433
edits
No edit summary |
Mhurlocker (talk | contribs) |
||
(28 intermediate revisions by 3 users not shown) | |||
Line 7: | Line 7: | ||
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Research Compliance]] </td> | <td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Research Compliance]] </td> | ||
<td style="border-bottom:2px solid #A3B1BF" width="3"> </td> | <td style="border-bottom:2px solid #A3B1BF" width="3"> </td> | ||
<td style="padding:0.5em; background-color: | <td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Compliance]]</td> | ||
<td style="border-bottom:2px solid #A3B1BF" width="3"> </td> | <td style="border-bottom:2px solid #A3B1BF" width="3"> </td> | ||
<td style="padding:0.5em; background-color: | <td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td> | ||
<td style="border-bottom:2px solid #A3B1BF" width="3"> </td> | <td style="border-bottom:2px solid #A3B1BF" width="3"> </td> | ||
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Business Operations]]</td> | <td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Business Operations]]</td> | ||
<td style="border-bottom:2px solid #A3B1BF" width="3"> </td> | <td style="border-bottom:2px solid #A3B1BF" width="3"> </td> | ||
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Intellectual Property]]</td> | <td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Intellectual Property]]</td> | ||
<td style="border-bottom:2px solid #A3B1BF" width="3"> </td> | |||
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" | |||
width="20">[[Faculty]]</td> | |||
</tr> | </tr> | ||
</table> | </table> | ||
<br /> | <br /> | ||
[[ | [[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]] | ||
<br /><br /> | <br/><br/> | ||
Policy No.: '''6074'''<br /> | |||
Policy No.: ''' | Effective Date: '''08/26/15'''<br /> | ||
Effective Date: ''' | |||
Revised Date: ''' '''<br /> | Revised Date: ''' '''<br /> | ||
Reviewed Date: ''' ''' <br /><br /> | Reviewed Date: ''' ''' <br /><br /> | ||
'''<big>Honest Broker</big>''' <br /><br /> | '''<big>Honest Broker Policy</big>''' <br /><br /> | ||
==Policy== | ==Policy== | ||
UNMC Affiliated Covered Entity (ACE) shall implement an “honest broker” program to ensure compliance with the HIPAA Privacy rules and requirements pertaining to the use and disclosure of protected health information (PHI) and de-identification of PHI used for research and Healthcare Operations as well as any applicable related state laws that are not preempted by HIPAA. | UNMC Affiliated Covered Entity (ACE) shall implement an “honest broker” program to ensure compliance with the HIPAA Privacy rules and requirements pertaining to the use and disclosure of protected health information (PHI) and de-identification of PHI used for research and Healthcare Operations as well as any applicable related state laws that are not preempted by HIPAA. | ||
==Basis== | |||
As a healthcare provider UNMC is committed to the appropriate use of protected health information pursuant to the HIPAA Privacy Rule. | |||
==Purpose== | ==Purpose== | ||
The purpose of the Honest Broker Policy is to establish standard operating procedures for de-identification of PHI for the purpose of safely and securely linking together or sharing clinical data to support research in compliance with HIPAA and IRB requirements. | The purpose of the Honest Broker Policy is to establish standard operating procedures for de-identification of PHI for the purpose of safely and securely linking together or sharing clinical data to support research in compliance with HIPAA and IRB requirements. | ||
==Definitions== | ==Definitions== | ||
===Affiliated Covered Entity (ACE)=== | ===Affiliated Covered Entity (ACE)=== | ||
Legally separate covered entities have designated themselves as a single covered entity for the purpose of HIPAA Compliance. Current UNMC ACE members are: UNMC, Nebraska Medicine, UNMC Physicians, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. | Legally separate covered entities have designated themselves as a single covered entity for the purpose of HIPAA Compliance. Current UNMC ACE members are: UNMC, Nebraska Medicine, UNMC Physicians, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The [http://www.unmc.edu/hipaa/about/notice-privacy-practices.html Notice of Privacy Practices] lists current ACE members. | ||
===Business Associate=== | ===Business Associate=== | ||
A | A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI in any form, even if PHI is not accessed. Some examples of such services include storage, including cloud storage, claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing. | ||
===De-identification=== | ===De-identification=== | ||
