analytics. University X will share identifiable patient data with a third party (Re-Claimz) under a BAA (to be negotiated). Re-Claimz will cross-link the identifiable data it receives from research sites with identifiable claims data it receives from CMS. Re-Claimz will then generate a limited data set that it will share with the coordinating site (University K) under a DUA. The limited data set will be stored for the duration of the study in a secure data warehouse (DW) located on premises at University K. All participating sites will enter into joint DUAs with University K so that all participating sites may have access to the limited data set.

2. Will any data be disclosed to, or received from, a 3rd party? (A third party is any person outside the PI's research team, or outside of the Project Leader's internal team; 3rd parties include people from elsewhere at the University, or from another institution altogether.) If yes, please describe:
Yes, we will receive data. Please describe from where/whom and how the data will be transferred: University X will receive data directly from study participants (stored in the EMR/EHR), as well as have access to the limited data set (stored in University K's secure DW).
Yes, we will disclose data. Please describe to where/whom and how the data will be transferred: Fully identifiable data will be transferred to the third party (Re-Claimz) using HTTPS to a secure server (the server meets FISMA High controls). University X will negotiate a BAA with Re-Claimz.
No, we will not be transmitting data to any 3rd party, nor will we receive data from any 3rd party.

3. Check all identifiers that will be created, accessed, analyzed, transmitted, stored, received or disclosed as part of this research or project (check all that apply):
Names
Geographic subdivisions smaller than a state (please list exactly what geographic identifiers will be received and/or disclosed: state, city, county, street address, zip code):
Dates (except year) directly related to an individual, including DOB, health care service, admission, or discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, unless aggregated into a single category of ages over 89. Please list the types of dates (e.g., date of service) and the format of any dates (month/year) being received or disclosed: Dates of birth, dates of service
Telephone numbers, fax numbers, and/or email addresses
Social security numbers
Medical record numbers
Health insurance ID number(s), account numbers, and/or plan beneficiary numbers
Certificate/driver's license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web Uniform Resource Locators (URLs) and/or Internet Protocol (IP) address numbers
Biometric identifiers, including finger and voice prints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic, or code
Student data (demographics, grades, other)
Faculty or staff employment documents (personnel files, salary, benefits, etc.)
University ID numbers, student or employee ID numbers
Donor information (from University X fundraising)
Research data from other IRB approved studies
Medical records (describe, e.g., diagnosis and treatment information, lab results, physician notes, diagnostic images, prescription information, sensitive medical conditions (STDs, HIV, mental health records, alcohol and drug treatment information), etc.): labs, diagnosis/procedure codes
Other (describe):

4. For all data elements listed above, list the location(s) where the data will be 1) collected/created, 2) stored, 3) accessed from and/or analyzed, and 4) how it will be shared or released. (Include details covering both physical locations and electronic systems. Include system IDs if possible. Make special note if a system is mobile, such as a laptop, external hard drive or thumb drive.) If you are able to submit a data life cycle or data flow diagram with this Checklist, it will greatly improve our ability to analyze your proposal. A data life cycle or data flow diagram lists specifically the security controls in place at each stage of the data during its collection, storage, use (by all internal parties), release (including security controls used in planned transmissions of the data), as well as storage and ultimately archival and destruction.
The third-party vendor (Re-Claimz), as business associate, will provide a secure, FISMA High compliant environment to receive identifiable patient record information; it will cross-link that data with CMS claims data, generate the limited data set, and transmit the limited data set using HTTPS to University K, where it will be stored in a secure data warehouse (DW). The coordinating site (University K) will store the limited data set within its secure data warehouse platform for the duration of the specific research project and for future research purposes. University X and University K will enter into a DUA so that University X may access the full limited data set.

5. Describe the population of individuals whose data will be collected, accessed, stored, transmitted, processed, released (e.g. University Hospital patients, clinical research participants, students, etc.) and provide an estimate of the number of persons and number of unique records per person for each category (e.g. all Medicare recipients living in the state of Wisconsin, so roughly 1.5 million, who have three types of records collected as part of this project each year over three years, resulting in the collection of roughly 4.5 million different records each year).
Types of individuals whose data will be involved in this project: Males and females > 18 and < 85 enrolled in federally funded CMS programs.
Total number of individuals whose data will be involved with this project (please estimate; if this is a multiyear project, please provide an estimate over multi-year intervals): Several hundred thousand over a multi-year (five year) period. Years 1-3 will involve the initial collection phase from participating sites, updated periodically on an annual basis with additional subjects by the end of Year 5.

6. Will a vendor or third party perform any service as part of this research project on your behalf or at your request? If so, please list the name, address and contact information for the vendor or individual and describe the service they will perform and how data will be transmitted to this vendor. (Examples: using a survey system not owned and operated by the research team; using computer systems for storage, backup, or statistical analysis; providing data to another party for geocoding, etc.)
Re-Claimz, 313 Main Street, Silicon Valley, CA; contact Janice Hattinger. Cross-linkage with claims data and creation of the limited data set; providing the limited data set to the coordinating site (University K) for long-term storage in the limited data set repository.

7. Will any data need to be shared with collaborators (internal or external to University X)? YES / NO
a. If YES, list the collaborators and their institution: University K, Dr. Shawn Cole; University W, Dr. Chris Jameson; University I, Dr. Janet Draeger; University Y, Dr. Tom Nelson
b. Indicate how the data will be shared with collaborators: Limited data sets, stored at University K, accessible by co-collaborator teams; limited data will be transferred using end-to-end encryption.

8. Is there an agreement (executed or in draft form) for the data sharing with the collaborator(s)? YES (if yes, please attach a copy; *still negotiating) / NO

9. Have all University X employees involved with this project, including all IT staff supporting your systems, completed this current year's annual HIPAA training? YES / NO / Unknown

Please return this form and any attachments as follows: University X Privacy Officer at privacyofficer@universityx.edu
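Questions 1, 3 and 4 hinge on the difference between the fully identifiable records Re-Claimz receives, the limited data set it produces for University K, and a Safe Harbor de-identified data set. The following is an added example (not part of the checklist, and not code from University X or Re-Claimz) that makes those three states concrete for one record: it reports which question-3 identifier categories a record carries, strips the sixteen direct identifiers that a limited data set under 45 CFR 164.514(e) must exclude while keeping dates, ages and city/state/zip, and then applies the question-3 date rule for Safe Harbor (years only, ages over 89 collapsed to a single category, and the birth year dropped when it would itself reveal an age over 89). The column names, the sample record and the assumption that age is measured on the date of service are all constructed for the example.

```python
from __future__ import annotations

from datetime import date
from typing import Any

# Question-3 identifier categories, keyed by assumed column names.
IDENTIFIER_CATEGORY = {
    "name": "Names",
    "street_address": "Geographic subdivisions smaller than a state",
    "city": "Geographic subdivisions smaller than a state",
    "zip": "Geographic subdivisions smaller than a state",
    "dob": "Dates (except year) directly related to an individual",
    "date_of_service": "Dates (except year) directly related to an individual",
    "age": "Ages over 89",
    "phone": "Telephone numbers, fax numbers, and/or email addresses",
    "email": "Telephone numbers, fax numbers, and/or email addresses",
    "ssn": "Social security numbers",
    "mrn": "Medical record numbers",
    "beneficiary_id": "Health insurance ID / plan beneficiary numbers",
    "device_serial": "Device identifiers and serial numbers",
    "ip_address": "Web URLs and/or IP address numbers",
    "photo": "Full face photographic images",
}

DATE_FIELDS = {"dob", "date_of_service"}

# Direct identifiers a limited data set (45 CFR 164.514(e)) must not contain.
# Dates, ages, city, state and zip are permitted in a limited data set.
LDS_EXCLUDED = {
    "name", "street_address", "phone", "email", "ssn", "mrn",
    "beneficiary_id", "device_serial", "ip_address", "photo",
}

# Constructed, fictional record standing in for one row a site sends Re-Claimz.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Pat Example",
    "street_address": "1 Example Way",
    "city": "Madison",
    "state": "WI",
    "zip": "53703",
    "dob": date(1931, 5, 2),
    "date_of_service": date(2021, 6, 15),
    "mrn": "MRN-0001",
    "beneficiary_id": "1EG4-TE5-MK72",
    "diagnosis_code": "E11.9",
    "lab_a1c": 7.1,
}


def identifiers_present(record: dict[str, Any]) -> list[str]:
    """Question-3 categories actually carried by a record (sorted, deduplicated)."""
    found = set()
    for field, value in record.items():
        if value in (None, "") or field not in IDENTIFIER_CATEGORY:
            continue
        if field == "age" and value <= 89:
            continue  # an age of 89 or under is not an identifier element
        found.add(IDENTIFIER_CATEGORY[field])
    return sorted(found)


def to_limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Drop the direct identifiers; keep dates, ages and geography above street level."""
    return {k: v for k, v in record.items() if k not in LDS_EXCLUDED}


def _age_on(dob: date, on: date) -> int:
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def to_safe_harbor(record: dict[str, Any]) -> dict[str, Any]:
    """Safe Harbor view: no direct identifiers, state-level geography only,
    dates reduced to year, ages over 89 aggregated into one category."""
    dob = record.get("dob")
    reference = record.get("date_of_service") or date.today()  # assumption: age measured on date of service
    age = record.get("age")
    if age is None and isinstance(dob, date):
        age = _age_on(dob, reference)
    over_89 = age is not None and age > 89

    out: dict[str, Any] = {}
    for k, v in to_limited_data_set(record).items():
        if k in ("city", "zip", "age"):
            continue  # geography kept at state level only; age handled below
        if k in DATE_FIELDS:
            if k == "dob" and over_89:
                continue  # a birth year alone would reveal an age over 89
            out[k] = v.year
        else:
            out[k] = v
    if over_89:
        out["age"] = "90+"
    elif "age" in record:
        out["age"] = record["age"]
    return out
```

Running the three functions on SAMPLE_RECORD shows the progression the checklist describes: the identifiable record carries five question-3 categories; the limited data set still holds the exact birth date and zip code, which is why it needs a DUA rather than being freely shareable; the Safe Harbor view keeps only state, year of service, a "90+" age category and the clinical values. The 3-digit zip code option that Safe Harbor also permits under a population threshold is deliberately not implemented here, so geography is reduced to the state.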
