Who should use this document: This document is for human subjects researchers conducting health related research with a study team that includes individuals appointed or enrolled both inside and outside the UW-Madison Health Care Component (HCC).
When it should be used: This document should be used prior to making any arrangements/plans to receive or use protected health information (e.g. submitting an IRB protocol, entering into a contract/agreement to receive protected health information).
Introduction to UW-Madison’s Health Care Component (HCC)
UW-Madison is a hybrid covered entity under the HIPAA regulations, which means that only some parts of the organization are subject to HIPAA. Those parts are known as the Health Care Component (HCC) and are defined in policy. The HCC consists mostly of staff employed/appointed by the units listed in the HCC policy.
UW-Madison is also part of an Affiliated Covered Entity (ACE) with UW Health. This arrangement can facilitate data sharing in some cases with the components of the UW HCC that are part of the ACE. But UW-Madison and UW Health are still separate organizations.
Protected health information (PHI) subject to HIPAA should generally only be used by individuals appointed and/or enrolled in an HCC unit. PHI is health information that contains one or more of the HIPAA identifiers and that is maintained by, or came from, a covered entity subject to the HIPAA regulations. PHI can come from a medical record or be provided directly by subjects.
In some circumstances, it may be possible for individuals employed/appointed outside the HCC to work with PHI, but additional steps must be taken in these cases. This document outlines the HIPAA privacy and security steps that must be taken to allow individuals not employed/appointed by the HCC to work with PHI. These steps are needed to ensure that PHI is being handled appropriately and in compliance with the law and regulations.
Collaboration between HCC and faculty, staff, or students temporarily brought into HCC
Individuals not employed/appointed[1] by the HCC are temporarily brought into the HCC when they are collaborating with someone employed/appointed by the HCC on a human subjects research protocol. Being temporarily brought into the HCC provides the basis for those individuals to access PHI that is subject to the HIPAA regulations.
Working with HIPAA-protected information is complex. Study teams with one or more members who are temporarily brought into the HCC must take the additional steps below, and the staff employed/appointed by the HCC must be in a position to provide the resources needed to carry them out.
[1] For the purposes of this document, non-appointment relationships (such as joint governance, joint departmental, emeritus, and other affiliations) inside the HCC do not make an individual part of the HCC.
Step 1: Training for Researchers Temporarily Brought into HCC
All researchers using UW-Madison PHI must complete the most recent version of UW-Madison’s HIPAA Privacy and Security Training before they can access PHI.
Study team members inside the HCC are responsible for ensuring that collaborators employed/appointed outside the HCC complete the training before they are added to the IRB protocol or exposed to PHI in activities preparatory to research. Training completion can be verified using the VCR Training Information Lookup Tool. Compliance staff also perform checks to confirm that training has been completed.
Study team members with appointments inside the HCC are automatically enrolled in the training upon hire and then on an annual basis (new training is released each Fall). However, study team members who are temporarily part of the HCC must self-enroll in the training and complete it annually for the duration of their study involvement.
Step 2: Cybersecurity
The HIPAA Security Rule requires administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI. In practice, this means that all software/tools and devices used with PHI must be vetted by campus cybersecurity staff to confirm that the Security Rule's requirements have been met.
Software/tools:
For those individuals appointed or enrolled outside of the HCC, the most efficient way forward from a cybersecurity perspective is to only utilize tools from the Approved Tools list for storing and transferring PHI. All tools listed on the Approved Tools list have gone through a cybersecurity risk assessment and do not require further review. For the items on this list that are under the “Use with Caution” section, please reach out to the HCC collaborator’s HIPAA Security Coordinator for guidance.
Any additional technology or tools that are needed and are not on the Approved Tools list should be endorsed by the HCC unit in consultation with the applicable HIPAA Security Coordinator. If the technology or tools have not had a cybersecurity risk assessment completed, one is required under UW-503 Cybersecurity Risk Management. It may also be necessary to enter into a Business Associate Agreement (BAA) with the tool's vendor; the BAA provides the legal basis for the vendor to receive, maintain, or transmit our PHI on the university's behalf. Please note that choosing technology or tools not on the Approved Tools list will make the process longer.
To submit a request for a cybersecurity risk assessment, a questionnaire will need to be completed and submitted in OneTrust. The cybersecurity risk assessment request must be submitted by a study team member in the HCC to ensure the HCC collaborator’s HIPAA Security Coordinator is consulted as part of the cybersecurity risk assessment process. Please work with the HCC collaborator’s HIPAA Security Coordinator for any questions. Approval from the appropriate Risk Executive is required prior to use of technology or tools that are not on the Approved Tools list. This is part of the standard cybersecurity risk assessment process.
If there are additional cybersecurity questions from HCC or Non-HCC study team members, please contact the applicable HCC HIPAA Security Coordinator or contact the HIPAA Security Officer.
Devices:
All computers/endpoints must comply with UW-526 Endpoint Management and Security and the Endpoint Management and Security Policy Standards. This means that non-HCC collaborators need to either obtain a device for use in the study from the HCC unit they are collaborating with, or obtain validation (see below) of the device issued to them by their UW-Madison department.
