Presentation is loading. Please wait.

Presentation is loading. Please wait.

George Washington University Research Education Forum September 25, 2013 Cortni Romaine Education and Outreach Coordinator- Office of Human Research Noor.

Published byDrusilla Owens Modified over 10 years ago

Similar presentations

Presentation on theme: "George Washington University Research Education Forum September 25, 2013 Cortni Romaine Education and Outreach Coordinator- Office of Human Research Noor."— Presentation transcript:

1 George Washington University Research Education Forum September 25, 2013 Cortni Romaine Education and Outreach Coordinator- Office of Human Research Noor Aarohi Senior Risk & Compliance Analyst- Division of IT Robert Donnally Director, Regulatory Affairs and Outreach - Office of the Vice President for Research

2 Define Data Use Agreements and Security Agreements Overview of IRB submission requirements What is required by Division of IT What is required by OVPR

3 What are they and why are they important?

4 A Data Use Agreement (DUA) is a legal binding agreement between the two institutions. May also be called Data Use Certification, Data Contract or other titles. The DUA serves as both a means of informing data users of these requirements and a means of obtaining their agreement to abide by these requirements. Additionally, the DUA serves as a control mechanism for tracking the location(s) of the data and the reason for the release of the data.

5 An agency may enter into a data use agreement with another entity if authorized by law. The agreement must indicate the legal and statutory authority for use of data. There may be multiple data use agreements in any given project.

6 The DUA may require: Institutional Review Board (IRB) to oversee data use activities, particularly if the data involves personally identifiable information. Informed consent documents for potential research participants. Members of joint projects to be trained on safeguards to protect confidential information.

7 Name Legal authority for data use Program authority for data use Purpose Background Mutual interest of entities Responsibilities of entities Funding information Costs and reimbursement Custodian of data Agency point of contact Data security procedures Inspecting security arrangements Data transfer, media and methods for the exchange of data Reporting requirements Records usage, duplication, re-disclosure restrictions Record keeping, retention and disposition of records Potential work constraints Ownership Conditions for reporting results and public release of data Policy and procedures for releasing data to researchers Penalties for unauthorized disclosure of information Term of the agreement Constraints, including performance standards, DUA review procedures, audit clause, liability issues, definition of a breach Resolution of conflicts Concurrences, including third party concurrence

8 Covered entities (if working with protected health information; PHI). National Institutes of Health (NIH) (usually on a study-by-study basis. One study may have multiple DUAs). Census Bureau University of Michigan (AddHealth Dataset) University of Chicago (National Opinion Research Center; NORC) **Note: Most agencies and organizations have their own DUA templates that must be used.

9 Records Limited Data Sets Security Agreements

10 The Department of Health and Human Services (HHS) defines a “record” as any item, collection, or grouping of information about an individual that is maintained by an agency. Records may include, but are not limited to: Name Education Criminal History Medical History Employment History Financial Transactions Any identifying number, symbol, or other identifier such as a finger print, voice print, or photograph

11 HIPAA allows access for research purposes to health information that includes a limited number of identifiers. This health information, called a Limited Data Set, can include dates, zip codes and city, and any other unique identifying number, characteristic, or code that is not expressly precluded. A limited data set can include dates of admission, discharge or other services; dates of birth or death; age of participant (including those over 90 years of age); full five digit zip code and any other geographic subdivision such as county, city, precinct, and equivalent geocode (except street address).

12 Elements that must be stripped: Name Social security number Street address Email address Telephone number Fax number Certificate/license number Vehicle identification number Personal Web page URL IP address Full-page photos or other comparable identifying images Medical record number Health plan beneficiary number Any other account number Medical device identifier or serial number Biometric identifiers include fingerprints and voice prints.

13 Some data sets require only a Security Agreement. These agreements may include language about the following: Network Security Data Security Data Storage Data Transmission Data Encryption Data Re-Use End of Agreement Data Handling Security Breach Notification

14 What to Submit When to Submit What to do After Approval

15 When obtaining a data set from an outside entity, it is important to know the review process. If you are unsure whether or not your study is human subjects research, submit a Determination Worksheet along with a copy of the Agreement to the Office of Human Research. OHR will provide you with a written determination and instruct you on the next steps.

16 Research is defined by 45 CFR 46.102(d) as: A systematic investigation designed to develop or contribute to generalizable knowledge (including research development, testing and evaluation) Systemized- having or involving a system, method or plan. Investigation- testing a hypothesis and permitting conclusions to be drawn (ie: detailed, careful examination) Intended to develop or contribute to generalizable knowledge (expressed in theories, principles and statements of relationships) Are you going to publish or present??

17 45 CFR 46.102(f): A human subject is a living individual about whom an investigator conducting research obtains Data through intervention or interaction with the individual OR -Identifiable private information

18 In some instances, data may be considered potentially identifiable due to deductive disclosure. This means discerning of an individual through the use of known characteristics. DUAs may be considered human subjects research due to this reason.

19 Submit as soon as possible for review if you a) know your study is human subjects research or b) once you receive your determination from OHR stating your study is human subjects research. An Agreement is not approved by OHR or the IRB. OHR will only review your study and provide you with additional information on how to obtain Agreement approval. Occasionally, the agency or organization will require the IRB to review and approve the data security plan.

20 After your study has been approved or you are provided with a non-human subjects research determination, you must contact the Division of IT and OVPR for final Agreement approval and implementation.

21 Dear Dr. ____, Per your Determination Worksheet submitted to the Office of Human Research on ____, 2013 for the study entitled, “______", a determination has been made that the activities described do not meet the definition of human subjects research. That is, a living individual about whom an investigator conducting research obtains: a) data through intervention or interaction with the individual or b) private identifiable information. This determination is being made as the data you are analyzing is not considered identifiable. These are: _____________. Further review by the GW Institutional Review Board (IRB) is not required. Please be advised that since Data Provider is providing you with the data set, they have required that you enter into a Data Use Agreement (DUA). Please contact Mr. Robert Donnally at the Office of the Vice President for Research in order to meet the DUA requirements. Should Data Provider require data security measures within the DUA, please contact Ms. Noor Aarohi in order to satisfy any IT requirements. Should your study change in a way that is does meet the definition of human subjects research, please contact this office before proceeding. Do not hesitate to contact us with any questions or concerns regarding this determination. Best regards, OHR

22

23 Different names : Data Security Plan, Data Agreement, MoU etc. These documents should be read thoroughly Be cognizant of terminology that refers to CFRs, regulatory requirements such as FISMA, FedRAMP, HIPAA, FERPA etc. Some examples are cited in the next slides

24 “The PI named in the DAR ( Data Access Request) has reviewed and understands the principles of research use and handling…as defined in …..”. “All data security practices and other terms of use defined in this agreement and the dbGaP Security Best Practices for the raw data..”dbGaP Security Best Practices

25 Restricted Use Data Procedures Manual Security Plan Form Example 3 – HRSA Uniform Data System

26 Data Management Support Services Data Management Template – helps you create artifacts that substantiate compliance with the requirements. Data Management Template Trusted advisor role and coordinator for acceptable ‘use-case’ conversations. Technology support – we advise on system configurations, confidentiality agreements, training etc. that will help you meet the requirements.

27 Reputation costs Loss of research and grants Notification costs, lawsuits and fines Civil and criminal fines and imprisonment Ethical and psychological impacts - the human factor

28 Additional Requirements

29 Coordinate DUA Requirements as far in advance as possible with rdonnall@gwu.edu, 202-994-9329 Please read the DUA thoroughly and ask any questions. Ensure that terms of the DUA do not conflict with project plan or any sponsored project agreement. Describe any special circumstances regarding how data will be used, processed, or stored. In parallel, please coordinate any data security issues and data security management plan issues with Noor Aarohi, IT Risk and Compliance, at naarohi@gwu.edu. Please complete a DUA Review Form and send it with an email to rdonnall@gwu.edu.

30

31 GW Office of Human Research for questions regarding human subjects research: ohrirb@gwu.edu or (202) 994-2715 ohrirb@gwu.edu GW Division of IT for questions regarding security arrangements: - naarohi@gwu.edu or (703) 726-3664naarohi@gwu.edu GW Office of the VP for Research (OVPR) for questions regarding securing institutional signatures on any agreements: rdonnall@gwu.edu or (202) 994-6255 rdonnall@gwu.edu

Download ppt "George Washington University Research Education Forum September 25, 2013 Cortni Romaine Education and Outreach Coordinator- Office of Human Research Noor."

Similar presentations

HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *http://www.hhs.gov/ocr/combinedregtext.pdf.

HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
HIPAA Privacy Rule and Research

HIPAA Privacy Rule and Research
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.

HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
NATIONAL FORUM ON YOUTH VIOLENCE PREVENTION: HIPAA PRIVACY RULE CONSIDERATIONS November 1, 2011 Iliana L. Peters, JD, LLM HHS Office for Civil Rights.

NATIONAL FORUM ON YOUTH VIOLENCE PREVENTION: HIPAA PRIVACY RULE CONSIDERATIONS November 1, 2011 Iliana L. Peters, JD, LLM HHS Office for Civil Rights.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.

COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.
The Health Insurance Portability and Accountability Act Basic HIPAA Training For CMU workforce with access to PHI.

The Health Insurance Portability and Accountability Act Basic HIPAA Training For CMU workforce with access to PHI.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
National Cancer Institute Cancer Therapy Evaluation Program (CTEP) presents: How to Obtain Protected Health Information (PHI) from an Outside Healthcare.

National Cancer Institute Cancer Therapy Evaluation Program (CTEP) presents: How to Obtain Protected Health Information (PHI) from an Outside Healthcare.
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
HIPAA Requirements for Patient Oriented Research

HIPAA Requirements for Patient Oriented Research
Informed Consent.

Informed Consent.
HIPAA Training Presentation for New Employees How did we get here? HIPAA Police 1.

HIPAA Training Presentation for New Employees How did we get here? HIPAA Police 1.
Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.

Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Privacy and Information Security Essentials

Privacy and Information Security Essentials
University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.

University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.
FERPA and IRB: Implications for Testing Centers Judith W. Grant, Ph.D.,CIP NCTA Conference San Antonio, Texas August 6, 2009.

FERPA and IRB: Implications for Testing Centers Judith W. Grant, Ph.D.,CIP NCTA Conference San Antonio, Texas August 6, 2009.
1 HIPAA, Researchers and the IRB: Part Two Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.

1 HIPAA, Researchers and the IRB: Part Two Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.

Similar presentations

Ads by Google