NIH Data Sharing Dr. Belinda Seto, Deputy Director National Institute of Biomedical Imaging and Biomedical Engineering (NBIB) June 23, 2004 Collaborative Meeting
“Data should be made as widely and freely available as possible while safeguarding the privacy of participants, and protecting confidential and proprietary data.” -- Final NIH Statement on Sharing Research Data February 26, 2003 NIH Viewpoint
PHS Grants Policy Statement April 1994 “Restricted availability of unique resources upon which further studies are dependent can impede the advancement of research and the delivery of medical care. Therefore, when these resources are developed with PHS funds and the associated research findings have been published or after they have been provided to the agencies under contract, it is important that they be made readily available for research purposes to qualified individuals within the scientific community. This policy applies to grants, cooperative agreements, and contracts.”
NIH expects timely release and sharing of final research data for use by other researchers. NIH expects grant applicants to include a plan for data sharing or to state why data sharing is not possible, especially if $500K or more of direct cost is requested in any single year NIH expects contract offerors to address data sharing regardless of cost Effective with October 1, 2003 receipt date for NIH applications NIH Data Sharing Policy
Caveats for Studies Including Human Research Participants Investigators need to carefully consider –Studies with very small samples –Studies collecting very sensitive data However, even these data can be shared if safeguards exist to ensure confidentiality and protect the identity of subjects
In general, no later than the acceptance for publication of the main findings from the final dataset No timeline specified—will vary depending on nature of the data collected First and continuing use, but not prolonged exclusive use –Investigators who collected the data have a legitimate interest in benefiting from their investment of time and effort What Is Meant by Timely?
How to Share Data Provide in publications Share under the investigator’s own auspices Place datasets in public archives Place in restricted access data centers or data enclaves Other ways?
YES! In application—budget and budget justification Administrative supplements Will NIH Provide Support for Data Sharing?
Examples of Current NIH Data Sharing Activities National Human Genome Research Institute (NHGRI) Release of genomic sequence data National Library of Medicine (NLM) Genome sequence submission and distribution Enhanced access to other research data/tools Outreach to research community Possible support for research and development related to data sharing
The National Longitudinal Study of Adolescent Health (Add Health): An Example of Sensitive Data and Multi-Tiered Access Examples of Current NIH Data Sharing Activities
The National Longitudinal Study of Adolescent Health (Add Health) 20,745 adolescents enrolled in grades 7-12, followed between 1994 and Data from: –adolescents and parents; –90,118 students attending sample schools; –school administrators; – independent data on neighborhood/community Data collected in three waves, Measures of: –health –health-related behaviors (e.g., sex, drugs) –determinants of health at the individual, family, school, peer group, and community level.
Reasons for Sharing Data Scope Potential Cost Add Health: Sensitive Data Sharing Example
Challenges to Sharing Data Data sensitivity Need to protect confidentiality Danger of deductive disclosure Add Health: Sensitive Data Sharing Example
A further challenge… The timely release of these public use samples is essential. Reviewers understand this to mean that investigators outside of the Carolina Population Center will have ready access to the data as soon as investigators inside the center have such access. Procedures for the guarantee of confidentiality … should apply to all users, both the general public and those at University of North Carolina. Add Health: Sensitive Data Sharing Example
Solution: a multi-tiered system Public use data Contractual data sets Cold room for on-site data use Add Health: Sensitive Data Sharing Example
Public use data Made available through Sociometrics, a small business data archive Contains only a subset of cases (6,504) Rare over-samples not included Contains most data on included cases Potentially identifying information redacted Add Health: Sensitive Data Sharing Example
Restricted-use contractual data Full data set available only under contract Available to researchers with: –IRB- and UNC-approved data security plan –Signed agreement to maintain confidentiality –Fee covering costs of providing data & user support; monitoring compliance Requires annual progress report and renewal after 3 years Add Health: Sensitive Data Sharing Example
Cold room for on-site use Initial plan required access to some data only on-site at UNC Cold room constructed at UNC Limited use to date Add Health: Sensitive Data Sharing Example
Data security caveats Security requirements require periodic updating as technology advances IRBs often lack understanding of security needs Smaller institutions handicapped in creating secure environments for restricted data Add Health: Sensitive Data Sharing Example
New Concepts Introduced by the Privacy Rule An individual’s written Authorization is required for use or disclosure of protected health information unless waived or excepted. Authorization waivers can be granted by IRBs or Privacy Boards. Decedent’s information is protected but Authorization is not required. Accounting and reporting of disclosures are required. Special topic: Data Sharing and HIPAA Privacy Rule
Key Points about Research In general, the Privacy Rule requires an individual’s written Authorization before the use and disclosure of PHI. For research, the Privacy Rule permits covered entities to use and disclose PHI for research conducted: –with individual authorization, or –without individual authorization under limited circumstances. Special topic: Data Sharing and HIPAA Privacy Rule
Authorizations for Research Must be for a specific research study – Authorization for future, unspecified research is NOT permitted but authorization may be used to create a repository or database Review/approval by IRB/Privacy Board NOT needed Different from, but may be combined with, informed consent Must contain “core elements” & “required statements” Need not expire Special topic: Data Sharing and HIPAA Privacy Rule
Research Use and Disclosure of PHI Without Authorization 1.De-identify PHI 2.Limited Data Set with Data Use Agreement 3.IRB or Privacy Board waiver of Authorization requirement 4.Activity preparatory to research 5.Research is on decedent’s information 6.Research qualifies for the Transition Provisions 7.Disclosure to a public health authority or as required by law Special topic: Data Sharing and HIPAA Privacy Rule
Option 1: De-identified Health Information Completely de-identified information (18 elements removed) and no knowledge that remaining information can identify the subject. OR Statistically “de-identified” information where a statistician certifies that there is a “very small” risk that the information could be used to identify the subject. Special topic: Data Sharing and HIPAA Privacy Rule
The Privacy Rule defines 18 identifiers –Names –Geographic info (including city, state, and zip) –Elements of dates –Telephone #s –Fax #s – address –Social Security # –Medical record, prescription #s –Health plan beneficiary #s –Account #s – Certificate/license #s – VIN and Serial #s, license plate #s – Device identifiers, serial #s – Web URLs – IP address #s – Biometric identifiers (finger prints) – Full face, comparable photo images – Unique identifying #s Special topic: Data Sharing and HIPAA Privacy Rule
Option 2: Limited Data Set with Data Use Agreement The Privacy Rule permits limited types of identifiers to be released with health information (referred to as a Limited Data Set) -- City, State, Zip; Elements of Date; Unique identifiers not listed as one of 16 direct identifiers Limited Data Sets can only be used and released in accordance with a Data Use Agreement between the covered entity and the recipient. Special topic: Data Sharing and HIPAA Privacy Rule
For More Information NIH Office of Extramural Research (OER) Web site on Data Sharing Policy: Office for Civil Rights Web site with Departmental guidance on HIPAA: Educational information from NIH and other research agencies about HIPAA Privacy Rule: