NOVEMBER-DECEMBER 2018 |
Whether pulled from existing sources or collected during a project, data derived from human subjects often requires a transfer or use agreement.
Research data can take many forms as recorded information, whether it be the analytics of trends, statistics, predictive modeling, etc. Generally data and its use or publication is not restricted by law or contractual obligations as Purdue’s mission is to publish its research and further the knowledge base of the world. Occasionally data results from a research project may be classified or have restrictions on their use imposed by the project’s sponsor. Purdue administration will only enter into such engagements with the consultation and approval of the project’s principal investigator.
- Personal health information (often referred to as PHI) is patient data from physical or electronic health records and has rules imposed by Federal law to protect individuals’ privacy rights. These rules come from the “Privacy Rule”, issued by the US Department of Health and Human Services to implement the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Standards exist for the exchange, security and privacy of PHI that must be followed and are typically codified in a data use agreement. An important factor in any data use agreement is to capture the level of “identification” of the data. The data can be “full” PHI, which requires more stringent protections than completely de-identified health information, which has no restrictions. The identification standard itself is specific and outlined in the Privacy Rule.
Purdue University’s Institutional Review Board and IT Security and Policy are heavily involved in the review and approval of any such agreement to ensure that the research protects the rights of the human subjects involved, and that adequate security measures are in place as Federal law mandates certain best practices for securing PHI. Purdue’s Office of Legal Counsel may also review with input from Purdue’s Chief Privacy Officer.
- Personally identifiable information (often referred to as PII) is information that can be used to identify an individual in context. This is not PHI under the Privacy Rule as it is not limited to any specific category of information. PII’s protections must be determined by a case-by-case assessment of the risks to an individual that could be identified. Research PII is typically gathered with the use of consent forms which participants will complete and acknowledge to allow a researcher certain uses and distribution of their information.
Purdue University’s Institutional Review Board will always be involved in the review and approval of an agreement contemplating the use of PII to verify the intended use matches the consent of the participants. Purdue IT Security and Policy may be involved although security measures for PII have to be decided specific to each use.
Purdue University’s Sponsored Program Services, Contracting group will coordinate data use and data transfer agreements among the aforementioned offices and review and negotiate data contracts to ensure they comply with legal and sponsor requirements and mitigate risk to Purdue University and its faculty.