Third Party Registry: Difference between revisions

From University of Nebraska Medical Center
Jump to navigation Jump to search
No edit summary
 
(14 intermediate revisions by 2 users not shown)
Line 20: Line 20:
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"  
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"  
width="20">[[Intellectual Property]]</td>
width="20">[[Intellectual Property]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Faculty]]</td>
</tr>
</tr>
</table>
</table>
<br />
<br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]]
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]] | [[Patient Privacy Investigations and Levels of Violation]] | [[Use and Disclosure of PHI for Training Health Care Professionals]] | [[Disclosures of PHI as Permitted or Required by Law]] | [[Disclosure of PHI for Law Enforcement Purposes]]
 
<br /><br />
<br /><br />
Policy No.: '''6300'''<br />
Policy No.: '''6300'''<br />
Effective Date: '''Draft'''<br />
Effective Date: '''06/27/16'''<br />
Revised Date: <br />
Revised Date: '''draft 09/20/22'''<br />
Revised Date: <br />
Revised Date: <br />
<br />
<br />
<big>'''Third Party Registry Selection Policy'''</big><br /><br />
<big>'''Third Party Registry Selection Policy'''</big><br /><br />
==Purpose of Policy==
==Basis for Policy ==
The purpose of this policy is to describe the organization’s requirements for selecting a third party registry to securely and efficiently submit data to in order to achieve organizational goals.
Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] outline considerations for the access control family of security controls.
==Policy==
==Policy==
The following serve as the guiding principles to follow when selecting a vendor:
The following serve as the guiding principles to follow when selecting a third-party vendor:
===Organizational Goals===
#Organizational Goals - the envisioned goals of the submission shall be clearly documented and communicated to assess the benefits versus risks to form a recommendation on why the submission should proceed.
The envisioned goals of the submission should be clearly documented and communicated to assess the benefits versus risks to form a recommendation on why the submission should proceed.
##Incentive Bonus - The amount the payer will increase payment if organization participates in the registry and the date required to submit to achieve.
====Incentive Bonus====
##Penalty Avoidance - The amount payer will decrease payment if organization does not participate in the registry and date required to submit to avoid penalty.
The amount the payer will increase payment if organization participates in the registry and the date required to submit to achieve incentive bonus.
##Accreditation - Criteria required to obtain/retain accreditation
====Penalty Avoidance====
##Quality Objective - Quantifiable benefits due to specified quality goals
The amount payer will decrease payment if organization does not participate in the registry and date required to submit to avoid penalty.
##Research Objective - Quantifiable benefits due to specified research goals
====Accreditation====
#Data is efficiently collected.
Criteria required to obtain/retain accreditation.
##Data quality
====Quality Objective====
###The third-party vendor will provide a quality assurance process to ensure that the collected data is accurate prior to submission.
Quantifiable benefits due to specified quality goals is the quality objective.
###The third party vendor will provide a data dictionary that clearly documents the data elements collected and how they will use those data elements.
====Research Objective====
##Workflow
Quantifiable benefits due to specified research goals is the research objective.
###The data elements documented within the data dictionary will need to be collected as part of a clinical workflow within OneChart.
===Data Collection===
#Data Security
Data is efficiently collected.
##All vendors and sub-contractors that transfer or store Protected Health Information (PHI) need to be covered under a Business Associate Agreement (BAA) (see UNMC Policy No. 8009, [[Contracts]]).
===Secure Storage===
##Ability to track and audit all entities that were sent and accessed files. This includes secondary usages of the data that the third party may be conducting. 
All vendors and sub-contractors that transfer or store PHI need to be covered under a business associate agreement (BAA).
###Must be able to comply with Audit of Electronic Protected Health Information (ePHI) in Information Systems
===Data Policy Committee===
##Transferred and stored files must be encrypted with at least 128-bit and a unique encryption key that is not stored on the server
The Data Policy Committee will review requests and determines if the benefits of participating within the submission outweighs the risk.
###Must comply with File Transfer of Confidential Information Guidelines
##Access to the system needs to use user authentication through integration with Active Directory or LDAP
##Transferred and stored data shall not be portable and there shall be restrictions on the usage of portable storage methods like USB drives or exports to flat files
##The vendor shall provide appropriate cyber liability coverage that covers the Organization in the event of a security or privacy breach and shall provide coverage for the following scenarios:
###Allowing, or failing to prevent, unauthorized access to the system
###Costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers
###Costs associated with restoring, updating or replacing assets stored electronically
###Business interruption and extra expense related to a security or privacy breach
###Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media
###Expenses related to cyber extortion or cyber terrorism
###Coverage for expenses related to regulatory compliance for errors
##PHI protections
###Compliance with section 164.514(a) of the HIPAA Privacy Rule which provides the standard for de-identification of protected health information by usage of either the “Expert Determination” method or the “Safe Harbor” method
####The system shall apply the standard for de-identification method to both discrete and non-discrete data sets (e.g. narrative notes).
###Upon the event of terminating the relationship with a third party, all PHI data shall be removed from the system.
###The third party does not have the right to use PHI data in any manner outside the explicit purpose of the submission (e.g. cannot re-sell PHI data to another party).
###The system shall be able to remove a patient’s PHI data in the event the patient wants to be excluded from the registry after we begin submitting data to the third party.
==Procedures==
#The requestor submits a request that documents how the third-party registry will comply with the principles above.
#The Data and Governance Policy Committee (Subcommittee of IM Governance Cabinet Research Committee) reviews the requests and determines if the benefits of participating within the submission outweighs the risk.
==Definitions==
==Definitions==
'''Affiliated Covered Entity (ACE)''' - legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current Nebraska Medical ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.
===Affiliated Covered Entity (ACE)===
 
