Busy. Please wait.

Forgot Password?

Don't have an account?  Sign up 

show password


Make sure to remember your password. If you forget it there is no way for StudyStack to send you a reset link. You would need to create a new account.

By signing up, I agree to StudyStack's Terms of Service and Privacy Policy.

Already a StudyStack user? Log In

Reset Password
Enter the email address associated with your account, and we'll email you a link to reset your password.

Remove ads
Don't know (0)
Know (0)
remaining cards (0)
To flip the current card, click it or press the Spacebar key.  To move the current card to one of the three colored boxes, click on the box.  You may also press the UP ARROW key to move the card to the "Know" box, the DOWN ARROW key to move the card to the "Don't know" box, or the RIGHT ARROW key to move the card to the Remaining box.  You may also click on the card displayed in any of the three boxes to bring that card back to the center.

Pass complete!

"Know" box contains:
Time elapsed:
restart all cards

Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.

  Normal Size     Small Size show me how

Hlth Info Mngmt


healthcare provider that chooses to transmit health info electronically, a health plan, or healthcare clearinghouse, and must comply w/HIPAA's requirements covered entity
claims/encounter info, eligibility requests, referrals & authorizations, & claims status inquiries are the 4 types medical info a health care provider can submit electronically/on-paper & are required to transmit using HIPPA's standards
health plan & healthcare clearinghouse must be able to receive the provider's 4 types medical info subject to HIPAA standards, but also be able to electronically conduct premium payments, claim payments, & remittance advice, enrollment & disenrollment, & coordination of benefits
healthcare clearinghouse working on behalf of healthcare provider, in role of business associate, must also comply w/HIPAA standards requirements under a "covered entity"
electronic exchange of info between (2) covered-entity business partners using HIPAA-defined electronic data interface exchange transaction standards for the exchange covered transactions
patient sending email message to physician containing patient-identifiable info ___ be considered a covered transaction under HIPAA would not
physician transmitting electronic claim to health care plan or referral/auth. electronically to another physician, lab or hospital ___ be considered a covered transaction under HIPAA would
the receipt of a physician transmitting electronic claim to health care plan or referral/auth. electronically to another physician, lab or hospital invokes security protections the physician must have in place under HIPAA
computer-to-computer exchange of routine business info using publicly available standards electronic data interchange (EDI)
refers to transmission of info between 2 parties to carry out financial/administrative activities transaction
HIPAA requires that providers carefully define who has access to personal health information; what portions of PR available to front-office, utilization mgrs, billing personnel, etc. minimum necessary
discourage anyone from having open access to medical records that contain files of info regarding an individual's medical history intent of minimum necessary
legal document developed by a practice & its attorney stating what practice will do to protect each patient's rights Notice of Privacy Practices (NPP)
one person who oversees privacy activities & security protections; can delegate responsibilities to privacy team but alone holds accountability for HIPAA compliance privacy & security officials
under HIPAA's privacy & security officials, members of a privacy team must be trained specifically to fulfill any delegated responsibilities
the privacy & security official may be the same person
in larger practices, depending on the workload, the privacy & security official would usually be separate people
info that can be used to identify an individual because it contains 1/more patient identifiers Protected Health Information (PHI)
the HIPAA Privacy Rules specifies that PHI must be protected whether it is written, spoken, or in electronic form
de-identified health information is not considered PHI
HIPAA defers to laws of the state if state's laws are more stringent than HIPAA privacy standards state preemption
put in force 2002, HIPAA gave physicians freedom to continue treating patients, seeking payment, & conducting routine healthcare operations without requiring written consent to conduct business of behalf of patient Modification to the Privacy Rule
HIPAA privacy consent is not the same as a Consent to Treat
means you can provide care, including coordination or management of health care between providers, or referring patient to another provider treatment
within HIPAA means you can disclose PHI (name, address, date/birth, social security # & account number) to obtain reimbursement payment
refers to activities including: quality assessments or improvements, reviewing competencies or qualifications of health care professionals, evaluating professional's performance, business mngmt & general admin. activities healthcare operations
if you must defend an activity under HIPAA's healthcare operations category, before proceeding w/task, you should clarify w/ privacy official or your attorney
is a requirement standard
document including standards rule
each rule starts out with a Notice of Proposed Rule-Making (NPRM)
presents NPRM for public comment & revisions US DHHS
final rules are published in the Federal Register
deadline for compliance or implementation is 24 months after a rule's effective date