As detailed in the “Obtaining access to electronic PHI” section, a device from the collaborating HCC unit is required to access UW Health systems and the study team members inside the HCC are responsible for negotiating access to these devices for their non-HCC collaborators.
If access to UW Health systems is not required, individuals appointed or enrolled outside of the HCC will need to inform their local IT that they will be collaborating with someone in the HCC and need validation of their device. Local IT staff may then need to update the device to ensure compliance with HIPAA’s security requirements. Validation of this work by the HCC collaborator’s HIPAA Security Coordinator is then needed. Personal devices should not be used, and it is expected that local IT staff are continuing to monitor the device for compliance with UW-526 Endpoint Management and Security and Endpoint Management and Security Policy Standards. Please work with the HCC collaborator’s HIPAA Security Coordinator for any questions.
Step 3: Recruiting patients
Initial contact of patients by letter, phone, or in-person should come from someone who, by virtue of their position, patients would reasonably expect to have access to their health information (i.e., NOT a research lab or study team members with appointments outside the HCC).
Letters should be on the letterhead of an entity patients would reasonably expect to have access to their health information (e.g., a clinical department or health care entity, such as UW Health). Patients in a private clinic room or hospital room should first be approached by someone who is part of the care team or an administrator who is part of the clinic or department in which the study is being conducted.
See the IRB’s Clinical Recruitment Guidelines for additional information on the application of HIPAA in these circumstances.
Step 4: Obtaining access to clinical spaces
Research requiring access to any space at UW Health regardless of facility must go through the UW Health/UW SMPH Research Operations Committee (UROC) for feasibility and operational assessment and submit a 3.11 form for requesting space and clinical resources. All research at UW Health facilities must comply with IRB requirements and UW Health research policies including UW Health Research policy 4.24.
It is incumbent on the sponsoring individual within the HCC to ensure that all UW Health policies are followed while individuals outside the HCC are working within UW Health.
Step 5: Obtaining access to electronic PHI from Health Link
If your study requires access to health information from the UW Health medical record – known as Health Link – the first step is to consult with the Clinical Research Data Services (CRDS) team to determine if they can pull this data for you. This is frequently the most efficient and compliant way to obtain data from Health Link. The CRDS team is able to pull discrete data elements for recruitment or data analysis and deliver them directly to the study team.
If CRDS has been consulted and is unable to meet the study team’s needs, study team members with existing Health Link access should utilize their access for the study.
If CRDS is unable to assist and relying on study team members with existing access is not sufficient, then it may be possible for the non-HCC study team members to obtain Health Link access. This is most commonly the case when Research Coordinator access is needed in Health Link, so study team members can enter research related documentation and orders, comply with research billing requirements, or use certain recruitment tools.
Obtaining Health Link access for study team members who are temporarily part of the HCC requires significant support from the HCC department that they are collaborating with. The collaborating department inside the HCC must provide the non-HCC study team members with a device that the collaborating HCC department manages along with submitting and approving the Health Link request on behalf of the study team members who are temporarily brought into the HCC. Additional information on the compliance requirements that must be met prior to obtaining Health Link access and the request process itself are detailed in these instructions. Determinations regarding Health Link access for non-HCC study team members may be made after consultation with UW Health’s Privacy Officer. Consultation with UW Health’s Privacy Officer is required for HCC departments that would like to offer Health Link access to a non-HCC study team member if the HCC department does not have a full time HIPAA Privacy Coordinator.
Step 6: Validation of de-identification, data classification, and further sharing of study data
The HIPAA regulations only apply to information that meets the regulatory definition of PHI. Health information from which all eighteen HIPAA identifiers have been removed is no longer PHI subject to the HIPAA regulations (even if it is maintained by or originated with a HIPAA covered entity). De-identification of PHI (whether it was collected directly from subjects, extracted from Health Link, or obtained under a contract) can be nuanced, and staff employed by the HCC must always be involved in this process.
Additionally, campus HIPAA policy requires that everyone obtain validation of de-identification from specific individuals in certain cases, as described below. The individuals able to perform this validation are the HIPAA privacy officer, a HIPAA privacy coordinator, and the School of Medicine and Public Health's honest broker. Datasets that must be validated as de-identified include those that contain information from 500 or more individuals, were collected pursuant to a full waiver of HIPAA's authorization requirement, are about a sensitive or stigmatizing topic, and/or were machine-generated (e.g., CT, MRI, EEG, ultrasound, or photographic or video image files).
Before sharing a dataset beyond your study team, it is crucial to obtain validation that it is de-identified or, if it is identifiable, to determine whether it is a limited dataset of PHI (i.e., the only identifiers are dates and geographic information no more specific than a five-digit zip code) or PHI beyond a limited dataset. The steps needed to share individual-level data outside of UW-Madison vary based on this classification. Review the steps outlined in this guidance document before sharing any individual-level data outside of the study team, as agreements are required to share data.