Presentation is loading. Please wait.

Presentation is loading. Please wait.

DATA SHARING and DATA SHARING AGREEMENTS Teresa Mulford MDCH, Office of Legal Affairs.

Published byArlene Eaton Modified over 8 years ago

Similar presentations

Presentation on theme: "DATA SHARING and DATA SHARING AGREEMENTS Teresa Mulford MDCH, Office of Legal Affairs."— Presentation transcript:

1 DATA SHARING and DATA SHARING AGREEMENTS Teresa Mulford MDCH, Office of Legal Affairs

2 ●Definition/Purpose oAgreement between parties that outlines how shared data will be used, disclosed, and protected, by agreeing to provisions that place general and specific limitations on the receiving party... oHIPAA and other laws require Covered Entities to obtain satisfactory assurance that the data recipient will only use or disclose the information for limited purposes to ensure that shared data will not be misused. Data Sharing Agreement

3 ●Can the Data be shared and what type of agreement is needed? ●Steps oCan the data be shared? oIdentify: oThe data elements requested oDe-identified oLimited Data Set oIdentifiable Data oThe applicable confidentiality laws oThe parties – Business Associate, Covered Entity, Researcher, Public Health Agency, … Overview of Today’s Discussion

4 ●What type of written agreement is appropriate? Business Associate Agreement (BAA) Memorandum of Understanding (MOU) Data Sharing Agreement (DSA) You have determined that the data can legally be shared -

5 ●When Required by Law oHIPAA oIRB oFinancial oOther ●For liability reasons ●For ethical reasons WHEN / WHY IS A DSA NEEDED?

6 ●Include language to ensure proper use, disclosure,…etc…. ●Routine provisions – those required by law ●Special Provisions – unique to the data WHAT PROVISIONS

7 ●Follow up is required – oAfter agreed time, at end of project, etc. oEnsure shared data continues to be protected or has been returned or destroyed Follow up – Monitoring

8 ●Step One: Identify the data elements requested: oDe-Identified Data oLimited Data Set oIdentifiable Data Can the data be shared? Steps…

9 ●Two methods of de-identification oFirst: Safe Harbor – HIPAA list of identifiers – Note: All dates and most demographic information are included as identifiers. Ages, zip codes, or ‘dummy codes’ are permitted with limitations. oAge: In most cases, year of birth may be retained, which can be combined with the age of the subject to provide sufficient information about age for most uses - however dates that might be directly related to the subject must be removed or aggregated to the level of year to prevent deduction of birth dates. Extreme ages – 90 and over – must be aggregated further to avoid identification of very old individuals. For young children or infants – age can be expressed in months, days, or hours – as long as the birth date can not be determined. (Zip codes, ‘dummy codes’ – see following slides…) De-identified Data

10 ●Two methods of de-identification…continued oFirst: Safe Harbor…continued oZip Code: Three digit zip codes can be used if the zip code area contains more than 20,000 people as determined by the Bureau of the Census. (In 2000, there were only 18 three-digit zip codes containing fewer than 20,000 people). o‘Dummy codes’: A re-identification code can be created and provided to the data recipient as long as the code was not derived from information related to the subject of the information. The HMAC (keyed hash message) mechanism can not be used to create a dummy code in a de-identified data set. The mechanism used to create the code can not be disclosed to the data recipient. De-identified Data…cont.

11 ●Two methods of de-identification…continued oSecond: Expert – a person with appropriate knowledge and experience is to apply generally accepted statistical and scientific methods to render information not individually identifiable. De-identified Data…cont.

12 ●All direct identifiers must be removed. Some demographic information, dates, and ‘dummy codes’, are permitted. Under HIPAA, a Limited Data Set can only be shared for the purpose of Research, Public Health, or Health Care Operations. oDemographic information is allowed, such as zip codes, cities, and geographic areas, however, street addresses are direct identifiers that must be removed. oAll Dates are permitted – including birthdates, however, requests for birthdates should be reviewed for necessity. o‘Dummy codes’: A re-identification code can be created and provided to the data recipient as long as the code was not derived from information related to the subject of the information. The HMAC (keyed hash message) mechanism CAN be used to create a dummy code in a limited data set (but not in a de-identified data set). The mechanism used to create the code can not be disclosed to the data recipient. Limited Data Set

13 ●Data with identifiers may be shared if an exception exists under applicable law. oHIPAA permits the sharing of identifiable data for specific purposes – in which case, a Data Sharing Agreement may be warranted. Identifiable Data

14 ●Step Two: Identify the applicable confidentiality laws…more than one may apply oMedicaid oPublic Health Code oMental Health Code oHIV/AIDS/STD oSubstance Abuse oHIPAA oResearch – Human Subjects (Common Rule) oOther Can the data be shared? Steps…cont.

15 ●When more than one confidentiality law is applicable and both/all cannot be complied with… oThe HIPAA Privacy regulation will preempt all other privacy or confidentiality laws, (state or otherwise) unless – the other law provides the individual with greater privacy rights or protections. Can the data be shared? Steps…cont.