a rule's effective date, may be 30-60 days after publication date
in 1991 created to study what impact replacing paper healthcare transactions would have on containing rising healthcare costs Workgroup for Electronic Data Interchange (WEDI)
foundation of Administrative Simplification provisions in HIPAA 1993 WEDI report
guarantees that you can obtain insurance if you change jobs, first term of the title law portability
begins to identify who/what should be accountable for specific healthcare activities, second term of the title law accountability
Administrative Simplification was designed to address the health care administrative systems & business issues
Administrative Simplification promises to make business of health care easier
those data sets that identify diagnoses, treatment procedures, drug codes, equipment codes, & other codes code sets
"Everyone must send or receive transactions using standards formats & data content
process to handle industry recommended modifications to standard that may enhance administrative simplification designated standard-maintenance organization (DSMO)
outcome of ___ practices will have to ensure their software vendors can send/receive info using standard data formats & data content Transactions and Code Sets Rule
requires PHI secure at rest, movement, or in electronic, oral, written format
only the __ __ can know everyone's passwords system administrator
about controlling access to PHI security
about controlling how electronic, oral, & written PHI is used & disclosed privacy
a practice immediately became obligated to build program that protects security of personal health information when HIPAA was signed into law
within the __ __ are standards that say practices must "safeguard" or protect medical records Privacy Rule
published in Federal Register 2/20/03, including administrative, physical & technical safeguards pertaining to electronic PHI that must be in place no later than 4/21/05 final Security Rule
requires similar safeguards, to the final Security Rule, for not only electronic PHI but also oral & written PHI & must be in compliance by 4/14/03 the Privacy Rule
rooms & storage facilities w/locks or other safeguards that control access are considered ___ safeguards physical
policies & procedures defining who has access to info, user IDs, passwords, & actions if violations occur are considered administrative safeguards
encryption of electronic data & use of passwords to verify users who have logged onto a system are considered technical safeguards
security is an ongoing process that is never done
are based on the principle of "reasonableness" given size/complexity of environment in which covered entity operates privacy & security rules
as a foundation for developing a practice's polices & procedures ___ ___ must be conducted risk analyses
as a foundation for developing a practice's polices & procedures determination of how to __ __ from the risk analyses mitigate risks
Your first priority is to develop a way to quantify & evaluate ___ risk
you need to know what you are protecting & how much it is worth before you can decide how to protect it
even though there are federal penalties for noncompliance w/privacy & security rules, HHS' focus is to encourage voluntary compliance
www.hhs.gov/ocr provides guidance on privacy
www.cms.gov/hipaa provides questions & guidance on security
under the final Security rule HIPAA will require every healthcare provider to put several layers of safeguards in place
"reasonable & appropriate" administrative, technical & physical safeguards will vary depending on area located and scope of technology used
product must be certified as defined by federal government, product can do e-prescribing, product is interoperable, & product has necessary clinical decision support to rpt on key clinical indicators as being rptd by government HITECH provisions of ARRAs meaningful use
key terminology for all medical providers to be able to gain their Medicaid/Medicare incentives, a key benchmark within the HITECH provisions of ARRA meaningful use
responsible for defining meaningful use Office of the National Coordinator
responsible for rolling out specific provisions of HITECH ARRA Secretary of Health & Human Services
a number of health insurance carriers will be moving to a an HITECH platform, which is a valid program around patient centered medical home
gathers necessary the care of the patient, combines it together in a data repository, provides meaningful, timely, accurate info to develop a very effective plan of care, & kept by primary care physician patient centered medical home
patient centered medical home differs from managed care in that the primary physician does not select referring doctors responsible for care for care, but rather responsible for where all that care is coordinated
reduce reliance on necessary tests, potentially unnecessary hospitalizations, unnecessary follow-up visits to doctors because care/tests already rendered; quicker path to diagnosis idea behind patient centered medical home
must be actively engaged in use HIT product meaningful user
to determine physical safety of patient info, the security official is required to conduct a risk analysis & regular audits
administrative actions, & policies & procedures, to manage selection, development, implementation, & maintenance of security measures to protect electronic PHI & to manage conduct of covered entity's workforce in relation to PHI administrative safeguards
property that "data/info is accessible & usable upon demand by an authorized person" availability
property that "data/info is not made available or disclosed to unauthorized persons or processes" confidentiality
