Third Parties and PHI Standard Operating Procedure
Accountability Act (HIPAA). UMass Memorial Health Care and the UMass Chan Medical School have entered into a Business Associate Agreement (BAA) that delineates the conditions under which the clinical system shares PHI with the medical school. Under that agreement the medical school is not a Covered Entity but is a Business Associate, and as such it is required to protect the clinical data in compliance with the HIPAA Security and Privacy Rules.
The clinical system will allow the medical school to enable access to PHI in order to further the mission of research, provided that standard operating procedures are established and followed to ensure appropriate protection of the data. Additionally, no third party will have direct access to the UMass Chan Data Lake or to the associated systems that store its data unless that party is part of the UMass Chan Data Lake development project and has an established contract with the medical school for UMass Chan Data Lake development work.
3rd Party Process Steps
I. The PI of the study must have a current faculty appointment at the medical school.
II. The following documents must be sent to the assigned contact at the medical school Research Informatics Core.
a. A Statement of Work (SOW) that includes the following:
1. Description of the project
2. Duration of engagement
3. Payment terms
4. Data Type (aggregate/identified/de-identified) requested
5. List of data categories requested
6. Proposed technological infrastructure
7. Process workflows
8. Access requirements
9. Data encryption and transmission protocols proposed by the vendor
10. Data handling mechanisms
b. In addition, to be included in the SOW or associated documentation:
1. Data releases and data retention policies by the vendor
2. Description of all third party hosting and access platforms, including specific geographical locations
3. Third-party information security and privacy review (e.g. SSAE 16 / SOC 2 report, HITRUST certification, HIPAA review)
III. The Research Informatics Core will provide these documents to the UMass Chan IT Security and Compliance Office for security review. The documents must also be provided to and reviewed by the school's Office of General Counsel for contractual review and by the Privacy Officer for a privacy review.
Upon successful completion of the contractual, privacy and security reviews, the school's Office of General Counsel will establish a contractual agreement with the vendor, which may include a BAA and/or a data use agreement as deemed necessary.
IV. Prior to the release of PHI, the medical school's Institutional Review Board (IRB) approval must be obtained, and the protocol must outline the categories of data requested, the data handling mechanisms, and the vendor's data retention policies. The previous steps within this SOP must be completed before submission to the IRB, and the PI should submit the documentation associated with this SOP as part of the IRB submission.
V. Once the above conditions are met, go to the Research Informatics Website and complete the data request form.
VI. The required data will be extracted either manually by Research Informatics Core staff or by automated processing. Research Informatics Core staff will send the data to the vendor systems only through secure, medical school-approved transfer mechanisms. Identifiable information will be sent in adherence to the security guidelines set forth by the UMass Chan IT Security and Compliance Office.
VII. The Research Informatics Core will maintain a log of all data releases and will ensure that a Confidentiality Agreement has been completed before access is provided.