Data Use Agreements and Remote Monitoring --- What do you think?


Have you (sites) received a Data Use Agreement from a sponsor as part of the process to negotiate Remote Monitoring? [or have you incorporated one as a sponsor] 

Under the HIPAA Privacy Rule, a covered entity (CE) may use a Data Use Agreement to allow for a Limited Data Set of PHI to be used and disclosed for a particular purpose without an individual authorization. This type of process should be supported by SOPs within the CE related to compliance with the applicable regulations (45 CFR 164.514 (b)). Also, unlike HIPAA Authorizations used in clinical trials during informed consent, Data Use Agreements ARE subject to the Minimum Necessary Standards under HIPAA.  Investigators are to obtain only the identifying data elements that are necessary to accomplish the research goal if using a limited data set to conduct their research.  Also, the PHI that can be disclosed is limited to a subset of 16 PHI categories. So, this is disclosure of PHI... This will need to be monitored by the IRB/Privacy Board and enforced through the provisions of the Data Use Agreement. 

There are rules on what can be in the data set. Again, there are 16 types of dentifiers (PHI) that are allowed to be included. Also, a Data Use Agreement must meet the requirements within 45 CFR 164.514 (b). 

  • The recipient will use the PHI contained in the data set only as permitted by the Privacy Rule;
  • Limits will be placed on who can use or receive the data
  • The recipient agrees not to re-identify the data or to contact the research subjects
  • Appropriate safeguards will be used to prevent use/disclosure of the limited data set other than as permitted by the data use agreement and the Privacy Rule or as required by law. (if the recipient is a sponsor, how would this be accomplished...?) 

The regulations refer to limited data sets used for certain practices, like research, but within the CE or provided to a business Associate (BA) for providing a service to the CE and no data is used for the BA but for the service being provided to the CE.

So, using this process by a site for pre-screening or chart review is very helpful where review prepratory to research (RPR) is not allowed without consent, example for 45 CFR 46, the common rule under OHRP.
I have seen sponsors use this in the past in CTAs for a couple of reasons: 1) to ensure they have access to a certain data set in CRFs no matter if the subject withdraws from the study or revokes authorization, more of a guarantee to their data; 2) this type of a agreement can also be used in pre-screening, when a sponsor would like to review or collect some PHI before consent and authorization for a number of reasons that are the same as before the days of HIPAA. Screening logs with PHI (example initials) should not be disclosed to sponsors pre-ICF / Authorization. Some sponsors are satisfied with a summary of pre-screening activities and reasons for not consenting, e.g., a pre-screening summary to a sponsor might state "20 patient records were reviewed for IC/EC from [date] to [date]; 8 women and 2 men; 5 subjects did not qualify due to IC [ ] and 2 subjects did not qualify due to EC [ ]. 3 patients were scheduled for screening visits." None of this info is PHI so not needing any permissions or waivers. BUT if a sponsor wants more specific information about pre-screening then the data use agreement can be potentially used, or some CEs use waivers of authorization.
A 3rd reason is surfacing why sponsors may look to Data Use Agreements, and may be seen more and more as well head into remote monitoring models. We should be cautious about these types of uses. This is more complicated than it appears, as you can tell by the explanation so far. 

For one, why does a sponsor want to maintain source? Remote monitoring should be timely and efficient. Technology can support this much more. Unless original source is also used as the CRF, e.g., diary data completed by a subject, sponsors do not maintain source as part of GCP data integrity. This increases the risk of re-identification or unauthorized re-use. 

Secondly, Data Use Agreements are typically used within the CE or between a CE and a business associate (BA). Not to an entity that is not governed under the Privacy Rule. Therefore, the required assurances and protections of the data are required by the data use agreement, but legally HIPAA does not have jurisdiction for enforcement. Sponsors are not business associates or CEs, usually, and most Do Not Want to become one, especially since the amendment to HIPAA in 2009 and 2013 making BAs to have the same liabilities for breeches as the CE. How a sponsor will give enough assurances that the PHI disclosed from the data set will only be used as agreed is hard to be comfortable with when disclosed to a non-CE or non-BA. In that case HIPAA no longer protects the data and it is no longer PHI when disclosed to the non-CE or non-BA = sponsors. But once PHI is disclosed outside to an non-CE, HIPAA no longer protects the data disclosed and sponsors are not required to report breeches to OCR (and the individual and in some cases the media), unless in the CTA (but a sponsor should not agree to requirements of a CE or BA unless they are one).

Also, having a Data Use Agreement in place between a sponsor and CE is not the scenario supported within the regulations under the sub-section that relates to use and disclosures of PHI without authorization. For an industry sponsored clinical trial you have subjects being enrolled with ICFs and authorizations. In typical circumstances for use of a Data Use Agreement. The authorization already must note what PHI can be used and disclosed, for what purposes and once disclosed to the sponsor is no longer protected under HIPAA. The Authorization would be the best place to inform the subject of the circumstances of remote monitoring and allow them to agree or not. The CTA should coordinate with the authorization related to PHI use and disclosure and can include language to support agreed upon remote review of source. This helps in clear expectations for the site for budgeting and resourcing the trial. Also, access to original source is typically temporary (traditionally monitored onsite, more so recently movement to remotely if possible). So a "Data Use Agreement" within the CTA may not be what is needed for alignment with the authorization for a trial; some of the required parts may be helpful. 

Use of a Data Use Agreement for sponsor disclosure of PHI for remote source review is something to report to the security and privacy officers of an institution (CE). I am not sure if they will be comfortable with the risks. Definitely, the security and privacy officers of a CE should be part of the discussion. So maybe the terminology Data Use Agreement is not specifically meant to link to the Privacy Rule. the CTA between sponsor and site should align with the subject HIPAA authorization though. 
I am giving a webseminar this Monday (28th) on the topic and discuss limited data sets and other processes that will become more used with the new paridigm shift and stakeholders need to know what various laws are applicable. Click here to learn more

The regulation can be found at 45 CFR 164.514: Other requirements relating to uses and disclosures of protected health information. Remember, if the Data Use Agreement is in a CTA, it must link to protections of confidentiality of the patient/individual, e.g., authorizations,privacy practices, risk assessments, etc., depending on the situation. The Office for Civil Rights has a FAQ section on the website for HIPAA. Here is the link directly for the FAQs on Limited Data Sets. Hope this helps!