Cms Data Use Agreement
The lead investigator ensures that all members of the research team verify and sign a confidentiality agreement that binds each member and ensures the confidentiality and security of the data received. The DAC is responsible for tracking and documenting all DEA certificates and IRB media issued for each project with data stored on DAC servers. The DAC Director and the DAC Compliance Coordinator are available to auditors during the presentation of the DUA procedure. CMS requires that this certificate be completed and forwarded to CMS in order to certify the destruction/abandoned use of all CMS data collected by the DUA at all sites and/or under the control of all persons with access to the data. Indiana University is committed to protecting the confidentiality of health information in accordance with HIPAA privacy and security rules. HIPAA specifies that the PHI can only be used for specific research purposes pursuant to a HIPAA authorization, that a data protection committee has authorized the waiver of the authorization or where a waiver applies. A company covered as CMS can enter into an agreement with another company and share its PHIs as long as it receives assurances that the data is protected by law. Any researcher, research team or unit that solicits identifiable CMS data for research purposes must comply with this directive. The university`s HIPAA Data Protection Commissioner will follow all CMS DUAS.
CMS-DUAs are tracked in the REDCap database. Information collected in REDCap includes: 2.1. Please describe how this cohort meets the minimum required data. Specify the approximate size of the expected cohort (- Benes) to ensure that you do not exceed a 20% sample of the carrier file. The timeline for approval processes for CMS-DUA resDAC applications typically lasts at least 3 to 5 months between transmission and receipt of data. This directive applies to all staff, regardless of their affiliation, who intend to use identifiable data from the Medicare and Medicaid Services Centres (CMS) for research purposes under the aegis of Indiana University. CMS requires compliance with these rules, whether or not the recipient is part of a covered entity. The recipient must comply with the final provisions of the Data Security and Protection Policy, which are governed by the Health and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH). The university`s HIPAA data protection representative records the date the certificate was forwarded to CMS in the REDCap database.