Few things are more confusing than the requirements for sharing data with other investigators. This page presents the requirements for sharing deidentified, limited and identifiable data sets and biospecimens (referred to on this page together as "data/specimens"). Show
For more information on sharing data with other investigators with several specific examples, download the NIH Data Sharing Workbook. This document also reviews items that should be incorporated into the protocol when data sharing with other investigators is part of the research plan. What is needed to share data/biospecimens?Investigators may obtain data/specimens in a variety of ways. For example the data/specimens are likely to have come from one of the following:
Sharing Data/Specimens Stored with IdentifiersData/specimens that include identifiers can be used or disclosed as permitted in the consent form and written authorization or with a waiver of consent and HIPAA authorization issued by the IRB. Investigators often want to use data collected for clinical or QI purposes or to analyze research data or use research specimens for other purposes (secondary use). If the investigator needs to retain identifiers for a legitimate research purpose then secondary uses of the identifiable data/specimens might be qualify as human subjects research or not as human subjects research depending on what is shared. The diagram on the right show that data from a clinical or research database could qualify as not human subjects research – with or without a data use agreement – or might be considered exempt, or might require IRB review and approval. To qualify as not human subjects research, the individual exporting the identifiable data has to be independent of the research. § Independent means not connected in any way to the original research involved in creation of the clinical or research source database or in the new research – in other words the individual is an "honest broker". The second issue is whether or not there are any identifiers in the exported (new research) data set. * Identifier means one or more data elements that renders the subjects readily identifiable. This includes a code number or study ID# that can be used to link back to the individual. The IRB needs to first determine whether or not the data is readily identifiable. If it is, the Common Rule applies; if it isn't, the Common Rule does not apply. Only after making this decision does the IRB consider whether or not the data contains PHI. A data set with PHI might not be considered readily identifiable but HIPAA would still apply. For example, a data set from the PHIS database represents patients from over 40 free-standing pediatric hospitals and is a national sample. The data could include dates of birth and services without making the individuals readily identifable. (Readily identifiable does not mean potentially identifiable or identifiable with substantial effort.) Summary of Requirements for Sharing Data Stored with IdentifiersThe requirements vary depending upon what type of data is shared and whether or not HIPAA applies to the data collected; #1 and #2 below involve removal of identifiers so that the data is no longer readily identifiable, while #3, #4 and #5 involve sharing data that requires determination of exemption by the IRB (#3 and #4) or IRB review and approval (#5)..
Sharing Deidentified Data and BiospecimensData/specimens that have been deidentified would not be considered human subjects research and may be used or shared under the HIPAA Privacy Rule. Most commonly, data/biospecimens qualify as deidentified under the Safe Harbor provision of HIPAA, where all of the 18 HIPAA identifiers have been removed. If data is collected without recording any of the 18 HIPAA identifiers, then it is said to be anonymous. If the 18 identifiers are removed after data collection, then the data/specimens have been anonymized or deidentified. Data/specimens are often linked to a Master List using a unique code. Codes should not be derived from PHI such as using initials. Codes derived from PHI is still considered PHI. Obscured or permuted dates derived from actual dates will usually still be considered to be PHI. If a data/specimens have had all PHI removed but if there is a code that links back to PHI, the data can only be considered to be deidentified under the following conditions:
Sharing a Limited Data Set (LDS)If all elements of PHI have been removed from the data/specimens except for dates (birth date, dates of service, etc.) and/or zip codes, then the data is considered a limited data set. Geocode data can include both 5 and 9 digit zip codes and can include census tract data (see page 53235 of the 2002 HIPAA Privacy Rule). It may not include street address. A LDS may be used or disclosed for the purposes of research with the subjects consent/authorization (e.g. at the time of the original consent) or without their written authorization provided that one (not both) of the following takes place:
If the data are not readily identifiable, an IRB can conclude that the use of the data/specimens does not constitute human subjects research (45 CFR 46 does not apply). (If the data are considered readily identifiable based on it containing dates and zip codes, then the research would be subject to 45 CFR 46 and would require IRB review.) When the data/specimens are not readily identifiable – the research is not subject to the Common Rule (45 CFR 46) – IRB review or approval is not required under the regulations. Instead of obtaining a waiver of HIPAA authorization from an IRB or privacy board, the data can be shared as long as a Data Use Agreement, has been executed between the provider (or their institution and the recipient (or their institution). The IRB does not need to review Data Use Agreements. A Data Use Agreement can be used to to permit the sharing of data/specimens in all of the following situations:
Sharing a Limited Data Set Between Covered EntitiesProviding that (1) an IRB has waived the requirement for HIPAA authorization or (2) a data use agreement has been duly executed between the provider and the recipient institutions, the PHI may be used and disclosed as part of the research. If the IRB has waived the requirement for HIPAA authorization, a data use agreement is not required (HIPAA requires one or the other). However, some institutions will insist on executing a data use agreement even though either the provider's or recipient's IRB has issued a waiver. For those at CHOP, more information about obtaining a data use agreement between CHOP and another institution can be found at the Office of Collaborative and Corporate Research Contracts webpage. PHIS Data Sets: Sharing a Limited Data Set Within CHOPAn LDS may be provided by someone within CHOP to be used by an investigator at CHOP. Since the LDS contains data derived from CHOP patients, it is more likely that the individuals might be potentially identifiable by the CHOP investigators. The requirements for sharing are dependent on whether or not the investigator receiving the LDS can readily identify the subjects.
CHOP Internal Data Use Agreement Investigators can execute their own Data Use Agreement if they are sharing a limited data set within CHOP.
Can individuals be re-identified from a limited data set?Part of the basis for allowing investigators to share an LDS without IRB oversight and just a data use agreement is that the risks are low and that subjects are not individually identifiable just from date and zip code data. But is this in fact true? The Data Privacy Lab has a tool on their website (How Unique are You?) that demonstrates that with just only one or two individuals have the same birthdate and sex within a specific zip code. It is also now clear that even with access to data (patterns of lab test results) devoid of any PHI and with the aid of powerful computer algorithms, subjects can be re-identified with a high probability. Given how easy it is to re-identify individuals from very limited personal data, no data set can be considered truly anonymous even when devoid of all elements of PHI. To minimize risk to individuals, all sharing agreements, including data use agreements and agreements to share de-identified data, should include provisions to requiring that the recipient investigator promise not to make any attempt to re-identify the individuals in the data set. The Limits of Anonymity: Selected References
Which statement is correct about informed consent quizlet?Which statement is correct about informed consent? The informed consent document, regardless of the research topic, must always include the following: A statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained.
When the primary potential harm is the breach of individuality identifiable data to protect against such disclosures researchers should?When the primary potential harm is the breach of individually identifiable data, to protect against such disclosures researchers should: Encrypt the data and store it in password protected files on institutionally maintained servers with limited access.
Which of the following is a measure researchers can use to protect the confidentiality of subject data quizlet?Which of the following is a measure researchers can use to protect the confidentiality of subject data? Keep sensitive and identifiable data in encrypted files on a password protected hard drive.
When research is conducted in educational settings with children when is the assent of potential student subjects required?When research is conducted in educational settings with children, when is the assent of potential student subjects required? When the IRB has determined that students are capable of providing assent.
|