Sponsor Access to Epic for Research Project Monitoring/Auditing

I. Purpose:

The purpose of this standard operating procedure is to detail the steps required to provide a research project Sponsor access to Epic for the purposes of auditing and/or monitoring the research project.

II. Introduction:

The Epic system is licensed and maintained by Stanford Health Care, a HIPAA Covered Entity required to authorize and document access to protected health information only as permitted or required by law. The Stanford Health Care Epic system is utilized for clinical purposes only and is not intended to be used as a research record. Therefore, access to view research participant information directly within Epic may only occur with appropriate authorization, supervision, and documentation as detailed in this standard operating procedure. Minimum Necessary guidelines must be followed at all times (See, Stanford University HIPAA Privacy Policy H-13: Minimum Necessary Use and Disclosure of, and
Requests for, Protected Health Information).

III. Scope:

This standard operating procedure applies to all Stanford University researchers and research team members seeking to access the Stanford Health Care Epic system, and is intended to support implementation of Stanford University HIPAA Policy H-14 Research and Patient Privacy   Any questions about or deviations from this procedure shall be directed to the Stanford University Privacy Office through a Service Request.

IV. Definitions:

CRC means Clinical Research Coordinator and may include research team members designated by the PI/PD, to carry out the tasks of this standard operating procedure. ePHI means electronic Protected Health Information. HIPAA is the Health Insurance Portability and Accountability Act of 1996. Minimum Necessary means limiting the amount of PHI accessed, used, or disclosed to the minimum amount necessary to accomplish a valid business purpose in accordance with HIPAA. PD means Protocol Director. PHI means protected health information. PI means Principal Investigator. Sponsor means the person or institution, whether corporate, private, government, or academic, who initiates the clinical investigation and is responsible for its management, but does not actually conduct the investigation. The sponsor may, in some cases, also be responsible for financing the project.

V. Procedure:

1. The CRC shall verify and document that the signed Sponsor Agreement or agency authority allows the sponsor a right to review research participant medical records for research adherence auditing/monitoring purposes.
a. Auditing of the Epic system itself is not permitted.

2. The CRC shall verify that the consent and/or authorization signed by the research participants clearly state that the Sponsor may view/access PHI.

a. Note, that in some cases the consent/authorization may specify a limited amount of PHI or the entire medical record.
b. Highly sensitive health information, such as HIV, mental health, substance/drug treatment, may only be shared if the research participant has provided specific authorization to disclose that information.
c. You may only share that information that the Sponsor is permitted to see based on steps 1-2.b. above. Follow Minimum Necessary guidelines at all times.

3. A Stanford University research staff person must be present with the Sponsor at all times whenever Epic is being accessed. No independent or unsupervised viewing of Epic is allowed by the Sponsor without specific, written permission from both the University and Stanford Health Care Privacy Offices.

4. The CRC must log into Epic using his/her individual username and password.
a. The individual’s username and password may not be shared with the Sponsor.

5. The CRC is responsible for retrieving records for the Sponsor’s review in accordance with steps 1-3, above.

6. The PI/PD is responsible for ensuring that the Documentation of Access form is completed each time a Sponsor is provided access to view research participants’ information within Epic.

a. The Documentation of Access Form must be kept at least 6 years from the date the Sponsor viewed the Epic record.
b. Each individual research participant whose information is viewed in Epic by a Sponsor shall have an entry on the form.
c. This form shall be produced to the University Privacy Office on demand.

7. All research participant requests for Accounting of Disclosure of their ePHI shall be directed to the University Privacy Office. The University Privacy Office shall review and respond to such requests, except when referring to the Hospital Privacy Office for review and response, as appropriate.

Failure to comply with this Standard Operating Procedure may result in discipline up to, and including, termination. See, Administrative Guide 2.1.16.

VI. Forms/Templates to be Used:

a. Documentation of Access form

VII. Review History:

Director, Clinical Research Quality, Jennifer Swanton Brown
School of Medicine Chief Technology Officer, Todd Ferris
Stanford Health Care Chief Privacy Office, Diane Meyer Associate
Dean of Clinical & Translational Research, Lisa Jackson

VIII. Approval History:

Stanford University Chief Privacy Officer, Wendi W. Wright
Stanford University Chief Risk Officer, D. Rick Moyer

version 1.0, May 31, 2017