TRICARE Management Activity's Human Research Protection Program, Data Sharing Agreement Program, and the TMA Privacy Board


Human Protections Administrators Conference, Fort Detrick, August 29, 2012
TRICARE Management Activity's Human Research Protection Program, Data Sharing Agreement Program, and the TMA Privacy Board

Overview
- TRICARE Management Activity (TMA) Privacy and Civil Liberties Office (Privacy Office) Functions
- Human Research Protection Program (HRPP)
- Data Sharing Agreement (DSA) Program
- TMA Privacy Board's Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Reviews

TMA Privacy Office Functions
- HIPAA Privacy
- HIPAA Security
- Privacy Act
- Breach Response
- Complaint Oversight
- Privacy Investment Reviews
- Freedom of Information Act
- E-Government Act
- HRPP
- DSA Program
- Civil Liberties Program
- Records Management
- Training and Awareness
- Emerging Technology

HRPP
- Reviews compliance with:
  - Department of Health and Human Services (HHS) Regulation, Protection of Human Subjects, 45 CFR 46, also known as the Common Rule
  - DoD Regulation, Protection of Human Subjects, 32 CFR 219
  - DoD Instruction (DoDI) 3216.02, Protection of Human Subjects and Adherence to Ethical Standards in DoD-Supported Research
- In mid-2011, the TMA HRPP Program transitioned from Defense Health Cost Analysis and Program Evaluation (DHCAPE) to the TMA Privacy Office
  - Enhances collaboration on research compliance issues
  - Provides greater opportunity to provide joint guidance and streamline business practices

HRPP Reviews and Services
- Beginning 1 October 2012, all protocols (not just new ones) must be submitted through IRBNet in order to obtain any type of review.
- Human Subject and/or Research Determination
  - Review protocols to determine if they meet the criteria for human subjects research
- Exemption Determination
  - Review protocols to determine if criteria for exemption from Institutional Review Board (IRB) review are met
  - Reinforce understanding that exempt protocols must still adhere to the ethical standards set forth in the Common Rule

HRPP Reviews and Services (cont.)
- Human Research Protection Official's (HRPO's) Review
  - Review studies approved by IRBs with Federal-wide Assurance from HHS and agreement with TMA attesting to its understanding of and adherence to DoD-specific protections
  - Includes:
    - Initial review of approved protocols
    - Requests to modify previously approved protocols
    - Requests to continue a study beyond the expiration date of a previous approval
- Guidance and Assistance
  - Guidance and advice during all stages of research, including protocol development

HRPP New Developments
- New HRPP Web page within the TMA Privacy Office Web site: http://tricare.mil/tma/privacy/hrpp
  - Instructions for requesting reviews
  - Forms/templates
  - Additional guidance and information
- New Researchers Guide to Using MHS Data
  - Overview of the Military Health System (MHS)
  - Types of Data within the MHS (including detailed appendices)
  - Human Subjects for Research and their Protections
  - Requesting HRPP Review
  - Requesting TMA Data
  - The DSA Process

HRPP New Developments (cont.)
- New agreements are under development with certain multi-service markets providing IRB and HIPAA services
  - Forms/templates used for HIPAA reviews must be reviewed and agreed upon, as we move to standardizing documentation and processes
  - Efforts to move HIPAA reviews currently provided by the TMA Privacy Board to IRBs with an acceptable HIPAA review program in place
  - Efforts to shift certain DSA reviews to IRBs in an effort to streamline business processes
- Details of the agreement between the TMA Privacy Office and these multi-service markets are still being considered and negotiated

HRPP Questions?

