Honest Broker: Difference between revisions

From University of Nebraska Medical Center
(25 intermediate revisions by 3 users not shown)
Line 7: Line 7:
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Research Compliance]] </td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Research Compliance]] </td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Compliance]]</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Compliance]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Privacy/Information Security]]</td>
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Business Operations]]</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Business Operations]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Intellectual Property]]</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Intellectual Property]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Faculty]]</td>
</tr>
</tr>
</table>
</table>
<br />
<br />
[[Compliance Program]] | [[Compliance Hotline]] | [[Investigations by Third Parties]] | [[Research Integrity]] | [[Copyright]] | [[Export Control]] | [[Code of Conduct]] | [[Use of Human Anatomical Material]] | [[Clinical Trial Fee Billing Procedures]] | [[Contracts Policy]] | [[Conflict of Interest]] | [[Red Flag Identity Theft Prevention Program]] | [[Principles of Financial Stewardship]] | [[Human Tissue Use & Transfer]] | [[International Research Policy]] | [[Honest Broker]]
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]]
<br /><br />
<br/><br/>
 
Policy No.: '''6074'''<br />
Policy No.: '''8015'''<br />
Effective Date: '''08/26/15'''<br />
Effective Date: '''DRAFT'''<br />
Revised Date: ''' '''<br />
Revised Date: ''' '''<br />
Reviewed Date: ''' ''' <br /><br />
Reviewed Date: ''' ''' <br /><br />


'''<big>Honest Broker Policy</big>''' <br /><br />
'''<big>Honest Broker Policy</big>''' <br /><br />
==Basis for Policy==
==Policy==
==Policy==
UNMC Affiliated Covered Entity (ACE) shall implement an “honest broker” program to ensure compliance with the HIPAA Privacy rules and requirements pertaining to the use and disclosure of protected health information (PHI) and de-identification of PHI used for research and Healthcare Operations as well as any applicable related state laws that are not preempted by HIPAA.
UNMC Affiliated Covered Entity (ACE) shall implement an “honest broker” program to ensure compliance with the HIPAA Privacy rules and requirements pertaining to the use and disclosure of protected health information (PHI) and de-identification of PHI used for research and Healthcare Operations as well as any applicable related state laws that are not preempted by HIPAA.
==Basis==
As a healthcare provider UNMC is committed to the appropriate use of protected health information pursuant to the HIPAA Privacy Rule.
==Purpose==
==Purpose==
The purpose of the Honest Broker Policy is to establish standard operating procedures for de-identification of PHI for the purpose of safely and securely linking together or sharing clinical data to support research in compliance with HIPAA and IRB requirements.
The purpose of the Honest Broker Policy is to establish standard operating procedures for de-identification of PHI for the purpose of safely and securely linking together or sharing clinical data to support research in compliance with HIPAA and IRB requirements.
==Definitions==
==Definitions==
===Affiliated Covered Entity (ACE)===
===Affiliated Covered Entity (ACE)===
Legally separate covered entities have designated themselves as a single covered entity for the purpose of HIPAA Compliance. Current UNMC ACE members are: UNMC, Nebraska Medicine, UNMC Physicians, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.
Legally separate covered entities have designated themselves as a single covered entity for the purpose of HIPAA Compliance. Current UNMC ACE members are: UNMC, Nebraska Medicine, UNMC Physicians, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The [http://www.unmc.edu/hipaa/about/notice-privacy-practices.html Notice of Privacy Practices] lists current ACE members.
===Business Associate===
===Business Associate===
A person or entity, other than a member of the workforce of a covered entity, who performs functions on behalf of a covered entity per 45 CFR 160 is a business associate.
A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI in any form, even if PHI is not accessed. Some examples of such services include storage, including cloud storage, claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.
===De-identification===
===De-identification===
De-identification refers to removal of all eighteen (18) of the HIPAA identifiers or any other identifiers which would allow the reasonable possibility for investigators or others to identify patients directly or indirectly to prevent re-identification of patients.
De-identification refers to removal of all eighteen (18) of the HIPAA identifiers or any other identifiers which would allow the reasonable possibility for investigators or others to identify patients directly or indirectly to prevent re-identification of patients.
===Honest Broker===
An Honest Broker is a neutral intermediary (person or system), who is a workforce member and is certified to collect specified health information from the tissue or data bank, remove all patient identifiers, and provide the de-identified health information or tissue to research investigators, clinicians, or other healthcare workforce members, in such a manner that it would not be reasonably possible for any individual to identify the patients directly or indirectly.
===Information Custodian===
===Information Custodian===
All application systems must have an information custodian '''''(IM17, Access Control to Information Technology Resources)''''' who performs the following functions:  '''''(IM29 - Information Custodian Roles and Responsibilities)'''''
All application systems must have an information custodian ([https://info.unmc.edu/its-security/policies/procedures/access-control.html Access Control to Information Technology Resources]) who performs the functions which specify the security properties associated with the application system. This includes the categories of information that users are allowed to read and update. The information custodian is also responsible for classifying data and participating in ensuring the technical and procedural mechanisms implemented are sufficient to secure the data based upon a risk analysis that considers the probability of compromise and its potential business impact.
*Ongoing day to day administration for departmentally owned information systems
 
*Coordination of system upgrades
*End user training
*First tier application support
*Business process owner
*System access and control
*Resource table configuration and application testing
*Business continuity coordination (downtime procedures)
*Interface troubleshooting and error management
*Report development
*Research and development of emerging technologies
*Primary vendor contact
*Change management documentation and communication
*Auditing requirements
*Other duties as mutually agreed upon
===Institutional Review Board (IRB)===
===Institutional Review Board (IRB)===
IRB means the Institutional Review Board of record for the ACE.
IRB means the Institutional Review Board of record for the ACE.
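Review bot: in the Business Associate definition, "on behalf of Nebraska Medicine/UNMC" is narrower than the rest of this hunk, where the policy statement binds the whole UNMC Affiliated Covered Entity and the ACE definition lists four further members. Suggest "on behalf of an ACE member", or a sentence saying the narrower scope is intended, so that a third party handling PHI for one of the other members is clearly inside the definition.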
Line 60: Line 51:
A Limited Data Set means a set of identifiable patient information, as defined by HIPAA, which has limited identifiable information which may be used solely for the purpose of research, public health, or health care operations. A Limited Data Set should be shared only upon execution of a Data Use Agreement, which is an agreement which addresses HIPAA-mandated conditions related to subsequent uses and disclosures of Limited Data Sets.   
A Limited Data Set means a set of identifiable patient information, as defined by HIPAA, which has limited identifiable information which may be used solely for the purpose of research, public health, or health care operations. A Limited Data Set should be shared only upon execution of a Data Use Agreement, which is an agreement which addresses HIPAA-mandated conditions related to subsequent uses and disclosures of Limited Data Sets.   
===Protected Health Information (PHI)===
===Protected Health Information (PHI)===
Protected Health Information means any information whether oral or recorded in any medium created or received by a health care provider, health plan, employer or health care clearinghouse which relates to past, present or future physical or mental health or condition of an individual, or the past, present, or future payment for the provision of health care to an individual for which there is a reasonable basis to believe the information may be used to identify an individual.
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
 
* is created or received by UNMC/ACE; and
* relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
 
PHI includes genetic information, which includes information about:
 
* an Individual’s genetic tests;
* the genetic tests of an Individual’s family members; or
* the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history).
 
 
PHI excludes:
 
* individually identifiable health information of a person who has been deceased for more than fifty (50) years.
* education records covered by the Family Educational Rights and Privacy Act (FERPA); and
* employment records held by UNMC in its role as employer.
 
===IRB Requirements===
===IRB Requirements===
Use of human biological, samples, specimens and data or the like shall be consistent with the requirements, regulations, laws for use of such information and materials.  
Use of human biological, samples, specimens and data or the like shall be consistent with the requirements, regulations, laws for use of such information and materials.  
===Workforce Member===
===Workforce Member===
Workforce member refers to faculty, staff, volunteers, trainees, students, independent contractors and other persons whose conduct in the performance of work the ACE entities, or are under the direct control of an ACE entity.
Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.
==Procedures==
==Procedures==
===Honest Broker Requirements===
===Honest Broker Requirements===
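Review bot: the two wordings of the Workforce Member definition in this hunk differ in who is covered. One lists "faculty, staff, volunteers, trainees, students, independent contractors" working for ACE entities; the other lists "Employees, medical staff, volunteers, trainees and other persons" working for Nebraska Medicine/UNMC. Since the Honest Broker definition requires the broker to be a workforce member, the adopted wording should state explicitly whether students and independent contractors still qualify, and should use the same entity scope (ACE or Nebraska Medicine/UNMC) as the rest of the policy.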
Line 70: Line 78:
*'''De-identified health information''' must not include any of the eighteen identifiers defined by HIPAA, or any other identifiers, that would allow a reasonable possibility for any person to identify the patients directly or indirectly.
*'''De-identified health information''' must not include any of the eighteen identifiers defined by HIPAA, or any other identifiers, that would allow a reasonable possibility for any person to identify the patients directly or indirectly.
*'''Limited Data Sets''': If the health information provided to research investigators is based on a Limited Data Set the investigators must complete and obtain Institutional Review Board (IRB) approval of a UNMC/Nebraska Medicine If the investigator requests changes to the Data Use agreement, the Privacy Office shall review and approve the revisions.  
*'''Limited Data Sets''': If the health information provided to research investigators is based on a Limited Data Set the investigators must complete and obtain Institutional Review Board (IRB) approval of a UNMC/Nebraska Medicine If the investigator requests changes to the Data Use agreement, the Privacy Office shall review and approve the revisions.  
*'''Re-Identification Codes''': The information provided to the investigators/others by the Honest Broker may incorporate linkage codes to permit information collation and/or subsequent inquiries (i.e., a “re-identification code”), however the information linking this re-identification code to the patient’s identity must be retained by the Honest Broker, secured and separate from research/other documents; all subsequent inquiries must be conducted through the Honest Broker and IRB approval.
*'''Re-Identification Codes''': The information provided to the investigators/others by the honest broker may incorporate linkage codes to permit information collation and/or subsequent inquiries (i.e., a “re-identification code”), however the information linking this re-identification code to the patient’s identity must be retained by the honest broker, secured and separate from research/other documents; all subsequent inquiries must be conducted through the honest broker and IRB approval.
===Honest Broker Role===
===Honest Broker Role===
*An Honest Broker will provide a research investigator with a de-identified listing of the health information of potential eligible research subjects. The Honest Broker will retain re-identification codes that permit only the Honest Broker to re-identify the data.
*An honest broker will provide a research investigator with a de-identified listing of the health information of potential eligible research subjects. The honest broker will retain re-identification codes that permit only the honest broker to re-identify the data.
*The Honest Broker may facilitate identification of potential research subjects by contacting patients’ personal physicians who would contact the patients to:
*The honest broker may facilitate identification of potential research subjects by contacting patients’ personal physicians who would contact the patients to:
:*Introduce the research study;
:*Introduce the research study;
:*Ascertain their interest in study participation; and
:*Ascertain their interest in study participation; and
:*Facilitate contact with an investigator or obtain their written authorization to share their interest in study participation with the investigators and to be contacted by them. The Honest Broker would not directly contact the patient.
:*Obtain written authorization to share their interest in study participation with the investigators and allow patients to be contacted by researcher. The honest broker would not directly contact the patient.
:*After secondary review by the Associate Vice Chancellor for Clinical Research, an Honest Broker may provide the research investigator with a list of potentially eligible patients who have agreed to be contacted for research studies they are eligible for based on their election on the Conditions of Treatment form or consistent with the Human Research Protection Program Policy #3.4 “Use of Protected Health Information in Research and Registries” for further information.
:*After secondary review by the Associate Vice Chancellor for Clinical Research, an honest broker may provide the research investigator with a list of potentially eligible patients who have agreed to be contacted for research studies they are eligible for based on their election on the Conditions of Treatment form or consistent with the Human Research Protection Program Policy #3.4 “Use of Protected Health Information in Research” for further information.
*Honest Broker Data Requests: Individuals requesting PHI or de-identified data shall complete the [https://unmcredcap.unmc.edu/redcap/surveys/?s=9TsTE2UGsM UNMC/Nebraska Medicine EHR Service Request Form] (research), the [http://newintranet.nebraskamed.com/AnalyticsRequest/Login.aspx?ReturnUrl=%2fanalyticsrequest%2f Analytics Request Form] (performance improvement) or another similar form.     
*Honest broker Data Requests: Individuals requesting PHI or de-identified data shall complete:
:*the [https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT UNMC/Nebraska Medicine Request for Electronic Health Data Form] (research),  
:*the Nebraska Medicine [http://newintranet.nebraskamed.com/AnalyticsRequest/Login.aspx?ReturnUrl=%2fanalyticsrequest%2f Analytics Request Form] (performance improvement) or  
:*another similar form.     
===Honest Broker Certification Criteria===
===Honest Broker Certification Criteria===
*Appointment: Honest Brokers shall not be a part of the research team for which they are performing honest broker services, unless approved by the ACE Privacy Officer, the Associate Vice Chancellor for Clinical Research and the Chief, Quality/Outcomes Officer.
*Appointment: honest brokers shall not be a part of the research team for which they are performing honest broker services, unless approved by the ACE Privacy Officer, the Associate Vice Chancellor for Clinical Research and the Chief, Quality/Outcomes Officer.
*Education and Training: The proposed Honest Brokers responsible for a research data source must complete education and training, currently mandated by the IRB for all research investigators, prior to submitting an application.  
*Education and Training: The proposed honest brokers responsible for a research data source must complete education and training, currently mandated by the IRB for all research investigators, prior to submitting an application.  
*The individual or the organization or team must submit an [http://www.unmc.edu/hipaa/_documents/application-for-honest-broker-certification.pdf Application for Honest Broker Certification Form] to become part of the UNMC Honest Broker System.
*The individual or the organization or team must submit an [https://www.unmc.edu/hipaa/forms/docs/Honest-Broker-Application.pdf Application for Honest Broker Certification Form] to become part of the UNMC Honest Broker System.
:*The Honest Broker Certification applications are available at http://www.unmc.edu/hipaa/forms/index.html.
:*Applications should be submitted to the Privacy Officer for the ACE.  
:*Applications should be submitted to the Privacy Officer for the ACE.  
*Attestation of Agreement: All Honest Brokers must sign a written agreement that they will abide by all relevant ACE policies including continuing adherence to the ACE Honest Broker certification criteria section of this policy.  
*Attestation of Agreement: All honest brokers must sign a written agreement that they will abide by all relevant ACE policies including continuing adherence to the ACE honest broker certification criteria section of this policy.  
*Certification, Approval, and Maintenance
*Certification, Approval, and Maintenance
:*Initial Review and Approval: The ACE Privacy Officer, the Associate Vice Chancellor for Clinical Research and the Chief, Quality/Outcomes Officer will review and approve Honest Broker applications and related documentation to determine that satisfactory evidence has been presented to meet or exceed the following certification criteria:
:*Initial Review and Approval: The ACE Privacy Officer, the Associate Vice Chancellor for Clinical Research and the Chief, Quality/Outcomes Officer will review and approve honest broker applications and related documentation to determine that satisfactory evidence has been presented to meet or exceed the following certification criteria:
::*Written documentation of the processes and/or systems to be used to develop both fully de-identified health information data sets and limited data sets, for both electronic and paper-based records;
::*Written documentation of the processes and/or systems to be used to develop both fully de-identified health information data sets and limited data sets, for both electronic and paper-based records;
::*Written documentation of policies, procedures and controls necessary for:
::*Written documentation of policies, procedures and controls necessary for:
:::*Compliance with HIPAA, and regulations for human subject protections (45 CFR 46), if applicable.
:::*Compliance with HIPAA, and regulations for human subject protections (45 CFR 46), if applicable.
:::*Security and management of all PHI in the Honest Broker’s possession during the performance of Honest Broker functions;
:::*Security and management of all PHI in the honest broker’s possession during the performance of honest broker functions;
:::*Audits and/or quality checks related to determining the efficacy of de-identification mechanisms;
:::*Audits and/or quality checks related to determining the efficacy of de-identification mechanisms;
:::*Security and management of re-identification keys; and
:::*Security and management of re-identification keys; and
:::*Maintenance and retention of work-product documentation for all work performed (for whom, what was provided, IRB approval info, etc.).   
:::*Maintenance and retention of work-product documentation for all work performed (for whom, what was provided, IRB approval info, etc.).   
:::*Requests for data shall be retained for six (6) years.
:::*Requests for data shall be retained for six (6) years.
*Ongoing Review and Maintenance: Each certified Honest Broker’s individual status will be reviewed at least annually by the Privacy Office. Changes in an Honest Broker’s status should be reported immediately by the sponsoring investigator or team leader.
*Ongoing Review and Maintenance: Each certified honest broker’s individual status will be reviewed at least annually by the Privacy Office. Changes in an honest broker’s status should be reported immediately by the sponsoring investigator or team leader.
*Adding and/or Removing Brokers
*Adding and/or Removing Brokers
:*Adding Brokers:
:*Adding Brokers:
::*New brokers must first complete the education/certification modules as noted in the Honest Broker certification section above.
::*New brokers must first complete the education/certification modules as noted in the honest broker certification section above.
::*In accordance with UNMC/Nebraska Medicine policy, applicants who are not UNMC/Nebraska Medicine employees must complete and sign a business associate agreement (BAA).
::*In accordance with UNMC/Nebraska Medicine policy, applicants who are not UNMC/Nebraska Medicine employees must complete and sign a business associate agreement (BAA).
::*A complete revision of the each unit’s application must be submitted to the Privacy Office with any brokers to be added reflected in the revision. A copy of any relevant BAAs must accompany the revision documents.  
::*A complete revision of each unit’s application must be submitted to the Privacy Office with any brokers to be added reflected in the revision. A copy of any relevant BAAs must accompany the revision documents.  
:*Removing Brokers:  A complete revision of the application must be submitted to the Privacy Office with any brokers to be removed and the reason for the removal reflected in the revision.
:*Removing Brokers:  A complete revision of the application must be submitted to the Privacy Office with any brokers to be removed and the reason for the removal reflected in the revision.
*Duties and Other Requirements of the Honest Broker: In order for a certified Honest Broker to work on behalf of investigators to de-identify PHI that is owned/held by UNMC, the Honest Broker must perform the following UNMC/Nebraska Medicine-defined duties and adhere to the following -defined requirements:
*Duties and Other Requirements of the Honest Broker: In order for a certified honest broker to work on behalf of investigators to de-identify PHI that is owned/held by UNMC, the honest broker must perform the following UNMC/Nebraska Medicine-defined duties and adhere to the following -defined requirements:
:*Non-UNMC/Nebraska Medicine Honest Brokers must execute a Business Associate Agreement (BAA) with UNMC:
:*Non-UNMC/Nebraska Medicine honest brokers must execute a Business Associate Agreement (BAA) with UNMC:
::*The terms of the BAA will specify continuing confidentiality requirements, duties and other expectations UNMC/Nebraska Medicine has of an Honest Broker service. The UNMC/Nebraska Medicine BAA can be viewed at [http://www.unmc.edu/hipaa/forms/index.html http://www.unmc.edu/hipaa/forms/index.html].   
::*The terms of the BAA will specify continuing confidentiality requirements, duties and other expectations UNMC/Nebraska Medicine has of an honest broker service. The UNMC/Nebraska Medicine BAA can be viewed at [http://www.unmc.edu/hipaa/forms/index.html http://www.unmc.edu/hipaa/forms/index.html].   
:*All certified Honest Brokers must ensure that approval of the IRB of record has been obtained for a research study before the Honest Broker acts on a request for PHI (from an investigator that is served by the IRB of record).
:*All certified honest brokers must ensure that approval of the IRB of record has been obtained for a research study before the honest broker acts on a request for PHI (from an investigator that is served by the IRB of record).
:*All certified Honest Brokers must adhere to any and all terms and conditions specified by the IRB of record for any research study for which the Honest Broker will perform services.
:*All certified honest brokers must adhere to any and all terms and conditions specified by the IRB of record for any research study for which the honest broker will perform services.
:*If an investigator requests a Limited Data Set, rather than a fully/completely de-identified data set:
:*If an investigator requests a Limited Data Set, rather than a fully/completely de-identified data set:
::*The IRB of record may require evidence of a completed Data Use Agreement for a Limited Data Set as part of its application process for approval of the proposed research involving the use of a Limited Data Set.
::*The IRB of record may require evidence of a completed Data Use Agreement for a Limited Data Set as part of its application process for approval of the proposed research involving the use of a Limited Data Set.
::*An individual Honest Broker for the investigator must obtain (and retain) evidence of an appropriately executed Data Use Agreement in order to be granted access to the UNMC/Nebraska Medicine-held PHI.
::*An individual honest broker for the investigator must obtain (and retain) evidence of an appropriately executed Data Use Agreement in order to be granted access to the UNMC/Nebraska Medicine-held PHI.
==Additional Information==
==Additional Information==
*Contact the [mailto:tscrogin@unmc.edu Compliance Officer]
*Contact the [mailto:debrbishop@nebraskamed.edu Privacy Officer]
*Contact the Privacy Officer
*[http://www.unmc.edu/hipaa/about/notice-privacy-practices.html Notice of Privacy Practices]
*[http://www.unmc.edu/hipaa/_documents/application-for-honest-broker-certification.pdf Application for Honest Broker Certification Form]
*[https://www.unmc.edu/hipaa/forms/docs/Honest-Broker-Application.pdf Application for Honest Broker Certification Form]
*[http://www.unmc.edu/hipaa/_documents/attestation-of-honest-brokers-responsibilites.pdf Attestation of Honest Brokers Responsibilities Form]
*[http://www.unmc.edu/hipaa/_documents/attestation-of-honest-brokers-responsibilites.pdf Attestation of Honest Brokers Responsibilities Form]
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=9TsTE2UGsM UNMC/Nebraska Medicine EHR Service Request Form]
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=94TLJCCAAT UNMC/Nebraska Medicine Request for Electronic Health Data Form]  
*[http://newintranet.nebraskamed.com/AnalyticsRequest/Login.aspx?ReturnUrl=%2fanalyticsrequest%2f Analytics Request Form]
*Nebraska Medicine [http://newintranet.nebraskamed.com/AnalyticsRequest/Login.aspx?ReturnUrl=%2fanalyticsrequest%2f Analytics Request Form]  
 
*[https://info.unmc.edu/its-security/policies/procedures/access-control.html Access Control to Information Technology Resources]


This page maintained by [mailto:dpanowic@unmc.ed dkp]
This page maintained by [mailto:dpanowic@unmc.ed dkp]
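Review bot: the Limited Data Sets bullet is still broken on both sides of this hunk: "obtain Institutional Review Board (IRB) approval of a UNMC/Nebraska Medicine If the investigator requests changes to the Data Use agreement" is missing the object of "approval of a", so the requirement cannot be read as written. Supply the missing document name and end the sentence before "If the investigator". Two smaller leftovers in the same hunk: "adhere to the following -defined requirements" has lost the word before "-defined", and the maintainer link uses "dpanowic@unmc.ed" while the other address in this hunk ends in "unmc.edu".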

Latest revision as of 08:22, August 16, 2023


Policy No.: 6074
Effective Date: 08/26/15
Revised Date:
Reviewed Date:

Honest Broker Policy

Policy

UNMC Affiliated Covered Entity (ACE) shall implement an “honest broker” program to ensure compliance with the HIPAA Privacy rules and requirements pertaining to the use and disclosure of protected health information (PHI) and de-identification of PHI used for research and Healthcare Operations as well as any applicable related state laws that are not preempted by HIPAA.

Basis

As a healthcare provider, UNMC is committed to the appropriate use of protected health information pursuant to the HIPAA Privacy Rule.

Purpose

The purpose of the Honest Broker Policy is to establish standard operating procedures for de-identification of PHI for the purpose of safely and securely linking together or sharing clinical data to support research in compliance with HIPAA and IRB requirements.

Definitions

Affiliated Covered Entity (ACE)

Legally separate covered entities that have designated themselves as a single covered entity for the purpose of HIPAA compliance. Current UNMC ACE members are: UNMC, Nebraska Medicine, UNMC Physicians, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.

Business Associate

A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI in any form, even if PHI is not accessed. Some examples of such services include storage, including cloud storage, claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.

De-identification

De-identification refers to the removal of all eighteen (18) of the HIPAA identifiers, or any other identifiers that would allow a reasonable possibility for investigators or others to identify patients directly or indirectly, in order to prevent re-identification of patients.

Honest Broker

An Honest Broker is a neutral intermediary (person or system), who is a workforce member and is certified to collect specified health information from the tissue or data bank, remove all patient identifiers, and provide the de-identified health information or tissue to research investigators, clinicians, or other healthcare workforce members, in such a manner that it would not be reasonably possible for any individual to identify the patients directly or indirectly.

Information Custodian

All application systems must have an information custodian (Access Control to Information Technology Resources) who performs the functions which specify the security properties associated with the application system. This includes the categories of information that users are allowed to read and update. The information custodian is also responsible for classifying data and participating in ensuring the technical and procedural mechanisms implemented are sufficient to secure the data based upon a risk analysis that considers the probability of compromise and its potential business impact.

Institutional Review Board (IRB)

IRB means the Institutional Review Board of record for the ACE.

Limited Data Sets

A Limited Data Set means a set of identifiable patient information, as defined by HIPAA, that contains limited identifiable information and may be used solely for the purpose of research, public health, or health care operations. A Limited Data Set should be shared only upon execution of a Data Use Agreement, an agreement that addresses HIPAA-mandated conditions related to subsequent uses and disclosures of Limited Data Sets.

Protected Health Information (PHI)

Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:

  • is created or received by UNMC/ACE; and
  • relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual; and
  • identifies the Individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

PHI includes genetic information, which includes information about:

  • an Individual’s genetic tests;
  • the genetic tests of an Individual’s family members; or
  • the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history).


PHI excludes:

  • individually identifiable health information of a person who has been deceased for more than fifty (50) years;
  • education records covered by the Family Educational Rights and Privacy Act (FERPA); and
  • employment records held by UNMC in its role as employer.

IRB Requirements

Use of human biological samples, specimens and data or the like shall be consistent with the requirements, regulations and laws for use of such information and materials.

Workforce Member

Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.

Procedures

Honest Broker Requirements

The ACE will comply with the HIPAA Privacy Rule requirements pertaining to the use and disclosure of protected health information (PHI) and de-identification of PHI used for research and healthcare operations as well as any applicable related state laws that are not preempted by HIPAA and IRB Requirements.

  • De-identified health information must not include any of the eighteen identifiers defined by HIPAA, or any other identifiers, that would allow a reasonable possibility for any person to identify the patients directly or indirectly.
  • Limited Data Sets: If the health information provided to research investigators is based on a Limited Data Set the investigators must complete and obtain Institutional Review Board (IRB) approval of a UNMC/Nebraska Medicine If the investigator requests changes to the Data Use agreement, the Privacy Office shall review and approve the revisions.
  • Re-Identification Codes: The information provided to the investigators/others by the honest broker may incorporate linkage codes to permit information collation and/or subsequent inquiries (i.e., a “re-identification code”), however the information linking this re-identification code to the patient’s identity must be retained by the honest broker, secured and separate from research/other documents; all subsequent inquiries must be conducted through the honest broker and IRB approval.

Honest Broker Role

  • An honest broker will provide a research investigator with a de-identified listing of the health information of potential eligible research subjects. The honest broker will retain re-identification codes that permit only the honest broker to re-identify the data.
  • The honest broker may facilitate identification of potential research subjects by contacting patients’ personal physicians, who would contact the patients to:
    • Introduce the research study;
    • Ascertain their interest in study participation; and
    • Obtain written authorization to share their interest in study participation with the investigators and allow patients to be contacted by the researcher. The honest broker would not directly contact the patient.
  • After secondary review by the Associate Vice Chancellor for Clinical Research, an honest broker may provide the research investigator with a list of potentially eligible patients who have agreed to be contacted for research studies they are eligible for based on their election on the Conditions of Treatment form or consistent with the Human Research Protection Program Policy #3.4 “Use of Protected Health Information in Research” for further information.
  • Honest broker Data Requests: Individuals requesting PHI or de-identified data shall complete:

Honest Broker Certification Criteria

  • Appointment: honest brokers shall not be a part of the research team for which they are performing honest broker services, unless approved by the ACE Privacy Officer, the Associate Vice Chancellor for Clinical Research and the Chief, Quality/Outcomes Officer.
  • Education and Training: The proposed honest brokers responsible for a research data source must complete education and training, currently mandated by the IRB for all research investigators, prior to submitting an application.
  • The individual or the organization or team must submit an Application for Honest Broker Certification Form to become part of the UNMC Honest Broker System.
  • Applications should be submitted to the Privacy Officer for the ACE.
  • Attestation of Agreement: All honest brokers must sign a written agreement that they will abide by all relevant ACE policies including continuing adherence to the ACE honest broker certification criteria section of this policy.
  • Certification, Approval, and Maintenance
    • Initial Review and Approval: The ACE Privacy Officer, the Associate Vice Chancellor for Clinical Research and the Chief, Quality/Outcomes Officer will review and approve honest broker applications and related documentation to determine that satisfactory evidence has been presented to meet or exceed the following certification criteria:
      • Written documentation of the processes and/or systems to be used to develop both fully de-identified health information data sets and limited data sets, for both electronic and paper-based records;
      • Written documentation of policies, procedures and controls necessary for:
        • Compliance with HIPAA, and regulations for human subject protections (45 CFR 46), if applicable;
        • Security and management of all PHI in the honest broker’s possession during the performance of honest broker functions;
        • Audits and/or quality checks related to determining the efficacy of de-identification mechanisms;
        • Security and management of re-identification keys; and
        • Maintenance and retention of work-product documentation for all work performed (for whom, what was provided, IRB approval info, etc.).
        • Requests for data shall be retained for six (6) years.
    • Ongoing Review and Maintenance: Each certified honest broker’s individual status will be reviewed at least annually by the Privacy Office. Changes in an honest broker’s status should be reported immediately by the sponsoring investigator or team leader.
  • Adding and/or Removing Brokers
    • Adding Brokers:
      • New brokers must first complete the education/certification modules as noted in the honest broker certification section above.
      • In accordance with UNMC/Nebraska Medicine policy, applicants who are not UNMC/Nebraska Medicine employees must complete and sign a business associate agreement (BAA).
      • A complete revision of each unit’s application must be submitted to the Privacy Office with any brokers to be added reflected in the revision. A copy of any relevant BAAs must accompany the revision documents.
    • Removing Brokers: A complete revision of the application must be submitted to the Privacy Office with any brokers to be removed and the reason for the removal reflected in the revision.
  • Duties and Other Requirements of the Honest Broker: In order for a certified honest broker to work on behalf of investigators to de-identify PHI that is owned/held by UNMC, the honest broker must perform the following UNMC/Nebraska Medicine-defined duties and adhere to the following -defined requirements:
    • Non-UNMC/Nebraska Medicine honest brokers must execute a Business Associate Agreement (BAA) with UNMC:
      • The terms of the BAA will specify continuing confidentiality requirements, duties and other expectations UNMC/Nebraska Medicine has of an honest broker service. The UNMC/Nebraska Medicine BAA can be viewed at http://www.unmc.edu/hipaa/forms/index.html.
    • All certified honest brokers must ensure that approval of the IRB of record has been obtained for a research study before the honest broker acts on a request for PHI (from an investigator that is served by the IRB of record).
    • All certified honest brokers must adhere to any and all terms and conditions specified by the IRB of record for any research study for which the honest broker will perform services.
    • If an investigator requests a Limited Data Set, rather than a fully/completely de-identified data set:
      • The IRB of record may require evidence of a completed Data Use Agreement for a Limited Data Set as part of its application process for approval of the proposed research involving the use of a Limited Data Set.
      • An individual honest broker for the investigator must obtain (and retain) evidence of an appropriately executed Data Use Agreement in order to be granted access to the UNMC/Nebraska Medicine-held PHI.

Additional Information

This page maintained by dkp