IRB Month Investigator Meeting April 2014

(1)

Title slide: word cloud of the meeting's topics (Security, Research, Privacy, Sharing, AMC, Data, FISMA, Cloud Computing, Mobile, HIPAA, Operations, CINA, Breaches, Review, Academic Center, Threats, Regulatory, Federal Regulations, EMR, Compliance, Monitoring, Practices, Trends, Audits)

IRB Month Investigator Meeting

(2)

IRB Monthly Investigator Meeting

HIPAA OMNIBUS

New HIPAA requirements effective

September 23, 2013

Office of HIPAA Compliance April 15, 2014

(3)

Omnibus Update

Compliance required by September 23, 2013

Notice of Privacy Practices

New Notice distributed to Practice Managers 10/11/2013

http://www.cumc.columbia.edu/hipaa/pdf/Notice_of_Privacy_Practices.pdf

New Patient Rights

Electronic access to medical records

Patient out of pocket payments / Do not bill health plan

Fundraising

Breach Notification

Authorization for Use of PHI for Sale / Marketing

May 14, 2014 Omnibus HIPAA Update – Office of

(4)

Omnibus Update

Business Associate Agreements

New BAA created April 2013

Approx. 150 business associates need new BAA by Sept. 23, 2014

Must not share data without a BAA in place

Must get BAA if non-workforce member will access PHI

BAA now required for quality / registries

Revised policies

Fundraising

Privacy Program

Authorization to Disclose Medical Records

(5)

Omnibus Update - Research Authorization

The Final Rule provisions discussed above have important implications for research:

– The changes concerning compound authorizations will alleviate administrative burdens on clinical trial subjects and researchers and facilitate harmonization with the Common Rule and global requirements for research documentation.

– The revised interpretation regarding authorization for future research use will remove barriers on researchers' ability to use data for future research purposes – some of which cannot even be contemplated at the time the data is gathered, but which could hold great promise to advance science and medical care.

– The declassification as "PHI" of certain information of decedents over time will ease researchers' ability to perform research using such information.

(6)

Business Associates

Claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and pricing.

Signed agreement required to share information outside CUMC (INCLUDING RESEARCH DATA)

Must comply with Minimum Necessary

Must follow terms as established in contract

Must secure data during transmission

(7)

Breach Requirements

Definition:

An impermissible use or disclosure of protected health information that compromises the security or privacy of PHI

Now includes limited datasets

Requires report to the government

Can include substantial fines and penalties

Examples

Theft of laptop

Presentation includes PHI posted on internet

Faxing records to the wrong location

Disclosing PHI to sponsor

USB lost in the mail

May 14, 2014 Footer text is edited under "view/header

(8)

HITECH Act (ARRA)

Breach Notification Rule

New Federal Breach Notification Law – Effective Sept 2009

Applies to all electronic “unsecured Protected Health Information” – “encryption required”

Requires immediate (60 days) notification to the Federal Government if more than 500 individuals affected

Annual notification if less than 500 individuals

Requires notification to patients & appropriate remediation

May require notification to a major media outlet and listing

(10)

Questions

• If a patient (research subject) emails us do we need to respond with an encrypted (#encrypt) email in our reply? Exchange account (Outlook)

• Do our cumc.columbia.edu accounts allow us to email to Gmail accounts or do we always have to do "#encrypt" to ensure delivery?

• Can we access email on a non-encrypted computer (e.g. Home desktop)?

• Can we access other Columbia sites that require UNI logon from non-encrypted computers?

• After the HIPAA training we were asked to attest to not using our UNI as a sign-in for social websites; some non-social websites use an email as the username, e.g. NYP's patient portal. Do we have to remove our columbia.edu emails as user names on all websites or just social ones?

(11)

Dear Karen,

On August 1, the CUMC Information Security Office and Office of HIPAA Compliance introduced Sight Training, our new online training system for learning about major changes to HIPAA regulations, updated security requirements, and related Columbia University policies. Sight Training is tailored to address the information security and privacy issues most relevant to our community.

All CUMC faculty, staff, and students are required to complete this training. Sight Training makes the process straightforward and convenient. You may take the courses on any computer; each course should take no more than 30-45 minutes. All courses must be completed by November 1, 2013. You have been assigned the following courses:

• Security Essentials CUMC

• HIPAA Privacy Rules

Please take the time in the next few days to complete this training. It should take no more than 45 minutes.

To access the course(s), go to https://columbia.sighttraining.com/ and log in with your UNI and password.

Failure to complete the training by November 1 may result in:

A) notification of your departmental administrator

B) loss of access to clinical systems, such as CROWN, IDX, and WebCIS; or

(12)

Research Reminders

ENCRYPT EVERYTHING

• #Encrypt

• Laptops

• Desktops

• Home computers

• Student devices

• ANYONE who will have access to your data

(13)

Protected Health Information (PHI)

Protected Health Information is any information that:

“ is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse"; and

“ relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual”

All information, whether maintained in electronic, paper or oral format

(14)

HIPAA FORMS REVIEWED AND APPROVED IN RASCAL

FORM LABEL      FORM TITLE                   REVIEW COMMENTS
HIPAA Form A    Authorization for Research   High volume
HIPAA Form B    Waiver of Authorization      Significant review time required; usually retrospective
HIPAA Form C    Recruitment Waiver           Rare; directly approach subject without treatment provider relationship
HIPAA Form D    Preparatory to Research      Important for NYP data
HIPAA Form E    Decedent Data                Not needed unless all subjects are deceased
HIPAA Form F    Data Use Agreement           Significant review time required; is CUMC the data recipient or disclosing data?

(15)

Research HIPAA FAQ

Waiver of Authorization

Only for Columbia data

Do not answer N/A

Primarily for retrospective data analysis

State data collection timeframe

Data Use Agreements

When disclosing data outside of CUMC, must have some form of agreement (DUA, BAA etc.)

When receiving data from another organization, must include their agreement within the protocol

(16)

De-identified vs. Coded Data

Coded data contains an assigned code, so even though the information has been stripped of identifiers, the health information can be linked back to the individual by the research team.

De-identified data: stripped data with no code. It cannot be linked back to the subject.

A re-identification code can be assigned to a de-identified dataset by a covered entity; however, members of the research team may not have the access to the means/method of re-identification.

If a member of the research team has access to the re-identification key/method, the data is not considered to be de-identified.

(17)

18 identifiers as defined by the HIPAA Privacy Rule:

1. Name

2. Geographic Location (including city, state, zip)

3. Elements of Dates

4. Telephone Number

5. Fax Number

6. E-mail Address

7. Social Security Number

8. Medical Record or Prescription Numbers

9. Health Plan Beneficiary Number

10. Account Number

11. Certificate/license Number

12. VIN and Serial Numbers, License Plate Number

13. Device identifiers, serial numbers

14. Web URLs

15. IP Address Numbers

16. Biometric Identifiers (finger prints)

17. Full face, comparable photo images

18. Unique Identifying numbers (e.g. CODED DATA)
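The following is an added example, not part of the deck or any Columbia/CUMC tooling, that puts the two preceding slides into code: it strips the 18 identifier categories from a research extract, produces either a coded dataset (random study code, with the code-to-MRN key kept in a separate table the way a covered entity would hold it) or a de-identified dataset (no code), and applies the slide's rule that a coded dataset counts as de-identified only when nobody on the research team can reach the key. The field names, the sample records, and the `study_code` label are all constructed for the example.

```python
"""Added example: coded vs. de-identified research extracts (not the deck's own code)."""
import secrets

# Record fields that fall into the 18 HIPAA Safe Harbor identifier categories
# listed on the slide. Field names are constructed for this example.
IDENTIFIER_FIELDS = {
    "name",                                   # 1 name
    "address", "city", "state", "zip",        # 2 geographic location
    "dob", "admit_date", "discharge_date",    # 3 elements of dates
    "phone", "fax", "email", "ssn",           # 4-7
    "mrn", "rx_number", "health_plan_id",     # 8-9
    "account_no", "license_no",               # 10-11
    "vin", "license_plate", "device_serial",  # 12-13
    "url", "ip",                              # 14-15
    "fingerprint", "photo",                   # 16-17
}
CODE_FIELD = "study_code"  # category 18: a unique code that links back to the subject

# Constructed sample extract (no real patients).
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "name": "A. Example", "dob": "1970-01-01", "zip": "10032",
     "email": "a@example.invalid", "diagnosis": "I10", "lab_hba1c": 6.1},
    {"mrn": "MRN-0002", "name": "B. Example", "dob": "1965-05-05", "zip": "10027",
     "ip": "192.0.2.7", "diagnosis": "E11", "lab_hba1c": 7.4},
]


def residual_identifiers(record):
    """Identifier-category fields still present in a record (empty set = stripped)."""
    return set(record) & IDENTIFIER_FIELDS


def strip_identifiers(record):
    """Return a copy of the record with every identifier-category field removed."""
    return {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}


def make_coded_dataset(records):
    """Pseudonymize: replace identifiers with a random study code and keep the
    code -> MRN linkage in a separate key table. The records alone are 'coded data';
    whoever holds key_table can re-identify them."""
    key_table = {}
    coded = []
    for rec in records:
        code = secrets.token_hex(4)        # random, so the code itself reveals nothing
        key_table[code] = rec["mrn"]
        out = strip_identifiers(rec)
        out[CODE_FIELD] = code
        coded.append(out)
    return coded, key_table


def make_deidentified_dataset(records):
    """Strip identifiers and assign no code: nothing links a row back to the subject."""
    return [strip_identifiers(r) for r in records]


def classify(dataset, team_holds_key):
    """Classify a dataset the way the slide does:
    - any identifier field left  -> 'identifiable'
    - code present, team has key -> 'coded' (not de-identified)
    - code present, key held only by the covered entity -> 'de-identified'
    - no code, no identifiers    -> 'de-identified'"""
    if any(residual_identifiers(r) for r in dataset):
        return "identifiable"
    has_code = any(CODE_FIELD in r for r in dataset)
    if has_code and team_holds_key:
        return "coded"
    return "de-identified"


if __name__ == "__main__":
    coded, key_table = make_coded_dataset(SAMPLE_RECORDS)
    print(classify(SAMPLE_RECORDS, False))   # identifiable
    print(classify(coded, True))             # coded
    print(classify(coded, False))            # de-identified
    print(classify(make_deidentified_dataset(SAMPLE_RECORDS), False))  # de-identified
```

The practical point the code makes is that the same rows are "coded" or "de-identified" depending only on who can open the key table, so the key table must live with the covered entity's custodian, not in the research team's share.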

(18)

HIPAA Privacy Program Elements

http://privacyruleandresearch.nih.gov/

http://www.cumc.columbia.edu/hipaa/

https://secure.cumc.columbia.edu/cumcit/secure/security/

• See website for policies and procedures

• See website for HIPAA forms

• See website for educational material

• All staff are required to complete HIPAA Privacy & IT Security education

• Contact the Privacy Officer for questions or reports: HIPAA@columbia.edu or (212) 305-7315.

• Contact the Information Security Officer for questions about HIPAA Information Security

(19)

Karen Pagliaro-Meyer, Privacy Officer, kpagliaro@columbia.edu, HIPAA@columbia.edu, (212) 305-7315
