Data Sharing Agreement Outline

Russ Waitman, Steve Fennel, Dan Connolly, Amy Sokol KUMC Draft.

To date, there was been a lack of clarity across all the networks as to what institutions, network,s and people are agreeing to share: what, how, to whom, frequency, for what purpose. Having a data sharing governance approach that is inclusive but promotes transparency will help the network and its researchers.

1. Data Source:

• HIPAA considerations

  • Fully deidentified
    • Need consistency on data shifting - (e.g. required statistical certification)
  • Limited data set
  • Contains PHI

• Other Regulations

  • State Regulations (e.g. HIV, substance abuse treatment programs)
  • Federal Regulations for Part 2 Facilities

• Patient data

  • Structured data
  • Free text (scrubbed, not scrubbed)

• Provider data

  • Individual docs
  • Systems/clinics

• EMR and other meta data

  • Content concepts
    • Eg: RxCUI, ICD9, SNOMED
  • System usage
  • Patient level
  • Provider level

2. User Types

• Within a PCORnet/CDRN institution
• Outside the CDRN/PPRN or PCORnet
• Coordination/honest broker role
• Super user -> novice
• Faculty -> student

3. User requirements

• Training
  • HIPAA/security
  • Human subjects research /CITI
• Security
  • of connection to resources
  • of systems when possessing data

4. User channel flows

• Use PopMedNet
  • query
  • submit and receive analysis
• Use other tools ODHSI/OMOP/i2b2
• Develop/deploy analysis
• Receive results
• Receive data
• Review meta data and data quality profiles
• Sponsor students and contractors.

5. Intended Use

• Profit versus non-profit
• Commercial use
• Research
• Competitive
• Postmarket surveillance
• Quality improvement

6. Standard boilerplate in agreements

• Indemnity (implications of PHI versus deid/lds)
• Warranty (same)
• Termination
• Renewal
• Definitions

Flavors of data sharing. Which ones are supported currently by the CDRNs and PPRNs?

1. Public internet searchable

• High level counts of who’s in a network

2. System Access

• De-id, LDS, PHI
• Current CDRN/GPC partner or not
• View
  • I2b2
    • Conduct count
    • Do free text search
    • See timeline or analysis plugin
  • Babel
• Write
  • Update babel
  • REDCap

3. Receive results

• Aggregate counts
  • Need consistency on obfuscated cell size restrictions (<10, <=10, <5, no restriction)
• Detailed analysis
  • Histograms
  • Logistic regression and resulting reports
  • Distributed Research Network queries across sites/CDRNs

4. Ship data

• De-id
• LDS
• PHI
• Agree to refresh or one time extraction?

5. Link data

• Share data between two or more data partners one time
• Patient de-duplication between partners desired?
• Link without PHI exchange ala hash or unique ID

6. Exchange data

• Link or persist sharing between data partners on an agreed upon frequency
  • PPRN to CDRN
  • CDRN to Payor
  • Patient to CDRN site
  • Patient to PPRN

Data Sharing Grid

• Would be good to understand where people sit currently
• User Type dimension
• Data type
  • Patient
  • Provider
  • System
  • Concept
• Sharing flavor or workflow
• Sites could update their choices quarterly semi-annually

Immediate Use Cases

• ADAPTABLE trial
• Obesity studies June 2016 deadline
  • Fully using Distributed Research Network only
  • Need to ship data for pediatrics piloting work.

Oversight Levels

• Not required (ex: update overall statistics from your site)
• Auditing review (logs of i2b2 access or DRN queries run by coordinating center for approved studies)
  • What’s the approval process for DRN queries
• System access agreement must be signed to use system or view results
• Data use agreement required of study team
  • Explicit review by each site for shipping data request?

Data Partners to the agreement

• CDRNs and sites
• PPRNs and patient groups
• CMS
  • RESDAC
• Payors/BCBS
• NIST and federal data partners

Notes from December 29, 2015 meeting Steve Fennel, Amy Sokol, Russ Waitman

Amy likes the types of data, who has access and what uses (non-profit versus commercial).

Send the grid out to current networks to get the lay of the land

What types of data

• payor data Patient data Provider data.

What do you share?

What agreements do you have?

Does PCORI (Maryan Zirkle) already have this?

Get a follow up call with Maryan and Coordinating Center to review all the agreements. What's in common? Where are the things roughly in alignment.

What's non-controversial? What's not?

If you spell things out it takes more review but then you don't have the issues on the back end of uncertainty of what kind of data and use.

Potentially Controversial

• payor data?
• quality data
• competitive advantage
• IRBs and ethics around commercial purposes and patient perspective

Avoiding PHI for linkage

Next steps:

• Russ email committee and Maryan to get team to review agreements against matrix.

• Find out who is interested on committee (CHOP attorney). Reach back out to Sharon on CENA PPRN patient-centric agreement.

• Harmonize the agreements (need all the relevant agreements to review; weigh more heavily the ones finalized and signed).

• Draft the grid (Russ and Steve)

• goal is the obesity trial in June (distributed analysis of de-id? Or LDS?) but also early uses of shipping data (Chris Forrest at CHOP and Pediatric Obesity may benefit from shipped data to pilot/validate methods while waiting on full distributed research network deployment).

Is the agreement network wide or with all the sites?

• it's an agreement signed by the networks that represents their sites but sites can update their sharing status level.
• from Amy's perspective would be easiest if every site did it.

Site/institutions would profile their level of sharing similar to patients using the Platform for Engaging Everyone Responsively (PEER) used by CENA

Do bronze silver and gold settings for sharing. So define packages of the discrete settings. You may change it quarterly.

Samples of how patients set their sharing comfort levels with PEER: then each institution could compare its profile with others and adjust as trust builds:

Levels of data access

• can use data for all purposes

Levels of data type

• adds payor data
• adds free text

Metrics are shown indicating the levels of participation

• you've shared 10 burgers. Rise to level 2!

You would need examples for each type of level tweaking so that researchers/lawyers/informaticians/administrators could understand what they are setting (similar to PEER)

Boilerplate The indemnity language isn't needed if it's de-id. If it's PHI everyone wants indemnity What you can do with the data depends on the level of data obfuscation and the protections you provide.
If it's full blown PHI you must comply with HIPAA

Renewal term: could be automatic and allow quarterly profile updates.

Everyone has a confidentialty and limit of liability, no third party beneficiaries, no assignment,

The language here may also align with the ACTA and PCORnet modified ACTA.

The LCME for accreditation of med schools is a pretty good vanilla agreement. But, it’s a low risk scenario of malpractice on med students.

Now de-id data is low risk. If we have to involve PHI shipping then we are looking at a limited data set that people are willing to ask for less indemnification and it would look more like the GPC language exhibit D with a two sentence indemnification provision versus CHOP’s limitation of liability and required everyone to have $5 million/claim network security liability insurance. KUMC as a state institution doesn’t; the hospital may but would have to check. The RI does not.

It's key for people to realize they are on both sides of the fence: they are both getting data and giving data as full network partners creating/owning the network. So we don't want a one sided agreement when the parties are both using and contributing. For people totally external, we demand more agreement requirements because they don't contribute.