![]() ![]() BU Student Health Services (records are protected under FERPA).The following BU components have some health information, and may provide clinical services, but have not been designated as HIPAA Covered Components by BU therefore, BU researchers using data from these sources will not have HIPAA obligations: These sources of data are not covered by HIPAA BU components not covered by HIPAA If a physician’s office releases PHI to researchers at the Danielsen Institute, that research remains PHI because both the physician’s office and the Danielsen Institute are HIPAA Covered Entities.If BMC discloses PHI to a researcher at the BU School of Medicine or School of Public Health, it is Restricted Use Data under BU policy, but is not PHI.However, once released to researchers outside the Covered Entity, the data will be subject to HIPAA only if it is disclosed to another Covered Entity. ![]() Other health care providers participating in the BMC Health NetworkĬovered Entities will require either a patient Authorization or a waiver of Authorization to release their PHI to a BU researcher. ![]() Any medical practice belonging to the Boston University Medical Group.This Policy does not attempt to list all non-BU entities that are Covered Entities, but commonly encountered Covered Entities external to BU include: Research by the workforce members of any of these components using patient data from that component likely is subject to HIPAA. BU Rehabilitation Services, including the Physical Therapy Center and the Neuro-Rehab Center.Note that each Covered Component is considered to be a separate entity from each other Covered Component. These sources of data are covered by HIPAAīelow are examples of BU and external sources of research information that are, and others that are not, Covered Entities/Components. Researchers must follow all IT policies related to Restricted Use Data in either event. Whether human subjects research data is PHI covered by HIPAA or not, if it is possible to identify any subject, then it will be considered Restricted Use Data under BU’s Data Classification Policy. Researcher Obligations Under HIPAA and BU Policy to Secure Human Subjects Data Access to PHI: If you wish to access PHI from a HIPAA covered entity, see the section below on Access.If it is an electronic information security matter (such as a hacking, lost unencrypted laptop, or other information security incident, you must also immediately alert If it is PHI, you must also inform the HIPAA privacy and security officers at Consequences of HIPAA Breach: If the data is subject to HIPAA and is breached, the BU HIPAA Privacy Officer and Security Officer will need to notify the patients whose data was breached, and the federal department of Health and Human Services, and if over 500 persons are affected, the media. Reporting a Potential Breach: If your research data is lost, or disclosed in an unauthorized manner, or used in an unauthorized manner, you must tell the IRB.PHI under HIPAA is subject to additional safeguards by IT such as audits and other security measures there is nothing you need to do about that. You can find BU’s standards for protecting Restricted Use data here. Restricted Use data is the most sensitive form of data, and it applies to both PHI and any identifiable health information-even if it is not HIPAA covered. Safeguarding Data: The classification of the data under BU’s Data Classification Guide tells you what safeguards you need to make sure are in place at all times during your research.How research data is classified matters in the following ways: PHI is individually identifiable health information created or received by a Covered Entity/Component. HIPAA is a federal privacy law that protects Protected Health Information (PHI). Find your Department and Research Administrators.Information Systems and Web-Based Applications.Research Occupational Health Program (ROHP).Responsible Conduct of Research Training.PAFO Onboarding Pack for Department Administrators. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |