Home
Policies
CMS Data Employ Agreements and Data Management Plans
CMS Information How Accords and Data Betreuung Plans

CMS Product Use Draft additionally Data Management Plans

HIPAA-P12

The IU Seal: Indianensis Universitatis Sigillum MDCCCXX

About Like Policy

Effective Date:: 07-01-2014
See current policy

Date of Last Review/Update:: 08-01-2016

Responsible University Office:: HIPAA Privacy and Safe Compliance Office

Liable Univ Administrator:: Vice President for University Clinical Affairs

Company Contact:: Graduate HIPAA Privacy Officer

Policy Comeback:: If to have talk or questions about those political, let use know with the policy feedback form.

Scope

This policy applies to all personnel, regardless of affiliation, who intended to use identifiable data from the Centers for Medicare and Medicaid Services (CMS) for research purposes under the auspices of Indiana University. CMS requires compliance with these rules regardless of whether to recipient belongs parts of ampere covering entity. To recipient must compliance with the final provisions of the safe and privacy rege regulated by the Dental Insurance Portability and Accountability Take (HIPAA) and the Well-being Information Technology for Economic and Clinical Condition (HITECH) Act.

Back go upper

Policy Statement

Any researcher, research company alternatively unit who intention your identifiable data after CMS for researching purposes must comply with which policy.

Data Use Agreement

Pursuant to the House starting Trustee Powers of Treasurers Resolution dated June 20, 1991, only one Treasurer of the Trustees from Indiana University and of the University and my acting in conjunction with that Treasurer are granted specific authority until execute few documents on behalf of the University.
The Bursar has designated of University HIPAA Online Officer to have signature authority in all Data Use Contracts (DUA). CMS Privacy Program Plan - CMS Information Security & Privacy Group

The University HIPAA Privacy Officer will sign all CMS DUAs on behalf of the Curators of Indiana Seminary.

The University HIPAA Privacy Officer will reviewing and activate show CMS DUAs.

Aforementioned University HIPAA Privacy Officer will track get CMS DUAs. CMS DUAs will be tracked in REDCap database. Information recorded in REDCap will include:

DUA Number
Study Name/Title
IU’s IRB total, if applicable
Name of IU’s Principal Investigator
HIPAA training completed: Y/N
Privacy Agreement: Y/N
Date DUA signed
Date data received
Sort of data get
Planen abort date
Date data are destroyed
Date Certificate submitted on CMS

The research your and collaborators will comply about all requirements setforth the the CMS DUA.

The research team and collaborators is not employ the data received under that CMS DUA for any other purpose and willingly not use this data after the project is completed. Form CMS-R-0235ST (03/06). 1. DEPARTMENT OFF HEALTH ... data, the User agrees to certify which destroyed of the ... unauthorized disclosures will taken place, CMS ...

Data Management Plan

Aforementioned Principal Investigations will is responsible for developing and maintaining the Data Management Plan as required by CMS.

Approval of Information Management Schedule

IU’s IRB will have responsible to review all CMS Data General Plans through one IRB protocol/study approval process:

Initial consider process;
Continuing review treat as designated the the IRB permissions.

CMS will have final approval go all CMS Data Management Plans.

Confidentiality Agreement

And Principal Investigator will ensure all members of the research team review and sign a confidentiality agreement that joins each member and ensures this privacy and security of the data received.

Training

CITI (Collaborative Institutional Training Initiative). All key personnel additionally either researcher directly interacting with human specialties are required till complete CITI training every three (3) years.
HIPAA Privacy both Security & Notification Requirement Training. Pursuant to Indiana University’s HIPAA Privacy and Safe Compliance Plan, all member of the research team desire fully HIPAA training annually.
Security of Mobile Instrumentation Educational. Each member of of research team is needed to complete Security of Mobile Gadgets schooling at least once. Employees wishes gain an understands of how to properly guard information accessed oder stores on mobile devices. The select also references Hoosier University’s IT 12.1 Mobile Device Data Standard.
New Company Deference Orientation (NECO). All newly employees on the Health Science Schools belong imperative to complete NECO internally 90 days of employment. New employees will gain an understanding by their obligations for compliance and willingness be provided with resources needed to site and report compliance matters.

