data access training - fred hutch · • data stored in fred hutch archives and repositories...

Data Access Training

Data Stewardship Training for Access to Identifiable Cancer Data through the

Hutch Data Commonwealth

Revised February 2018

Cancer Consortium Memorandum of Understanding (MOU)

Through various Consortium agreements including a 2013 Memorandum of Understanding (MOU) among UW, SCCA, Children’s and Fred Hutch, Fred Hutch electronically receives identified patient data from UW and SCCA.

This data is distributed by Fred Hutch Data Commonwealth (“HDC”) to Consortium researchers through two mechanisms: data extract or access to clinical applications populated with such data. For example, such applications, typically found on Clinical Oncology Research Entrance (C.O.R.E.), include, but are not limited to CAISIS, OWL, or HDC Cortex (data platform).

The MOU, along with its security agreement and Business Associate Agreement, describes the terms and conditions under which this data can be accessed and used. This training will help researchers better understand how to use this data.

Hutch Data Commonwealth 2

MOU Governed Data – Overview: Sources and Uses


UW Medicine and SCCA Identified

Cancer data: HER, Lab, other

eSources, manual extraction.

FHCRCHDC

UW Investigators

FHCRC Investigators

SCCA Investigators

FHCRC/Hutch Data Commonwealth (HDC) Operations makes data accessible for research.

Fred Hutch electronically receives identified cancer patient data from UW and SCCA.

Investigators access MOU governed data through requests to HDC for access to clinical applications or data extract services.

Children’s Investigators

Purpose of the Module

• Explain principles of handling confidential and strictly confidential data.

• Describe Protected Health Information (PHI).

• Discuss the Consortium MOU and the roles and responsibilities for individuals accessing and using this data.

• Understanding appropriate research use of MOU governed data.


Importance of Good Data Stewardship• Data stored in Fred Hutch archives and repositories constitute valuable assets

and must be protected from unauthorized access and use.

• Under the Fred Hutch Information Security Policy (ISO Policy), Fred Hutch data is classified as either confidential information or strictly confidential information and should be handled accordingly.

• Individuals who access this data must understand their roles and responsibilities, including the use of safeguards based on the nature of the data, its criticality, and the level of risk associated with its improper access and use.

• Approval processes for data access will help ensure safeguards are in place and followed.


Confidentiality Information ClassificationConfidential information is made available only to individuals with the need and authorization to access it. The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.Access is permitted to individuals who have signed either a confidentiality agreement/pledge or are subject to the terms of an approved data access and use (or comparable) agreement.

Examples:• Research data generated by scientific staff in the course of conducting research prior

to public presentations or publications• Proprietary data owned by a company sponsoring research at Fred Hutch and

protected from unauthorized disclosure by sponsored research, collaboration or clinical trial agreements

• De-identified research data


Principles that Apply to Access and Use of Confidential Data Must be handled by Fred Hutch employees and non-employees according to

Fred Hutch ISO Policy. Should only be accessed when necessary for an approved purpose. Must be securely maintained and transmitted:

• Password Protected• Access controlled• Encrypted when transferred outside of your institution• Audited access/logging when reasonably applied

Cannot be shared with others not authorized to receive it. Loss or suspected loss should be reported immediately to the Fred Hutch

Help Desk at 206.667.5700.


Strictly Confidential InformationStrictly Confidential Information requires special protection. Unauthorized access, disclosure, destruction, or alteration of Strictly Confidential information may constitute a violation of law or contractual or ethical obligations. Such violations or breaches could cause serious to catastrophic harm to Fred Hutch or your institution, including severe financial loss, legal liability, public distrust, or harm to reputation. Unauthorized use of Strictly Confidential Information could also severely harm the individual about whom the data refers. Examples of such data include:• Protected Health Information or PHI

• Research Participant information

• Proprietary business information

• Computer passwords/encryption keys


Principles that apply to access/use of Strictly Confidential Data Must be handled by Fred Hutch employees and non-employees according to

Fred Hutch ISO Policy. Should only be accessed and/or used for an approved purpose. Must be securely maintained and transmitted:

• Password Protected• Access controlled• Encrypted in transit and rest• Audited access and logging

Cannot be shared with others not authorized to receive it. Loss or suspected loss should be reported immediately to the Fred Hutch

Help Desk at 206.667.5700.


