1 / 14

Data Sharing, Privacy, Security, and Access: Governance in the Integrated Data Repository

Data Sharing, Privacy, Security, and Access: Governance in the Integrated Data Repository. October 17 th , 2008 Michael Kamerick, Director, Academic Research Systems Co-Director, CTSI Biomedical Informatics University of California, San Francisco. Definition.

cachet
Download Presentation

Data Sharing, Privacy, Security, and Access: Governance in the Integrated Data Repository

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Data Sharing, Privacy, Security, and Access:Governance in the Integrated Data Repository October 17th, 2008 Michael Kamerick, Director, Academic Research Systems Co-Director, CTSI Biomedical Informatics University of California, San Francisco

  2. Definition • Governance: The planning, influencing and conducting of the policy and affairs of an organization (in our case, the organization refers to a project). Office of the CIO, Ohio State University • The set of protocols, documents and governing bodies that define the relationships and access rights between the IDR, suppliers of data to the IDR, and users of the IDR.

  3. Integrated Data Repository Definition From Data Repository Interest Group Wiki: We define an Integrated Data Repository as a very large-scale database containing data from the full array of systems in a biomedical enterprise, including clinical systems, life sciences (genomics/proteomics), research, billing, registries, clinical trial systems, and more. The purpose of an IDR is to support a wide range of activities within the biomedical research enterprise, including but not limited to hypothesis testing, cohort development, genome/phenome matching, genome-wide association studies(GWAS), development of quality measures, and general population based studies.

  4. Oversight committees Faculty boards, Privacy Office, ISO Documents IRB protocols, MOUs, BAA, Certificates of Confidentiality Patient’s Rights Opt-out vs. Opt-in? No Opt-out? Stanford, Partners Challenging Opt-out UCSF Clear Opt-out Vanderbilt Special Cases – Prisoners, VIPs, Opt-outs Governance Examples

  5. Examples, continued… • Data Ownership questions • Clinician/Investigator vs. Institutional • Stakeholders • Hospital IT, IRB, Privacy Office, Security Office, Medical Records, Legal Office, • Security requirements • AuthN/AuthZ, Two Factor AuthN, Local disk encryption, Securely managed storage • Limited Data Sets, Honest Broker function • Small Cell Results

  6. Interaction With IT Governance • IDR within Hospital IT organization • Mayo, UPMC, St. Jude’s • Much less institutional conflict • IDR project likely to rank lower in priority schemes than more urgent hospital projects • May be much harder to add in non-hospital data sources • IDR in IT organization separate from Hospital IT • Stanford • Long, hard road to intra-institutional agreements • IDR project can be prioritized independently of Hospital IT • Easier to include non-hospital data sources • Federated IDR - crosses IT organization boundaries • UCSF • Architecture maps to stakeholder boundaries • Best or Worst of both worlds?

  7. IDR Regulatory Environment • Extremely challenging and complex • Goes well beyond HIPAA • Contradictory • May not be possible to be compliant • Laws written without regard to consequences • IRB policies may be outdated and insufficient • IT staff burdened with policy decisions • Very difficult to provide sufficient utility to researchers while fully protecting patient privacy • IDR use can be especially sensitive • Patients generally NOT explicitly consented

  8. Academic Systems Governance Activities at UCSF • Academic Information Systems Board • Sets high level policy, advocates for funding for projects • Reports to Executive Vice Chancellor/Provost • Research Data Systems Steering Committee • Sub group of Academic Information Systems Board • All schools represented (Medicine, Nursing, Pharmacy, Dentistry) • Chartered to provide strategic oversight and guidance for the IDR • Data Access Working Group • Chief Privacy Officer, Chief Security Officer, IRB, others. • Providing guidance and policy development for data access and management. • Data Usage and Control Working Group • Working on issues of data retention and control within the repository, especially study derived data.

  9. Academic Governance Structure EVC/Provost Subcommittees include AISB and non-AISB members AISB Research Data Systems Steering Committee Education Systems Advisory Committee Data Usage WG Data Access WG WG WG Video Conferencing WG

  10. Federal Laws and Regulations • NIST 800-53 • National Institute of Standards • E-Discovery • Federal law for preserving and protecting electronic data in Federal civil lawsuits. • NIH Certificate of Confidentiality • Protection against E-Discovery • FIPS 140-2, 196, 199, 200 • Federal Information Processing Standard • HIPAA • Health Insurance Portability and Accountability Act • FISMA • Federal Information Security Management Act • FERPA • Family Education Rights and Privacy Act • GINA • Genetic Information Non-Discrimination Act • 21 CFR Part 11 • Code of Federal Regulations Electronic Signature • Sarbanes Oxley

  11. State of CA Title 22 Definition of the Medical Record SB 1386 Notification Requirements AB 1298 Extension of 1386 to include “Medical Data” UCSF/UC 650-16 ECP UCOP IS2 and IS3 State and Institutional Laws and Regulations

  12. MyResearch@ucsf

  13. Integrated Data Repository:Design by Governance

  14. Data Repositories Interest GroupGovernance Page • Discussion area and document archive for governance documents. • Currently contains: • OHSU IRB Protocol • UCSF IRB Protocol • Kaiser Northwest Virtual Data Warehouse Governance documents • UCSF Security documents • UCSF Regulatory workflow diagram • UCSF Data Usage and Control Document • https://www.ctsawiki.org/wiki/display/INF/Governance

More Related