DATA SHARING
and
DATA SHARING AGREEMENTS
1
● Definition
• A data-sharing agreement is a formal contract that clearly
documents what data are being shared and how the data can be
used. Such an agreement serves two purposes. First, it protects the
agency providing the data, ensuring that the data will not be
misused.
• Second, it prevents miscommunication on the part of the provider of
the data and the agency receiving the data by making certain that
any questions about data use are discussed. Before any data are
shared, both the provider and receiver should talk in person or on
the phone to discuss data-sharing and data-use issues and come to
a collaborative understanding that will then be documented in a
data-sharing agreement.
Data Sharing Agreement
2
Data Sharing Agreement
● Purpose
o HIPAA and other laws require Covered Entities to obtain
satisfactory assurance that the data recipient will only use or
disclose the information for limited purposes to ensure that
shared data will not be misused.
• HIPAA (Health Insurance Portability and Accountability Act):
a US law designed to provide privacy standards to protect patients’
medical records and other health information.
3
● Can the Data be shared and what type of agreement is
needed?
● Steps
o Can the data be shared?
o Identify:
o The data elements requested
o De-identified
o Limited Data Set
o Identifiable Data
o The applicable confidentiality laws
Overview of Today’s
Discussion
4
● What type of written agreement is appropriate?
Business Associate Agreement (BAA)
Memorandum of Understanding (MOU)
Data Sharing Agreement (DSA)
You have determined that the data
can legally be shared -
5
● DSA is required by law
● For liability reasons
● For ethical reasons
WHEN / WHY IS DSA NEEDED?
Monitoring
● Follow up is required –
o After agreed time, at end of project, etc.
o Ensure shared data continues to be protected or has
been returned or destroyed
6
● Step One: Identify the data elements requested:
o De-Identified Data: de-identification is the removal of specific
information about a patient that can be used alone or in combination
with other information to identify that patient.
o Limited Data Set
o Identifiable Data
Can the data be shared?
Steps…
7
● Two methods of de-identification
o First: Safe Harbor –
Ages, zip codes, or ‘dummy codes’ are permitted with limitations.
o Age: In most cases, year of birth may be retained; however,
dates that might be directly related to the subject must be
removed or aggregated to the level of year to prevent deduction
of birth dates. Extreme ages – 90 and over – must be
aggregated further to avoid identification of very old individuals.
For young children or infants, age can be expressed in
months, days, or hours, as long as the birth date cannot be
determined.
De-identified Data
8
o Zip Code: Three-digit zip codes can be used if the zip code
area contains more than 20,000 people as determined by the
Bureau of the Census.
o ‘Dummy codes’: A re-identification code can be created and
provided to the data recipient as long as the code was not
derived from information related to the subject of the
information. The mechanism used to create the code cannot
be disclosed to the data recipient.
De-identified Data…cont.
9
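Added example, not part of the original slides: one way to apply the Safe Harbor limits from slides 8 and 9 (dates aggregated to year, ages 90 and over grouped, three-digit zip codes only for areas above 20,000 people, a dummy code not derived from the subject) in Python. The field names, the zip population table, the "000" placeholder and the "90+" bucket are assumptions made for illustration.

```python
import secrets
from datetime import date

# Constructed lookup: population of each three-digit zip area (made-up values;
# real figures come from the Bureau of the Census).
ZIP3_POPULATION = {"489": 412_000, "036": 14_500}
MIN_ZIP3_POPULATION = 20_000  # slide 9: area must contain more than 20,000 people
TOP_CODED_AGE = 90            # slide 8: ages 90 and over are aggregated further
SUPPRESSED_ZIP = "000"        # assumption: placeholder when the area is too small

# Constructed sample records; field names are hypothetical.
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "name": "Pat Example", "street": "1 Main St",
     "zip": "48933", "birth_date": date(1980, 11, 2),
     "admit_date": date(2024, 2, 17), "diagnosis": "J45"},
    {"mrn": "MRN-0002", "name": "Lee Sample", "street": "9 Elm Rd",
     "zip": "03601", "birth_date": date(1931, 3, 14),
     "admit_date": date(2024, 4, 30), "diagnosis": "I10"},
]


def generalize_zip(zip_code):
    """Keep the first three digits only if the area is populous enough."""
    zip3 = zip_code[:3]
    if ZIP3_POPULATION.get(zip3, 0) > MIN_ZIP3_POPULATION:
        return zip3
    return SUPPRESSED_ZIP


def generalize_age(birth_date, as_of):
    """Return year of birth, or a single 90+ bucket for extreme ages."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    age = as_of.year - birth_date.year - (0 if had_birthday else 1)
    if age >= TOP_CODED_AGE:
        # Assumption: withhold the birth year too, since it would reveal the age.
        return {"age_group": "90+", "birth_year": None}
    return {"age_group": str(age), "birth_year": birth_date.year}


def new_dummy_code(existing):
    """Random code: not derived from any information about the subject."""
    while True:
        code = secrets.token_hex(8)
        if code not in existing:
            return code


def deidentify(records, as_of):
    """Return (rows for the recipient, crosswalk kept by the provider)."""
    crosswalk = {}  # dummy code -> original record id; never shared
    shared = []
    for rec in records:
        code = new_dummy_code(crosswalk)
        crosswalk[code] = rec["mrn"]
        row = {"code": code, "zip3": generalize_zip(rec["zip"]),
               "admit_year": rec["admit_date"].year,  # date aggregated to year
               "diagnosis": rec["diagnosis"]}
        row.update(generalize_age(rec["birth_date"], as_of))
        shared.append(row)  # name, street and record number are dropped
    return shared, crosswalk


if __name__ == "__main__":
    rows, _ = deidentify(SAMPLE_RECORDS, as_of=date(2024, 6, 1))
    for r in rows:
        print(r)
```

Only the first return value goes to the data recipient; the crosswalk stays with the provider so that the code can be reversed there and nowhere else.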
● Two methods of de-identification…continued
o Second: Expert – a person with appropriate knowledge and
experience is to apply generally accepted statistical and
scientific methods to render information not individually
identifiable.
De-identified Data…cont.
10
● A limited data set is a limited set of identifiable patient information as
defined in the privacy regulations issued under HIPAA.
● All direct identifiers must be removed. Some demographic
information, dates, and ‘dummy codes’, are permitted. Under
HIPAA, a Limited Data Set can only be shared for the purpose of
Research, Public Health, or Health Care Operations.
o Demographic information is allowed, such as zip codes, cities, and
geographic areas; however, street addresses are direct identifiers that
must be removed.
o All dates are permitted, including birthdates; however, requests for
birthdates should be reviewed for necessity.
o ‘Dummy codes’: A re-identification code can be created and provided
to the data recipient as long as the code was not derived from
information related to the subject of the information.
Limited Data Set
11
● Data with identifiers may be shared if an exception exists
under applicable law.
o HIPAA permits the sharing of identifiable data for specific
purposes – in which case, a Data Sharing Agreement may be
warranted.
Identifiable Data
12
● Step Two: Identify the applicable confidentiality laws…
more than one may apply
o Medicaid: provides coverage for some low-income people,
families and children, pregnant women, the elderly, and people with
disabilities.
o Public Health Code
o Mental Health Code
o HIV/AIDS/STD
o Substance Abuse
o HIPAA
o Research – Human Subjects (Common Rule)
o Other
Can the data be shared?
Steps…cont.
13
● When more than one confidentiality law is
applicable and both/all cannot be complied
with…
o The HIPAA Privacy regulation will preempt all other
privacy or confidentiality laws (state or otherwise),
unless the other law provides the individual with
greater privacy rights or protections.
Can the data be shared?
Steps…cont.
14
● Step Three: Identify the players – and the relationship
between the data provider and the requester
o Business Associate
o Covered Entity (under HIPAA)
o Public Health Agency
o Researcher
o Government entity
o Independent
o Other
Can the data be shared?
Steps…cont.
● After analyzing the requested data elements, all
applicable laws, and the players – and their relationship,
you have decided that the information can be shared…
15
● What type of written agreement is appropriate?
Business Associate Agreement (BAA)
Memorandum of Understanding (MOU)
Data Sharing Agreement (DSA)
You have determined that the data
can legally be shared -
16
● Business Associate Agreement (BAA)
o A business associate is an entity/contractor that requires the
sharing of protected health information (PHI).
● Memorandum of Understanding (MOU)
o An MOU is similar to a BAA but is generally used when
sharing identifiable data between governmental entities to carry
out responsibilities under state or federal law.
What type of written
agreement is appropriate?
17
● Data Sharing Agreement (DSA)
o A DSA may be required in the following circumstances:
o If sharing de-identified information with any entity.
o If sharing a limited data set or identifiable data with a
business associate where a new function has been added
under the contract.
o If sharing a limited data set with a business associate that
has requested the information for its own public health,
research, or health care operations.
(continued…)
What type of written
agreement is appropriate?
18
A DSA may be required in the following circumstances (continued):
o If sharing a limited data set with a researcher. This
eliminates the researcher’s need for an individual’s
authorization. The researcher also might be able to bypass
the Institutional Review Board (IRB: other law) review
requirement for human subjects research. (Refer to Harry
McGee.)
(continued…)
Data Sharing Agreement (DSA)
(continued…)
19
A DSA may be required in the following circumstances (continued):
o If sharing a limited data set with another covered entity that
has requested the information for its own public health,
research, or health care operations. (Assists in the sharing
of data with another covered entity where HIPAA limits the
sharing of fully identifiable information – e.g. “to another
covered entity for its health care operations”.)
o If sharing a limited data set with any other entity for public
health or research purposes (e.g., a non-MDCH cancer
registry).
o If sharing fully identifiable information to an entity for a
permitted purpose under HIPAA or other applicable
confidentiality law.
Data Sharing Agreement (DSA)
(continued…)
20
● Please forward a copy of all completed MDCH Data
Sharing Agreements to the Office of Legal Affairs (OLA)
to be entered into MDCH DSA Database.
MDCH Log of Data Sharing
Agreements
21
● Identify the requested data elements, the
applicable laws, and the players,
● Determine the appropriate agreement that is
needed and execute,
● Send copy of completed MDCH DSA to OLA to
be logged,
● Monitor – and follow up at end of project, or
agreed upon time, to ensure shared data
continues to be protected or has been returned
or destroyed.
In review:
22
● What is DSA?
● State the importance of agreement in data sharing
administration
● Cite the types of written agreement
● Why is DSA needed?
● Prepare data sharing policy and regulation (Hints: The 3
types)
● Outline the factors that can work against DSA (Hints:
Conflict of interest, ethical consideration, lack of
communication…)
Questions?
23

Data sharing and data agreement lecture.ppt


Editor's Notes

  • #4: QUICKLY - OVERVIEW
  • #5: QUICKLY - OVERVIEW
  • #6: QUICKLY - OVERVIEW
  • #8: HAND OUT – YELLOW CARDS
  • #13: HAND OUT – DATA SHARING FLOW CHART AND DEFINITIONS
  • #14: HAND OUT - PREEMPTION FLOW CHART
  • #16: HAND OUT – MDCH DATA SHARE TEMPLATE