DATA SHARING and DATA SHARING AGREEMENTS Teresa Mulford MDCH, Office of Legal Affairs.


Data Sharing Agreement
● Definition/Purpose
  o Agreement between parties that outlines how shared data will be used, disclosed, and protected, by agreeing to provisions that place general and specific limitations on the receiving party...
  o HIPAA and other laws require Covered Entities to obtain satisfactory assurance that the data recipient will only use or disclose the information for limited purposes to ensure that shared data will not be misused.

Overview of Today’s Discussion
● Can the data be shared and what type of agreement is needed?
● Steps
  o Can the data be shared?
  o Identify:
    o The data elements requested
      o De-identified
      o Limited Data Set
      o Identifiable Data
    o The applicable confidentiality laws
    o The parties – Business Associate, Covered Entity, Researcher, Public Health Agency, …

You have determined that the data can legally be shared -
● What type of written agreement is appropriate?
  o Business Associate Agreement (BAA)
  o Memorandum of Understanding (MOU)
  o Data Sharing Agreement (DSA)

WHEN / WHY IS A DSA NEEDED?
● When required by law
  o HIPAA
  o IRB
  o Financial
  o Other
● For liability reasons
● For ethical reasons

WHAT PROVISIONS
● Include language to ensure proper use, disclosure, etc.
● Routine provisions – those required by law
● Special provisions – unique to the data

Follow up – Monitoring
● Follow up is required –
  o After agreed time, at end of project, etc.
  o Ensure shared data continues to be protected or has been returned or destroyed

Can the data be shared? Steps…
● Step One: Identify the data elements requested:
  o De-Identified Data
  o Limited Data Set
  o Identifiable Data

De-identified Data
● Two methods of de-identification
  o First: Safe Harbor – HIPAA list of identifiers. Note: All dates and most demographic information are included as identifiers. Ages, zip codes, or ‘dummy codes’ are permitted with limitations.
  o Age: In most cases, year of birth may be retained, which can be combined with the age of the subject to provide sufficient information about age for most uses. However, dates that might be directly related to the subject must be removed or aggregated to the level of year to prevent deduction of birth dates. Extreme ages – 90 and over – must be aggregated further to avoid identification of very old individuals. For young children or infants, age can be expressed in months, days, or hours, as long as the birth date cannot be determined.
  (Zip codes, ‘dummy codes’ – see following slides…)

De-identified Data…cont.
● Two methods of de-identification…continued
  o First: Safe Harbor…continued
  o Zip Code: Three-digit zip codes can be used if the zip code area contains more than 20,000 people as determined by the Bureau of the Census. (In 2000, there were only 18 three-digit zip codes containing fewer than 20,000 people.)
  o ‘Dummy codes’: A re-identification code can be created and provided to the data recipient as long as the code was not derived from information related to the subject of the information. The HMAC (keyed-hash message authentication code) mechanism cannot be used to create a dummy code in a de-identified data set. The mechanism used to create the code cannot be disclosed to the data recipient.

De-identified Data…cont.
● Two methods of de-identification…continued
  o Second: Expert – a person with appropriate knowledge and experience is to apply generally accepted statistical and scientific methods to render information not individually identifiable.

Limited Data Set
● All direct identifiers must be removed. Some demographic information, dates, and ‘dummy codes’ are permitted. Under HIPAA, a Limited Data Set can only be shared for the purpose of Research, Public Health, or Health Care Operations.
  o Demographic information is allowed, such as zip codes, cities, and geographic areas; however, street addresses are direct identifiers that must be removed.
  o All dates are permitted, including birthdates; however, requests for birthdates should be reviewed for necessity.
  o ‘Dummy codes’: A re-identification code can be created and provided to the data recipient as long as the code was not derived from information related to the subject of the information. The HMAC (keyed-hash message authentication code) mechanism CAN be used to create a dummy code in a limited data set (but not in a de-identified data set). The mechanism used to create the code cannot be disclosed to the data recipient.
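The Safe Harbor rules and the two dummy-code rules from the De-identified Data and Limited Data Set slides, as an added Python example that is not part of the original presentation. Field names, the sample records and the low-population ZIP list are constructed for illustration; replacing a low-population three-digit ZIP with "000" comes from the HIPAA Safe Harbor text rather than from the slides.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed list of low-population 3-digit ZIP prefixes (not Census data).
SMALL_ZIP3 = {"036", "059"}

def safe_harbor(rec, code_table, as_of):
    """De-identified view: dates cut to year, ages 90+ aggregated, random code."""
    born = rec["birth_date"]
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    zip3 = rec["zip"][:3]
    # Random code, not derived from the subject. code_table stays with the data
    # holder so it can re-identify; the recipient never sees it.
    code = code_table.setdefault(rec["mrn"], secrets.token_hex(8))
    return {
        "code": code,
        "age": "90+" if age >= 90 else age,
        "birth_year": None if age >= 90 else born.year,
        "zip3": "000" if zip3 in SMALL_ZIP3 else zip3,
        "visit_year": rec["visit_date"].year,
    }

def limited_data_set(rec, key):
    """Limited data set view: direct identifiers dropped, dates and ZIP kept."""
    # Keyed hash of the record number; the key is never given to the recipient.
    code = hmac.new(key, rec["mrn"].encode(), hashlib.sha256).hexdigest()[:16]
    return {
        "code": code,
        "birth_date": rec["birth_date"],
        "zip": rec["zip"],
        "city": rec["city"],
        "visit_date": rec["visit_date"],
    }

# Constructed sample records; every value is made up.
AS_OF = date(2024, 6, 1)
SAMPLE = [
    {"mrn": "A1001", "name": "Pat Example", "street": "1 Main St", "city": "Lansing",
     "zip": "48933", "birth_date": date(1980, 12, 25), "visit_date": date(2023, 2, 3)},
    {"mrn": "A1002", "name": "Lee Example", "street": "2 Oak Ave", "city": "Smalltown",
     "zip": "03601", "birth_date": date(1930, 3, 14), "visit_date": date(2023, 7, 9)},
]

if __name__ == "__main__":
    table = {}
    for r in SAMPLE:
        print(safe_harbor(r, table, AS_OF))
        print(limited_data_set(r, b"constructed-demo-key"))
```

The random code needs a lookup table held by the data provider, while the HMAC code can be recomputed from the key alone, which is why the key has to be guarded as closely as the table.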

Identifiable Data
● Data with identifiers may be shared if an exception exists under applicable law.
  o HIPAA permits the sharing of identifiable data for specific purposes – in which case, a Data Sharing Agreement may be warranted.

Can the data be shared? Steps…cont.
● Step Two: Identify the applicable confidentiality laws…more than one may apply
  o Medicaid
  o Public Health Code
  o Mental Health Code
  o HIV/AIDS/STD
  o Substance Abuse
  o HIPAA
  o Research – Human Subjects (Common Rule)
  o Other

Can the data be shared? Steps…cont.
● When more than one confidentiality law is applicable and both/all cannot be complied with…
  o The HIPAA Privacy regulation will preempt all other privacy or confidentiality laws (state or otherwise) unless the other law provides the individual with greater privacy rights or protections.

Can the data be shared? Steps…cont.
● Step Three: Identify the players – and the relationship between the data provider and the requester
  o Business Associate
  o Covered Entity (under HIPAA)
  o Public Health Agency
  o Researcher
  o Government entity
  o Independent
  o Other

● After analyzing the requested data elements, all applicable laws, and the players and their relationship, you have decided that the information can be shared… (The descriptions that follow under each type of agreement can be used to sort out this information.)

You have determined that the data can legally be shared -
● What type of written agreement is appropriate?
  o Business Associate Agreement (BAA)
  o Memorandum of Understanding (MOU)
  o Data Sharing Agreement (DSA)

What type of written agreement is appropriate?
● Business Associate Agreement (BAA)
  o A business associate is an entity/contractor that the covered entity, MDCH, has contracted with to perform a HIPAA covered function on MDCH’s behalf that requires the sharing of protected health information (PHI).
  o HIPAA requires covered entities, such as MDCH, to enter into a written Business Associate Agreement that requires the business associate to comply with the confidentiality provisions under HIPAA.
  o Differentiate a business associate from other entities – a business associate is performing a function on MDCH’s behalf, which requires a BAA, and the other is performing a function on its own behalf.

What type of written agreement is appropriate?
● Memorandum of Understanding (MOU)
  o An MOU is similar to a BAA; however, it is generally used when sharing identifiable data between governmental entities to carry out responsibilities under state or federal law.

What type of written agreement is appropriate?
● Data Sharing Agreement (DSA)
  o A DSA may be required in the following circumstances:
    o If sharing de-identified information with any entity.
    o If sharing a limited data set or identifiable data with a business associate where a new function has been added under the contract.
    o If sharing a limited data set with a business associate that has requested the information for its own public health, research, or health care operations.
  (continued…)

Data Sharing Agreement (DSA) (continued…)
A DSA may be required in the following circumstances (continued):
  o If only sharing a limited data set with a business associate to perform functions on MDCH’s behalf – thereby eliminating the need for a BAA.
  o If sharing a limited data set with a researcher. This eliminates the researcher’s need for an individual’s authorization. The researcher also might be able to bypass the Institutional Review Board review requirement for human subjects research. (Refer to Harry McGee.)
  (continued…)

Data Sharing Agreement (DSA) (continued…)
A DSA may be required in the following circumstances (continued):
  o If sharing a limited data set with another covered entity that has requested the information for its own public health, research, or health care operations. (Assists in the sharing of data with another covered entity where HIPAA limits the sharing of fully identifiable information – e.g. “to another covered entity for its health care operations”.)
  o If sharing a limited data set with any other entity for public health or research purposes (e.g., non-MDCH cancer registry).
  o If sharing fully identifiable information to an entity for a permitted purpose under HIPAA or other applicable confidentiality law.

WHAT PROVISIONS
● Include language to ensure proper use, disclosure, etc.
● Routine provisions – those required by law (HIPAA requirements handout and copy of MDCH template.)
● Special provisions – unique to the data requested

After the DSA is signed, the data is provided, … Monitoring and
● Follow up is required –
  o After agreed time, at end of project, etc.
  o Ensure shared data continues to be protected or has been returned or destroyed

MDCH Log of Data Sharing Agreements
● Please forward a copy of all completed MDCH Data Sharing Agreements to the Office of Legal Affairs (OLA) to be entered into the MDCH DSA Database.

In review:
● Identify the requested data elements, the applicable laws, and the players,
● Determine the appropriate agreement that is needed and execute,
● Send copy of completed MDCH DSA to OLA to be logged,
● Monitor – and follow up at end of project, or agreed upon time, to ensure shared data continues to be protected or has been returned or destroyed.

Questions?
● Forward any MDCH questions to the Office of Legal Affairs:
● (517)