A Guide to Compliant Data Management Rebecca Hulea, MS, JD Director of Regulatory Compliance UMHS Compliance Office Education Series, 101 Data Management
Learning Objectives Understand data management principles with a law and policy mindset. Understand your role in complying with data management compliance in daily research activities. Identify ways that you can take to assure compliance with law and policy.
Governmental Enforcement The DHHS entered HIPAA settlements totaling nearly $2 million with two covered entities that reported relatively small breaches involving stolen unencrypted laptop computers. 2013 –Researcher downloaded PHI to personal unencrypted laptop while part of research team at UMHS, data stored on laptop after employment ended. Researcher no longer a collaborator on the study. Laptop stolen. 384 patients/research subjects notified. 2013 & 2014 (2 unrelated incidents) Research coordinator sent mass e-mail containing PHI to all research subjects – email addresses viewable by all recipients. 85 and 63 patients/subjects notified, respectively.
Each Word has Significance HIPAA is a powerful law Health -"individually identifiable health information" created, held or transmitted by UMHS in any form or media, (electronic, paper, or oral). Insurance - simplify the administration of health insurance Portability – improve availability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage. Accountability – appropriately protect and secure health information. Each Word has Significance
Privacy Rule permits UMHS to disclose Patient PHI for research, under certain circumstances. ` UM IRB approval for project & data Patient gives his or her permission to use certain data IRB approved HIPAA Waiver of Authorization required. Minimum necessary only De-identify to extent possible (stripped of all direct & indirect identifiers). Research justification for PHI. Data Use Agreement is in place. Data Management Plan is in place identifying how the study team will address data privacy & security protections through life cycle of project. PHI Privacy Barrier Research ≠ TPO
Privacy & Security Protection Considerations
Let’s Talk Technical Safeguards for a Minute…. No matter where sensitive data is stored – it must be secured, it must be protected... HIPAA Requires the Strongest Encryption Methods available. ALWAYS CONSULT IT SERVICES (MCIT OR MSIS)
What if I suspect PHI is inappropriately disclosed? All HIPAA violations are PRESUMED a “BREACH” 4-prong test: Nature and extent of information involved, including the types of identifiers and risk of re-identification Unauthorized person who used the PHI or to whom it was disclosed Whether the PHI was actually acquired or viewed Extent to which risk to the PHI has been mitigated All HIPAA incidents must be analyzed by the UMHS Compliance Office using a 4-prong test to overcome the presumption of a Breach, Documentation is retained for 6 years. (Do NOT do this analysis yourself!) Your Role: Report all actual and suspected HIPAA privacy or information security violations!
Planning will avoid HIPAA Non-compliance throughout the life cycle of the Project Project Planning Know Data Elements Know Data Source (incoming/outgoing) Follow Minimum Necessary Principles Define User Roles Understand privacy & security requirements Store data in a HIPAA compliant environment Engage IT Early in the discussions Budget for privacy & security costs through data life cycle. Obtain Date Use Agreements Understand UM is the data owner Ask questions Project Phase Know who has your Data at all times Monitor data security environment periodically Monitor & Track PHI use Account for all PHI disclosures (applies if PHI obtained via a HIPAA Waiver) Amend IRB Application EARLY when investigators plan to leave the project or the institution. Obtain signed DUA from external collaborators’ institution. Retrieve data from departing investigators. Report suspected security & privacy concerns to IRB & UMHS Compliance Office Ask questions Project Wrap-Up Minimize improper disclosures – secure data throughout storage period. Destroy data if it is no longer needed. If data was shared externally, obtain certification of external collaborators data destruction. Engage IT for long-term data storage options – Budgets should include cost for long-term storage and security. Report suspected security & privacy concerns to UMHS Compliance Office. Ask questions Project Planning Know Data Elements Know Data Source (incoming/outgoing) Follow Minimum Necessary Principles Define User Roles Understand privacy & security requirements Store data in a HIPAA compliant environment Engage IT Early in the discussions Budget for privacy & security costs through data life cycle. Obtain Date Use Agreements Understand UM is the data owner Ask questions Project Phase Know who has your Data Monitor data security environment periodically Monitor & Track PHI use Account for all PHI disclosures (applies if PHI obtained via a HIPAA Waiver) Amend IRB Application EARLY when investigators plan to leave the project or the institution. Obtain signed DUA from external collaborators’ institution. Retrieve data from departing investigators. Report suspected security & privacy concerns to IRB & UMHS Compliance Office Ask questions Project Wrap-Up Minimize risk to institution – destroy data if no longer needed Obtain certification of external collaborators’ data destruction. Engage IT for long-term data storage – Budgets should have included costs for long- term storage and security. Report suspected security & privacy concerns to UMHS Compliance Office. Ask questions
Compliance is a Partnership, Together We Make it Work. Questions? Thank You!
How to Report Concerns Contact the Compliance Office Phone: 734-615-4400 Email: Compliance-group@med.umich.edu Website: http://med.umich.edu/u/compliance/index.htm Hot Line or Web Form Submission (Anonymous): (866) 990-0111 or http://www.tnwinc.con/WebReport/