Cloud-based DUA

Project Description

This project will be included in a future phase and is based on a pilot with the FDA. The goal is to create a cloud-based data use agreement (DUA) toolkit to support the entry of de-identified EHR data from partner institutions into the sandboxes. The project will leverage a preconfigured FHIR repository maintained on the CD2H/NCATS cloud or behind the partner institution’s firewall as a demonstration. The team will work with the community to write governance documents, standard operating procedures, and policy for CTSA informatics community collaboration. A pan-sandbox governance group will have CD2H and community representatives to contribute subject matter for specific domains.

This project will create a general Data Use Agreement (DUA) to support the entry of de-identified EHR data from a partner institution to a preconfigured FHIR repository maintained on the CD2H/NCATS FISMA-Compliant Amazon Web Service (AWS) Cloud or behind the partner institution firewall. The DUA will allow data query and transfer of query results to 3 HHS agencies (CDC, FDA, and/or NIH). The DUA will be designed to be signed once by multiple institutions and used for a variety of research projects. We will draft the DUA and pilot it with a small set of data partners. It will be built to support use in centralized sharing systems such as the CTSA program within the CD2H/NCATS FISMA-Compliant AWS Cloud.

The creation of a cloud-implemented DUA management system will involve the following key components, implemented within the CD2H-NCATS cloud architecture: 

1. Hosting EHR data on a FHIR Repository and Query Tool via launch of the FHIR server in the cloud for the purposes of FDA data harmonization
2. Harmonizing EHR data using the U.S. Core Data for Interoperability (USCDI) standard, a FHIR standard supported by CD2H Health Open Terminology expertise and services 
3. Making certain EHR data are available for query by the Parties, driven by involved Parties and the community
4. Releasing query results to the Parties governed by the DUA described below.

DUA definitions that need to be ratified to enable deployment of the above components are:

• 1.1. Authorized Persons includes any person, designated by a Party to the FHIR Harmonization Project, as authorized to receive Data and Confidential Information to carry out necessary portions of the FHIR Harmonization Project. All Authorized Persons are bound by terms at least as restrictive as those found in this Agreement.
• 1.2. Confidential Information encompasses each Party’s confidential information, including but not limited to Background Intellectual Property, disclosed by that Party to any of the other Parties for use in the FHIR Harmonization Project and marked as confidential at the time of disclosure or if disclosed verbally or visually, is identified by the disclosing Party to be confidential at the time of disclosure and is confirmed in writing as “Confidential Information” by the disclosing Party to the Recipient within 30 days of initial disclosure.
• 1.3. Data include raw or processed datasets, metadata, clinical data provided or received hereunder, including claims data. It does not include administrative or billing data.
• 1.4. Data Subject is defined as a person who is the subject of the Data provided or received.
• 1.5. De-Identified Data includes information that has been de-identified in accordance with the requirements for de-identification of Protected Health Information under HIPAA (45 CFR §164.514(b)
• 1.6. FHIR Repository and Query Tool refers to Fast Healthcare Interoperability Resources (FHIR®), and is a standard designed to capture, integrate, and exchange clinical data for research purposes through a shared repository [RJ([1] and enhance capabilities to share research data through a query tool. Together, these processes are integrated in a FHIR Repository and Query Tool.
• 1.7. General Research Use means use of the Data for general research purposes, including but is not limited to, health/medical/biomedical purposes, fundamental biology research, the study of population origins or ancestry, statistical methods and algorithms development, and social-sciences research.
• 1.8. HIPAA refers to the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and all implementing regulations.
• 1.9. Public Health and Safety refers to the systematic collection, analysis, and interpretation of data and its timely dissemination to those responsible for education, policy making, and research for disease and injury prevention.
• 1.10. U.S. Core Data for Interoperability (USCDI) Standard is a standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange. Detailed information may be found at https://www.healthit.gov/isa/us-core-data-interoperability-uscdi.