De-identification refers to removal of all 18 of the HIPAA identifiers or any other identifiers which would allow the reasonable possibility for investigators or others to identify patients directly or indirectly to prevent re-identification of patients. | De-identification refers to removal of all eighteen (18) of the HIPAA identifiers or any other identifiers which would allow the reasonable possibility for investigators or others to identify patients directly or indirectly to prevent re-identification of patients. | ||
===Honest Broker=== | |||
An Honest Broker is a neutral intermediary (person or system), who is a workforce member and is certified to collect specified health information from the tissue or data bank, remove all patient identifiers, and provide the de-identified health information or tissue to research investigators, clinicians, or other healthcare workforce members, in such a manner that it would not be reasonably possible for any individual to identify the patients directly or indirectly. | |||
===Information Custodian=== | ===Information Custodian=== | ||
All application systems must have an information custodian | All application systems must have an information custodian ([https://info.unmc.edu/its-security/policies/procedures/access-control.html Access Control to Information Technology Resources]) who performs the functions which specify the security properties associated with the application system. This includes the categories of information that users are allowed to read and update. The information custodian is also responsible for classifying data and participating in ensuring the technical and procedural mechanisms implemented are sufficient to secure the data based upon a risk analysis that considers the probability of compromise and its potential business impact. | ||
===Institutional Review Board (IRB)=== | ===Institutional Review Board (IRB)=== | ||
IRB means the Institutional Review Board of record for the ACE. | IRB means the Institutional Review Board of record for the ACE. | ||
Line 60: | Line 51: | ||
A Limited Data Set means a set of identifiable patient information, as defined by HIPAA, which has limited identifiable information which may be used solely for the purpose of research, public health, or health care operations. A Limited Data Set should be shared only upon execution of a Data Use Agreement, which is an agreement which addresses HIPAA-mandated conditions related to subsequent uses and disclosures of Limited Data Sets. | A Limited Data Set means a set of identifiable patient information, as defined by HIPAA, which has limited identifiable information which may be used solely for the purpose of research, public health, or health care operations. A Limited Data Set should be shared only upon execution of a Data Use Agreement, which is an agreement which addresses HIPAA-mandated conditions related to subsequent uses and disclosures of Limited Data Sets. | ||
===Protected Health Information (PHI)=== | ===Protected Health Information (PHI)=== | ||
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that: | |||
* is created or received by UNMC/ACE; and | |||
* relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual. | |||
PHI includes genetic information, which includes information about: | |||
* an Individual’s genetic tests; | |||
* the genetic tests of an Individual’s family members; or | |||
* the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history). | |||
PHI excludes: | |||
* individually identifiable health information of a person who has been deceased for more than fifty (50) years. | |||
* education records covered by the Family Educational Rights and Privacy Act (FERPA); and | |||
* employment records held by UNMC in its role as employer. | |||
===IRB Requirements=== | ===IRB Requirements=== | ||
Use of human biological, samples, specimens and data or the like shall be consistent with the requirements, regulations, laws for use of such information and materials. | Use of human biological, samples, specimens and data or the like shall be consistent with the requirements, regulations, laws for use of such information and materials. | ||
===Workforce Member=== | ===Workforce Member=== | ||
Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC. | |||
==Procedures== | ==Procedures== | ||
===Honest Broker Requirements=== | ===Honest Broker Requirements=== | ||
Line 70: | Line 78: | ||
*'''De-identified health information''' must not include any of the eighteen identifiers defined by HIPAA, or any other identifiers, that would allow a reasonable possibility for any person to identify the patients directly or indirectly. | *'''De-identified health information''' must not include any of the eighteen identifiers defined by HIPAA, or any other identifiers, that would allow a reasonable possibility for any person to identify the patients directly or indirectly. | ||
