Data Sharing: flexibility is the fuel,
governance is the glue!
Lisa Schilling, MD, MSPH
Department of Medicine, University of Colorado, Denver
AMIA
November 2012
Lisa.schilling@ucdenver.edu
Funding provided by AHRQ 1R01HS019908 (Scalable Architecture for Federated Translational Inquiries Network)
Big Thanks!
• University of Colorado – Office of Regulatory
Compliance, Multi-Institutional Review Board,
Office of University Counsel
• Partners – Denver Health & Hospital Authority,
Colorado Community Managed Care Network,
Salud Family Health Services, Metro Community
Provider Network, Cherokee Health Systems
• SAFTINet team
Objectives
• Understand data governance issues in multistakeholder collaborations
• Identify strategies for developing effective
policies to reduce data sharing obstacles
• If possible, provide insights helpful for
NIH/CTSAs
Setting the context:
AHRQ Distributed Research Networks
• AHRQ ARRA OS: Recovery Act 2009: Scalable
Distributed Research Networks for Comparative
Effectiveness Research (R01)
• Goal: enhance the capability and capacity of electronic
health networks designed for distributed research to
conduct prospective, comparative effectiveness research
on outcomes of clinical interventions.
• Combine clinical and claims/administrative data
Grid Portal
SAFTINet Data Sharing Partners
• Clinical data sharing partners
– Colorado Community Managed Care Network and the Colorado
Associated Community Health Information Enterprise
• Colorado Federally Qualified Health Centers
– Denver Health and Hospital Authority
– Cherokee Health Systems, Tennessee
– Bi-State Primary Care Assoc. &Northern Tier Center for Health
Vermont (in development)
• Claims and administrative data sharing partners
– Colorado Health Care Policy & Financing – CO All Payers
Claims Database- Center for Improving Value in Healthcare
– TennCare and Tennessee managed care organizations
(partnership in development)
– Department of Vermont Health Access (in development)
Partner-Data Sharing Concerns
• Data stewardship & loss of control
– Non agreed upon use
– Misuse, misrepresentation
• Data security –network & data transfers
• Competitive environment – cost/billing data,
proprietary coding/mapping schemas
• Compliance with state and federal rules
– HIPAA, individual state privacy laws
• Liability
Strategies to Facilitate Trust
• Transparent & open discussions, policies &
documentation
– Security Framework discussion
– Service level objectives
– Recommendations
• Alignment with federal standards
– NIST security recommendations
• Flexibility
Web of Data Sharing Agreements &
Documents
• Master Consortium
Agreement
• Service Level
Objectives
• Security Framework
• IRB protocols
– Infrastructure (45 cfr
46.118)
– Study specific
• BAA
• DUA
•
•
•
•
•
•
Purpose
Contents
Involved entities
Contingent upon/for
Place in hierarchy
Relevant
laws/regulations
• Legal or not
• Signatories
Master Consortium Agreement
• Governance must address:
– Membership –entering, leaving, decision-making
– Use & misuse
• Access, authorization, authentication
• Plans for partner ‘sign off’ before data release
– Publications, Intellectual property
– Requirements
• Partners, network administrator, security
– Liability and insurance
– Termination
– Compliance with laws and regulations
MCA – Flexibility of participation
• Each of the Consortium Members is willing to provide access to its
research data and/or receive from the other Consortium Members
certain research data for research use.
• Data Owners are able to specify the data types they make available
to the SAFTINet Network database …
• Reasonably contribute to Joint Study activities and share current
health care delivery models, current practices, and measures to
support Joint Studies, except where the Data Owner believes: (1)
such contribution may violate federal or state law, the Partner
Member’s contractual obligations, or its internal policies, (2) such
contribution would harm its proprietary or competitive interests, (3) it
does not have the functional ability to do so, (4) such contribution is
not in the best interests of that Partner Member, or (5) it is not
economically, technically or operationally feasible to do so. The
Members have the authority to grant additional exceptions.
MCA: Security –Network & Portal
• These safeguards will be guided by the following
standards:
– OMB Security of Federal Automated Information
Resources
– FIPS 200 Minimal Secr Requirements
– etc.
Due Diligence: SAFTINet Security Framework
SLO Agreement
• Assist PARTNER System Administrator with deployment of
SAFTINet Grid Node and ROSITA VMs including configuration of
network settings within guest OS, connectivity testing, and make
suggestions for post-deployment security hardening like
changing default passwords.
• Provide remote access software and licenses for remote assistance,
administration, and troubleshooting (e.g. GoToMeeting, GoToAssist).
• Maintain secure default settings on all VM templates deployed to
PARTNER.
• Design and deploy systems so that all PHI is transferred using
FIPS140-2 validated encryption technologies.
• Ensure that all applications used in the SAFTINet infrastructure are
developed and maintained using the highest possible
standards and industry best-practices in an effort to safeguard
PARTNER’s systems, security, and data integrity.
Getting to Yes:
•
•
•
•
Many hours, lots of iterations
Complementary agreements and policies
Balance of technology and trust
Baby steps
Acknowledgments
•
•
•
•
•
•
•
Michael G. Kahn, MD, PhD
Wilson Pace, MD
David West, PhD
Bethany Kwan, PhD, MSPH
Annalissa Philbin, JD, Sr. Research Associate Attorney
Art Davidson, MD, MSPH, Co-PI, DHHA
Warren Capell, MD - Director, Colorado Multiple Institutional
Review Board
• Alison Lakin – Assistant Vice Chancellor of Regulatory
Compliance
• SAFTINet team