If a investigator maintains a database containing PHI, then the investigator has an obligation to insure that the use and disclosure of PHI is in compliance with federal guidelines and UTC policy. The investigator is responsible for:
- Maintaining applicable security for the database, including physical security and access control;
- Control and manage the access, use and disclosure of PHI, including verifying appropriate IRB approvals and patient authorizations; and
- Any PHI in the database used for treatment or payment purposes must be a duplicate and the original must be included in the patient’s medical record.
Databases created prior to April 14, 2003 are grandfathered in and do not have to meet the Privacy Act policies. Studies involving subjects that have enrolled prior to April 14, 2003 will not be required to re-consent. Investigators may continue to collect and use data gathered from these subjects and no new documentation is required.