Noncompliance in Handling Confidential Information


• Inappropriate access, use, or disclosure of Confidential and Strictly Confidential information, and loss or theft of unencrypted information, can result in individual or institutional fines and penalties, personal liability, and disciplinary action up to and including termination.

PROTECTED HEALTH INFORMATION (“PHI”) Protected Health Information (“PHI” ) includes any information

generated by a Covered Entity that concerns medical history, health status or payment for health care that can be linked to an individual:• Medical Records• Clinical Billing and Health Insurance Information

The term “PHI” was established by the HIPAA, but the confidentiality principles of HIPAA are applied in other settings (i.e., oversight of human subjects research by institutional review boards - IRBs)

Generally, individuals must specifically authorize others to access their PHI for its use in research.


PROTECTED HEALTH INFORMATION (“PHI”)

Levels of PHIUse, access, and disclosure of PHI is highly regulated by HIPAA. Inmost states (including Washington state), the use, access and disclosure of “individually identifiable information” relating to health care is also regulated in a manner similar to federal regulation under HIPAA. The regulatory rigor is determined by the nature of the PHI:• De-identified Information– Least Regulated• Limited PHI (aka “Limited Data Set”) - Specific Use Regulation• Identified/Full PHI and Restricted PHI – Most Highly Regulated


De-Identified Data (Confidential Data)

Least regulated, easiest to access – De-identified data does not contain any of the 18 HIPAA identifiers.(e.g., names, social security numbers, medical record numbers, DOB) or has been determined to be de-identified by an expert statistical analysis.

• Identifiers may be masked/coded for use in data reviews, reports, and exempt research.

• Data results or extracts may be aggregated into cells of 10 or more.

• Access to de-identified information does not require patient authorization.


Safe Harbor De-Identification Method

The 18 HIPAA specified identifiers which need removal:• name, location, dates, telephone numbers, fax

numbers, e-mail addresses, social security numbers, medical record numbers, health plan numbers, account numbers, license numbers, vehicle ID’s, device ID’s, URLs, IP addresses, biometric ID’s (finger and voice prints), full face images, and any other unique identifying number or code.

Hutch Data Commonweath 14

Access a Limited Data Set (LDS) (Strictly Confidential)

• A Limited Data Set includes a subset of HIPAA Identifiers: dates (admission, discharge, service, dates of birth and dates of death), city, state, zip codes and ages in years, months or days or hours. Excluded are names, street address, remainder of 18 HIPAA Identifiers.

• A limited data set is still PHI under HIPAA.• Patient authorization is not required for release of or access to a LDS for

research when the LDS is accompanied by a Data Use Agreement (“DUA”) which satisfies HIPAA requirements.

• Loss or suspected loss must be immediately reported to the Fred Hutch Help Desk at 206.667.5700.


Access to Identified/Full PHI (Strictly Confidential)

• Identified/Full PHI is data that includes individually identifiable information about an individual (i.e., patient).

• Use and disclosure of full PHI are subject to federal and state requirements.

• Identified PHI should not contain information such as social security numbers, bank account numbers, passwords, etc.

• Loss or suspected loss must be immediately reported to the Fred Hutch Help Desk at 206.667.5700.



MOU Allowable Reasons for Access to Patient Data

Patient Authorization

Examples

Clinical Care/treatment activities by UW, SCCA and Seattle Children’s

Not Required Direct provision of care

Health Care Operations by ConsortiumCovered Entities (UW, SCCA and Seattle Children’s)

Not Required Evaluation of the performance of a health care professional, access provided to vendor under contract for business functions, e.g., auditing, compliance, billing

Quality Assessment and Improvement Activities by Consortium Covered Entities (UW, SCCA and Seattle Children’s)

Not Required Activities in which treatment is assessed and evaluated in a “protected” context consistent with Washington state law (RCW70.41.100 for hospitals). Uses of QI/QA data are reviewed and approved in the context of an coordinated quality improvement plan (“CQIP”).

Public Health Reporting by ConsortiumCovered Entities (UW, SCCA and Seattle Children’s)

Not Required Mandatory disclosure of PHI for public health activities and purposes under federal and state law, such as cancer registry

Research Operations by UW, SCCA and Seattle Children’s and Fred Hutch (in its role as a Business Associate to UW, SCCA and Seattle Children’s)

Not Required Data access required to populate, maintain contents of datawarehouses, clinical applications. Includes manual data abstraction, natural language processing, and data quality assurance for completeness and accuracy.

