PCORnet / DataCommittee

This is a repository of information for the PCORnet Data Committee.

Evolve guidance regarding breach management, notification, security risk assessment #11

Open rwaitman opened 8 years ago

rwaitman commented 8 years ago

June 23rd conversation led by Ravi and Abel (with Russ, Ania, and Shelley) http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

The policies and regulations already exist. Many of the partners in PCORnet are covered entities.
Russ: But are all the actors acting as covered entities and following standard security risk assessments and other elements of policy and regulation?

Ravi: 3 main guideline areas (physical, IT, process)

Or if it's a patient network where they directly deposit the data, the same rules may not apply.

Where people are not covered entities but managing more than de-identified data, there may need to be guidance as best can be provided.

The way data are exchanged for consented patients in ADAPTABLE may involve a transfer agreement different from the data agreement required for limited dataset transfers.

Breach depends on other defined terms of

Russ:

rwaitman commented 8 years ago

On August 17 we had a discussion on meeting CMS guidelines. Question of how guidance varies regarding clinical use via meaningful use for the EHR, HIPAA regulations, and requirements for managing CMS claims data.

For Abel in Chicago, the pressing issues are

They have found that having a subgroup of experts do the review and adjudication is what works right now for CAPriCORN. This is complemented by a document describing the principles of data governance.

Next step: review those principles for relevance to PCORnet.

rwaitman commented 8 years ago

Adding the CAPriCORN general principles document:

General principles:

No institution may use any information without express permission from the originating institution, nor for any purpose other than that for which the permission was specifically granted.

Each institution will maintain necessary privacy and security infrastructure, policies, and procedures consistent with current best practice, law and regulations.

Each institution will assume legal, financial and ethical responsibility for any data entrusted to them.

Each institution will assure adequate insurance and other resources necessary to address and cure any breach.

Each institution agrees to an audit of these requirements upon request.

In the event of any unintended breach, each institution agrees to hold the others harmless except to the extent of addressing and curing the breach.