*'''Limited Data Sets''': If the health information provided to research investigators is based on a Limited Data Set the investigators must complete and obtain Institutional Review Board (IRB) approval of a UNMC/Nebraska Medicine If the investigator requests changes to the Data Use agreement, the Privacy Office shall review and approve the revisions. | *'''Limited Data Sets''': If the health information provided to research investigators is based on a Limited Data Set the investigators must complete and obtain Institutional Review Board (IRB) approval of a UNMC/Nebraska Medicine If the investigator requests changes to the Data Use agreement, the Privacy Office shall review and approve the revisions. | ||
*'''Re-Identification Codes''': The information provided to the investigators/others by the | *'''Re-Identification Codes''': The information provided to the investigators/others by the honest broker may incorporate linkage codes to permit information collation and/or subsequent inquiries (i.e., a “re-identification code”), however the information linking this re-identification code to the patient’s identity must be retained by the honest broker, secured and separate from research/other documents; all subsequent inquiries must be conducted through the honest broker and IRB approval. | ||
===Honest Broker Role=== | ===Honest Broker Role=== | ||
*An | *An honest broker will provide a research investigator with a de-identified listing of the health information of potential eligible research subjects. The honest broker will retain re-identification codes that permit only the honest broker to re-identify the data. | ||
*The | *The honest broker may facilitate identification of potential research subjects by contacting patients’ personal physicians who would contact the patients to: | ||
:*Introduce the research study; | :*Introduce the research study; | ||
:*Ascertain their interest in study participation; and | :*Ascertain their interest in study participation; and | ||
:* | :*Obtain written authorization to share their interest in study participation with the investigators and allow patients to be contacted by researcher. The honest broker would not directly contact the patient. | ||
:*After secondary review by the Associate Vice Chancellor for Clinical Research, an | :*After secondary review by the Associate Vice Chancellor for Clinical Research, an honest broker may provide the research investigator with a list of potentially eligible patients who have agreed to be contacted for research studies they are eligible for based on their election on the Conditions of Treatment form or consistent with the Human Research Protection Program Policy #3.4 “Use of Protected Health Information in Research” for further information. | ||
*Honest broker Data Requests: Individuals requesting PHI or de-identified data shall complete: | |||
UNMC | :*the [https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT UNMC/Nebraska Medicine Request for Electronic Health Data Form] (research), | ||
:*the Nebraska Medicine [http://newintranet.nebraskamed.com/AnalyticsRequest/Login.aspx?ReturnUrl=%2fanalyticsrequest%2f Analytics Request Form] (performance improvement) or | |||
Nebraska Medicine | :*another similar form. | ||
===Honest Broker Certification Criteria=== | |||
*Appointment: honest brokers shall not be a part of the research team for which they are performing honest broker services, unless approved by the ACE Privacy Officer, the Associate Vice Chancellor for Clinical Research and the Chief, Quality/Outcomes Officer. | |||
*Education and Training: The proposed honest brokers responsible for a research data source must complete education and training, currently mandated by the IRB for all research investigators, prior to submitting an application. | |||
*The individual or the organization or team must submit an [https://www.unmc.edu/hipaa/forms/docs/Honest-Broker-Application.pdf Application for Honest Broker Certification Form] to become part of the UNMC Honest Broker System. | |||
:*Applications should be submitted to the Privacy Officer for the ACE. | |||
*Attestation of Agreement: All honest brokers must sign a written agreement that they will abide by all relevant ACE policies including continuing adherence to the ACE honest broker certification criteria section of this policy. | |||
*Certification, Approval, and Maintenance | |||
:*Initial Review and Approval: The ACE Privacy Officer, the Associate Vice Chancellor for Clinical Research and the Chief, Quality/Outcomes Officer will review and approve honest broker applications and related documentation to determine that satisfactory evidence has been presented to meet or exceed the following certification criteria: | |||
