Procedure for Third-Party Vendors and Protected Health Information

Background:

The ability to use protected health information (PHI) in research supports clinical and translational research. The use of PHI carries special obligations for management of access in order to protect the rights and welfare of patients as delineated by the Health Insurance Portability and Accountability Act (“HIPAA”). UMass Memorial Health Care (“clinical system”) and the University of Massachusetts Medical School (“medical school”) have entered into a business associates agreement (BAA) that delineates the conditions under which the clinical system shares PHI with the medical school. Based on the agreement, while the medical school is not a Covered Entity, the medical school is a Business Associate and as such is required to protect clinical data in compliance with the HIPAA Security and Privacy rules. The clinical system will allow the medical school to enable access to PHI in order to further the mission of research as long as standard operating procedures are established and followed to ensure appropriate protection of the data. Additionally, no third party, unless they are part of the Clinical Data Repository (“CDR”) development project and have an established contract for CDR development work with the medical school, will have direct access to CDR or associated systems that store data.

Procedures:

Any Medical School researcher intending to use a third-party vendor for developing analytics or decision support systems that use clinical data or integrate with UMMHC clinical systems or the medical school’s Clinical Data Repository (CDR) needs to follow the guidelines below:

1. The PI of the study must have a current faculty appointment at the medical school.

2. The following documents must be sent to the medical school office of Data Sciences & Technology (DS&T) via clinicaldatportal@umassmed.edu.

a. A Statement of Work ("SOW") that includes the following:

  • Description of the project
  • Duration of engagement
  • Payment terms
  • Data Type (aggregate/identified/deidentified) requested
  • List of data categories requested
  • Proposed technological infrastructure
  • Process workflows
  • Access requirements
  • Data encryption and transmission protocols proposed by the vendor
  • Data handling mechanisms

b. In addition, to be included in the SOW or associated documentation:

  • Data releases and data retention policies by the vendor
  • Description of all third party hosting and access platforms, including specific geographical locations
  • Third-party information security and privacy review (SSAE16, HITRUST certification, HIPAA review, etc.)

3. DS&T will provide these documents to the UMMS IT Security and Compliance Office for security review. These documents must also be provided to and reviewed by the school’s Office of General Counsel for contractual review and by the Privacy Officer for a privacy review.

Upon successful completion of contractual and privacy and security reviews, the school’s Office of General Counsel will establish a contractual agreement with the vendor, which may involve a BAA and data use agreement as deemed necessary.

4. Prior to the release of PHI, the medical school’s Institutional Review Board (IRB) approval must be obtained and the protocol must outline details regarding categories of data requested, data handling mechanisms and data retention policies by the vendor. The previous steps within this SOP will be completed before submission to the IRB. The PI should submit documentation associated with this SOP as part of their IRB submission.

5. Once the above conditions are met, go to the Clinical Data Portal and complete the data request form.

6. Required data will be extracted either manually by DS&T staff or by automated processing. DS&T will send the data to the vendor systems through secure and medical school approved mechanisms. Identifiable information will be sent in adherence to security guidelines set forth by the UMMS IT Security and Compliance Office.

7. DS&T will maintain a log of data releases and ensure that a Confidentiality Agreement is complete before access is provided.

Information Security Procedure:

1. For all vendors providing services requiring access to protected health information and/or confidential information, UMMS will request the most recent SSAE16/SOC2 and/or third-party application assessment.

Data Sciences and Technology will provide the Information Security Office the following vendor information:

a. Vendor Name

b. Vendor Address/Contact Information (phone & email address)

c. Application Name

d. Any SSAE16, 3rd party application assessment and/or HIPAA risk assessment (completed by 3rd party or internally)

2. Information Security will document any findings and recommendations resulting from the document review in the standard risk assessment template. Upon completion, Information Security will provide the completed assessment to the PI, DS&T and the IRB.

a. High risk findings are expected to be closed within 30 days of the finding being identified.

b. Moderate findings are expected to be closed within 90 days of the finding being identified.

c. Low risk findings are expected to be closed within 6 months of the finding being identified and are of an informational nature.

3. On an annual basis DS&T will send a standard memo to each vendor requesting the most recent SSAE16 and/or third party application assessment and make this report available to Information Security.