2016 IQPC 13th Laboratory Informatics Summit Preparing for Possibly, Maybe, Handling PHI at the Broad Institute
1. Preparing for Possibly, Maybe,
Handling PHI at the Broad Institute
IQPC 13th Laboratory Informatics Summit
Boston, MA
2016/12/06, v3
2. About the Speaker
Bruce Kozuma is a project/program manager in
the Broad Information Technology Services (BITS)
department with experience in software
development, operations, and IT in industries
such as manufacturing, telecommunications,
biotechnology, and biomedical research
3. Overview
• Title of this presentation was originally “Preparing
Laboratory Data at the Broad Institute for HIPAA
Compliance”
• It’s morphed, much like things at the Broad
• If you were expecting to hear about a settled plan, I’m sorry
to disappoint you
• The presentation may still be interesting however (you can
tell me at the break if you like)
4. About the Broad Institute of MIT & Harvard
• Propelling the
understanding and
treatment of disease
• Collaborating deeply
• Reaching globally
• Empowering scientists
• Building partnerships
• Sharing data and
knowledge
• Promoting inclusion
5. HIPAA and Laboratory Data at the Broad
• Broad is NOT a Covered Entity nor a Business Associate
under HIPAA
• However, we collaborate with places that handle PHI, like
HMS, MGH, DFCI, BCH, just to name a few
• There is a big push for translational medicine, including at
the Broad, i.e., a push for both bringing clinical data into
research and delivering therapies more quickly
• Have a variety of laboratory data management solutions
due to:
• Legacy
• Funding sources
• Culture
6. Towards a Common Solution
Laboratory Data Management
• Project to provide centrally-managed solutions for
management of laboratory data, divided into functions:
• Data capture/archive (instruments and other sources)
• Container inventory/registration (chemical,
biological, hybrid)/sample management
• Core Electronic Laboratory Notebook (ELN, experiment
documentation/IP protection/linking to data)
• Data/workflow management
• Data analysis/visualization
8. The Plan
• Make using LDM easy for scientists
• Have much of IT processes outside user’s daily work
• Introduce light system controls
• Slowly bring in compliance to enable science
• Had early success identifying those with needs, with
adoption, started down the compliance path
10. LDM Compliance Assessment
• Started as a subset of the overall LDM project
• Goals
• Determine the regulations that most likely apply that relate to LDM,
e.g., HIPAA, CLIA, GxP, FISMA
• Establish baseline understanding of the Broad’s system
management practices with respect to LDM with those regulations
• Have a roadmap for improvement, with aim of being substantially
audit-ready at some point (likely a few years) in the future
• Do as much of the compliance work with as little impact on the
LDM user community as possible
12. So What Now?
• Result is that there is a need to handle PHI at the Broad, not
a few years in the future, but now
• Why?
• Researchers are often working at multiple institutions, e.g., HMS,
MGH, and the Broad
• PHI being handled at the partner institutions, resulting in barriers
to research
• Want to enable researchers to have more focus on their research,
and less on information technology and mechanics of meeting IRB
requirements
• Want researchers to do more of their research at the Broad
• Broad is challenged by having only early-stage offerings for
technical infrastructure and procedural controls for PHI
13. Practical Immediate Steps
• Ensure PIs are aware of the PHI-related risks they face
and explicitly accept those risks
• Encourage PIs to use resources of collaborators to handle
PHI (e.g., if DFCI has a preferred secure email vendor, use
theirs)
• Document what PIs can do with PHI at the Broad
15. Longer Term Steps
• Build on the work of the LDM Compliance Assessment
project/recast it as the PHI Compliance Readiness project
• Implement quality management framework for handling PHI
• Refine risk assessment methodology for outsourced partners
• Execute on plan to address prioritized HIPAA compliance gaps
16. Longer Term Steps
• Propose projects/budgets for technology and process
solutions to offer more services to PIs to streamline their
research by bringing PHI to the Broad
• Implement plan to proactively manage risks, e.g.:
• Implement necessary policies
• Raise awareness of responsibilities
and risks via training
• Establish clear response matrices to
guide people to answers
18. Things Learned Along the Way
• Hire outside expertise to parse Federal regulations
19. Things Learned Along the Way
• Partner with technology vendors who take time to listen
and understand your needs
• Responsive, proactive management makes a lot of things
possible
• Remember that the Broad pushes the edge of possible
• Compliance approach will remain unfinished because the Broad is
not done reinventing itself
• Engaging with the world of regulatory compliance, when the Broad
chooses what boundaries to push, makes things challenging
• Our solution (for now): enter into a continual compliance
conversation, in which we choose which parts of the research are
done by which party, and consider what capabilities the Broad
offers or should offer
Editor's Notes
See www.broadinstitute.org for more
HIPAA: Health Insurance Portability and Accountability Act
PHI: Protected Health Information
HMS: Harvard Medical School
MGH: Massachusetts General Hospital
DFCI: Dana Farber Cancer Institute
BCH: Boston Children’s Hospital
CLIA: Clinical Laboratory Improvement Amendments
SSAE: Statements on Standards for Attestation Engagements, by American Institute of Certified Public Accountants, Inc. (AICPA)
ISAE: International Standard on Assurance Engagements, International Auditing and Assurance Standards Board (IAASB), part of the International Federation of Accountants (IFAC)
TIA: Telecommunications Industry Association
ISO: International Organization for Standardization
FISMA: Federal Information Security Management Act
NIST: National Institute of Standards
LDM: Laboratory Data Management
GxP: Good x Practice, where the x stands for Laboratory, Clinical, Manufacturing, etc.
Taken from the Broad’s Facebook feed
IRB: Institutional Review Board
PI: Principal Investigator
Decision tree image source: https://www.edrawsoft.com/images/examples/decisiontree.png
Department of Health and Human Services Office of Civil Rights
Department of Justice (for penalties)
Federal Trade Commission (Breach Notification Rule)