DSA Program
- Reviews requests for data managed by TMA for compliance with various data sharing requirements, including:
  - DoD Privacy Program (DoD 5400.11-R), which implements the Privacy Act of 1974, as amended
  - DoD Health Information Privacy Regulation (DoD 6025.18-R), which implements the HIPAA Privacy Rule
  - DoD Health Information Security Regulation (DoD 8580.02-R), which implements the HIPAA Security Rule
- NOTE: Data access and extractions are handled through separate offices within the MHS, but prior approval of the data request is required by the TMA Privacy Office

Structure of the DSA Program
- Following a restructuring initiative, new web information, processes, and templates were launched in the latter part of 2011
- A workgroup was developed of regulatory experts, TMA data and system experts, and DSA analysts with three primary goals
  - Gain clearer and specific information needed for review
  - More closely align the data sharing process with the HIPAA Privacy Rule and DoD 6025.18-R and streamline analysis with other laws
  - Enhance regulatory compliance and accountability
- Products of the workgroup included a new Data Sharing Agreement Application (DSAA), Data Request Templates, new DSAs, and new supporting documents

Utilizing the DSAA
- The DSAA is an application designed to assist in reviewing a data request for compliance with applicable regulatory requirements and must be initiated by the following:
  - Applicant: the individual who will provide primary oversight and responsibility for the handling of the requested data
    - For contract-driven requests, the Applicant must be an employee of the prime contractor
    - For projects with more than one prime contractor, a DSAA must be completed by each prime contracting organization that will have custody of the requested data
  - Government Sponsor: the Point of Contact (POC) within TMA or the respective Armed Service who assumes responsibility for the contract, grant, project, or Cooperative Research and Development Agreement (CRADA)

Time Saving Steps for Research-Related DSAAs
- The TMA HRPP will accept a completed DSAA in place of the data management section of a protocol
- A research-related DSAA can be submitted while a protocol is pending HRPP review, but it cannot be approved until HRPP review is complete
- Shortly after a DSAA is submitted, the data elements requested are reviewed, and the DSA Team directs research-related data requests seeking protected health information (PHI) greater than a limited data set to the TMA Privacy Board for a compliance review in accordance with the HIPAA Privacy Rule and DoD 6025.18-R
- The TMA Privacy Board will promptly contact the Principal Investigator (PI) and Government Sponsor to begin the HIPAA review, as discussed in the next section

DSAA and Concurrent Reviews
- The DSA team will review a DSAA upon submission and assist in identifying any outstanding needs, including:
  - Data Request Templates (DRTs)
    - A comprehensive listing of data elements requested for a research study from systems owned and/or managed by TMA
  - Status of HRPP review
    - Human subject research determination, exemption determination, and/or HRPO review
  - TMA Privacy Board, if applicable
    - DRTs are reviewed, and research studies that require PHI are sent to the TMA Privacy Board for HIPAA-research review

DSAA and Concurrent Reviews (cont.)
- DHCAPE's TRICARE Survey Program review, if applicable
  - Required for studies involving surveys, interviews, focus groups or similar information collection requests
- System Security Verification (SSV) review, if applicable
  - Required when data will be stored, transmitted, processed, or otherwise maintained on an information system that has not been granted a DoD Authorization to Operate (ATO) or an Interim Authorization to Operate (IATO) in order to review for compliance with DoD 8580.02-R and (DTM) 08-027, Security of DoD Information on Non-DoD Owned or Controlled Information Systems
- While the above applicable reviews are in progress, the DSA team also conducts its internal review of the DSAA for compliance
  - Appropriateness of the Applicant and Government Sponsor

DSAA and Concurrent Reviews (cont.)
- Determining whether data requested appears to meet HIPAA's minimum necessary standard, when applicable
- Helping to obtain an Addendum documenting approval from a respective Service's data sharing POC when a contract, grant, CRADA, or other project that is the subject of a DSAA is sponsored by a Uniformed Service
- Helping to obtain any necessary approvals from other offices (e.g., approval for data from Patient Administration Systems and Biostatistics Activity (PASBA), which resides with the Program Analysis and Evaluation Directorate within the Army Office of the Surgeon General)
- Understanding the data flow and management and ensuring a logical relationship between various sections of the DSAA and other related DSAAs

DSAA and Concurrent Reviews (cont.)
- Obtaining confirmation that Business Associate Agreement language, when required, is included in an underlying contract, grant, CRADA, or other project documentation
  - Required for data requestors outside of the MHS organized health care arrangement, such as contractors, that are providing a service to DoD and/or TMA and require PHI to perform the service
- Conducting Privacy Act compliance review
  - Determination as to whether the data request accesses or utilizes a System of Records, and if so, whether an appropriate System of Records Notice (SORN) is in place or if a SORN needs to be updated or a new SORN created
- DSAAs cannot be approved until all required compliance reviews are complete

