Honest Broker: Difference between revisions

no edit summary
No edit summary
No edit summary
Line 33: Line 33:
==Definitions==
==Definitions==
===Affiliated Covered Entity (ACE)===
===Affiliated Covered Entity (ACE)===
Legally separate covered entities have designated themselves as a single covered entity for the purpose of HIPAA Compliance. Current UNMC ACE members are: UNMC, Nebraska Medicine, UNMC Physicians, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.
Legally separate covered entities have designated themselves as a single covered entity for the purpose of HIPAA Compliance. Current UNMC ACE members are: UNMC, Nebraska Medicine, UNMC Physicians, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The [http://www.unmc.edu/hipaa/about/notice-privacy-practices.html Notice of Privacy Practices] lists current ACE members.
===Business Associate===
===Business Associate===
A person or entity, other than a member of the workforce of a covered entity, who performs functions on behalf of a covered entity per 45 CFR 160 is a business associate.
A person or entity, other than a member of the workforce of a covered entity, who performs functions on behalf of a covered entity per 45 CFR 160 is a business associate.
===De-identification===
===De-identification===
De-identification refers to removal of all eighteen (18) of the HIPAA identifiers or any other identifiers which would allow the reasonable possibility for investigators or others to identify patients directly or indirectly to prevent re-identification of patients.
De-identification refers to removal of all eighteen (18) of the HIPAA identifiers or any other identifiers which would allow the reasonable possibility for investigators or others to identify patients directly or indirectly to prevent re-identification of patients.
===Honest Broker===
An Honest Broker is a neutral intermediary (person or system), who is a workforce member and is certified to collect specified health information from the tissue or data bank, remove all patient identifiers, and provide the de-identified health information or tissue to research investigators, clinicians, or other healthcare workforce members, in such a manner that it would not be reasonably possible for any individual to identify the patients directly or indirectly.
===Information Custodian===
===Information Custodian===
All application systems must have an information custodian '''''(IM17, Access Control to Information Technology Resources)''''' who performs the following functions:  '''''(IM29 - Information Custodian Roles and Responsibilities)'''''
All application systems must have an information custodian ([http://www.unmc.edu/its/security/procedures/access-control.html Access Control to Information Technology Resources]) who performs the functions which specify the security properties associated with the application system. This includes the categories of information that users are allowed to read and update. The information custodian is also responsible for classifying data and participating in ensuring the technical and procedural mechanisms implemented are sufficient to secure the data based upon a risk analysis that considers the probability of compromise and its potential business impact.
*Ongoing day to day administration for departmentally owned information systems
*Coordination of system upgrades
*End user training
*First tier application support
*Business process owner
*System access and control
*Resource table configuration and application testing
*Business continuity coordination (downtime procedures)
*Interface troubleshooting and error management
*Report development
*Research and development of emerging technologies
*Primary vendor contact
*Change management documentation and communication
*Auditing requirements
*Other duties as mutually agreed upon
===Institutional Review Board (IRB)===
===Institutional Review Board (IRB)===
IRB means the Institutional Review Board of record for the ACE.
IRB means the Institutional Review Board of record for the ACE.
Line 70: Line 57:
*'''De-identified health information''' must not include any of the eighteen identifiers defined by HIPAA, or any other identifiers, that would allow a reasonable possibility for any person to identify the patients directly or indirectly.
*'''De-identified health information''' must not include any of the eighteen identifiers defined by HIPAA, or any other identifiers, that would allow a reasonable possibility for any person to identify the patients directly or indirectly.
*'''Limited Data Sets''': If the health information provided to research investigators is based on a Limited Data Set the investigators must complete and obtain Institutional Review Board (IRB) approval of a UNMC/Nebraska Medicine If the investigator requests changes to the Data Use agreement, the Privacy Office shall review and approve the revisions.  
*'''Limited Data Sets''': If the health information provided to research investigators is based on a Limited Data Set the investigators must complete and obtain Institutional Review Board (IRB) approval of a UNMC/Nebraska Medicine If the investigator requests changes to the Data Use agreement, the Privacy Office shall review and approve the revisions.  
*'''Re-Identification Codes''': The information provided to the investigators/others by the Honest Broker may incorporate linkage codes to permit information collation and/or subsequent inquiries (i.e., a “re-identification code”), however the information linking this re-identification code to the patient’s identity must be retained by the Honest Broker, secured and separate from research/other documents; all subsequent inquiries must be conducted through the Honest Broker and IRB approval.
