Rebecca Hulea, MS, JD
Director of Regulatory Compliance, UMHS Compliance Office
Education Series, 101: Data Management

Objectives:
- Understand data management principles with a law and policy mindset.
- Understand your role in data management compliance in daily research activities.
- Identify steps you can take to assure compliance with law and policy.

Why it matters:
The DHHS entered HIPAA settlements totaling nearly $2 million with two covered entities that reported relatively small breaches involving PHI on stolen unencrypted laptop computers.

2013 & 2014 (two unrelated incidents) at UMHS:
- A researcher downloaded PHI to a personal unencrypted laptop while part of the research team and stored the data on the laptop after employment ended, when the researcher was no longer a collaborator on the study. The laptop was stolen. 384 patients/research subjects notified.
- A research coordinator sent a mass e-mail containing PHI to all research subjects, with the e-mail addresses viewable by all recipients. 85 and 63 patients/subjects notified, respectively.

Health Insurance Portability and Accountability Act: Each Word has Significance
- Health Insurance: simplify the administration of health insurance.
- Portability: improve availability and continuity of health insurance coverage in the group and individual markets; combat waste, fraud, and abuse in health insurance and health care delivery; promote the use of medical savings accounts; improve access to long-term care services and coverage.
- Accountability: appropriately protect and secure health information, meaning "individually identifiable health information" created, held or transmitted by UMHS in any form or media (electronic, paper, or oral).

Privacy Rule:
The Privacy Rule permits UMHS to disclose patient PHI for research under certain circumstances. Getting past the PHI privacy barrier requires:
- UM IRB approval for the project & data.
- Patient gives his or her permission to use certain data.
- IRB-approved HIPAA Waiver of Authorization required.
- Minimum necessary only.
- De-identify to the extent possible (stripped of all direct & indirect identifiers).
- Research justification for PHI.
- Research ≠ TPO (treatment, payment, or health care operations).
- Data Use Agreement is in place.
- Data Management Plan is in place identifying how the study team will address data privacy & security protections through the life cycle of the project.

Privacy & Security Protection Considerations:
- No matter where the sensitive data is stored, it must be secured, it must be protected, and it must be available.
- HIPAA requires the strongest encryption methods.
- ALWAYS CONSULT IT SERVICES (MCIT OR MSIS).

All HIPAA violations are PRESUMED a "BREACH":
All HIPAA incidents must be analyzed by the UMHS Compliance Office using a 4-prong test to overcome the presumption of a breach. Documentation is retained for 6 years. (Do NOT do this analysis yourself!)
1. Nature and extent of the information involved, including the types of identifiers and the risk of re-identification
2. The unauthorized person who used the PHI or to whom it was disclosed
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated
Your Role: Report all actual and suspected HIPAA privacy or information security violations!

Project Planning:
- Know data elements.
- Know data source (incoming/outgoing).
- Define user roles.
- Understand privacy & security requirements.
- Engage IT early in the discussions; budgets should include the cost of long-term storage and security.
- Budget for privacy & security costs through the data life cycle.
- Obtain Data Use Agreements.
- Understand that UM is the data owner.
- Ask questions.

Project Phase:
- Know who has your data at all times.
- Monitor the data security environment periodically.
- Minimize improper disclosures: secure data.
- Follow Minimum Necessary principles.
- Monitor & track PHI use (incoming/outgoing).
- Minimize risk to the institution: account for all PHI disclosures (applies if PHI was obtained via a HIPAA Waiver).
- Amend the IRB application EARLY when investigators plan to leave the project or the institution.
- Store data in a HIPAA-compliant environment.
- Obtain a signed DUA from external collaborators' institution.
- Report suspected security & privacy concerns to the UMHS Compliance Office.
- Ask questions.

Project Wrap-Up:
- Know who has your data.
- Monitor the data security environment periodically throughout the storage period.
- Destroy data if it is no longer needed.
- If data was shared externally, obtain certification of external collaborators' data destruction.
- Engage IT for long-term data storage options; budgets should have included costs for long-term storage and security.
- Retrieve data from departing investigators.
- Report suspected security & privacy concerns to the IRB & UMHS Compliance Office.
- Ask questions.

Compliance is a Partnership, Together We Make it Work.
Questions? Thank You!
Contact the Compliance Office
Phone: 734-615-4400
Email: Compliance-group@med.umich.edu
Website: http://med.umich.edu/u/compliance/index.htm
Hot Line or Web Form Submission (Anonymous): (866) 990-0111 or http://www.tnwinc.con/WebReport/