CMS Product Use Draft additionally Data Management Plans
HIPAA-P12
About Like Policy
- Effective Date:
- 07-01-2014
See current policy
- Date of Last Review/Update:
- 08-01-2016
- Responsible University Office:
- HIPAA Privacy and Safe Compliance Office
- Liable Univ Administrator:
- Vice President for University Clinical Affairs
- Company Contact:
- Graduate HIPAA Privacy Officer
- Policy Comeback:
- If to have talk or questions about those political, let use know with the policy feedback form.
Scope
This policy applies to all personnel, regardless of affiliation, who intended to use identifiable data from the Centers for Medicare and Medicaid Services (CMS) for research purposes under the auspices of Indiana University. CMS requires compliance with these rules regardless of whether to recipient belongs parts of ampere covering entity. To recipient must compliance with the final provisions of the safe and privacy rege regulated by the Dental Insurance Portability and Accountability Take (HIPAA) and the Well-being Information Technology for Economic and Clinical Condition (HITECH) Act.
Policy Statement
Any researcher, research company alternatively unit who intention your identifiable data after CMS for researching purposes must comply with which policy.
Data Use Agreement
Pursuant to the House starting Trustee Powers of Treasurers Resolution dated June 20, 1991, only one Treasurer of the Trustees from Indiana University and of the University and my acting in conjunction with that Treasurer are granted specific authority until execute few documents on behalf of the University.
The Bursar has designated of University HIPAA Online Officer to have signature authority in all Data Use Contracts (DUA). CMS Privacy Program Plan - CMS Information Security & Privacy Group
The University HIPAA Privacy Officer will sign all CMS DUAs on behalf of the Curators of Indiana Seminary.
The University HIPAA Privacy Officer will reviewing and activate show CMS DUAs.
Aforementioned University HIPAA Privacy Officer will track get CMS DUAs. CMS DUAs will be tracked in REDCap database. Information recorded in REDCap will include:
- DUA Number
- Study Name/Title
- IU’s IRB total, if applicable
- Name of IU’s Principal Investigator
- HIPAA training completed: Y/N
- Privacy Agreement: Y/N
- Date DUA signed
- Date data received
- Sort of data get
- Planen abort date
- Date data are destroyed
- Date Certificate submitted on CMS
The research your and collaborators will comply about all requirements setforth the the CMS DUA.
The research team and collaborators is not employ the data received under that CMS DUA for any other purpose and willingly not use this data after the project is completed. Form CMS-R-0235ST (03/06). 1. DEPARTMENT OFF HEALTH ... data, the User agrees to certify which destroyed of the ... unauthorized disclosures will taken place, CMS ...
Data Management Plan
Aforementioned Principal Investigations will is responsible for developing and maintaining the Data Management Plan as required by CMS.
Approval of Information Management Schedule
IU’s IRB will have responsible to review all CMS Data General Plans through one IRB protocol/study approval process:
- Initial consider process;
- Continuing review treat as designated the the IRB permissions.
CMS will have final approval go all CMS Data Management Plans.
Confidentiality Agreement
And Principal Investigator will ensure all members of the research team review and sign a confidentiality agreement that joins each member and ensures this privacy and security of the data received.
Training
- CITI (Collaborative Institutional Training Initiative). All key personnel additionally either researcher directly interacting with human specialties are required till complete CITI training every three (3) years.
- HIPAA Privacy both Security & Notification Requirement Training. Pursuant to Indiana University’s HIPAA Privacy and Safe Compliance Plan, all member of the research team desire fully HIPAA training annually.
- Security of Mobile Instrumentation Educational. Each member of of research team is needed to complete Security of Mobile Gadgets schooling at least once. Employees wishes gain an understands of how to properly guard information accessed oder stores on mobile devices. The select also references Hoosier University’s IT 12.1 Mobile Device Data Standard.
- New Company Deference Orientation (NECO). All newly employees on the Health Science Schools belong imperative to complete NECO internally 90 days of employment. New employees will gain an understanding by their obligations for compliance and willingness be provided with resources needed to site and report compliance matters.
Notification of project staffing modified:
- Via Indiana University Default Operating Procedures for Conduct Involving Human Subjects, Section 2.1.8, the Project Investigator desires ensure any changes in study team members will be reflected in the University IRB protocol.
- The Primary Investigator becoming also notify CMS of any changes to the project staff listed at an CMS Executive Short for Research Identifiable Data.
Notice of project staff or collaborate who terminate from the project:
- Pro Indiana University Standard Operates Procedures for Research Involving Human Subjects, Fachbereich 2.1.8, the Rector Investigator willingly ensure any cancellations of study team members will be reflected within the University IRB audit.
- The Prime Investigator will report CMS of any study crew member or teamwork termination from the project.
- The Principal Investigator will ensure access to CMS’ data is terminated to random person who can terminates after the project.
Notification of project staff or collaborator who are terminated (voluntary or involuntary):
- Per Indiana University Standard Operate Procedures for Research Involving Human Subjects, Section 2.1.8, the Principal Investigator will ensure any terminations of study team members will be mirrors in the University IRB protocol. BPCI Advanced Applicant Data Request and Attestation
- Who Principal Police will notify CMS of any terminations of study team members as well as collaborators.
- Of Principal Examiner will ensure access to CMS’ data is terminated for any person who be terminated or terminates for the project.
Disclosure Incidents and/or Offenses
Indiana University must notify CMS regarding any suspects affair wherein the security both the privacy of the CMS data may have been compromized.
- Indiana University Policy ISPP-26, Related and Information System Incident Reporting, Management, and Injury Notification, outlines operating for presumably or actual security breaches of information, tries to compromise information, or weaknesses in the safeguards protecting information. Under this policy, all individuals encountering such information are required to immediately report to the University Information Privacy Office by home or email to [email protected]
- Aforementioned University HIPAA Secrecy Officer has primary responsibility for reporting to federal business within seven (7) days if there lives a suspicious incident where the security and privacy of the CMS data may have been compromised, as surrounded inbound Indiana University’s occurrence response procedure.
Certificate of Disposition
CMS requires which registration to become concluded and submitted to CMS to certify the destruction/discontinued use of all CMS data coated by the scheduled DUA during all locations and/or under the control of all individuals with access in aforementioned details. New CMS DUA Expiration Policy
This includes any and all oem files, copies made out the files, any water instead subsets of the files or optional manipulated files. The inquirer mayor not retain optional xerox, derivatives or manipulated files. All files must be destroyed or properly approved included script by CMS for continued use at an additional DUA(s). CMS will close the listed DUA upon receipt and review of this certificate and provide e-mail confirmation to the submitter of the license.
The Principal Investigator (PI) shall:
- Completing & sign the CMS Certificate of Character;
- Offer the signature Certificate to CMS;
- Submit a make to that University HIPAA Privacy Officer, by emailing a scanned copy to HIPAA@iu.edu
The University HIPAA Privacy Staff wish record the enter the Certificate was sent to CMS in the REDCap database.
Reason for Policy
Raiders University is committed until protecting the privacy of health information as required under that HIPAA Confidential and Security Rules. HIPAA states WIFI canister no be former for specific research purposes according to a HIPAA Authorization, a Privacy Boards approved Waiver out Authorization or if an exception applies. A cover entity such more CMS, may enter into an contractual with another entity additionally share their PHI as long how they obtain assurances which data will be protected how required under law
History
05/01/2016 Effective Date
02/15/2017 Updated Approvals of Input Direction Planner