A. Data access via the CBR laboratory information management system (LIMS). The LIMS administrator will assign data viewing permissions according to each individual user’s job-related need to access individual-level data in the LIMS. All users of the LIMS will be required to sign a Training and Usage Agreement and to abide by all regulations, contract terms, and U-M and Michigan Medicine policies concerning sensitive data and Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule.
B. LIMS interactions with other information systems. The CBR will allow the CBR LIMS to be interfaced with other U-M information systems using institutionally approved methods and only as necessary for LIMS security and integrity or in furtherance of the CBR’s research mission. Access to CBR individual-level data through these systems will be limited to the minimum necessary for these purposes.
C. Accounting for PHI disclosures. As the CBR is located within a covered component of the University of Michigan Hybrid Covered Entity under the HIPAA Privacy Rule, the CBR will:
- Ensure that recipients of PHI disclosed by the CBR agree in Memoranda of Understanding or other required documents to appropriate data protection measures.
- Track disclosures made by the CBR of PHI that originated within a covered component of the U-M Hybrid Covered Entity.
- Make any other efforts required by the HIPAA regulations or as advised by UMHS Compliance.
D. Approvable distributions of CBR biospecimens and data.
- CBR biospecimens and data will be distributed to investigators preferentially in a manner such that distributed datasets do not include PHI or do qualify as HIPAA Privacy Rule Limited Data Sets, and such that those investigators cannot readily ascertain the identities of the subjects to whom the materials pertain.
- CBR staff will assist investigators who present a compelling research need for identifying individual-level data in applying to an IRB for review and approval of such a project, as requested. CBR biospecimens and data will be distributed to investigators who are conducting research under an IRB-approved protocol only in accordance with that protocol. No identifying individual-level data will be distributed without such approval.
E. Subsequent use of CBR materials by recipients: Memoranda of Understanding; Material Transfer Agreements. Each recipient of CBR biospecimens or data will be required to enter into a Memorandum of Understanding to define the rights and obligations of the CBR and the recipient concerning confidentiality protections and subsequent use, redistribution, and disposition of the materials and any future derivatives of them. Material Transfer Agreements are only applicable to recipients external to the University of Michigan and are administered via the U-M Office of Technology Transfer. Each of these will, as appropriate:
- establish the permitted uses and disclosures of the research materials;
- identify who may use or receive the materials;
- prohibit the recipient from using or further disclosing or distributing the materials, except as permitted by the agreement, by IRB or Privacy Board approval, by another valid University of Michigan agreement, or by law;
- require the recipient to use appropriate safeguards to prevent a use or disclosure that is not permitted by the agreement;
- require the recipient to report to the CBR any unauthorized use or disclosure of which it becomes aware;
- prohibit the recipient from identifying or contacting the individuals to whom the materials pertain; and
- prohibit the CBR from providing the recipient with the key to any coded materials.
F. Biospecimen labeling. CBR standard practice is to label biospecimen containers with no direct identifiers. When biospecimen containers enter CBR custody with such identifiers, containers will be relabeled without direct identifiers as soon as is practicable. When use of identifiers on labels is necessary for quality improvement purposes, both the amount of identifying information used and the duration of its use will be the minimum necessary for that purpose.
G. Biospecimen and data transfer from the CBR. Biospecimens will be transferred from the CBR in barcoded containers with no identifying information printed on the label. No deviations from this standard will be allowed unless approved by an IRB or Privacy Board, as appropriate. Data will be transferred using only secured means approved by UMHS Compliance.
H. Disposition of CBR materials. Biospecimens, data, and related regulatory documents will be disposed of or destroyed as required and in accordance with all applicable standards and directives. Biospecimen labels will be disposed of with biospecimen containers unless they are removed before disposal.