Rebecca Hulea, MS, JD Director of Regulatory Compliance UMHS Compliance Office Education Series, 101 Data Management.


1 Rebecca Hulea, MS, JD Director of Regulatory Compliance UMHS Compliance Office Education Series, 101 Data Management

2 Understand data management principles with a law and policy mindset. Understand your role in meeting data management compliance obligations in daily research activities. Identify steps you can take to ensure compliance with law and policy.

3 The DHHS entered HIPAA settlements totaling nearly $2 million with two covered entities that reported relatively small breaches involving stolen unencrypted laptop computers.

2013 – A researcher downloaded PHI to a personal unencrypted laptop while part of a research team at UMHS; the data stayed on the laptop after employment ended, although the researcher was no longer a collaborator on the study. The laptop was stolen. 384 patients/research subjects were notified.

2014 (2 unrelated incidents) – A research coordinator sent a mass e-mail containing PHI to all research subjects, with the recipients' addresses viewable by every recipient. 85 and 63 patients/subjects were notified, respectively.

4 Each Word has Significance

Health – "individually identifiable health information" created, held or transmitted by UMHS in any form or media (electronic, paper, or oral).
Insurance – simplify the administration of health insurance.
Portability – improve availability and continuity of health insurance coverage in the group and individual markets, combat waste, fraud, and abuse in health insurance and health care delivery, promote the use of medical savings accounts, and improve access to long-term care services and coverage.
Accountability – appropriately protect and secure health information.

5 PHI Privacy Barrier

The Privacy Rule permits UMHS to disclose patient PHI for research under certain circumstances. The slide contrasts the two routes past the privacy barrier: TPO (treatment, payment, and health care operations) and Research.

For research, the conditions are:
UM IRB approval for the project and the data.
The patient gives his or her permission (authorization) to use certain data, or an IRB-approved HIPAA Waiver of Authorization is required.
Minimum necessary only.
De-identify to the extent possible (stripped of all direct and indirect identifiers).
Research justification for the PHI.
A Data Use Agreement is in place.
A Data Management Plan is in place identifying how the study team will address data privacy and security protections through the life cycle of the project.
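The "minimum necessary" and "de-identify to the extent possible" items above are where a study team actually touches the data, so here is an added worked example (not code from the UMHS presentation, and not a UMHS tool) of what that looks like in practice. It applies the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)) as an allow-list transform: a record keeps only the fields the study explicitly needs, direct identifiers can never be allow-listed, dates are reduced to the year, ZIP codes are truncated to three digits (with low-population prefixes set to 000), and ages of 90 and over are collapsed, including the year of birth that would reveal them. The field names, the sample records, and the restricted ZIP-prefix list are assumptions made for illustration; the prefix list reflects the HHS guidance derived from 2000 Census data and should be refreshed from current guidance before real use.

```python
"""Safe Harbor-style de-identification of a research extract (illustrative)."""
import re
from datetime import date

# Direct identifiers that Safe Harbor removes outright (a subset of the 18
# categories). Field names are assumptions, not a UMHS schema.
DIRECT_IDENTIFIERS = {
    "name", "mrn", "ssn", "email", "phone", "address", "account_no",
    "device_id", "ip", "url", "photo",
}

# Three-digit ZIP prefixes with population <= 20,000 per HHS guidance based
# on 2000 Census data; Safe Harbor requires these to become 000.
# Assumption: illustrative list, refresh from current HHS/Census guidance.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Minimum necessary: the only fields this (hypothetical) study may keep.
STUDY_ALLOWLIST = {"subject_id", "zip", "dob", "admit_date", "diagnosis"}

# Reference date for age calculation (assumption: end of data collection).
REFERENCE_DATE = date(2014, 12, 31)


def generalize_zip(zip_code):
    """Keep only the first three digits; restricted prefixes become 000."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None          # malformed ZIP: drop it rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(ref, dob):
    """Whole years between dob and ref; 90 and over collapses to '90+'."""
    age = ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else age


def deidentify(record, reference_date=REFERENCE_DATE, allowlist=STUDY_ALLOWLIST):
    """Return a Safe Harbor-style de-identified copy of one record.

    Raises ValueError if the allow-list names a direct identifier, so a
    misconfigured study cannot silently export PHI.
    """
    leak = allowlist & DIRECT_IDENTIFIERS
    if leak:
        raise ValueError(f"allow-list contains direct identifiers: {sorted(leak)}")
    out = {}
    for field in allowlist:
        if field not in record:
            continue
        value = record[field]
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            age = age_on(reference_date, value)
            out["age"] = age
            if age != "90+":
                # A birth year indicative of age > 89 must be removed too.
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[field] = value.year      # all date elements except year are removed
        else:
            # subject_id is kept as a study re-identification code; Safe Harbor
            # permits one as long as it is not derived from PHI.
            out[field] = value
    return out


# Constructed sample records with fictional subjects (not real data).
SAMPLE = [
    {"subject_id": "S001", "name": "Jane Roe", "mrn": "0012345",
     "dob": date(1950, 6, 15), "zip": "48109-1234",
     "admit_date": date(2014, 3, 2), "diagnosis": "I10"},
    {"subject_id": "S002", "name": "John Doe", "email": "jd@example.org",
     "dob": date(1920, 1, 1), "zip": "03601",
     "admit_date": date(2014, 7, 9), "diagnosis": "E11"},
]


def deidentify_all(records, reference_date=REFERENCE_DATE):
    """De-identify every record in an extract."""
    return [deidentify(r, reference_date) for r in records]


if __name__ == "__main__":
    for row in deidentify_all(SAMPLE):
        print(row)
```

Note that Safe Harbor is only one of the two HIPAA de-identification methods (the other is expert determination), and that stripping the 18 identifier categories does not by itself satisfy "minimum necessary": the allow-list is what enforces that, which is why the function refuses to run with an allow-list that includes a direct identifier.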

6 Privacy & Security Protection Considerations

7 ALWAYS CONSULT IT SERVICES (MCIT OR MSIS)

No matter where sensitive data is stored, it must be secured and it must be protected. HIPAA requires the strongest encryption methods available. In practice, HHS guidance treats PHI as "secured" (and a loss of it as not reportable) only when it is encrypted in a manner consistent with NIST guidance, which is why the unencrypted laptops on slide 3 became reportable breaches.

8 All HIPAA violations are PRESUMED a BREACH

All HIPAA incidents must be analyzed by the UMHS Compliance Office using a 4-prong test to overcome the presumption of a breach. Documentation is retained for 6 years. (Do NOT do this analysis yourself!)

Your Role: Report all actual and suspected HIPAA privacy or information security violations!

4-prong test:
1. Nature and extent of the information involved, including the types of identifiers and the risk of re-identification
2. The unauthorized person who used the PHI or to whom it was disclosed
3. Whether the PHI was actually acquired or viewed
4. Extent to which the risk to the PHI has been mitigated

9 Planning will avoid HIPAA non-compliance throughout the life cycle of the project

Project Planning
Know data elements.
Know data sources (incoming/outgoing).
Follow minimum necessary principles.
Define user roles.
Understand privacy and security requirements.
Store data in a HIPAA-compliant environment.
Engage IT early in the discussions.
Budget for privacy and security costs through the data life cycle.
Obtain Data Use Agreements.
Understand that UM is the data owner.
Ask questions.

Project Phase
Know who has your data at all times.
Monitor the data security environment periodically.
Monitor and track PHI use.
Account for all PHI disclosures (applies if PHI was obtained via a HIPAA Waiver).
Amend the IRB application EARLY when investigators plan to leave the project or the institution.
Obtain a signed DUA from each external collaborator's institution.
Retrieve data from departing investigators.
Report suspected security and privacy concerns to the IRB and the UMHS Compliance Office.
Ask questions.

Project Wrap-Up
Minimize improper disclosures: secure data throughout the storage period.
Destroy data if it is no longer needed.
If data was shared externally, obtain certification of the external collaborators' data destruction.
Engage IT for long-term data storage options; budgets should include the cost of long-term storage and security.
Report suspected security and privacy concerns to the UMHS Compliance Office.
Ask questions.

10 Compliance is a Partnership, Together We Make it Work. Questions? Thank You!

11 Contact the Compliance Office Phone: Website: Hot Line or Web Form Submission (Anonymous): (866) or

