Office of Human Research
SOP No.: 901 SAFEGUARDING PROTECTED HEALTH INFORMATION
Author: Office of Human Research
Effective Date: October 1, 2007
Supersedes document dated: N/A
Last Reviewed on: N/A
Results of Review: N/A
This SOP pertains to: All personnel involved in FDA regulated human subject research, to ensure the confidentiality of subject protected health information (PHI) and that access to such information is limited to authorized research staff for approved purposes only.
Responsibility for executing this SOP: Investigator and Designated Research Personnel
Approved By:
J. Bruce Smith, MD
Associate Vice President for Research
(signature on file at OHR)
Approved By:
Steven E. McKenzie, MD, Ph.D.
Vice President for Research
(signature on file at OHR)
1. INTRODUCTION AND PURPOSE
This standard operating procedure (SOP) describes the steps taken to ensure that subject protected health information (PHI) is kept confidential and access to such information is limited to authorized research staff for approved purposes only. Access to confidential information should only be permitted for direct subject management, administrative oversight, or with Institutional Board approval. Maintaining high standards of conduct with respect for the privacy of individuals and the confidentiality of information is essential for all personnel involved with the conduct of clinical research.
2. SCOPE
This SOP applies to all staff, employees, students, consultants, monitors and others at the TJU research site, who are to maintain high standards of conduct with respect for the privacy of individuals and the confidentiality of information, both during the hours they are performing their professional and work-related activities and outside their work-related activities.
3. APPLICABLE REGULATIONS AND GUIDELINES
45 CFR Parts 160, 162 and 164
4. REFERENCES TO OTHER APPLICABLE SOPs
GA-102 Responsibilities of the Research Team
GA-103 Training and Education
PM-301 Site-Sponsor/CRO Communications
PM-303 Regulatory Files and Subject Records
DM-501 Data Management
5. ATTACHMENTS
A. Guidelines for Safeguarding Protected Health Information
B. Fax and E-mail Transmission Procedure
6. RESPONSIBILITY
This SOP applies to those members of the clinical research team involved in conducting or overseeing clinical trials at TJU. This includes the following:
- Principal investigator
- Subinvestigator
- Research nurse/coordinator
- Data manager
- Jeff-IT
- Study pharmacist
- Monitor
- Support staff
7. DEFINITIONS AND GLOSSARY
Case Report Form (CRF): A printed, optical, or electronic document designed to record all of the protocol-required information to be reported to the sponsor on each trial subject.
Confidentiality: Prevention of disclosure, to other than authorized individuals, of a sponsor’s proprietary information or of a subject’s identity.
Direct Access: Permission to examine, analyze, verify, and reproduce any records and reports that are important to evaluation of a clinical trial. Any party (e.g., domestic and foreign regulatory authorities, sponsors, monitors, and auditors) with direct access should take all reasonable precautions within the constraints of the applicable regulatory requirement(s) to maintain the confidentiality of subjects’ identities and sponsor’s proprietary information.
electronic Protected Health Information (ePHI): Information that is transmitted by electronic media or maintained in any electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card.
Integrity: The property that data or information have not been altered or destroyed in an unauthorized manner.
Protected Health Information: Information that is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual; or when there is a reasonable basis to believe the information can be used to identify the individual. (Under HIPAA regulations at 45 CFR 164, PHI (Protected Health Information) also includes: Individually identifiable health information that is: (i) Transmitted by electronic media; (ii) Maintained in any medium described in the definition of electronic media at §162.103, or (iii) Transmitted or maintained in any other form or medium.)
8. PROCESS OVERVIEW
A. Oral and phone communication
B. Computer access and security
C. Electronic communication
D. Documents and written communication
E. Transporting of confidential information
9. PROCEDURES
A. Oral and phone communication
All research team members:
Oral communications between investigators and research staff and other health care providers, whether in person or by phone, are essential to effectively manage subjects while on study. (Attachment A, Guidelines for Safeguarding Protected Health Information.)
- Ensure that discussions regarding the treatment of individuals take place in areas that are not public and where others cannot overhear confidential information and identifiers.
- Ensure that staff and employees do not discuss subjects in public areas, such as elevators, waiting rooms, cafeterias, and hallways.
- Names and unique descriptions of individuals should not be discussed except in areas where privacy is maintained, such as a private office or treatment room.
PI, Research nurse/coordinator, Support staff:
- When a PI/research coordinator talks with a subject in a semi-private area, such as a hospital or clinic room, emergency room, or other areas where absolute privacy cannot occur, conversations should take place behind curtains or in a partitioned area.
- When it is impossible to ensure absolute privacy, staff and employees must make every effort to remove themselves from the area, when possible, and to keep anything overheard confidential.
- Ensure that PHI is not discussed on a cell phone except in an emergency. If subjects' PHI must be discussed via cell phone, it will be done in a private area (parked car, office, etc.).
B. Computer, portable and remote device access and security
Jeff-IT, PI, Research manager:
- Ensure that each user is allowed access only to the information necessary for each unique encounter.
- Ensure that devices and tools containing ePHI, including laptops, personal digital assistants (PDAs) and smart phones, USB flash drives and memory cards, floppy disks, CDs, DVDs, backup media, etc., are controlled through device and tool inventory control systems (e.g., logs).
- Log-on password protection applications are applied to the above-noted devices and tools containing ePHI, where applicable.
- Ensure that session termination (time-out) controls are in place on inactive portable or remote devices.
- Password protect files containing ePHI on desktops and portable or remote devices.
- Ensure backup of all ePHI entered into remote systems.
- Limit and control direct access to the PHI that resides on the site's computer system(s).
- Locate workstations in areas of limited public access, except when necessary to provide care.
- Maintain access lists and password assignments.
Research nurse/coordinator:
- Determine access level prior to allowing individual access to PHI. Base these determinations on minimum necessary access.
- Instruct users regarding password assignment and use, and logging on and off procedures.
C. Electronic communication
PI, Research nurse/coordinator:
Ensure that each member of the research team is aware of and adheres to requirements for safeguarding PHI via:
- E-mail – Do not transmit PHI unless individuals request such transmission in writing, or such information is protected via encryption software.
- Fax – Care shall be taken when documents containing PHI are transmitted via fax. (Attachment B, Fax and E-mail Transmission Procedure.)
Research nurse/coordinator, Support staff, Jeff-IT:
- Intranet, internet – Prohibit transmission of ePHI via open networks, such as the internet, where appropriate.
- Install and monitor encryption procedures or other security software and update regularly.
Research nurse/coordinator, Support staff:
- Monitor the fax logs and e-mail transmissions regularly. (Attachment C, Fax Log.)
D. Documents and written communication
PI, Research nurse/coordinator:
- Handle all PHI in written form in a manner that respects the privacy of the individual and the confidentiality of information.
- Ensure that staff do not carry, transport, use, or share written information in a careless manner.
- Share case report forms, documents, test results, notes, and any other written information about a subject only with other staff members who have a need to see such information as part of their duties.
- Ensure that written information is not held in public areas, not taken off premises and not handled in a manner that allows unauthorized access.
E. Transporting of confidential data
PI, Research nurse/coordinator:
- Transport confidential documents by authorized staff only, using secure methods.
- Remind individuals transporting confidential information of their responsibility for the security of such information until it arrives at another secure location.