health plans, healthcare clearinghouses, & healthcare providers that transmit any health info in electronic form under the transactions standards covered entities
PHI that meets requirements of (i) transmitted by electronic media, or (ii) maintained in electronic media, of the PHI definition electronic protected health information (EPHI)
electronic storage media, transmission media used to exchange ePHI already in electronic storage media, & other ePHI transmissions (to the extent any ePHI transmitted via these means originates or is received as data in electronic storage media) electronic media
algorithmic process to transform data into form in which low probability of assigning meaning w/out use of confidential process/key encryption
using confidential process/key to transform information into the original data decryption
physical measures, policies & procedures to protect covered entity's electronic info systems & related buildings & equipment from natural or environmental hazards & unauthorized intrusion physical safeguards
property that "data/info has not been altered or destroyed in an unauthorized manner" integrity
individually identifiable health info that is (i) transmitted by electronic media; (ii) maintained in electronic media; (iii) transmitted/maintained in any other form or media protected health information (PHI)
requires implementation by covered entity required implementation specification
allows covered entity to determine "whether each implementation specification is reasonable/appropriate safeguard in its environment, when analyzed w/reference to likely contribution to protecting entity's EPHI" addressable implementation specification
administrative, physical & technical safeguards are the 3 types of security standards
security standards will supersede any contrary provision of State Law
security standards establish a __ level of security that covered entities must meet minimum
compliance with Security Rule is designed to provide a ___ ___ of all EPHI floor protection
the Security Rule is considered technologically neutral
the Security Rule does not dictate what ___ ___ to make technology choices
the Security Rule dictates what ___ to achieve protections
under Security Rule standards, technology choices are considered inputs
under Security Rule standards, protections are considered outputs
security protections must be reasonable & appropriate, as assessed in the required risk analysis & study of rick-management measures foundation of Security Rule
the Security Rule is designed to be scalable & flexible
implementation of security rule standards will be reflected in policies & procedures which must be kept current & retained for six years from creation date or date last in effect
documentation must be created & maintained that memorializes ___ ___ & ___ pertaining to the Security Rule actions, activities, & assessments
should be carefully constructed, documented in writing, updated as appropriate & retained for 6 years in accordance w/HIPAAs documentation standard required risk analysis
the required risk analysis will focus attention on ___ potential business risks mitigating
the required risk analysis will help find solution that will benefit the workforce
National Institute of Standards & Technology NIST
NIST is part of US Dept of Commerce
"likelihood of a given threat-source;s exercising a particular potential vulnerability, & resulting impact of that adverse event on the organization" NIST definition of risk
general requirements, flexibility of approach, standards, implementation specifications, & maintenance are 5 general rules in Security Rule
ensure confidentiality, integrity & availability of EPHI created, received, maintained, or transmitted; protect against reasonably anticipated threats/hazards, disclosures; & ensure compliance four general requirements in general rules of Security Rule standards
size, complexity & capabilities; technical infrastructure, hardware, & software security capabilities; cost of security measures; probability of criticality of potential risk to EPHI by covered entity reasonable & appropriate security measures factors
failure to comply with Security Rule standard leads to liability for civil sanctions & potential loss of business
covered entity must balance the safeguard specification w/degree of __ __ the specification affords risk mitigation
requires covered entity review security measures periodically & make modifications necessary to ensure providing "reasonable & appropriate protection of EPHI" maintenance
there are nine ___ safeguard standard administrative
implement policies & procedures to prevent, detect, contain & correct security violations; manage security risk, sanctions as disincentive for noncompliance, & periodically review security controls Standard: Security-Management Process
Standard: Security-Management Process "form the foundation upon which an entity;s necessary security activities are built"
risk analysis, risk management, sanction policy, & information system activity review are __ implementation specifications required
identify security official responsible for development & implementation of policies/procedures required by Security Standards for Protection of EPHI; required implementation specification Standard: Assigned Security Responsibility
implement policies/procedures for authorization and/or supervision of personnel who work w/or in locations were EPHI might be accessed Standard: Workforce Security Authorization and/or Supervision - addressable
when there are addressable implementation specifications it is required that standard compliant policies & procedures be documented in writing