Legally separate covered entities that are affiliated and designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. Access and amendment rights apply to designated record sets throughout the ACE.
'''Data Elements''' – the items collected by a third party registry.
 
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:
*is created or received by ACE and
*relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
 
'''Registry''' - an organized system that uses observational study methods to collect uniform data (clinical and other) to evaluate specified outcomes for a population defined by a particular disease, condition, or exposure, and that serves a predetermined scientific, clinical, or policy purpose(s) - Workman, T. (n.d.). Retrieved November 10, 2015, from [http://www.ncbi.nlm.nih.gov/books/NBK164514/ http://www.ncbi.nlm.nih.gov/books/NBK164514/].
 
'''Third Party Registry''' – an external entity that collects data for quality or research objectives.


===Data Elements===
The items collected by a third-party registry.
===Organization===
'''Do you want to define? It's only used twice, but if it's going to be used, should it be? Or should it be taken out and replaced with "Nebraska/Medicine or ACE in the text?'''
===Protected Health Information (PHI)===
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
*is created or received by UNMC/ACE; and
*relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):
*an Individual’s genetic tests;
*the genetic tests of an Individual’s family members; or
*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
*any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.
PHI excludes:
*individually identifiable health information of a person who has been deceased for more than fifty (50) years.
*education records covered by the Family Educational Rights and Privacy Act (FERPA); and
*employment records held by UNMC in its role as employer.
===Registry===
An organized system that uses observational study methods to collect uniform data (clinical and other) to evaluate specified outcomes for a population defined by a particular disease, condition, or exposure, and that serves a predetermined scientific, clinical, or policy purpose(s). (Workman, T.A. (n.d.). Retrieved September 20, 2022, from [http://www.ncbi.nlm.nih.gov/books/NBK164514/ http://www.ncbi.nlm.nih.gov/books/NBK164514/]).
===Third Party Registry===
An external entity that collects data for quality or research objectives.
==Additional Information==
==Additional Information==
*Contact [mailto:infosecurity@unmc.edu infosecurity@unmc.edu] or 402.559.2545.
*Contact [https://support.security.unmc.edu Office of Information Security] or 402.559.2545.
*UNMC Policy No. 6045, [http://wiki.unmc.edu/index.php?title=Privacy/Confidentiality Privacy, Confidentiality and Information Security]
*UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy/Confidentiality]
*UNMC Policy No. 6051, [http://wiki.unmc.edu/index.php?title=Computer_Use/Electronic_Information Computer Use and Electronic Information Security]
*UNMC Policy No. 6051, [https://wiki.unmc.edu/index.php/Computer_Use/Electronic_Information Computer_Use/Electronic_Information]
*[http://www.unmc.edu/its/security/procedures/thirdparty.html Third Party Registry Procedure]
*UNMC Policy No. 8009, [https://wiki.unmc.edu/index.php/Contracts Contracts]
*[http://www.unmc.edu/its/security/forms.html Third Party Registry Form]
*Procedure for UNMC Policies No. 6051 and 6057, [https://info.unmc.edu/its-security/policies/procedures/electronic-comm-phi.html Electronic Communication of Protected Health Information]
*[https://info.unmc.edu/its-security/policies/procedures/thirdparty.html Third Party Registry Procedure]
*[https://wiki.unmc.edu/index.php/Business_Associate_Agreements_and_Addendums_Procedures Business Associate Agreements and Addendums Procedures]
*[https://app1.unmc.edu/forms/its/third_party_registry.cfm Third Party Registry Form]
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53]
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996] (HIPAA)
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]


This page maintained by [mailto:dpanowic@unmc.edu dkp].
This page maintained by [mailto:dpanowic@unmc.edu dkp].

Latest revision as of 15:10, August 1, 2023

Human Resources   Safety/Security   Research Compliance   Compliance   Privacy/Information Security   Business Operations   Intellectual Property   Faculty


Identification Card | Secure Area Card Access | Privacy/Confidentiality | Computer Use/Electronic Information | Retention and Destruction/Disposal of Private and Confidential Information | Use and Disclosure of Protected Health Information | Notice of Privacy Practices | Access to Designated Record Set | Accounting of PHI Disclosures | Patient/Consumer Complaints | Vendors | Fax Transmissions | Psychotherapy Notes | Facility Security | Conditions of Treatment Form | Informed Consent for UNMC Media | Transporting Protected Health Information | Honest Broker | Social Security Number | Third Party Registry | Information Security Awareness and Training | Patient Privacy Investigations and Levels of Violation | Use and Disclosure of PHI for Training Health Care Professionals | Disclosures of PHI as Permitted or Required by Law | Disclosure of PHI for Law Enforcement Purposes

Policy No.: 6300
Effective Date: 06/27/16
Revised Date: draft 09/20/22
Revised Date:

Third Party Registry Selection Policy

Basis for Policy

Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. NIST Special Publication 800-53 and the HIPAA Security Rule outline considerations for the access control family of security controls.