*'''Re-Identification Codes''': The information provided to the investigators/others by the honest broker may incorporate linkage codes to permit information collation and/or subsequent inquiries (i.e., a “re-identification code”), however the information linking this re-identification code to the patient’s identity must be retained by the honest broker, secured and separate from research/other documents; all subsequent inquiries must be conducted through the honest broker and IRB approval.
===Honest Broker Role===
===Honest Broker Role===
*An Honest Broker will provide a research investigator with a de-identified listing of the health information of potential eligible research subjects. The Honest Broker will retain re-identification codes that permit only the Honest Broker to re-identify the data.
*An honest broker will provide a research investigator with a de-identified listing of the health information of potential eligible research subjects. The honest broker will retain re-identification codes that permit only the honest broker to re-identify the data.
*The Honest Broker may facilitate identification of potential research subjects by contacting patients’ personal physicians who would contact the patients to:
*The honest broker may facilitate identification of potential research subjects by contacting patients’ personal physicians who would contact the patients to:
:*Introduce the research study;
:*Introduce the research study;
:*Ascertain their interest in study participation; and
:*Ascertain their interest in study participation; and
:*Facilitate contact with an investigator or obtain their written authorization to share their interest in study participation with the investigators and to be contacted by them. The Honest Broker would not directly contact the patient.
:*Facilitate contact with an investigator or obtain their written authorization to share their interest in study participation with the investigators and to be contacted by them. The honest broker would not directly contact the patient.
:*After secondary review by the Associate Vice Chancellor for Clinical Research, an Honest Broker may provide the research investigator with a list of potentially eligible patients who have agreed to be contacted for research studies they are eligible for based on their election on the Conditions of Treatment form or consistent with the Human Research Protection Program Policy #3.4 “Use of Protected Health Information in Research and Registries” for further information.
:*After secondary review by the Associate Vice Chancellor for Clinical Research, an honest broker may provide the research investigator with a list of potentially eligible patients who have agreed to be contacted for research studies they are eligible for based on their election on the Conditions of Treatment form or consistent with the Human Research Protection Program Policy #3.4 “Use of Protected Health Information in Research and Registries” for further information.
*Honest Broker Data Requests: Individuals requesting PHI or de-identified data shall complete the [https://unmcredcap.unmc.edu/redcap/surveys/?s=9TsTE2UGsM UNMC/Nebraska Medicine EHR Service Request Form] (research), the [http://newintranet.nebraskamed.com/AnalyticsRequest/Login.aspx?ReturnUrl=%2fanalyticsrequest%2f Analytics Request Form] (performance improvement) or another similar form.     
*honest broker Data Requests: Individuals requesting PHI or de-identified data shall complete the [https://unmcredcap.unmc.edu/redcap/surveys/?s=9TsTE2UGsM UNMC/Nebraska Medicine EHR Service Request Form] (research), the [http://newintranet.nebraskamed.com/AnalyticsRequest/Login.aspx?ReturnUrl=%2fanalyticsrequest%2f Analytics Request Form] (performance improvement) or another similar form.     
===Honest Broker Certification Criteria===
===Honest Broker Certification Criteria===
*Appointment: Honest Brokers shall not be a part of the research team for which they are performing honest broker services, unless approved by the ACE Privacy Officer, the Associate Vice Chancellor for Clinical Research and the Chief, Quality/Outcomes Officer.
*Appointment: honest brokers shall not be a part of the research team for which they are performing honest broker services, unless approved by the ACE Privacy Officer, the Associate Vice Chancellor for Clinical Research and the Chief, Quality/Outcomes Officer.
*Education and Training: The proposed Honest Brokers responsible for a research data source must complete education and training, currently mandated by the IRB for all research investigators, prior to submitting an application.  
*Education and Training: The proposed honest brokers responsible for a research data source must complete education and training, currently mandated by the IRB for all research investigators, prior to submitting an application.  
*The individual or the organization or team must submit an [http://www.unmc.edu/hipaa/_documents/application-for-honest-broker-certification.pdf Application for Honest Broker Certification Form] to become part of the UNMC Honest Broker System.
*The individual or the organization or team must submit an [http://www.unmc.edu/hipaa/_documents/application-for-honest-broker-certification.pdf Application for Honest Broker Certification Form] to become part of the UNMC Honest Broker System.