implement procedures to determine that access of personnel access to EPHI is appropriate Standard: Workforce Security; Workforce Clearance Procedure - addressable
implement procedures for terminating access to EPHI when termination of employment Standard: Workforce Security; Termination Procedure - addressable
purpose of termination procedure documentation is to ensure that termination procedures include ___ action to be followed security-unique
implement policies & procedures for authorizing access to EPHI consistent w/applicable requirements of Privacy of Individually Identifiable Health Information Standard: Information Access Management
Isolating Healthcare Clearinghouse Functions is a ___ implementation specification of Standard: Information Access Management required
implement policies & procedures for granting access to EPHI; addressable implementation specification of Standard: Information Access Management Access Authorization
implement policies & procedures per access-authorization policies, establish, document, review, & modify user's right/access to workstation, transaction, program & processes; addressable implementation spec. of Standard: Information Access Management Access Establishment & Modification
implementation of security awareness & training program for all members of workforce, including management; 4 addressable implementation specifications Standard: Security Awareness & Training
periodic security updates; addressable implementation spec. of Standard: Security Awareness & Training Security Reminders
procedures for guarding against, detecting & reporting malicious software; addressable implementation spec. of Standard: Security Awareness & Training Protection from Malicious Software
procedures for monitoring log-in attempts & reporting discrepancies; addressable implementation spec. of Standard: Security Awareness & Training Log-in Monitoring
procedures for creating, changing, & safeguarding passwords; addressable implementation spec. of Standard: Security Awareness & Training Password Management
security training is dependent on entity's configuration and risk
1st goal of security training is awareness
although an entity is not responsible for providing training outsides of it's workforce, they are responsible for ensuring that __ __ are aware of entity's security policies & procedures business associates
CSRC Computer Security Resource Center
Computer Security Resource Center is part of National Institute of Standards & Technology
National Institute of Standards & Technology NIST
Information Technology Security Training Requirements special publication of NIST
awareness programs set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure
purpose of awareness training it to teach people skills that will enable them to perform jobs more effectively
2 important attributes if of successful awareness & training program change in corporate culture & greater staff productivity
management play an important role in effecting change & realizing the payoff
implement policies & procedures to address security incidents; one required implementation specification Standard: Security Incident Procedures
attempted/successful unauthorized access, use, disclosure, modification, or destruction of info or interference w/system operations in an info system security incident
identify & respond to suspected/known security incidents; mitigate to extent of practicable, harmful effect of security incidents known to covered entity; document incidents & outcomes Response & Reporting
covered entity's are required to respond & mitigate any __ __ of security incidents harmful effects
establish (implement as needed) policies & procedures for responding to emergency/other occurrence that damages systems that contain EPHI; 5 implementation specifications (3) required (2) addressable Standard: Contingency Plan
establish & implement procedures to create & maintain retrievable exact copies of EPHI; required implementation specification of Standard: Contingency Plan Data Back Up Plan
establish (implement as needed) procedures to restore any loss of data; required implementation specification of Standard: Contingency Plan Disaster Recovery Plan
when preparing a disaster recovery plan, covered entity should examine __ __, even though the probability may be low worst-case scenarios
EHNAC Electronic Healthcare Network Accreditation Commission
has identified several key components to a disaster-recovery plan that mitigate business interruption ENHAC
will be outgrowth of the identification of threats in the risk analysis disaster recovery planning
determine outcomes for each of the threats& impact on the operations of the practice
the final rule of the disaster recovery plan calls for covered entities to consider how natural disasters could damage systems that contain EPHI & develop policies & procedures for responding to these situations; these are considered to be a reasonable precautionary step
establish (implement as needed) procedures to enable continuation of critical business processes for protection of security of EPHI while operating in emergency mode; required implementation specification of Standard: Contingency Plan Emergency Mode Operation Plan
important to get input from each workforce member of duties/workflow in order to establish a workable emergency mode operation plan
implement procedures for periodic testing/revision of contingency plans; addressable implementation specification of Standard: Contingency Plan Testing & Revision Procedures
assess relative criticality of specific applications & data in support of other contingency-plan components; addressable implementation specification of Standard: Contingency Plan Applications & Data Criticality Analysis