16 ●Step Three: Identify the players – and the relationship between the data provider and the requester oBusiness Associate oCovered Entity (under HIPAA) oPublic Health Agency oResearcher oGovernment entity oIndependent oOther Can the data be shared? Steps…cont.

17 ●After analyzing the requested data elements, all applicable laws, and the players – and their relationship, you have decided that the information can be shared… (descriptions that follow under each type of agreement can be used to sort out this information.)

18 ●What type of written agreement is appropriate? Business Associate Agreement (BAA) Memorandum of Understanding (MOU) Data Sharing Agreement (DSA) You have determined that the data can legally be shared -

19 ●Business Associate Agreement (BAA) oA business associate is an entity/contractor that the covered entity, MDCH, has contracted with to perform a HIPAA covered function on MDCH’s behalf that requires the sharing of protected health information (PHI). oHIPAA requires covered entities, such as MDCH, to enter into a written Business Associate Agreement that requires the business associate to comply with the confidentiality provisions under HIPAA. oDifferentiate a business associate from other entities – a business associate is performing a function on MDCH’s behalf – which requires a BAA, and the other is performing a function on its own behalf. What type of written agreement is appropriate?

20 ●Memorandum of Understanding (MOU) oA MOU is similar to a BAA, however, is generally used when sharing identifiable data between governmental entities to carry out responsibilities under state or federal law. What type of written agreement is appropriate?

21 ●Data Sharing Agreement (DSA) oA DSA may be required in the following circumstances: oIf sharing de-identified information with any entity. oIf sharing a limited data set or identifiable data with a business associate where a new function has been added under the contract. oIf sharing a limited data set with a business associate that has requested the information for its own public health, research, or health care operations. (continued…) What type of written agreement is appropriate?

22 A DSA may be required in the following circumstances (continued): oIf only sharing a limited data set with a business associate to perform functions on MDCH’s behalf – thereby eliminating the need for a BAA. oIf sharing a limited data set with a researcher. This eliminates the researcher’s need for an individual’s authorization. The researcher also might be able to bypass the Institutional Review Board review requirement for human subjects research. (Refer to Harry McGee.) (continued…) Data Sharing Agreement (DSA) (continued…)

23 A DSA may be required in the following circumstances (continued): oIf sharing a limited data set with another covered entity that has requested the information for its own public health, research, or health care operations. (Assists in the sharing of data with another covered entity where HIPAA limits the sharing of fully identifiable information – e.g. “to another covered entity for its health care operations”.) oIf sharing a limited data set with any other entity for public health or research purposes. (e.g., non MDCH cancer registry.) oIf sharing fully identifiable information to an entity for a permitted purpose under HIPAA or other applicable confidentiality law. Data Sharing Agreement (DSA) (continued…)

24 ●Include language to ensure proper use, disclosure,…etc…. ●Routine provisions – those required by law (HIPAA requirements handout and copy of MDCH template.) ●Special Provisions – unique to the data requested WHAT PROVISIONS

25 ●Follow up is required – oAfter agreed time, at end of project, etc. oEnsure shared data continues to be protected or has been returned or destroyed After the DSA is signed, the data is provided, … Monitoring and

26 ●Please forward a copy of all completed MDCH Data Sharing Agreements to the Office of Legal Affairs (OLA) to be entered into MDCH DSA Database. MDCH Log of Data Sharing Agreements

27 ●Identify the requested data elements, the applicable laws, and the players, ●Determine the appropriate agreement that is needed and execute, ●Send copy of completed MDCH DSA to OLA to be logged, ●Monitor – and follow up at end of project, or agreed upon time, to ensure shared data continues to be protected or has been returned or destroyed. In review:

28 ●Forward any MDCH questions to the Office of Legal Affairs: ●(517) 241-0048 ●Email: mulfordt@michigan.gov Questions?

Download ppt "DATA SHARING and DATA SHARING AGREEMENTS Teresa Mulford MDCH, Office of Legal Affairs."

Similar presentations

Fourth National HIPAA Summit April 26, 2002 Implementation of a HIPAA Data Management Strategy Safeguarding privacy interests while making data available.

Fourth National HIPAA Summit April 26, 2002 Implementation of a HIPAA Data Management Strategy Safeguarding privacy interests while making data available.
SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *http://www.hhs.gov/ocr/combinedregtext.pdf.

HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.

1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.

HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.

1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.

TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
THE FOLLOWING SLIDES EXPLAIN THE REQUIRED ELEMENTS THAT MUST BE INCLUDED FOR A HIPAA AUTHORIZATION TO BE VALID HIPAA Authorizations.

THE FOLLOWING SLIDES EXPLAIN THE REQUIRED ELEMENTS THAT MUST BE INCLUDED FOR A HIPAA AUTHORIZATION TO BE VALID HIPAA Authorizations.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Hot Topics Legal Update Jill D. Moore, JD, MPH University of North Carolina School of Government September 2014.

Hot Topics Legal Update Jill D. Moore, JD, MPH University of North Carolina School of Government September 2014.
Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.

Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA 206-628-7769.

Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA
Privacy and Information Security Essentials

Privacy and Information Security Essentials
University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.

University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.

Similar presentations

Ads by Google