One of the primary missions of the Scientific Registry of Transplant Recipients
(SRTR) is to provide information and data to researchers and clinicians who have
legitimate needs, and the SRTR will make every attempt to fulfill this mission.
Possible reasons for denying a data request in whole or in part include: 1) the
data are not collected and/or verified; 2) release of the data violates the Privacy
Act or applicable federal or state laws on confidentiality of patient medical records
or trade secrets; 3) the purpose of the data use is not sufficiently valuable to
warrant a large-scale expenditure of time and effort; or 4) the data and information
are excepted from disclosure under the Freedom of Information Act (FOIA). As a general
rule, the SRTR does not release data with personal identifiers.1
The STAC is currently scheduled to meet on:
Thursday, February 23, 2012
There are 4 types of data requests:
- Simple Data Requests
Data requests that can be fulfilled with existing data and do not require additional
programming or analyses can generally be fulfilled quickly (i.e., less than 4 hours)
and do not require a data use agreement (DUA) or the approval of the Health Resources
and Services Administration (HRSA), SRTR Project Officer, or the SRTR Technical
Advisory Committee (STAC). Data sets require a DUA and do not fall into the category
of simple data requests. Any request requiring more than 4 hours of programming
or analysis time will be considered under the fourth category, Data Requests for
Additional SRTR Programming.
- Data Requests for Standard Analysis Files or Simulated Allocation Models
Data requests that can be fulfilled by releasing a Standard Analysis File (SAF)
and/or a Simulated Allocation Model (SAM) require a DUA. The release of an SAF or
SAM under a DUA requires the prior approval of the SRTR, but generally does not
require the prior approval of the STAC. DUAs must be renewed annually through the
duration of the approved use.
- Data Requests Requiring Linkages
Data requests that require the provision of personal identifiers to link with other
public or private data sources can often be accommodated. To protect the private
information of individuals in the transplant registry, the SRTR will perform the
linkages and analyses that require the use of personal identifiers; the SRTR will
release the resulting data as summary data or as individual data with encrypted
identifiers. In exceptional circumstances, identifiers may be released to other
government agencies or investigators for linkage, but only after authorization by
the STAC and the HRSA SRTR Project Officer.
This type of data request must be authorized by the HRSA SRTR Project Officer and
the STAC. The STAC meets every 3 months; the SRTR must receive the data request
at least 1 month before the meeting for it to be considered at that meeting. After
STAC approval and the receipt on an acceptable finder file, the linkage will take
1-3 months to complete.
- Data Request for Additional SRTR Programming
Data requests for additional SRTR analyses will be considered depending on resources
available and reviewed on a case-by-case basis by the SRTR and HRSA SRTR Project
Officer.
Cost
Standard Analysis Files cost $1000; each additional, updated SAF costs $500.
Simulated Allocation Models cost $1000 per model.
Requests for data or information that are estimated to require less than 4 hours
of SRTR personnel time are generally fulfilled without charge.
Requests for data that require more than 4 hours of SRTR personnel time will require
payment at an hourly rate, currently $120 per hour. Data sets are associated with
a $1000 cost in addition to the hourly rate, while the cost of analytical results
is based solely on the programming time required to fulfill the request. All patient
linkage requests require more than 4 hours of SRTR personnel time. The SRTR will
provide an estimate of the cost of the data request. Then, an estimated work-effort
and payment agreement must be obtained before the programming proceeds.
A student discount is available for current students using SRTR data to fulfill
requirements of a degree program. Starting January 1, 2012 the student discount
will be available for medical doctors currently in residency or fellowship programs.
Documentation is required and the student must be named as the principle investigator.
For qualifying students, the cost of a SAF is $200 and the cost of each SAM is $200.
No student discount is available for requests requiring additional SRTR programming.
Please contact the SRTR for details regarding adding investigators to a DUA, making
an addendum to a current DUA, and other situations not laid out in this document.
Data Use by the SRTR under Contract with the Health Resources and Services
Administration
The SRTR contractor and its collaborating institutions and investigators will conduct
research and publish the results of research in peer-reviewed journals as contract
deliverables. Research conducted under this contract does not require a DUA.
SRTR Publications
Reports and publications required by the contract will state that data and analyses
contained in the report or publication have been supplied by the Scientific Registry
of Transplant Recipients, that the authors alone are responsible for reporting and
interpretation, and that all or part of the data used for these publications was
collected pursuant to Contract No. HHSH250201000018C (Department of Health and Human
Services, Health Resources and Services Administration, Rockville, Maryland). All manuscripts must be submitted to
srtr@srtr.org prior to submission to be reviewed by HRSA as outlined in the DUA.