Research by UW, SCCA, Seattle Children’s and Fred Hutch

Required or waived per IRB

Typically data used in retrospective data. IRB may waive HIPAA Authorization as role of Privacy Board. Such waiver requires an accounting of PHI disclosures.

Research Use of Full PHI

• Washington State imposes more stringent requirements than federal HIPAA laws in certain important aspects when allowing access to identified information for research. Examples include:

• Washington state law requires an “authorization” for access to individually identifiable health information following death.

• Washington state requires a confidentiality pledge from researchers in order to obtain access to identified information when patient does not authorize access.

• Access to Consortium governed data must be controlled and regulated to satisfy all regulatory requirements.

• Use requires explicit authorization by individual to whom the PHI relates. Authorization must meet HIPAA and state law requirements.


Access to Full PHI for Research without Authorization

• When Researchers require access to identified PHI for research purposes and don’t have the ability to obtain the express authorization from participant, researchers may request a Waiver of Authorization (“waiver”) from participant authorization.

• Waivers are typically sought for viewing PHI for reviews preparatory to research consistent with HIPAA and Washington State law (RCW 70.02.050).

• A waiver is permitted under limited circumstances upon approval your institution’s Institutional Review Board (IRB), an oversight body charged by law to protect research participants from many forms of harm.

• HIPAA and state laws dictate what criteria an IRB must apply in making a determination that access to PHI without authorization is permissible.

• Plans to protect the identifiers during the research use and to destroy the identifiers when no longer needed should be considered carefully and followed.


Security Policy, Minimum Necessary and Accountings

Once allowed access to PHI, the researcher must adhere to three overarching federal requirements (“principles”):

• Adherence to the institutional Information Security Policy.• “Minimum Necessary Use” - the researcher must make efforts to

request, disclose or use only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.

• “Accounting” - if PHI is accessed via an IRB approved waiver of HIPAA authorization, such access must be documented for each individual (create an accounting of disclosures). Individuals have a right to receive an accounting of who has seen their PHI over the last 6 years.


Contacting Patients for Recruitment

How can an Consortium investigators contact individuals for recruitment?

• IRB approval required in all situations.


Research Use of Identified Data: Unauthorized Disclosure


Can a researcher use share identified information for reasons outside the study protocol? No. The disclosure or use of identified data in this situation violates scope of the HIPAA Authorization or the scope of the IRB-approved waiver of the HIPAA Authorization requirement.

What happens if the data is on a non-encrypted smartphone which is lost? Because the phone is not encrypted (password protection is not sufficient), the data is considered unsecured. This could represent an unauthorized use/disclosure of unsecured PHI. Unauthorized disclosure of unsecured PHI may require notification to the IRB and the HIPAA Covered Entity that is the source of the PHI. Call Fred Hutch Help Desk at 206.667.5700 and Fred Hutch Office of the General Counsel at 206-667-1224.

Good Research Data Stewardship• Confidential and Strictly Confidential information should be secured when not

in use. Unsecured disclosure of PHI beyond the purpose of the approved study is a violation of the MOU and may require notification to the Covered Entity (UW).

• Dispose of confidential or identified information when no longer needed. (Shred paper or use locked bin, tapes must be shred, and digital media must be scrubbed with an approved destruction utility.) Contact Fred Hutch ISO or comparable office at your home institution.

• Use of PHI in approved and authorized research is prescribed by the terms of the patient consent/HIPAA authorization. If authorization waiver exists, use is restricted by the intent of the study protocol.

• Use of PHI in research under an approved HIPAA Authorization waiver requires tracking the name and MRN# of patient whose data is accessed.


Reporting and Non-Retaliation

No individual who in good faith reports a known or suspected conduct, incident or practice that may violate 1) institutional compliance and/or ethical conduct policies and/or 2) related state and federal laws and regulations will be discharged, demoted, suspended, threatened, harassed, discriminated against or otherwise retaliated against for making such report. Workforce members who conduct retaliatory behavior may be disciplined.

Suspected non-compliance of MOU data may be reported to each institutional compliance office or reporting hotline. UW, SCCA, Children’s and FHCRC each maintain their own anonymous reporting services. You may also call Fred Hutch Help Desk at 206.667.5700. You may call Fred Hutch Office of the General Counsel at 206-667-1224 for more information.


QUESTIONS ?

Any questions about this training session can be directed to Susan Glick at [email protected].


data access training - fred hutch · • data stored in fred hutch archives and repositories...

Documents