Honest Broker: Difference between revisions

From University of Nebraska Medical Center
Jump to navigation Jump to search
(Created page with "<table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0"> <tr> <td style="padding:0.5em; background-color:#e5e5e5; font-siz...")
 
No edit summary
Line 37: Line 37:
A person or entity, other than a member of the workforce of a covered entity, who performs functions on behalf of a covered entity per 45 CFR 160 is a business associate.
A person or entity, other than a member of the workforce of a covered entity, who performs functions on behalf of a covered entity per 45 CFR 160 is a business associate.
===De-identification===
===De-identification===
De-identification refers to removal of all'''18''' of the HIPAA identifiers or any other identifiers which would allow the reasonable possibility for investigators or others to identify patients directly or indirectly to prevent re-identification of patients.
De-identification refers to removal of all 18 of the HIPAA identifiers or any other identifiers which would allow the reasonable possibility for investigators or others to identify patients directly or indirectly to prevent re-identification of patients.
===Information Custodian===
All application systems must have an information custodian '''''(IM17, Access Control to Information Technology Resources)''''' who performs the following functions:  '''''(IM29 - Information Custodian Roles and Responsibilities)'''''
*Ongoing day to day administration for departmentally owned information systems
*Coordination of system upgrades
*End user training
*First tier application support
*Business process owner
*System access and control
*Resource table configuration and application testing
*Business continuity coordination (downtime procedures)
*Interface troubleshooting and error management
*Report development
*Research and development of emerging technologies
*Primary vendor contact
*Change management documentation and communication
*Auditing requirements
*Other duties as mutually agreed upon
===Institutional Review Board (IRB)===
IRB means the Institutional Review Board of record for the ACE.
===Limited Data Sets ===
A Limited Data Set means a set of identifiable patient information, as defined by HIPAA, which has limited identifiable information which may be used solely for the purpose of research, public health, or health care operations. A Limited Data Set should be shared only upon execution of a Data Use Agreement, which is an agreement which addresses HIPAA-mandated conditions related to subsequent uses and disclosures of Limited Data Sets. 
===Protected Health Information (PHI)===
Protected Health Information means any information whether oral or recorded in any medium created or received by a health care provider, health plan, employer or health care clearinghouse which relates to past, present or future physical or mental health or condition of an individual, or the past, present, or future payment for the provision of health care to an individual for which there is a reasonable basis to believe the information may be used to identify an individual.
===IRB Requirements===
Use of human biological, samples, specimens and data or the like shall be consistent with the requirements, regulations, laws for use of such information and materials.
===Workforce Member===
Workforce member refers to faculty, staff, volunteers, trainees, students, independent contractors and other persons whose conduct in the performance of work the ACE entities, or are under the direct control of an ACE entity.
==Procedures==
===Honest Broker Requirements===
The ACE will comply with the HIPAA Privacy Rule requirements pertaining to the use and disclosure of protected health information (PHI) and de-identification of PHI used for research and healthcare operations as well as any applicable related state laws that are not preempted by HIPAA and IRB Requirements.
*'''De-identified health information''' must not include any of the eighteen identifiers defined by HIPAA, or any other identifiers, that would allow a reasonable possibility for any person to identify the patients directly or indirectly.
*'''Limited Data Sets''': If the health information provided to research investigators is based on a Limited Data Set the investigators must complete and obtain Institutional Review Board (IRB) approval of a UNMC/Nebraska Medicine If the investigator requests changes to the Data Use agreement, the Privacy Office shall review and approve the revisions.
*'''Re-Identification Codes''': The information provided to the investigators/others by the Honest Broker may incorporate linkage codes to permit information collation and/or subsequent inquiries (i.e., a “re-identification code”), however the information linking this re-identification code to the patient’s identity must be retained by the Honest Broker, secured and separate from research/other documents; all subsequent inquiries must be conducted through the Honest Broker and IRB approval.
===Honest Broker Role===
*An Honest Broker will provide a research investigator with a de-identified listing of the health information of potential eligible research subjects. The Honest Broker will retain re-identification codes that permit only the Honest Broker to re-identify the data.
*The Honest Broker may facilitate identification of potential research subjects by contacting patients’ personal physicians who would contact the patients to:
:*Introduce the research study;
:*Ascertain their interest in study participation; and
:*Facilitate contact with an investigator or obtain their written authorization to share their interest in study participation with the investigators and to be contacted by them. The Honest Broker would not directly contact the patient.
:*After secondary review by the Associate Vice Chancellor for Clinical Research, an Honest Broker may provide the research investigator with a list of potentially eligible patients who have agreed to be contacted for research studies they are eligible for based on their election on the Conditions of Treatment form or consistent with the Human Research Protection Program Policy #3.4 “Use of Protected Health Information in Research and Registries” for further information.
c. Honest Broker Data Requests: Individuals requesting PHI or de-identified data shall complete the UNMC/Nebraska Medicine EHR Service Request form (research), the Analytics Request form (performance improvement) or another similar form.   
UNMC EHR Service Request form (research) currently at
                    https://unmcredcap.unmc.edu/redcap/surveys/?s=9TsTE2UGsM
Nebraska Medicine Analytics Request Form (performance improvement currently at:              http://newintranet.nebraskamed.com/analyticsrequest/
 
 
 


==Additional Information==
==Additional Information==

Revision as of 12:07, July 13, 2015

Human Resources   Safety/Security   Research Compliance   Compliance   Privacy/Information Security   Business Operations   Intellectual Property


Compliance Program | Compliance Hotline | Investigations by Third Parties | Research Integrity | Copyright | Export Control | Code of Conduct | Use of Human Anatomical Material | Clinical Trial Fee Billing Procedures | Contracts Policy | Conflict of Interest | Red Flag Identity Theft Prevention Program | Principles of Financial Stewardship | Human Tissue Use & Transfer | International Research Policy | Honest Broker

Policy No.: 8015
Effective Date: DRAFT
Revised Date:
Reviewed Date:

Honest Broker

Basis for Policy

Policy

UNMC Affiliated Covered Entity (ACE) shall implement an “honest broker” program to ensure compliance with the HIPAA Privacy rules and requirements pertaining to the use and disclosure of protected health information (PHI) and de-identification of PHI used for research and Healthcare Operations as well as any applicable related state laws that are not preempted by HIPAA.