DSAs and Tracking System
- A DSA is an agreement that will be fully executed by the Applicant, Government Sponsor, and the TMA Privacy Office only after a DSAA is approved
  - An approved DSAA will be incorporated in an executed DSA
  - Applicant will become the data recipient in the DSA
- A base number is assigned to a DSAA upon submission (e.g., DSAA # 14-737) and the same number is used for the executed DSA once the DSAA is approved and incorporated into the agreement (e.g., DSA # 14-737). All further references will be made to the DSA # (e.g., DSA # 14-737)

The Purpose of DSAs
- Identify the type of data managed by TMA that is required to meet a specific data request
- Ensure compliance with applicable DoD regulations and privacy laws
- Set forth permissible uses and disclosures in accordance with regulatory requirements
- Document the agreed upon responsibilities of the Applicant/Recipient and Government Sponsor
- Provide clear terms and conditions for approving the data request
- Researchers are prohibited from using or disclosing PHI received under a DSA for a specific research project(s) for other or future projects.

Types of DSAs
- Four types of DSAs specific to the type of data requested
  - DSA for De-identified Data
  - DSA for PII excluding PHI
  - DSA for a Limited Data Set, known as a Data Use Agreement (DUA) under the HIPAA Privacy Rule and DoD 6025.18-R
  - DSA for PHI
- An executed DSA will remain in force and all data subject to a DSA may be retained for whichever date is the earliest:
  - One (1) year from the effective date of the DSA
  - The expiration date of the underlying contract, grant, project, or CRADA that necessitates the recipient's need for the data, or
  - When notified that a study has been suspended

DSA Supporting Documents
- Supporting documents developed to correspond with the DSAs include:
  - Change of Applicant/Recipient and Change of Government Sponsor
  - Internal Addendum for Projects Sponsored by an Armed Service
  - Renewal Request
  - Modification Request
  - Extension Request
  - Certificate of Destruction
- Expedited process is available for renewing, modifying, and extending DSAs without any substantive changes

DSA Program Questions?

The TMA Privacy Board
- HIPAA compliance reviews and documentation are required by an IRB or Privacy Board, set up in accordance with the HIPAA regulations, when PHI is used and/or disclosed for research purposes
- TMA does not have an IRB; therefore, the TMA Privacy Office sought and obtained approval for the establishment of a HIPAA Privacy Board, otherwise known as the TMA Privacy Board
- The TMA Privacy Board is critical for TMA's compliance with the HIPAA Privacy Rule and DoD 6025.18-R
- The TMA Privacy Board will accept and rely on HIPAA reviews conducted by DoD or outside IRBs provided that the IRB's HIPAA required documentation meets regulatory requirements

The Common Rule
- Federal Regulation: Protection for Human Subjects (45 CFR 46)
- DoD Implementing Regulation: Protection of Human Subjects (32 CFR 219); Protection of Human Subjects and Adherence to Ethical Standards in DoD-Supported Research (DoDI 3216.02)
- Primary Purpose: Protect individuals who are the subject of research projects. Consideration is given to how various aspects of the research project, including privacy, confidentiality, data collection, data maintenance and data retention, impact physical, emotional, financial, and informational harms.
- Threshold Requirement: Informed consent from each research participant (oral and/or written)
- Enforcement: Office for Human Research Protections, HHS, and DoD Assistant Secretary of Defense for Research and Engineering
- Administration: IRBs
- Exemptions: IRBs can exempt certain research projects from review in accordance with 32 CFR 219.101(b)

The HIPAA Privacy Rule
- Federal Regulation: HIPAA Privacy Rule (45 CFR 160 and 164)
- DoD Implementing Regulation: DoD Health Information Privacy Regulation (DoD 6025.18-R)
- Primary Purpose: Protect individuals against information harm while allowing the necessary flow of health information with specific rules pertaining to the privacy and security of PHI.
- Threshold Requirement: HIPAA Authorization from each research participant (must be written and signed)
- Enforcement: Office for Civil Rights, HHS
- Administration: IRBs or HIPAA Privacy Boards
- Exemptions: None. All research projects seeking PHI from a HIPAA covered entity, including TMA, must comply with the HIPAA Privacy Rule

