280 likes | 289 Views
DATA SHARING and DATA SHARING AGREEMENTS Teresa Mulford MDCH, Office of Legal Affairs . Definition/Purpose
E N D
DATA SHARINGand DATA SHARING AGREEMENTSTeresa MulfordMDCH, Office of Legal Affairs
Definition/Purpose Agreement between parties that outlines how shared data will be used, disclosed, and protected, by agreeing to provisions that place general and specific limitations on the receiving party... HIPAA and other laws require Covered Entities to obtain satisfactory assurance that the data recipient will only use or disclose the information for limited purposes to ensure that shared data will not be misused. Data Sharing Agreement
Can the Data be shared and what type of agreement is needed? Steps Can the data be shared? Identify: The data elements requested De-identified Limited Data Set Identifiable Data The applicable confidentiality laws The parties – Business Associate, Covered Entity, Researcher, Public Health Agency, … Overview of Today’s Discussion
What type of written agreement is appropriate? Business Associate Agreement (BAA) Memorandum of Understanding (MOU) Data Sharing Agreement (DSA) You have determined that the data can legally be shared -
When Required by Law HIPAA IRB Financial Other For liability reasons For ethical reasons WHEN / WHY IS A DSA NEEDED?
Include language to ensure proper use, disclosure,…etc…. Routine provisions – those required by law Special Provisions – unique to the data WHAT PROVISIONS
Follow up is required – After agreed time, at end of project, etc. Ensure shared data continues to be protected or has been returned or destroyed Follow up – Monitoring
Step One: Identify the data elements requested: De-Identified Data Limited Data Set Identifiable Data Can the data be shared?Steps…
Two methods of de-identification First: Safe Harbor – HIPAA list of identifiers – Note: All dates and most demographic information are included as identifiers. Ages,zip codes, or ‘dummy codes’ are permitted with limitations. Age: In most cases, year of birth may be retained, which can be combined with the age of the subject to provide sufficient information about age for most uses - however dates that might be directly related to the subject must be removed or aggregated to the level of year to prevent deduction of birth dates. Extreme ages – 90 and over – must be aggregated further to avoid identification of very old individuals. For young children or infants – age can be expressed in months, days, or hours – as long as the birth date can not be determined. (Zip codes, ‘dummy codes’ – see following slides…) De-identified Data
Two methods of de-identification…continued First: Safe Harbor…continued Zip Code: Three digit zip codes can be used if the zip code area contains more than 20,000 people as determined by the Bureau of the Census. (In 2000, there were only 18 three-digit zip codes containing fewer than 20,000 people). ‘Dummy codes’: A re-identification code can be created and provided to the data recipient as long as the code was not derived from information related to the subject of the information. The HMAC (keyed hash message) mechanism can not be used to create a dummy code in a de-identified data set. The mechanism used to create the code can not be disclosed to the data recipient. De-identified Data…cont.
Two methods of de-identification…continued Second: Expert – a person with appropriate knowledge and experience is to apply generally accepted statistical and scientific methods to render information not individually identifiable. De-identified Data…cont.
All direct identifiers must be removed. Some demographic information, dates, and ‘dummy codes’, are permitted. Under HIPAA, a Limited Data Set can only be shared for the purpose of Research, Public Health, or Health Care Operations. Demographic information is allowed, such as zip codes, cities, and geographic areas, however, street addresses are direct identifiers that must be removed. All Dates are permitted – including birthdates, however, requests for birthdates should be reviewed for necessity. ‘Dummy codes’: A re-identification code can be created and provided to the data recipient as long as the code was not derived from information related to the subject of the information. The HMAC (keyed hash message) mechanism CAN be used to create a dummy code in a limited data set (but not in a de-identified data set). The mechanism used to create the code can not be disclosed to the data recipient. Limited Data Set
Data with identifiers may be shared if an exception exists under applicable law. HIPAA permits the sharing of identifiable data for specific purposes – in which case, a Data Sharing Agreement may be warranted. Identifiable Data
Step Two: Identify the applicable confidentiality laws…more than one may apply Medicaid Public Health Code Mental Health Code HIV/AIDS/STD Substance Abuse HIPAA Research – Human Subjects (Common Rule) Other Can the data be shared?Steps…cont.
