Reminder: Do not include any PHI or PII in Confluence. If you require 508 accessibility assistance or any other support for this system, then please send an email to onc-jira-questions@healthit.gov
...
- What are risks, liabilities, and benefits of participant-managed systems vs. researcher managed systems vs. operationally managed systems?
- What are the workflows and pros and cons of creating identifiers on a project-by-project basis vs. maintaining identifiers over networks, registries, or initiatives intended to operate over multiple projects? Relatedly, what is needed (technically and legally) to keep this data up to date?
- Should there be a contract or data use agreement that spells out responsibilities for anyone who uses or participates in the use of a research ID? Should a model contract be made available and spell out all the terms and responsibilities, including but not limited to data breach obligations and costs?
- In you experiences, are IRBS, legal, and privacy offices well prepared to make determinations on this question?
- What is the feasibility of participants self-managing linkage information across sources? What types of individuals would be excluded from population-based research using EHR and claims data if contact is required for data linkage?
- To what extent are an individual’s concerns addressed with technical approaches that leverage cryptographic methods?
- To what extent are covered entities’ and other liable parties’ concerns addressed with technical approaches that leverage cryptographic methods?
- Some research organizations have opted to reuse identifiers created for Regional Health Information Exchanges. What are the implications of this practice?
Title | Response |
Description | To protect privacy and conform to regulatory concerns, unique identifiers for research must be applied with researcher-administered systems to link data over time and across data sources. |
Primary actor/participant | Research Teams, Covered Entities, Participants |
Support actor/participant | Information systems |
Preconditions | Identifying information that can be used to reliably link records across independently regulated data sources is available. |
Post conditions | Unique, potentially reusable identifiers are created in according to well-accepted known regulatory standards. |
Alternatives |
|
Considerations |
|
Data Elements Considered | Personally Identifiable Information (PII) and encrypted versions of PII |
Purpose of the Data Collection | Treatment, Payment, Operations |
Purpose of Data Use | Creation of potentially reusable unique identifiers |
Terms of Transfer of Original Data to the Data Holders | Treatment, Payment, Operations |
Terms of Transfer to Researchers | Identifiers created with IRB approval, potentially waiver of authorization (Alternatives – Consent, Expert Determination, BAA) |
...