Hi, Russ, I think this would be a topic for the next monthly GPC IRB call for discussion. (Steve, is there room on the 10/30 agenda for the topic?) Under the HIPAA Privacy Rule preparatory to research requirements, no HIPAA identifiers may be sent outside the institution. Further, I think most of the IRBs would require IRB oversight of this type of data release. Some institutions could accommodate the release within their current data sharing protocols their IRBs have approved (or might need a minor change to the protocol) and others will need to obtain approval of a protocol to allow such data sharing. I do not think the second option noted below (identifying cases where IRB oversight would not be required) is viable. We received some feedback from OHRP already that the data exchanges, even those that are coded without HIPAA identifiers, requires IRB oversight. Because release of a limited data set requires a data use agreement, I will reach out to the UW legal counsel to see if she thinks the current GPC data sharing agreement is adequate to cover the release of data you have described. With best regards, Nichelle
Nichelle Cobb, Ph.D. Director, Health Sciences Institutional Review Boards Office 800 University Bay Drive, Suite 105 Madison, WI 53705 Phone: (608) 262-1980 Fax: (608) 265-5811 >>> Russ Waitman <rwait...@kumc.edu> 10/13/2015 12:00 PM >>> Hi Nichelle (and Brittany for tracking), We’ve had a question arise on the gpc-dev call that is at the intersection of how we manage data for the PCORnet central office distributed research queries. We’ve been operating on the understanding that for prep to research queries from PCORI, we will be hosting fully de-identified i2b2 and PCORnet CDM databases at each site. The current model based on the data sharing is that prep to research queries of these resources will have Data Request Oversight but not IRB. There’s a discussion now of an added requirement that we also generate limited datasets with the precise dates. - This could either be a persistent database copy (what they’d prefer) - Or, could theoretically be a dataset for each project The question is, when they want to distribute code that runs against these data files, is there a consistent interpretation of what IRB oversight is required? What’s the GPC IRB verdict? - Each research project has its own approved IRB protocol? - Or - There are exceptions approved by GPC IRB where if data doesn’t flow back with cell sizes less then 11, they don’t need IRB Is this a topic you’ve already addressed or should we bring this up at a meeting? Russ Waitman, PhD Director of Medical Informatics Assistant Vice Chancellor for Enterprise Analytics Associate Professor, Department of Internal Medicine University of Kansas Medical Center, Kansas City, Kansas 913-945-7087 (office) rwait...@kumc.edu http://www.kumc.edu/ea-mi/ http://informatics.kumc.edu http://informatics.gpcnetwork.org – a PCORnet collaborative
_______________________________________________ Gpc-dev mailing list Gpc-dev@listserv.kumc.edu http://listserv.kumc.edu/mailman/listinfo/gpc-dev