:*Applications should be submitted to the Privacy Officer for the ACE.  
:*Applications should be submitted to the Privacy Officer for the ACE.  
*Attestation of Agreement: All Honest Brokers must sign a written agreement that they will abide by all relevant ACE policies including continuing adherence to the ACE Honest Broker certification criteria section of this policy.  
*Attestation of Agreement: All honest brokers must sign a written agreement that they will abide by all relevant ACE policies including continuing adherence to the ACE honest broker certification criteria section of this policy.  
*Certification, Approval, and Maintenance
*Certification, Approval, and Maintenance
:*Initial Review and Approval: The ACE Privacy Officer, the Associate Vice Chancellor for Clinical Research and the Chief, Quality/Outcomes Officer will review and approve Honest Broker applications and related documentation to determine that satisfactory evidence has been presented to meet or exceed the following certification criteria:
:*Initial Review and Approval: The ACE Privacy Officer, the Associate Vice Chancellor for Clinical Research and the Chief, Quality/Outcomes Officer will review and approve honest broker applications and related documentation to determine that satisfactory evidence has been presented to meet or exceed the following certification criteria:
::*Written documentation of the processes and/or systems to be used to develop both fully de-identified health information data sets and limited data sets, for both electronic and paper-based records;
::*Written documentation of the processes and/or systems to be used to develop both fully de-identified health information data sets and limited data sets, for both electronic and paper-based records;
::*Written documentation of policies, procedures and controls necessary for:
::*Written documentation of policies, procedures and controls necessary for:
:::*Compliance with HIPAA, and regulations for human subject protections (45 CFR 46), if applicable.
:::*Compliance with HIPAA, and regulations for human subject protections (45 CFR 46), if applicable.
:::*Security and management of all PHI in the Honest Broker’s possession during the performance of Honest Broker functions;
:::*Security and management of all PHI in the honest broker’s possession during the performance of honest broker functions;
:::*Audits and/or quality checks related to determining the efficacy of de-identification mechanisms;
:::*Audits and/or quality checks related to determining the efficacy of de-identification mechanisms;
:::*Security and management of re-identification keys; and
:::*Security and management of re-identification keys; and
:::*Maintenance and retention of work-product documentation for all work performed (for whom, what was provided, IRB approval info, etc.).   
:::*Maintenance and retention of work-product documentation for all work performed (for whom, what was provided, IRB approval info, etc.).   
:::*Requests for data shall be retained for six (6) years.
:::*Requests for data shall be retained for six (6) years.
*Ongoing Review and Maintenance: Each certified Honest Broker’s individual status will be reviewed at least annually by the Privacy Office. Changes in an Honest Broker’s status should be reported immediately by the sponsoring investigator or team leader.
*Ongoing Review and Maintenance: Each certified honest broker’s individual status will be reviewed at least annually by the Privacy Office. Changes in an honest broker’s status should be reported immediately by the sponsoring investigator or team leader.
*Adding and/or Removing Brokers
*Adding and/or Removing Brokers
:*Adding Brokers:
:*Adding Brokers:
::*New brokers must first complete the education/certification modules as noted in the Honest Broker certification section above.
::*New brokers must first complete the education/certification modules as noted in the honest broker certification section above.
::*In accordance with UNMC/Nebraska Medicine policy, applicants who are not UNMC/Nebraska Medicine employees must complete and sign a business associate agreement (BAA).
::*In accordance with UNMC/Nebraska Medicine policy, applicants who are not UNMC/Nebraska Medicine employees must complete and sign a business associate agreement (BAA).
::*A complete revision of the each unit’s application must be submitted to the Privacy Office with any brokers to be added reflected in the revision. A copy of any relevant BAAs must accompany the revision documents.  
::*A complete revision of the each unit’s application must be submitted to the Privacy Office with any brokers to be added reflected in the revision. A copy of any relevant BAAs must accompany the revision documents.  
:*Removing Brokers:  A complete revision of the application must be submitted to the Privacy Office with any brokers to be removed and the reason for the removal reflected in the revision.
:*Removing Brokers:  A complete revision of the application must be submitted to the Privacy Office with any brokers to be removed and the reason for the removal reflected in the revision.
*Duties and Other Requirements of the Honest Broker: In order for a certified Honest Broker to work on behalf of investigators to de-identify PHI that is owned/held by UNMC, the Honest Broker must perform the following UNMC/Nebraska Medicine-defined duties and adhere to the following -defined requirements:
*Duties and Other Requirements of the Honest Broker: In order for a certified honest broker to work on behalf of investigators to de-identify PHI that is owned/held by UNMC, the honest broker must perform the following UNMC/Nebraska Medicine-defined duties and adhere to the following -defined requirements:
:*Non-UNMC/Nebraska Medicine Honest Brokers must execute a Business Associate Agreement (BAA) with UNMC:
:*Non-UNMC/Nebraska Medicine honest brokers must execute a Business Associate Agreement (BAA) with UNMC:
::*The terms of the BAA will specify continuing confidentiality requirements, duties and other expectations UNMC/Nebraska Medicine has of an Honest Broker service. The UNMC/Nebraska Medicine BAA can be viewed at [http://www.unmc.edu/hipaa/forms/index.html http://www.unmc.edu/hipaa/forms/index.html].   
::*The terms of the BAA will specify continuing confidentiality requirements, duties and other expectations UNMC/Nebraska Medicine has of an honest broker service. The UNMC/Nebraska Medicine BAA can be viewed at [http://www.unmc.edu/hipaa/forms/index.html http://www.unmc.edu/hipaa/forms/index.html].   
:*All certified Honest Brokers must ensure that approval of the IRB of record has been obtained for a research study before the Honest Broker acts on a request for PHI (from an investigator that is served by the IRB of record).
:*All certified honest brokers must ensure that approval of the IRB of record has been obtained for a research study before the honest broker acts on a request for PHI (from an investigator that is served by the IRB of record).
:*All certified Honest Brokers must adhere to any and all terms and conditions specified by the IRB of record for any research study for which the Honest Broker will perform services.
:*All certified honest brokers must adhere to any and all terms and conditions specified by the IRB of record for any research study for which the honest broker will perform services.
:*If an investigator requests a Limited Data Set, rather than a fully/completely de-identified data set:
:*If an investigator requests a Limited Data Set, rather than a fully/completely de-identified data set:
::*The IRB of record may require evidence of a completed Data Use Agreement for a Limited Data Set as part of its application process for approval of the proposed research involving the use of a Limited Data Set.
::*The IRB of record may require evidence of a completed Data Use Agreement for a Limited Data Set as part of its application process for approval of the proposed research involving the use of a Limited Data Set.
::*An individual Honest Broker for the investigator must obtain (and retain) evidence of an appropriately executed Data Use Agreement in order to be granted access to the UNMC/Nebraska Medicine-held PHI.
::*An individual honest broker for the investigator must obtain (and retain) evidence of an appropriately executed Data Use Agreement in order to be granted access to the UNMC/Nebraska Medicine-held PHI.
==Additional Information==
==Additional Information==
*Contact the [mailto:tscrogin@unmc.edu Privacy Officer]
*Contact the [mailto:tscrogin@unmc.edu Privacy Officer]
*[http://www.unmc.edu/hipaa/about/notice-privacy-practices.html Notice of Privacy Practices
*[http://www.unmc.edu/hipaa/_documents/application-for-honest-broker-certification.pdf Application for Honest Broker Certification Form]
*[http://www.unmc.edu/hipaa/_documents/application-for-honest-broker-certification.pdf Application for Honest Broker Certification Form]
*[http://www.unmc.edu/hipaa/_documents/attestation-of-honest-brokers-responsibilites.pdf Attestation of Honest Brokers Responsibilities Form]
*[http://www.unmc.edu/hipaa/_documents/attestation-of-honest-brokers-responsibilites.pdf Attestation of Honest Brokers Responsibilities Form]
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=9TsTE2UGsM UNMC/Nebraska Medicine EHR Service Request Form]
*[https://unmcredcap.unmc.edu/redcap/surveys/?s=9TsTE2UGsM UNMC/Nebraska Medicine EHR Service Request Form]
*[http://newintranet.nebraskamed.com/AnalyticsRequest/Login.aspx?ReturnUrl=%2fanalyticsrequest%2f Analytics Request Form]
*[http://newintranet.nebraskamed.com/AnalyticsRequest/Login.aspx?ReturnUrl=%2fanalyticsrequest%2f Analytics Request Form]
 
*[http://www.unmc.edu/its/security/procedures/access-control.html Access Control to Information Technology Resources]


This page maintained by [mailto:dpanowic@unmc.ed dkp]
This page maintained by [mailto:dpanowic@unmc.ed dkp]