Authorship on SRTR Publications
When individuals have made a substantial contribution to the conduct of the study
and the writing or revising of the manuscript, they shall be listed as authors.
The assignment of authorship will follow guidelines established by the International
Committee of Medical Journal Editors (ICMJE).2
Footnotes
1 http://www.hipaa.com/2009/09/hipaa-protected-health-information-what-does-phi-include/
HIPAA ‘Protected Health Information’: What Does PHI Include?
HIPAA.com has received from its readers requests for information on topics related
to HIPAA Administrative Simplification Privacy and Security Rules and to updates
to those rules reflected in the HITECH Act provisions of the American Recovery and
Reinvestment Act of 2009, signed by President Obama on February 17, 2009. Of particular
interest to readers is: what exactly is protected health information (PHI)?
Protected Health Information
Protected health information is defined in two ways in Section 1171 of Part C of
Subtitle F of Public Law 104-191 (August 21, 1996): Health Insurance Portability
and Accountability Act of 1996: Administrative Simplification. These statutory definitions
are of health information and individually identifiable health information.
“Health information means any information, whether oral or recorded in
any form or medium, that– (A) is created or received by a health care provider,
health plan, public health authority, employer, life insurer, school or university,
or health care clearinghouse; and (B) relates to the past, present, or future physical
or mental health or condition of any individual; the provision of health care to
an individual; or the past, present, or future payment for the provision of health
care to an individual.”
“Individually identifiable health information is information that is a
subset of health information, including demographic information collected from an
individual, and:
(1) Is created or received by a health care provider, health plan, employer, or
health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition
of an individual; the provision of health care to an individual; or the past, present,
or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information
can be used to identify the individual.”
Protected health information is defined in 45 CFR 160.103, where “CFR”
means “Code of Federal Regulations,” and, as defined, is referenced in Section 13400
of Subtitle D (Privacy) of the HITECH Act.
“Protected health information means individually identifiable health information
(defined above):
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable health information
in:
(i) Education records covered by the Family Educational Rights and Privacy Act,
as amended, 20 U.S.C. 1232g;
(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
(iii) Employment records held by a covered entity in its role as employer.”
The HIPAA Privacy Rule covers protected health information in any medium while the
HIPAA Security Rule covers electronic protected health information.
Thus, the question arises as to what elements comprise protected health information
such that if they were removed, items (i) and (ii) of (2) in the definition of
individually
identifiable health information would not obtain. The answer is in the
de-identification standard and its two implementation specifications of the HIPAA
Privacy Rule [45 CFR 164.514]:
“(a)
Standard: de-identification of protected health information. Health
information (defined above) that does not identify an individual and with respect
to which there is no reasonable basis to believe that the information can be used
to identify an individual is not individually identifiable health information.
(b) Implementation specifications: requirements for de-identification of protected
health information. A covered entity may determine that health information is not
individually identifiable health information only if:
(1) A person with appropriate knowledge of and experience with generally accepted
statistical and scientific principles and methods for rendering information not
individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small
that the information could be used, alone or in combination with other reasonably
available information, by an anticipated recipient to identify an individual who
is subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination;
or
(2)
(i) The following identifiers of the individual or of relatives, employers, or household
members of the individual, are removed:
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address,
city, county, precinct, zip code, and their equivalent geocodes, except for the
initial three digits of a zip code if, according to the current publicly available
data from the Bureau of the Censue:
(1) The geographic unit formed by combining all zip codes with the same three initial
digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing
20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual,
including birth date, admission date, discharge date, date of death; all ages over
89 years and all elements of dates (including year) indicative of such age, except
that such ages and elements may be aggregated into a single category of age 90 or
older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social Security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code, except as permitted
by paragraph (c) of this section; and
(ii) The covered entity does not have actual knowledge that the information could
be used alone or in combination with other information to identify an individual
who is a subject of the information.
(c) Implementation specifications: re-identification. A covered entity may assign
a code or other means of record identification to allow information de-identified
under this section to be re-identified by the covered entity, provided that:
(1) Derivation. The code or other means of record identification is not derived
from or related to information about the individual and is not otherwise capable
of being translated so as to identify the individual; and
(2) Security. The covered entity does not use or disclose the code or other means
of record identification for any other purpose, and does not disclose the mechanism
for re-identification.”
