HIPAA P12 CMS Data Use Agreements & Data Management Plans

FULL POLICY CONTENTS: Scope, Reason for Policy, Definitions, Policy Statement
ADDITIONAL DETAILS: Additional Contacts, Related Information, History

Effective: May 1, 2016
Last Updated: April 26, 2016
Responsible University Office: HIPAA Privacy and Security Compliance Office
Responsible University Administrator: Vice President for University Clinical Affairs
Policy Contact: University HIPAA Privacy Officer

Scope

This policy applies to all personnel, regardless of affiliation, who intend to use identifiable data from the Centers for Medicare and Medicaid Services (CMS) for research purposes under the auspices of Indiana University. CMS requires compliance with these rules regardless of whether the recipient is part of a covered entity. The recipient must comply with the final provisions of the security and privacy rules regulated by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Reason for Policy

Indiana University is committed to protecting the privacy of health information as required under the HIPAA Privacy and Security Rules. HIPAA states that PHI can only be used for specific research purposes pursuant to a HIPAA Authorization, a Privacy Board approved Waiver of Authorization, or if an exception applies. A covered entity such as CMS may enter into an agreement with another entity and share its PHI as long as it obtains assurances that the data will be protected as required under law.

Definitions

See the HIPAA Glossary for a complete list of terms.

Policy Statements

Any researcher, research team or unit who will request identifiable data from CMS for research purposes must comply with this policy.

I. Data Use Agreement:
   A. Pursuant to the Board of Trustees Powers of Treasurer Resolution dated June 20, 1991, only the Treasurer of the Trustees of Indiana University and of the University, and others acting in conjunction with the Treasurer, are granted specific authority to execute certain documents on behalf of the University.
      1. The Treasurer has designated the University HIPAA Privacy Officer to have signature authority for all Data Use Agreements (DUAs).
      2. The University HIPAA Privacy Officer will sign all CMS DUAs on behalf of the Trustees of Indiana University.
   B. The University HIPAA Privacy Officer will review and approve all CMS DUAs.
   C. The University HIPAA Privacy Officer will track all CMS DUAs. CMS DUAs will be tracked in a REDCap database. Information recorded in REDCap will include:
      1. DUA Number
      2. Study Name/Title
      3. IU's IRB number, if applicable
      4. Name of IU's Principal Investigator
      5. HIPAA training completed: Y/N
      6. Confidentiality Agreement: Y/N
      7. Date DUA signed
      8. Date data received
      9. Types of data received
      10. Planned termination date
      11. Date data are destroyed
      12. Date Certificate submitted to CMS
   D. The research team and collaborators will comply with all requirements set forth in the CMS DUA.
   E. The research team and collaborators will not use the data received under the CMS DUA for any other purpose and will not use this data after the project is completed.

CMS Data Use Agreement and Data Management Plans Page 2

II. Data Management Plan: The Principal Investigator will be responsible for developing and maintaining the Data Management Plan as required by CMS.
   A. Approval of Data Management Plan
      1. IU's IRB will have responsibility to review all CMS Data Management Plans through the IRB protocol/study approval process:
         a. Initial review process;
         b. Continuing review process as designated in the IRB approval.
      2. CMS will have final approval over all CMS Data Management Plans.
   B. Confidentiality Agreement: The Principal Investigator will ensure all members of the research team review and sign a confidentiality agreement that binds each member and ensures the privacy and security of the data received.
   C. Training:
      1. CITI (Collaborative Institutional Training Initiative): All key personnel and any researcher directly interacting with human subjects are required to complete CITI training every three (3) years.
      2. HIPAA Privacy and Security & Notification Requirement Training: Pursuant to Indiana University's HIPAA Privacy and Security Compliance Plan, each member of the research team will complete HIPAA training annually.
      3. Security of Mobile Devices Training: Each member of the research team is required to complete Security of Mobile Devices training at least once. Employees will gain an understanding of how to properly protect information accessed or stored on mobile devices. The module also references Indiana University's IT 12.1 Mobile Device Security Standard.
      4. New Employee Compliance Orientation (NECO): All new employees in the Health Science Schools are required to complete NECO within 90 days of employment. New employees will gain an understanding of their obligations for compliance and will be provided with resources needed to address and report compliance matters.
   D. Notification of project staffing changes:
      1. Per Indiana University Standard Operating Procedures for Research Involving Human Subjects, Section 2.1.8, the Principal Investigator will ensure any changes in study team members are reflected in the University IRB protocol.
      2. The Principal Investigator will also notify CMS of any changes to the project staff listed on the CMS Executive Summary for Research Identifiable Data.
   E. Notification of project staff or collaborators who terminate from the project:
      1. Per Indiana University Standard Operating Procedures for Research Involving Human Subjects, Section 2.1.8, the Principal Investigator will ensure any terminations of study team members are reflected in the University IRB protocol.
      2. The Principal Investigator will notify CMS of any study team member or collaborator termination from the project.
      3. The Principal Investigator will ensure access to CMS data is terminated for any person who terminates from the project.
   F. Notification of project staff or collaborators who are terminated (voluntary or involuntary):
      1. Per Indiana University Standard Operating Procedures for Research Involving Human Subjects, Section 2.1.8, the Principal Investigator will ensure any terminations of study team members are reflected in the University IRB protocol.
      2. The Principal Investigator will notify CMS of any terminations of study team members as well as collaborators.
      3. The Principal Investigator will ensure access to CMS data is terminated for any person who is terminated or terminates from the project.

