2016 IQPC 13th Laboratory Informatics Summit Preparing for Possibly, Maybe, Handling PHI at the Broad Institute

1. Preparing for Possibly, Maybe,
Handling PHI at the Broad Institute
IQPC 13th Laboratory Informatics Summit
Boston, MA
2016/12/06, v3

2. About the Speaker
Bruce Kozuma is a projectprogram manager in
the Broad Information Technology Services (BITS)
department with experience in software
development, operations, and IT in industries
such as manufacturing, telecommunications,
biotechnology, and biomedical research

3. Overview
• Title of this presentation was originally “Preparing
Laboratory Data at the Broad Institute for HIPAA
Compliance”
• It’s morphed, much like things at the Broad
• If you were expecting to hear about a settled plan, I’m sorry
to disappoint you
• The presentation may still be interesting however (you can
tell me at the break if you like)

4. About the Broad Institute of MIT & Harvard
• Propelling the
understanding and
treatment of disease
• Collaborating deeply
• Reaching globally
• Empowering scientists
• Building partnerships
• Sharing data and
knowledge
• Promoting inclusion

5. HIPAA and Laboratory Data at the Broad
• Broad is NOT Covered Entity nor a Business Associate
under HIPAA
• However, we collaborate with places that handle PHI, like
HMS, MGH, DFCI, BCH, just to name a few
• There is a big push for translational medicine, including at
the Broad, i.e., a push for both bringing clinical data into
research and delivering therapies more quickly
• Have a variety of laboratory data management solutions
due to:
• Legacy
• Funding sources
• Culture

6. Towards a Common Solution
Laboratory Data Management
• Project to provide centrally-managed solutions for
management of laboratory data, divided into functions:
• Data capturearchive (instruments and other sources)
• Container inventoryregistration (chemical,
biological, hybrid)sample management
• Core Electronic Laboratory Notebook (ELN, experiment
documentationIP protectionlinking to data)
• Dataworkflow management
• Data analysisvisualization

7. Context for LDM

8. • Make using LDM easy for scientists
• Have much of IT processes outside user’s daily work
• Introduce light system controls
• Slowly bring in compliance to enable science
• Had early success identifying those with needs, with
adoption, started down the compliance path
The Plan

9. • Make using LDM easy for scientists
• Have much of IT processes outside user’s daily work
• Introduce light system controls
• Slowly bring in compliance to enable science
• Had early success identifying those with needs, with
adoption, started down the compliance path
The Plan

10. LDM Compliance Assessment
• Started as a subset of the overall LDM project
• Goals
• Determine the regulations that most likely apply that relate to LDM,
e.g., HIPAA, CLIA, GxP, FISMA
• Establish baseline understanding of the Broad’s system
management practices with respect to LDM with those regulations
• Have a roadmap for improvement, with aim of being substantially
audit-ready at some point (likely a few years) in the future
• Do as much of the compliance work with as little impact on the
LDM user community as possible

11. Best Laid Plans of Mice and Men…

12. So What Now?
• Results is that the need to handle PHI at the Broad, not in
a few years in the future, but now
• Why?
• Researchers are often working at multiple institutions, e.g., HMS,
MGH, and the Broad
• PHI being handled at the partner institutions, resulting in barriers
to research
• Want to enable researchers to have more focus on their research,
and less on information technology and mechanics of meeting IRB
requirements
• Want researchers to do more of their research at the Broad
• Broad is challenged by having early stage offerings for
technical infrastructure and procedural controls for PHI

13. Practical Immediate Steps
• Ensure PIs are aware of the PHI-related risks they face
and explicitly accept those risks
• Encourage PIs to use resources of collaborators to handle
PHI (e.g., if DFCI has a preferred secure email vendor, use
theirs)
• Document what PIs can do with PHI at the Broad

14. Practical Immediate Steps
• Ensure PIs are aware of the PHI-related risks they face
and explicitly accept those risks
• Encourage PIs to use resources of collaborators to handle
PHI (e.g., if DFCI has a preferred secure email vendor, use
theirs)
• Document what PIs can do with PHI at the Broad

15. Longer Terms Steps
• Build on the work of the LDM Compliance Assessment
project/recast it as the PHI Compliance Readiness project
• Implement quality management framework for handling PHI
• Refine risk assessment methodology for outsourced partners
• Execute on plan to address prioritized HIPAA compliance gaps

16. Longer Terms Steps
• Propose projectsbudgets for technology and process
solutions to offer more services to PIs to streamline their
research by bringing PHI to the Broad
• Implement plan to proactively manage risks, e.g.:
• Implement necessary policies
• Raise awareness of responsibilities
and risks via training
• Establish clear response matrices to
guide people to answers

17. Things Learned Along the Way
• <>
• Embrace agility and get something out there

18. Things Learned Along the Way
• Hire outside expertise to parse Federal regulations

19. Things Learned Along the Way
• Partner with technology vendors who take time to listen
and understand your needs
• Responsive, proactive management makes a lot of things
possible
• Remember that the Broad pushes the edge of possible
• Compliance approach will remain unfinished because the Broad is
not done reinventing itself
• Engaging with the world of regulatory compliance, when the Broad
chooses what boundaries to push, makes things challenging
• Our solution (for now): enter into a continual compliance
conversation, where we can choose what parts of research are
done, by which party, where what capabilities the Broad offers or
should offer is considered