Four Types of TMA Privacy Board Reviews
- Required Representations for Research on Decedent's Information
  - Use or disclosure of PHI solely for research on decedents
- Required Representations for Review Preparatory to Research
  - Use or disclosure of PHI solely for preparing a research protocol or for similar purposes
  - Researchers agree not to remove the PHI from TMA in the course of the review
- Studies that Must Obtain HIPAA Authorizations
- Studies that Require a Waiver of Authorization or an Altered Authorization

HIPAA Authorizations
- Presumed to be Required
- Researchers are required to obtain a written and signed HIPAA Authorization from every participant in the research study
- Authorizations must contain all core elements and required statements set forth in the HIPAA Privacy Rule and DoD 6025.18-R
- PIs are required to initial and sign a certification assuring:
  - That the signed authorization of each research participant whose PHI is used or disclosed will be maintained electronically and/or in hard copy for a period of six years from the date the Authorization expires; and,
  - That any and all of the signed Authorizations will be provided to TMA immediately upon request

Waiver of Authorization
- Where it is impossible or impracticable to obtain a written Authorization from each and every research participant
- Two types of waivers
  - Full: waiving authorizations for the entire study
  - Partial: waiving authorizations for part of the project (e.g., for recruiting or screening potential research participants), thereafter PHI is no longer needed or Authorizations can be obtained at that point from each research participant
- Documentation by an IRB or Privacy Board of approval of a waiver must contain all required criteria set forth in the HIPAA Privacy Rule, 45 CFR 164.512(i)(2) and DoD 6035.18-R, C.7.9.2

Altered Authorization
- Appropriate when a research study requires a need to modify or remove some, but not all, required elements from an Authorization (e.g., to remove the core element that describes each purpose of the requested use or disclosure where the identification of the specific study would affect the results of the project)
- Documentation by an IRB or Privacy Board of approval of an alteration to the Authorization must contain all required criteria set forth in the HIPAA Privacy Rule, 45 CFR 164.512(i)(2) and DoD 6035.18-R, C.7.9.2
- An approved alteration only applies to the study for which it is requested and cannot be used for any subsequent use or disclosure of PHI in a different project

Modifications, Extensions, and Renewals
- TMA Privacy Board approvals document HIPAA compliance in support of a specific research-related DSA
- When a DSA is modified, extended and/or renewed, the TMA Privacy Board is contacted and will e-mail the PI to determine if the study has changed and if the responses or representations in any documents/templates approved or accepted by the TMA Privacy Board remain the same
- Any substantial changes in the previous information reviewed and relied upon by the TMA Privacy Board will require further review in support of a modification, extension, and/or renewal

New Developments of the TMA Privacy Board
- Coming Soon: TMA Privacy Board Web page within the TMA Privacy Office Web site
  - Authority for the Establishment of the TMA Privacy Board
  - Board Members
  - The Difference Between the HIPAA Privacy Rule and the Common Rule
  - Prerequisites to TMA Privacy Board Review (including a flow chart)
  - TMA Privacy Board Review Process (including a flow chart)
  - Limits on the Use and Disclosure of PHI Obtained for the Purposes of Research
  - Templates (viewable, but not available for completion until directed)
  - Frequently Asked Questions

TMA Privacy Board / Overall Questions

Additional Resources
- Privacy Office Web site, http://www.tricare.mil/tma/privacy/default.aspx
- DSA Program Web page, http://www.tricare.mil/tma/privacy/duas.aspx
- HRPP Web page, http://tricare.mil/tma/privacy/hrpp
- TMA Privacy Board Web page, coming soon
- E-mail DSA.mail@tma.osd.mil for DSA related questions
- E-mail TMA_HRPP@tma.osd.mil for HRPP related questions
- E-mail tmaprivacyboard@tma.osd.mil for HIPAA research related questions