because Security Rule pertains to EPHI, the loss of ___ is critical & should be dealt w/in a covered entity's risk analysis electricity
perform a periodic technical & non technical evaluation; establish extent to which entity's security policies/procedures meet requirements of Security Standards for Protection of EPHI Standard: Evaluation
Standard: Evaluation implementation specification is reflected in the standard & is required
in accordance w/general rules of security standard, may permit business associate to create, receive, maintain, or transmit EPHI on entity's behalf Standard: Business-Associate Contracts & Other Arrangements
must provide satisfactory assurances that they will protected EPHI business associates
document satisfactory assurances through written contract/other arrangement that meets applicable requirements as part of Organizational Requirements; required implementation specification of Standard:Business-Associate Contracts & Other Arrangements Written Contract/Other Arrangement
physical measures, policies, & procedures to protect a covered entity's electronic-information systems & related buildings & equipment from natural & environmental hazards, & unauthorized intrusion physical safeguards
implement policies/procedures to limit physical access to electronic-information systems & facility(s) in which housed, while ensuring properly authorized access is allowed Standard: Facility Access Controls
establish (implement as needed) procedures allowing facility access in support of restoration lost data under disaster-recovery plan & 911-mode operations plan in event of 911;addressable implementation specification of Standard: Facility Access Controls Contingency Operations
implement policies & procedures to safeguard facility & equipment therein from unauthorized physical access, tampering, & theft; addressable implementation specification of Standard: Facility Access Controls Facility Security Plan
implement procedures to control/validate person's access to facilities based on role/function, incl. visitors, & to software programs for testing/revision; addressable implementation specification of Standard: Facility Access Controls Access Controls & Validation Procedures
implement policies/procedures to document repairs & modifications to physical components of facility related to security; addressable implementation specification of Standard: Facility Access Controls Maintenance Records
Standard: Facility Access Controls applies to a covered entity's facility or facilities
under Standard: Facility Access Controls facility includes physical premises and interior/exterior of buildings
under Standard: Facility Access Controls is extended to include premises of workforce members who work __ __ with EPHI at home
under Standard: Facility Access Controls a covered entity retains responsibility for considering facility security even where it shares space with other organizations
under Standard: Facility Access Controls a covered entity must document in their risk analysis third-party security measures
implement policies/procedures that specify proper functions to be performed, manner those functions to be performed & physical attributes of surroundings of specific workstation(s) that can access EPHI Standard: Workstation Use
receptionist areas, in a private practice, __ __ __ __ to patients signing in w/receptionist may not be visible
in a private practice, workstations throughout the practice should not be visible to any passerby
implement physical safeguards for all workstations that access EPHI to restrict access to authorizes users; implementation is dependent upon entity's risk analysis & risk management process Standard: Workstation Security
implement policies/procedures the govern receipt & removal of hardware & electronic media containing EPHI into & out of a facility & movement of these items within facility; 4 implementation specifications (2) req & (2) addressable Standard: Device & Media Controls
implement policies/procedures to address final disposition of EPHI &/or hardware/electronic media on which it is stored; required implementation specification of Standard: Device & Media Controls Disposal
implement policies/procedures for removal of EPHI from electronic media before media are made available for reuse; required implementation specification of Standard: Device & Media Controls Media Reuse
Maintain record of movements of hardware/electronic media & any person responsible for them; addressable implementation specification of Standard: Device & Media Controls Accountability
create retrievable, exact copy of EPHI when needed, before movement of equipment; addressable implementation specification of Standard: Device & Media Controls Data Backup & Storage
even though software may claim to delete files, it may only deleted the __ __ & not erase the underlying content file name
Accountability implementation specification does not refer to audit trails within system/software
Accountability implementation specification does refer to record of actions of a person relative to receipt/removal of hardware/software into & out of facility-traceable to that person
consists of technology & policy/procedures for its use that protect EPHI & control access to it; 5 safeguard standards Technical Safeguards
implement policies/procedures for electronic info systems that maintain EPHI to allow access only to those persons/software programs that are granted access right per Administrative Safeguards standard of Info Access Mngmt Standard: Access Control
each of implementation specifications under Standard: Access Control require technical assistance from entity's system administrator/practice-management vendor