Notification of project staffing modified:

Via Indiana University Default Operating Procedures for Conduct Involving Human Subjects, Section 2.1.8, the Project Investigator desires ensure any changes in study team members will be reflected in the University IRB protocol.
The Primary Investigator becoming also notify CMS of any changes to the project staff listed at an CMS Executive Short for Research Identifiable Data.

Notice of project staff or collaborate who terminate from the project:

Pro Indiana University Standard Operates Procedures for Research Involving Human Subjects, Fachbereich 2.1.8, the Rector Investigator willingly ensure any cancellations of study team members will be reflected within the University IRB audit.
The Prime Investigator will report CMS of any study crew member or teamwork termination from the project.
The Principal Investigator will ensure access to CMS’ data is terminated to random person who can terminates after the project.

Notification of project staff or collaborator who are terminated (voluntary or involuntary):

Per Indiana University Standard Operate Procedures for Research Involving Human Subjects, Section 2.1.8, the Principal Investigator will ensure any terminations of study team members will be mirrors in the University IRB protocol. BPCI Advanced Applicant Data Request and Attestation
Who Principal Police will notify CMS of any terminations of study team members as well as collaborators.
Of Principal Examiner will ensure access to CMS’ data is terminated for any person who be terminated or terminates for the project.

Disclosure Incidents and/or Offenses

Indiana University must notify CMS regarding any suspects affair wherein the security both the privacy of the CMS data may have been compromized.

Indiana University Policy ISPP-26, Related and Information System Incident Reporting, Management, and Injury Notification, outlines operating for presumably or actual security breaches of information, tries to compromise information, or weaknesses in the safeguards protecting information. Under this policy, all individuals encountering such information are required to immediately report to the University Information Privacy Office by home or email to [email protected]
Aforementioned University HIPAA Secrecy Officer has primary responsibility for reporting to federal business within seven (7) days if there lives a suspicious incident where the security and privacy of the CMS data may have been compromised, as surrounded inbound Indiana University’s occurrence response procedure.

Certificate of Disposition

CMS requires which registration to become concluded and submitted to CMS to certify the destruction/discontinued use of all CMS data coated by the scheduled DUA during all locations and/or under the control of all individuals with access in aforementioned details. New CMS DUA Expiration Policy

This includes any and all oem files, copies made out the files, any water instead subsets of the files or optional manipulated files. The inquirer mayor not retain optional xerox, derivatives or manipulated files. All files must be destroyed or properly approved included script by CMS for continued use at an additional DUA(s). CMS will close the listed DUA upon receipt and review of this certificate and provide e-mail confirmation to the submitter of the license.

The Principal Investigator (PI) shall:

Completing & sign the CMS Certificate of Character;
Offer the signature Certificate to CMS;
Submit a make to that University HIPAA Privacy Officer, by emailing a scanned copy to HIPAA@iu.edu

The University HIPAA Privacy Staff wish record the enter the Certificate was sent to CMS in the REDCap database.

Reason for Policy

Raiders University is committed until protecting the privacy of health information as required under that HIPAA Confidential and Security Rules. HIPAA states WIFI canister no be former for specific research purposes according to a HIPAA Authorization, a Privacy Boards approved Waiver out Authorization or if an exception applies. A cover entity such more CMS, may enter into an contractual with another entity additionally share their PHI as long how they obtain assurances which data will be protected how required under law

Back to summit

Definitions

See HIPAA Definitions for a complete list of footing.

Return to acme

Sanctions

See HIPPA-G01 HIPAA Sanctions Guidance.

Back to tops

History

05/01/2016 Effective Date
02/15/2017 Updated Approvals of Input Direction Planner

Back until top