The release by HHS of the Interim Final Rule, “Breach Notification for Unsecured
Protected Health Information,” published in the Federal Register on Monday, August
24, 2009, notes the following: “If information is de-identified in accordance with
45 CFR 164.514(b) [the first implementation specification, defined above], it is
not protected health information, and thus, any inadvertent or unauthorized use
or disclosure of such information will not be considered a breach for purposes of
this subpart.” [74 Federal Register 42743]
Ed Jones, Author & Healthcare Authority
2 http://www.icmje.org/ethical_1author.html
Uniform Requirements for Manuscripts Submitted to Biomedical Journals: Ethical
Considerations in the Conduct and Reporting of Research: Authorship and Contributorship
Byline Authors
An “author” is generally considered to be someone who has made substantive intellectual
contributions to a published study, and biomedical authorship continues to have
important academic, social, and financial implications (1). An author must take
responsibility for at least one component of the work, should be able to identify
who is responsible for each other component, and should ideally be confident in
their co-authors’ ability and integrity. In the past, readers were rarely provided
with information about contributions to studies from persons listed as authors and
in Acknowledgments (2). Some journals now request and publish information about
the contributions of each person named as having participated in a submitted study,
at least for original research. Editors are strongly encouraged to develop and implement
a contributorship policy, as well as a policy on identifying who is responsible
for the integrity of the work as a whole. While contributorship and guarantorship
policies obviously remove much of the ambiguity surrounding contributions, they
leave unresolved the question of the quantity and quality of contribution that qualify
for authorship. The ICJME has recommended the following criteria for authorship;
these criteria are still appropriate for journals that distinguish authors from
other contributors. Authorship credit should be based on 1) substantial contributions
to conception and design, acquisition of data, or analysis and interpretation of
data; 2) drafting the article or revising it critically for important intellectual
content; and 3) final approval of the version to be published. Authors should meet
conditions 1, 2, and 3.
- When a large, multicenter group has conducted the work, the group should identify
the individuals who accept direct responsibility for the manuscript (3). These individuals
should fully meet the criteria for authorship/contributorship defined above, and
editors will ask these individuals to complete journal-specific author and conflict-of-interest
disclosure forms. When submitting a manuscript authored by a group, the corresponding
author should clearly indicate the preferred citation and identify all individual
authors as well as the group name. Journals generally list other members of the
group in the Acknowledgments. The NLM indexes the group name and the names of individuals
the group has identified as being directly responsible for the manuscript; it also
lists the names of collaborators if they are listed in Acknowledgments.
- Acquisition of funding, collection of data, or general supervision of the research
group alone does not constitute authorship.
- All persons designated as authors should qualify for authorship, and all those who
qualify should be listed.
- Each author should have participated sufficiently in the work to take public responsibility
for appropriate portions of the content.
Some journals now also request that one or more authors, referred to as “guarantors,”
be identified as the persons who take responsibility for the integrity of the work
as a whole, from inception to published article, and publish that information.
Increasingly, authorship of multicenter trials is attributed to a group. All members
of the group who are named as authors should fully meet the above criteria for authorship/contributorship.
The group should jointly make decisions about contributors/authors before submitting
the manuscript for publication. The corresponding author/guarantor should be prepared
to explain the presence and order of these individuals. It is not the role of editors
to make authorship/contributorship decisions or to arbitrate conflicts related to
authorship.
Contributors Listed in Acknowledgments
All contributors who do not meet the criteria for authorship should be listed in
an acknowledgments section. Examples of those who might be acknowledged include
a person who provided purely technical help, writing assistance, or a department
chairperson who provided only general support. Editors should ask corresponding
authors to declare whether they had assistance with study design, data collection,
data analysis, or manuscript preparation. If such assistance was available, the
authors should disclose the identity of the individuals who provided this assistance
and the entity that supported it in the published article. Financial and material
support should also be acknowledged.
Groups of persons who have contributed materially to the paper but whose contributions
do not justify authorship may be listed under such headings as “clinical investigators”
or “participating investigators,” and their function or contribution should be described—for
example, “served as scientific advisors,” “critically reviewed the study proposal,”
“collected data,” or “provided and cared for study patients.” Because readers may
infer their endorsement of the data and conclusions, these persons must give written
permission to be acknowledged.