::*Written documentation of the processes and/or systems to be used to develop both fully de-identified health information data sets and limited data sets, for both electronic and paper-based records; | |||
::*Written documentation of policies, procedures and controls necessary for: | |||
:::*Compliance with HIPAA, and regulations for human subject protections (45 CFR 46), if applicable. | |||
:::*Security and management of all PHI in the honest broker’s possession during the performance of honest broker functions; | |||
:::*Audits and/or quality checks related to determining the efficacy of de-identification mechanisms; | |||
:::*Security and management of re-identification keys; and | |||
:::*Maintenance and retention of work-product documentation for all work performed (for whom, what was provided, IRB approval info, etc.). | |||
:::*Requests for data shall be retained for six (6) years. | |||
*Ongoing Review and Maintenance: Each certified honest broker’s individual status will be reviewed at least annually by the Privacy Office. Changes in an honest broker’s status should be reported immediately by the sponsoring investigator or team leader. | |||
*Adding and/or Removing Brokers | |||
:*Adding Brokers: | |||
::*New brokers must first complete the education/certification modules as noted in the honest broker certification section above. | |||
::*In accordance with UNMC/Nebraska Medicine policy, applicants who are not UNMC/Nebraska Medicine employees must complete and sign a business associate agreement (BAA). | |||
::*A complete revision of each unit’s application must be submitted to the Privacy Office with any brokers to be added reflected in the revision. A copy of any relevant BAAs must accompany the revision documents. | |||
:*Removing Brokers: A complete revision of the application must be submitted to the Privacy Office with any brokers to be removed and the reason for the removal reflected in the revision. | |||
*Duties and Other Requirements of the Honest Broker: In order for a certified honest broker to work on behalf of investigators to de-identify PHI that is owned/held by UNMC, the honest broker must perform the following UNMC/Nebraska Medicine-defined duties and adhere to the following -defined requirements: | |||
:*Non-UNMC/Nebraska Medicine honest brokers must execute a Business Associate Agreement (BAA) with UNMC: | |||
::*The terms of the BAA will specify continuing confidentiality requirements, duties and other expectations UNMC/Nebraska Medicine has of an honest broker service. The UNMC/Nebraska Medicine BAA can be viewed at [http://www.unmc.edu/hipaa/forms/index.html http://www.unmc.edu/hipaa/forms/index.html]. | |||
:*All certified honest brokers must ensure that approval of the IRB of record has been obtained for a research study before the honest broker acts on a request for PHI (from an investigator that is served by the IRB of record). | |||
:*All certified honest brokers must adhere to any and all terms and conditions specified by the IRB of record for any research study for which the honest broker will perform services. | |||
:*If an investigator requests a Limited Data Set, rather than a fully/completely de-identified data set: | |||
::*The IRB of record may require evidence of a completed Data Use Agreement for a Limited Data Set as part of its application process for approval of the proposed research involving the use of a Limited Data Set. | |||
::*An individual honest broker for the investigator must obtain (and retain) evidence of an appropriately executed Data Use Agreement in order to be granted access to the UNMC/Nebraska Medicine-held PHI. | |||
==Additional Information== | |||
*Contact the [mailto:debrbishop@nebraskamed.edu Privacy Officer] | |||
*[http://www.unmc.edu/hipaa/about/notice-privacy-practices.html Notice of Privacy Practices] | |||
*[https://www.unmc.edu/hipaa/forms/docs/Honest-Broker-Application.pdf Application for Honest Broker Certification Form] | |||
*[http://www.unmc.edu/hipaa/_documents/attestation-of-honest-brokers-responsibilites.pdf Attestation of Honest Brokers Responsibilities Form] | |||
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT UNMC/Nebraska Medicine Request for Electronic Health Data Form] | |||
*Nebraska Medicine [http://newintranet.nebraskamed.com/AnalyticsRequest/Login.aspx?ReturnUrl=%2fanalyticsrequest%2f Analytics Request Form] | |||
*[https://info.unmc.edu/its-security/policies/procedures/access-control.html Access Control to Information Technology Resources] | |||
This page maintained by [mailto:dpanowic@unmc.ed dkp] | This page maintained by [mailto:dpanowic@unmc.ed dkp] |