III. Reporting Incidents and/or Breaches: Indiana University must notify CMS of any suspected incident wherein the security and the privacy of the CMS data may have been compromised.
   A. Indiana University Policy ISPP-26, Information and Information System Incident Reporting, Management, and Breach Notification, outlines procedures for suspected or actual security breaches of information, attempts to compromise information, or weaknesses in the safeguards protecting information. Under this policy, all individuals encountering such information are required to immediately report to the University Information Privacy Office by phone or by email to it-incident@iu.edu.
   B. The University HIPAA Privacy Officer has primary responsibility for reporting to federal agencies within seven (7) days if there is a suspected incident where the security and privacy of the CMS data may have been compromised, as outlined in Indiana University's incident response procedure.

IV. Certificate of Disposition: CMS requires this certificate to be completed and submitted to CMS to certify the destruction/discontinued use of all CMS data covered by the listed DUA at all locations and/or under the control of all individuals with access to the data. This includes any and all original files, copies made of the files, any derivatives or subsets of the files, and any manipulated files. The requester may not retain any copies, derivatives or manipulated files. All files must be destroyed or properly approved in writing by CMS for continued use under an additional DUA(s). CMS will close the listed DUA upon receipt and review of this certificate and provide e-mail confirmation to the submitter of the certificate.
   A. The Principal Investigator shall:
      1. Complete & sign the CMS Certificate of Disposition;
      2. Submit the signed Certificate to CMS;
      3. Submit a copy to the University HIPAA Privacy Officer (email a scanned copy to HIPAA@iu.edu).
   B. The University HIPAA Privacy Officer will record the date the Certificate was submitted to CMS in the REDCap database.

Related Information

HIPAA Privacy Rule
   45 CFR 164.530(c)
   45 CFR 164.530(e)
HIPAA Security Rule
   45 CFR 164.310
   45 CFR 164.310(d)(2)(i) and (ii)

Related IU Policies/Guidance Documents
   HIPAA-G01: HIPAA Sanctions Guidance
   HIPAA-G04: Limited Data Sets and Data Use Agreements
   HIPAA-P02: Applicability of Minimum Necessary
   HIPAA-P08: Removal and Transport of PHI and ePHI

History
   05/01/2016 Effective Date
   02/15/2017 Updated section II.A.
   06/xx/2017 Published on University policy site

CERTIFICATE OF DESTRUCTION

The information described below was destroyed in the normal course of business pursuant to Indiana University's retention schedule and destruction policy and procedures.

Date of Destruction:
Authorized By:
Description of the Information Destroyed/Disposed of:
Dates Covered:

METHOD OF DESTRUCTION:
   Burning
   Pulping
   Overwriting
   Pulverizing
   Shredding
   Reformatting
   Other:

Records Destroyed By:
Witnessed By:
Unit/Department Manager:

*If records are destroyed by a vendor, the IU HIPAA Affected Area must confirm that a contract/business associate agreement exists.

Retain certificate of destruction permanently.