Data Sharing: flexibility is the fuel, governance is the glue!

Lisa Schilling, MD, MSPH
Department of Medicine, University of Colorado, Denver
AMIA November 2012
Lisa.schilling@ucdenver.edu
Funding provided by AHRQ 1R01HS019908 (Scalable Architecture for Federated Translational Inquiries Network)

Big Thanks!
• University of Colorado
  – Office of Regulatory Compliance, Multi-Institutional Review Board, Office of University Counsel
• Partners
  – Denver Health & Hospital Authority, Colorado Community Managed Care Network, Salud Family Health Services, Metro Community Provider Network, Cherokee Health Systems
• SAFTINet team

Objectives
• Understand data governance issues in multi-stakeholder collaborations
• Identify strategies for developing effective policies to reduce data sharing obstacles
• If possible, provide insights helpful for NIH/CTSAs

Setting the context: AHRQ Distributed Research Networks
• AHRQ ARRA OS: Recovery Act 2009: Scalable Distributed Research Networks for Comparative Effectiveness Research (R01)
• Goal: enhance the capability and capacity of electronic health networks designed for distributed research to conduct prospective, comparative effectiveness research on outcomes of clinical interventions.
• Combine clinical and claims/administrative data

Grid Portal

SAFTINet Data Sharing Partners
• Clinical data sharing partners
  – Colorado Community Managed Care Network and the Colorado Associated Community Health Information Enterprise
    • Colorado Federally Qualified Health Centers
  – Denver Health and Hospital Authority
  – Cherokee Health Systems, Tennessee
  – Bi-State Primary Care Assoc. & Northern Tier Center for Health, Vermont (in development)
• Claims and administrative data sharing partners
  – Colorado Health Care Policy & Financing
  – CO All Payers Claims Database - Center for Improving Value in Healthcare
  – TennCare and Tennessee managed care organizations (partnership in development)
  – Department of Vermont Health Access (in development)

Partner-Data Sharing Concerns
• Data stewardship & loss of control
  – Non-agreed-upon use
  – Misuse, misrepresentation
• Data security – network & data transfers
• Competitive environment
  – cost/billing data, proprietary coding/mapping schemas
• Compliance with state and federal rules
  – HIPAA, individual state privacy laws
• Liability

Strategies to Facilitate Trust
• Transparent & open discussions, policies & documentation
  – Security Framework discussion
  – Service level objectives
  – Recommendations
• Alignment with federal standards
  – NIST security recommendations
• Flexibility

Web of Data Sharing Agreements & Documents
• Master Consortium Agreement
• Service Level Objectives
• Security Framework
• IRB protocols
  – Infrastructure (45 CFR 46.118)
  – Study specific
• BAA
• DUA

• Purpose
• Contents
• Involved entities
• Contingent upon/for
• Place in hierarchy
• Relevant laws/regulations
• Legal or not
• Signatories

Master Consortium Agreement
• Governance must address:
  – Membership – entering, leaving, decision-making
  – Use & misuse
    • Access, authorization, authentication
    • Plans for partner ‘sign off’ before data release
  – Publications, Intellectual property
  – Requirements
    • Partners, network administrator, security
  – Liability and insurance
  – Termination
  – Compliance with laws and regulations

MCA – Flexibility of participation
• Each of the Consortium Members is willing to provide access to its research data and/or receive from the other Consortium Members certain research data for research use.
• Data Owners are able to specify the data types they make available to the SAFTINet Network database …
• Reasonably contribute to Joint Study activities and share current health care delivery models, current practices, and measures to support Joint Studies, except where the Data Owner believes: (1) such contribution may violate federal or state law, the Partner Member’s contractual obligations, or its internal policies, (2) such contribution would harm its proprietary or competitive interests, (3) it does not have the functional ability to do so, (4) such contribution is not in the best interests of that Partner Member, or (5) it is not economically, technically or operationally feasible to do so. The Members have the authority to grant additional exceptions.

MCA: Security – Network & Portal
• These safeguards will be guided by the following standards:
  – OMB Security of Federal Automated Information Resources
  – FIPS 200 Minimum Security Requirements
  – etc.

Due Diligence: SAFTINet Security Framework

SLO Agreement
• Assist PARTNER System Administrator with deployment of SAFTINet Grid Node and ROSITA VMs, including configuration of network settings within guest OS and connectivity testing, and make suggestions for post-deployment security hardening, like changing default passwords.
• Provide remote access software and licenses for remote assistance, administration, and troubleshooting (e.g. GoToMeeting, GoToAssist).
• Maintain secure default settings on all VM templates deployed to PARTNER.
• Design and deploy systems so that all PHI is transferred using FIPS 140-2 validated encryption technologies.
• Ensure that all applications used in the SAFTINet infrastructure are developed and maintained using the highest possible standards and industry best-practices in an effort to safeguard PARTNER’s systems, security, and data integrity.
Getting to Yes:
• Many hours, lots of iterations
• Complementary agreements and policies
• Balance of technology and trust
• Baby steps

Acknowledgments
• Michael G. Kahn, MD, PhD
• Wilson Pace, MD
• David West, PhD
• Bethany Kwan, PhD, MSPH
• Annalissa Philbin, JD, Sr. Research Associate Attorney
• Art Davidson, MD, MSPH, Co-PI, DHHA
• Warren Capell, MD - Director, Colorado Multiple Institutional Review Board
• Alison Lakin – Assistant Vice Chancellor of Regulatory Compliance
• SAFTINet team