Question:
Our research site is a subsidiary of a medical practice. The financial controller, who works for both the practice and the research site, wants to export data from our clinical trial management system (CTMS) to the computer server housed within the medical practice. The report will be used to monitor for insurance, Medicare/Medicaid fraud and abuse. The proposed report will include subject names, sponsor, and information about subject visits including dates and procedures performed. The financial controller is also requesting full access to the CTMS.
Answer:
We are assuming that the research site and the practice together form a single covered entity. Many physician practices have compliance programs in place to prevent erroneous or fraudulent insurance and Medicare/Medicaid claims, and this is acceptable. These programs may include monitoring and auditing of medical records as well as research records. In setting up this kind of financial compliance program, it will be important for the medical practice to address the concerns you raise about protecting your research subjects' data and protected health information (PHI).
The HIPAA Privacy Rule governs the use and disclosure of protected health information. Your medical practice will need to apply the minimum necessary standard: determine the smallest set of data elements the controller needs to carry out her compliance program, and limit the export (and her CTMS access) to that set rather than granting full access by default. Your practice should also review the HIPAA authorizations for medical care and for participation in research that your patients routinely sign, to ensure that they identify the classes of persons within your medical practice who may use the PHI, and that the financial controller falls within one of those classes.
The medical practice will also need to ensure that the program conforms with the HIPAA Security Rule, which sets out administrative, physical, and technical safeguards for protected health information held or transmitted in electronic form. The controller will have to follow all the measures your medical practice already has in place to protect and control access to data and protected health information. For example, she will need to follow office policies on using privacy screens, password protection, and logging off workstations. Because the report will be exported from the CTMS and stored on the practice's server, she should also consider encrypting the exported files, or at minimum password-protecting documents that contain protected health information, both while they are transferred and while they are at rest.