Policy

The following serve as the guiding principles to follow when selecting a third-party vendor:

  1. Organizational Goals - the envisioned goals of the submission shall be clearly documented and communicated to assess the benefits versus risks to form a recommendation on why the submission should proceed.
    1. Incentive Bonus - The amount the payer will increase payment if organization participates in the registry and the date required to submit to achieve.
    2. Penalty Avoidance - The amount payer will decrease payment if organization does not participate in the registry and date required to submit to avoid penalty.
    3. Accreditation - Criteria required to obtain/retain accreditation
    4. Quality Objective - Quantifiable benefits due to specified quality goals
    5. Research Objective - Quantifiable benefits due to specified research goals
  2. Data is efficiently collected.
    1. Data quality
      1. The third-party vendor will provide a quality assurance process to ensure that the collected data is accurate prior to submission.
      2. The third party vendor will provide a data dictionary that clearly documents the data elements collected and how they will use those data elements.
    2. Workflow
      1. The data elements documented within the data dictionary will need to be collected as part of a clinical workflow within OneChart.
  3. Data Security
    1. All vendors and sub-contractors that transfer or store Protected Health Information (PHI) need to be covered under a Business Associate Agreement (BAA) (see UNMC Policy No. 8009, Contracts).
    2. Ability to track and audit all entities that were sent and accessed files. This includes secondary usages of the data that the third party may be conducting.
      1. Must be able to comply with Audit of Electronic Protected Health Information (ePHI) in Information Systems
    3. Transferred and stored files must be encrypted with at least 128-bit and a unique encryption key that is not stored on the server
      1. Must comply with File Transfer of Confidential Information Guidelines
    4. Access to the system needs to use user authentication through integration with Active Directory or LDAP
    5. Transferred and stored data shall not be portable and there shall be restrictions on the usage of portable storage methods like USB drives or exports to flat files
    6. The vendor shall provide appropriate cyber liability coverage that covers the Organization in the event of a security or privacy breach and shall provide coverage for the following scenarios:
      1. Allowing, or failing to prevent, unauthorized access to the system
      2. Costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers
      3. Costs associated with restoring, updating or replacing assets stored electronically
      4. Business interruption and extra expense related to a security or privacy breach
      5. Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media
      6. Expenses related to cyber extortion or cyber terrorism
      7. Coverage for expenses related to regulatory compliance for errors
    7. PHI protections
      1. Compliance with section 164.514(a) of the HIPAA Privacy Rule which provides the standard for de-identification of protected health information by usage of either the “Expert Determination” method or the “Safe Harbor” method
        1. The system shall apply the standard for de-identification method to both discrete and non-discrete data sets (e.g. narrative notes).
      2. Upon the event of terminating the relationship with a third party, all PHI data shall be removed from the system.
      3. The third party does not have the right to use PHI data in any manner outside the explicit purpose of the submission (e.g. cannot re-sell PHI data to another party).
      4. The system shall be able to remove a patient’s PHI data in the event the patient wants to be excluded from the registry after we begin submitting data to the third party.

Procedures

  1. The requestor submits a request that documents how the third-party registry will comply with the principles above.
  2. The Data and Governance Policy Committee (Subcommittee of IM Governance Cabinet Research Committee) reviews the requests and determines if the benefits of participating within the submission outweighs the risk.

Definitions

Affiliated Covered Entity (ACE)

Legally separate covered entities that are affiliated and designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. Access and amendment rights apply to designated record sets throughout the ACE.

Data Elements

The items collected by a third-party registry.

Organization

Do you want to define? It's only used twice, but if it's going to be used, should it be? Or should it be taken out and replaced with "Nebraska/Medicine or ACE in the text?

Protected Health Information (PHI)

Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:

  • is created or received by UNMC/ACE; and
  • relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):

  • an Individual’s genetic tests;
  • the genetic tests of an Individual’s family members; or
  • the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
  • any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.

PHI excludes:

  • individually identifiable health information of a person who has been deceased for more than fifty (50) years.
  • education records covered by the Family Educational Rights and Privacy Act (FERPA); and
  • employment records held by UNMC in its role as employer.

Registry

An organized system that uses observational study methods to collect uniform data (clinical and other) to evaluate specified outcomes for a population defined by a particular disease, condition, or exposure, and that serves a predetermined scientific, clinical, or policy purpose(s). (Workman, T.A. (n.d.). Retrieved September 20, 2022, from http://www.ncbi.nlm.nih.gov/books/NBK164514/).

Third Party Registry

An external entity that collects data for quality or research objectives.

Additional Information

This page maintained by dkp.