When more than one confidentiality law is applicable and both/all cannot be complied with… The HIPAA Privacy regulation will preempt all other privacy or confidentiality laws, (state or otherwise) unless – the other law provides the individual with greater privacy rights or protections. Can the data be shared?Steps…cont.
Step Three: Identify the players – and the relationship between the data provider and the requester Business Associate Covered Entity (under HIPAA) Public Health Agency Researcher Government entity Independent Other Can the data be shared?Steps…cont.
After analyzing the requested data elements, all applicable laws, and the players – and their relationship, you have decided that the information can be shared… (descriptions that follow under each type of agreement can be used to sort out this information.)
What type of written agreement is appropriate? Business Associate Agreement (BAA) Memorandum of Understanding (MOU) Data Sharing Agreement (DSA) You have determined that the data can legally be shared -
Business Associate Agreement (BAA) A business associate is an entity/contractor that the covered entity, MDCH, has contracted with to perform a HIPAA covered function on MDCH’s behalf that requires the sharing of protected health information (PHI). HIPAA requires covered entities, such as MDCH, to enter into a written Business Associate Agreement that requires the business associate to comply with the confidentiality provisions under HIPAA. Differentiate a business associate from other entities – a business associate is performing a function on MDCH’s behalf – which requires a BAA, and the other is performing a function on its own behalf. What type of written agreement is appropriate?
Memorandum of Understanding (MOU) A MOU is similar to a BAA, however, is generally used when sharing identifiable data between governmental entities to carry out responsibilities under state or federal law. What type of written agreement is appropriate?
Data Sharing Agreement (DSA) A DSA may be required in the following circumstances: If sharing de-identified information with any entity. If sharing a limited data set or identifiable data with a business associate where a new function has been added under the contract. If sharing a limited data set with a business associate that has requested the information for its own public health, research, or health care operations. (continued…) What type of written agreement is appropriate?
A DSA may be required in the following circumstances (continued): If only sharing a limited data set with a business associate to perform functions on MDCH’s behalf – thereby eliminating the need for a BAA. If sharing a limited data set with a researcher. This eliminates the researcher’s need for an individual’s authorization. The researcher also might be able to bypass the Institutional Review Board review requirement for human subjects research. (Refer to Harry McGee.) (continued…) Data Sharing Agreement (DSA)(continued…)
A DSA may be required in the following circumstances (continued): If sharing a limited data set with another covered entity that has requested the information for its own public health, research, or health care operations. (Assists in the sharing of data with another covered entity where HIPAA limits the sharing of fully identifiable information – e.g. “to another covered entity for its health care operations”.) If sharing a limited data set with any other entity for public health or research purposes. (e.g., non MDCH cancer registry.) If sharing fully identifiable information to an entityfor a permitted purpose under HIPAA or other applicable confidentiality law. Data Sharing Agreement (DSA)(continued…)
Include language to ensure proper use, disclosure,…etc…. Routine provisions – those required by law (HIPAA requirements handout and copy of MDCH template.) Special Provisions – unique to the data requested WHAT PROVISIONS
Follow up is required – After agreed time, at end of project, etc. Ensure shared data continues to be protected or has been returned or destroyed After the DSA is signed, the data is provided, … Monitoring and
Please forward a copy of all completed MDCH Data Sharing Agreements to the Office of Legal Affairs (OLA) to be entered into MDCH DSA Database. MDCH Log of Data Sharing Agreements
Identify the requested data elements, the applicable laws, and the players, Determine the appropriate agreement that is needed and execute, Send copy of completed MDCH DSA to OLA to be logged, Monitor – and follow up at end of project, or agreed upon time, to ensure shared data continues to be protected or has been returned or destroyed. In review:
Forward any MDCH questions to the Office of Legal Affairs: (517) 241-0048 Email: mulfordt@michigan.gov Questions?