Data Governance

Governance Framework for Use of PEDSnet Data

Governance Framework for Use of PEDSnet Data

PEDSnet has developed a governance framework for the use and release of PEDSnet data which includes multiple layers of review and approval. The use of PEDSnet data for research is guided foremost by our Privacy Principles, which means that PEDSnet takes numerous steps to minimize the risk of anyone's data being misused or made public, or of their privacy being put at risk. In addition to the extensive security protections that are in place, PEDSnet is committed to providing the minimum necessary information necessary to answer the research question. The four dimensions addressed by the governance framework for use and release of PEDSnet data include:

  1.  Network Participation Approval- Requests for patient level data will be assessed for research concept fitness and will undergo a formal vote by the Research Committee. PEDSnet will seek to prioritize studies that will inform or directly address clinical decision making among diagnostic or treatment alternatives available to parents, patients and providers or by health care delivery systems.
  2.  Institutional Participation Approval- Participation by an Institution in a PEDSnet study is voluntary. The expectation is that participating institutions allow their data to be used for observational studies that do not require contact with human subjects (data-only studies) unless there is a compelling reason to not participate.
  3.  Human Subjects Review- IRB approval or designation for exempt or not human subjects research, will be obtained from an IRB of a PEDSnet institution. 
  4.  Legal Review- Required data sharing agreements will be executed for a research activity.

Once network and institutional participation approvals are obtained, and resources are secured, a study team will launch the study by fulfilling the required IRB and legal requirements. When the Data Coordinating Center is nearing the completion of a data science request, the Coordinating Center will activate a data release procedure that includes receipt of a final approval for data release from a designated institutional official (IO) at each site. Each PEDSnet Site PI and the designated IO receive a summary of all the governance requirements that have been fulfilled in support of the release of the study data. 

The governance framework for data release addresses 4 primary categories of data:  Aggregate results, De-identified individual level data (according to the Safe Harbor guidelines), Limited data sets- with and without actual dates, and Data sets with identifiers. 

1. AGGREGATE RESULTS. For queries, both preparatory to research and for some research projects, aggregate counts (no individual level data, no PHI) will be shared with investigators within or outside the institution of origin. This may include data science activity occurring at the PEDSnet DCC, or use of self-service query tools by investigators at respective PEDSnet institutions. Such uses of data will be conducted without additional review by the IRB, since this does not meet the criteria for human subjects research. Prospective approval of sites is not required and, PIs will be made aware (after the fact) of queries of their data through standard PEDSnet reports. Release to investigators of results with small cell sizes (<11 persons having a combination of attributes) that could potentially identify individuals will not be allowed. This cell size limitation could be at the level of an institution or for PEDSnet as a whole, depending on the level of aggregation to be released to investigators. Confirmation of data (and quality control) using limited chart review may be undertaken without further IRB review only if an institution has a mechanism for such review to be conducted by personnel not on the research team (e.g. information systems personnel). Any review of individual records by investigators or their staff will require IRB approval, and qualify the data set type as identifiable.

1b. AGGREGATE RESULTS- With intent to publish. For Aggregate Counts for Publishable Research, the PEDSnet Research Committee will approve the concept for the study publication, and institutions must agree to participate. It is expected that the Study PI abide by PEDSnet Publication Policy, including the opportunity for authorship for all data contributors.

2. DE-IDENTIFIED INDIVIDUAL LEVEL DATA (according to the Safe Harbor guidelines). Patient-level data sets may be released to investigators within or outside of the institution of origin with an IRB determination of NHSR. The receipt of NHSR determination is for documentation purposes. For the purposes of PEDSnet, to be considered de-identified, the data set must use the safe harbor method for De-identification of Protected Health Information. * PEDSnet will not allow use of the “Expert Determination” method for this purpose. The data set may not include any of the 18 HIPAA identifiers, and may not include dates of service or of birth, except for year. The only variable related to geographic location will be the first 3 digits of zip code, unless the population defined by this area is < 20,000 persons. Data sets that are compliant with HIPAA’s safe-harbor requirements for de-identification will not be considered human subjects research. PIs at study sites must give prospective approval regarding institution participation, and data is only released upon receipt of IO approval.

2b. LIMITED DATA SET with allowable LDS HIPAA identifiers EXCEPT ACTUAL DATES; may include obscured dates. A limited data set must exclude all HIPAA identifiers with the exception of dates (actual or obscured) and elements of postal address including state, county, city, zip code, or census tract or block. (A limited data set may not include street address.) For the purposes of PEDSnet, a limited data set, with dates obscured by introduction of random offsets or similar techniques will generally be considered not readily identifiable and therefore not human subjects research (unless there are other attributes requiring IRB review). An IRB Determination of NHSR by a PEDSnet site will be required.  The PEDSnet Data Use Agreement covers release of such data sets to participating PEDSnet institutions. PIs at study sites must give prospective approval regarding institution participation, and data is only released upon receipt of IO approval.

For the purposes of PEDSnet, both categories of data described above will be subject to the same procedures. The consideration of these two categories of data as falling under the same procedures was driven by variation in institutional governance around the treatment of LDS containing actual dates. 

http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf

3. LIMITED DATA SETS. A limited data set must exclude all HIPAA identifiers with the exception of dates (actual or obscured) and elements of postal address including state, county, city, zip code, or census tract or block. (A limited data set may not include street address.) Studies requiring a limited data set that includes actual dates will be submitted to the IRB administrative office of the PI for the project for consideration for whether the data are readily identifiable and constitutes human subjects research. If not, no further IRB review is required.  If the IRB administrative office of the study’s PI requires approval as human subjects research, the IRB at other institutions whose data will be included will either need to approve the study, or rely on the reviewing IRB under the separately developed Master Reliance Agreement. PIs at study sites must give prospective approval regarding institution. participation, and data is only released upon receipt of IO approval.

4. Data Set with PHI Direct Identifiers.  Studies that require identification of individual patients (e.g. for patient contact or enrollment) will be submitted to the IRB of the study’s PI for consideration for approval as human subjects research.  The IRB at other institutions whose data will be included will either need to approve the study, or rely on the reviewing IRB under the separately developed Master Reliance Agreement to which all PEDSnet institutions are signatories.  The DCC will maintain coded identifiers for patients at sites that contribute data to the DCC’s datamart. For studies that require it, patient re-identification, additional record review, or patient contact, will be done at the site of origin, unless specifically approved by the IRB.  Specific procedures for each study will be specified in the relevant study protocol, which will be subject to IRB review.  If identifiable data is released under a waiver of consent, sites are individually responsible for following institutional requirements for tracking such release under HIPAA.

TABLE1

Footnotes:

Blue text indicates change from previous data set type

  1. This includes use of self-service query tools, like Harvest.
  2. This includes DRNOC originating queries only. PCORnet study queries fall under "Other" category. This is consistent with the documentation workflow that we have been using to date.
  3. PEDSnet reserves the right to require a Responsible Use of Data (RUD) agreement where sensitive/small cells exist; in the case of DRNOC query, PEDSnet reserves the right to refrain from participating.
  4. NHSR determination serves to manage institutional risk, and is not addressing a regulatory requirement. 
  5. Currently, PCORnet does not require a DUA with data recipients for this category of data. PEDSnet required a work around for both the Bariatric and Antibiotic studies, by requiring PCORnet to implement a PCORnet DRA (see definition below) with the data recipient
  6. Standard data shifting procedure is +-180 days 


Last Updated: 3/30/21