assign a unique name &/or # for identifying & tracking user identity; required implementation specification of Standard: Access Control Unique User Identification
establish (implement as needed) procedures for obtaining necessary EPHI during 911 situation; required implementation specification of Standard: Access Control Emergency Access Procedure
implement electronic procedures that terminate an electronic session after predetermined time of inactivity; addressable implementation specification of Standard: Access Control Automatic Logoff
implement mechanism to encrypt/decrypt EPHI; addressable implementation specification of Standard: Access Control Encryption & Decryption
implement hardware, software, &/or procedural mechanisms that record/examine activity in information system that contain/use EPHI Standard: Audit Controls
according to preamble to Security Rule Standard: Audit Controls is mandatory; however entity's have flexibility to implement in manner deemed appropriate by their risk analyses
implement policies/procedures to protect EPHI from improper alteration/destruction; one addressable implementation specification Standard: Integrity
mechanism to authenticate EPHI; corroborate EPHI hasn't been altered/destroyed in an unauthorized manner addressable implementation specification of Standard: Integrity
error-correcting memory & magnetic disk storage are examples of built-in data authentication mechanisms
implement procedures to verify a person/entity seeking access to EPHI is the one claimed Standard: Person or Entity Authentication
biometric ID systems, password systems, personal identification #'s. telephone callback, physical/soft token systems & digital signatures are examples of Person/Entity Authentication
implement technical security measures to guard against unauthorized access to EPHI being transmitted over an electronic communication network Standard: Transmission Security
implement security measures to ensure electronically transmitted EPHI is not improperly modified w/out detection until disposed of; addressable implementation specification of Standard: Transmission Security Integrity Controls
implement mechanism to encrypt EPHI whenever deemed appropriate; addressable implementation specification of Standard: Transmission Security Encryption
it is the covered entity's responsibility to secure its transmissions
An estimated 15-30% of every healthcare dollar goes towards administration (i.e. claim review, software development
activities meant to make the claims process easier have become parts of health care's administrative black hole
high $$ concerns for a medical office include rick management & medical malpractice
HIPAA was developed by __ __ & __ __ within the US DHHS, along with executive from private healthcare sector physician leaders & policy makers
1991, a collaboration of government & private industry, Louis Sullivan created Workgroup for Electronic Data Interchange (WEDI)
WEDI was developed to study what impact replacing paper healthcare transactions would have on containing rising healthcare costs
became foundation of the Administrative Simplification provisions in HIPAA WEDI 1993 landmark report
guarantees you can obtain insurance if you change jobs Portability
identifies who & what should be held responsible for specific healthcare activities Accountability
Administrative Simplification promises to make the business of healthcare easier
simplifies transactions so that all entities filing electronic transactions use same code sets, data content, & data format, & keep patient info safe/secure purpose of Administrative Simplification
systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge research defined by Privacy Rule
distinction between research activity & healthcare operations activity is whether the activity is designed to develop or contribute to generalizable knowledge
require covered entity to obtain a detailed written authorization form from the patient, in order to satisfy all required elements of an applicable exception to the authorization requirement, under the Privacy Rule, when conducting a research activity
Privacy Rule permits a covered entity to carry out its own health care operations w/out any form of patient permission & without any restrictions in the use or disclosure of PHI
HHS drafted Privacy Rule in a manner that retains more stringent protection for the use/disclosure of PHI for __ __ than other health care operations activities research purposes
if a covered entity uses/discloses only a limited data set of information pursuant to a data use agreement they may use or disclose PHI for research activities
a covered entity may use or disclose PHI for research activities if the review of PHI is preparatory to research
a covered entity may use or disclose PHI for research activities if the research is on decedents' information
a covered entity may use or disclose PHI for research activities if institutional review board (IRB) or privacy board has approved a waiver of or an alteration to the authorization
covered entities are always free to use & disclose information that has been sufficiently de-identified
when covered entity removes all of a list of enumerated identifiers from PHI & covered entity has no actual knowledge that remaining info could be used alone or in combination w/other info to identify subject of info, is known as "safe harbor" method
2nd method to de-identify involves a person w/knowledge of & experience w/statistical & scientific principles must document methods & results of analysis that justify the determination that the risk of identification is small
also known as retrospective, archival, or non-interventional research records research