October 9 th, 2015 University of Pennsylvania TIES Cancer Research Network Y3 Face to Face Meeting U24 CA Session 5 Regulatory Update

Agenda Mission and goals of the TCRN Policies and Processes Subcommittee Network Agreement TCRN Standard Operating Procedures (SOPs) Auditing in TIES Open Discussion – How to deal with ancillary and outcomes data

TCRN Policies and Processes Subcommittee Our mission: To establish an agreed upon set of policies, procedures and recommendations that will enable all TCRN users to collaborate in a secure and regulatory compliant system. Our goals: Identify what policies and procedures are needed to enable inter-site use of TIES while maintaining regulatory compliance Define policies and procedures to be followed by TCRN members and their users Generate recommendations for consideration by the TCRN Executive Committee Ensure that TIES is secure and compliant with regulations Provide trans-network communication on matters such as de-identification quality, security, etc. Ensure compliance with all policies surrounding the security and privacy of the system by review of de-identification validation results and user audits

Subcommittee Members University of Pittsburgh:Rebecca Jacobson, MD, MS Vanessa Benkovich, MBA, CT(ASCP) CM Julia Corrigan Roswell Park Cancer Institute:Monica Lopez Murphy, BSMT University of Pennsylvania:JoEllen Weaver, BSMT Georgia Regents University:Roni Bollag, MD, PhD Jinni Carrick

Network Agreement The TCRN Network Agreement is a “trust agreement” negotiated among the founding TCRN institutions. Puts forth Data Use terms and an agreement to use the Uniform Biological Material Transfer Agreement Enables new institutions to join the TCRN with the instrument of adherence Establishes two governing committees Defines the criteria each member must follow to ensure a secure and compliant use of TIES by all users: Members will implement all TCRN SOPs and will comply with all policies Members will follow defined security requirements Members will provide IRB approval for use of the system

TCRN Standard Operating Procedures Standard Operating Procedures (SOPs) are the policies that regulate the use of the TCRN. All TCRN member institutions agree to follow the SOPs: Governance Validation of De-Identification Quality Study Registration and Authorization Verifying Eligibility of TCRN Users Step Up Requests Auditing of TCRN Users and Searches Incident Reporting Joining of New Member Institutions There is also a recommendation: Recommendation for Member Institutions Establishing Approval Committees for External Users.

TCRN SOPs – Network Processes & Organization SOPPurposeElements GovernanceTo ensure that all TCRN members participate in governing the network Defines the role and tasks of the TCRN Executive Committee and the Policies & Procedures Subcommittee Validation of De- Identification Quality To ensure that TCRN members achieve an acceptable level of text de-identification Defines requirements for de- identification during the initial load process and annual ongoing QA Study Registration and Authorization To outline the requirements and procedure for TCRN study registration and authorization Describes requirements and procedures TCRN applicants, admins, and approval committees follow to create TCRN studies Verifying Eligibility of TCRN Users To ensure that only eligible investigators are granted TCRN access Defines the criteria TCRN applicants must meet in order to become TCRN users Step Up RequestsTo outline the process for users to increase their level of access to the network Describes the process TIES or TCRN users follow to request higher level access to TCRN 7

TCRN SOPs – Ongoing Network Processes SOPPurposeElements Auditing of TCRN Users and Searches To ensure that all users accessing TCRN are using the network appropriately and to assess value of TCRN Describes three forms of auditing to determine 1) that current users are valid users, 2) that searches are within the scope of the user’s approved use of the system, and 3) the value that the network provides Incident Reporting To describe incidents that may arise in TCRN and how members must report and respond to them Provides instructions for dealing with eight potential security and privacy threats Joining of New Member Institutions To outline the requirements and process for new institutions to join the TCRN Defines the criteria new institutions must meet in the following areas: 1) security, 2) preparation, and 3) resources, and the process to apply for and join the TCRN 8

Policy Workflow

Requirements for TCRN Studies Requirements and processes for TCRN studies vary based on requested level of access: 10 Access LevelApproval by TCRN Member Institutions IRBUBMTA Aggregate Data Only Required__ Reports Only (Data Only) Required__ Reports and Biomaterials Required

Auditing of TCRN Users and Searches Different levels of audits will be performed by each TCRN institution. Valid system user audit – performed every 6 months Check if users are still valid users Still employed by the institution Have not violated TCRN data use rules IRB approvals and/or MTA approvals (if applicable) are valid TIES query validation – performed annually Identify searches that are incongruent with the research topic or IRB approval Identify searches attempting to re-identify a particular patient or case Annual TCRN User Survey Survey sent to all users requesting information regarding publications, presentations, pilot data, grant submissions, etc.

Auditing in TIES – The Basics Auditing of TCRN Users and Searches SOP has three components: Valid system user audit TIES query validation Annual TCRN user survey New tool built into TIES v5.4 allows us to audit queries: Are the user’s searches related to their study description/IRB? Are they attempting to re-identify a patient? How we can use the tool: Compare user’s queries to their protocol description Check for text search terms that indicate an attempt to re-identify a patient

Auditing in TIES – The Tool Included in upcoming release of TIES v5.4 Available to TIES Administrators Login as a Regulatory Administrator There is a new auditing option in your toolbar

Auditing in TIES – The Tool Main screen of Activity Log

Auditing in TIES – Key Features Sort by any category

Auditing in TIES – Key Features Show or hide categories

Auditing in TIES – Key Features View more information with tooltips Will be able to view brief study description

Auditing in TIES – Key Features Change the date range Choose custom dates Can refine to last year, last 6 months, last 30 days, last 7 days, and today

Auditing in TIES – Key Features Search the query log

Auditing in TIES Query Audit Includes instructions from the Auditing of TCRN Users and Searches SOP Select the year to audit Export audit record as.csv

Auditing in TIES Excel Export Enables simple record-keeping Easy to analyze

Auditing in TIES Future Changes Will include the ability to view statistical data in chart or graph form Number of users and active users, number of searches, etc. Can use this information to analyze TIES use at your node

Auditing Records All auditing records are recorded in REDCap (Research Electronic Data Capture). RPCI hosts the data All TCRN Regulatory Administrators can login to view auditing records from all sites Go to Audit Tracking screen View auditing records Create new auditing record

Auditing Records - REDCap Form to complete to track audits

Open Discussion Dealing with Ancillary and Outcomes Data Our panel Georgia Regents University: Jinni Carrick Roswell Park Cancer Institute: Monica Lopez Murphy University of Pennsylvania: JoEllen Weaver University of Pittsburgh: Vanessa Benkovich