Purpose

The purpose of the Honest Broker Policy is to establish standard operating procedures for de-identification of PHI for the purpose of safely and securely linking together or sharing clinical data to support research in compliance with HIPAA and IRB requirements.

Definitions

Affiliated Covered Entity (ACE)

Legally separate covered entities have designated themselves as a single covered entity for the purpose of HIPAA Compliance. Current UNMC ACE members are: UNMC, Nebraska Medicine, UNMC Physicians, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.

Business Associate

A person or entity, other than a member of the workforce of a covered entity, who performs functions on behalf of a covered entity per 45 CFR 160 is a business associate.

De-identification

De-identification refers to removal of all 18 of the HIPAA identifiers or any other identifiers which would allow the reasonable possibility for investigators or others to identify patients directly or indirectly to prevent re-identification of patients.

Information Custodian

All application systems must have an information custodian (IM17, Access Control to Information Technology Resources) who performs the following functions: (IM29 - Information Custodian Roles and Responsibilities)

  • Ongoing day to day administration for departmentally owned information systems
  • Coordination of system upgrades
  • End user training
  • First tier application support
  • Business process owner
  • System access and control
  • Resource table configuration and application testing
  • Business continuity coordination (downtime procedures)
  • Interface troubleshooting and error management
  • Report development
  • Research and development of emerging technologies
  • Primary vendor contact
  • Change management documentation and communication
  • Auditing requirements
  • Other duties as mutually agreed upon

Institutional Review Board (IRB)

IRB means the Institutional Review Board of record for the ACE.

Limited Data Sets

A Limited Data Set means a set of identifiable patient information, as defined by HIPAA, which has limited identifiable information which may be used solely for the purpose of research, public health, or health care operations. A Limited Data Set should be shared only upon execution of a Data Use Agreement, which is an agreement which addresses HIPAA-mandated conditions related to subsequent uses and disclosures of Limited Data Sets.

Protected Health Information (PHI)

Protected Health Information means any information whether oral or recorded in any medium created or received by a health care provider, health plan, employer or health care clearinghouse which relates to past, present or future physical or mental health or condition of an individual, or the past, present, or future payment for the provision of health care to an individual for which there is a reasonable basis to believe the information may be used to identify an individual.

IRB Requirements

Use of human biological, samples, specimens and data or the like shall be consistent with the requirements, regulations, laws for use of such information and materials.

Workforce Member

Workforce member refers to faculty, staff, volunteers, trainees, students, independent contractors and other persons whose conduct in the performance of work the ACE entities, or are under the direct control of an ACE entity.

Procedures

Honest Broker Requirements

The ACE will comply with the HIPAA Privacy Rule requirements pertaining to the use and disclosure of protected health information (PHI) and de-identification of PHI used for research and healthcare operations as well as any applicable related state laws that are not preempted by HIPAA and IRB Requirements.

  • De-identified health information must not include any of the eighteen identifiers defined by HIPAA, or any other identifiers, that would allow a reasonable possibility for any person to identify the patients directly or indirectly.
  • Limited Data Sets: If the health information provided to research investigators is based on a Limited Data Set the investigators must complete and obtain Institutional Review Board (IRB) approval of a UNMC/Nebraska Medicine If the investigator requests changes to the Data Use agreement, the Privacy Office shall review and approve the revisions.
  • Re-Identification Codes: The information provided to the investigators/others by the Honest Broker may incorporate linkage codes to permit information collation and/or subsequent inquiries (i.e., a “re-identification code”), however the information linking this re-identification code to the patient’s identity must be retained by the Honest Broker, secured and separate from research/other documents; all subsequent inquiries must be conducted through the Honest Broker and IRB approval.

Honest Broker Role

  • An Honest Broker will provide a research investigator with a de-identified listing of the health information of potential eligible research subjects. The Honest Broker will retain re-identification codes that permit only the Honest Broker to re-identify the data.
  • The Honest Broker may facilitate identification of potential research subjects by contacting patients’ personal physicians who would contact the patients to:
  • Introduce the research study;
  • Ascertain their interest in study participation; and
  • Facilitate contact with an investigator or obtain their written authorization to share their interest in study participation with the investigators and to be contacted by them. The Honest Broker would not directly contact the patient.
  • After secondary review by the Associate Vice Chancellor for Clinical Research, an Honest Broker may provide the research investigator with a list of potentially eligible patients who have agreed to be contacted for research studies they are eligible for based on their election on the Conditions of Treatment form or consistent with the Human Research Protection Program Policy #3.4 “Use of Protected Health Information in Research and Registries” for further information.

c. Honest Broker Data Requests: Individuals requesting PHI or de-identified data shall complete the UNMC/Nebraska Medicine EHR Service Request form (research), the Analytics Request form (performance improvement) or another similar form. UNMC EHR Service Request form (research) currently at

                    https://unmcredcap.unmc.edu/redcap/surveys/?s=9TsTE2UGsM 

Nebraska Medicine Analytics Request Form (performance improvement currently at: http://newintranet.nebraskamed.com/analyticsrequest/



Additional Information

This page maintained by dkp