...

  • What are the risks, liabilities, and benefits of participant-managed systems vs. researcher-managed systems vs. operationally-managed systems?
  • What are the workflows and pros and cons of creating identifiers on a project-by-project basis vs. maintaining identifiers over networks, registries, or initiatives intended to operate over multiple projects? Relatedly, what is needed (technically and legally) to keep this data up to date?
  • Should there be a contract or data use agreement that spells out responsibilities for anyone who uses or participates in the use of a research ID? Should a model contract be made available and spell out all the terms and responsibilities, including but not limited to data breach obligations and costs?
  • In your experience, are IRBs, legal, and privacy offices well prepared to make determinations on this question?
    • What is the feasibility of participants self-managing linkage information across sources? What types of individuals would be excluded from population-based research using EHR and claims data if contact is required for data linkage?
    • To what extent are an individual’s concerns addressed with technical approaches that leverage cryptographic methods?
    • To what extent are covered entities’ and other liable parties’ concerns addressed with technical approaches that leverage cryptographic methods?
    • Some research organizations have opted to reuse identifiers created for Regional Health Information Exchanges. What are the implications of this practice?

Title

Response

Description

To protect privacy and conform to regulatory concerns, unique identifiers for research must be applied with researcher-administered systems to link data over time and across data sources.

Primary actor/participant

Research Teams, Covered Entities, Participants

Support actor/participant

Information systems

Preconditions

Identifying information that can be used to reliably link records across independently regulated data sources is available.

Post conditions

Unique, potentially reusable identifiers are created according to well-accepted, known regulatory standards.

Alternatives

  • Identifiers are created using methods certified under the HIPAA expert determination method as de-identified (and not subject to HIPAA) vs. creating identifiers using an IRB vs. creating identifiers under a BAA.
  • Deterministic identifiers provided as part of multi-institutional operations
  • Participant-managed linkage systems
  • In cases where data systems already exchange information (e.g. payers and providers or networked providers), researchers may be able to link on non-PII data.

Considerations

  • Risks, liabilities, and benefits of participant-managed systems vs. researcher-managed systems vs. operationally-managed systems
  • Feasibility of participants self-managing linkage information across sources
  • Reusing identifiers created for regional health information exchanges
  • Single use (i.e. one analysis, one product) vs. reuse (potentially multiple projects)

Data Elements Considered

Personally Identifiable Information (PII) and encrypted versions of PII

Purpose of the Data Collection

Treatment, Payment, Operations

Purpose of Data Use

Creation of potentially reusable unique identifiers

Terms of Transfer of Original Data to the Data Holders

Treatment, Payment, Operations

Terms of Transfer to Researchers

Identifiers created with IRB approval, potentially with a waiver of authorization

(Alternatives – Consent, Expert Determination, BAA)

 

...