Step 2: The Data Use Agreement and InterAgency Agreement Process
A. Definitions
What is Personally Identifiable Information (PII)?
PII shall mean personally identifiable information as defined by OMB Memorandum M-07-16 (May 22, 2007) (“PII refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”). PII includes, but is not limited to, information that would be considered Protected Health Information (PHI) if held by a Covered Entity or Business Associate under Health Insurance Portability and Accountability Act (HIPAA). PII also includes, but is not limited to Medical Records protected by the Maryland Confidentiality of Medical Records Act (Health-General § 4-301 et seq, Ann. Code of MD).
What is Protected Health Information (PHI)? See above.
PHI shall have the meaning set forth for “Protected Health Information” at 45 C.F.R. § 160.103.
What is Covered Data?
The data to be disclosed as defined in Attachment 1 of your DUA, almost always consisting of data extracted from Medicaid data files.
What is a Derivative Product?
These products include, but are not limited to, reports, studies, manuscripts, tables, and charts created from Medicaid data files.
What is incoming data?
The term incoming data references the data that is to be received by the Data Recipient(s).
What is outgoing data?
The term outgoing data references the data that is disclosed by the Data Provider(s).
What is a Limited Data Set (LDS)? A LDS is information with facial identifiers, such as PHI and PII, which have been removed. Examples of facial identifiers can be, but are not limited to, information relating to the individual or his or her relatives, employers or household members. For more information on LDS, please see the informational link, available
here.
What is Sanitization?
Sanitization refers to the general process of removing Covered Data from storage media and cloud services, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed. There are several methods of sanitization, including, but not limited to, disposal, clearing (in a fashion that is resistant to keystroke recovery attempts), purging, and physical destruction.
What is the Health Insurance Portability and Accountability Act (HIPAA)?HIPAA shall mean the Health Insurance Portability and Accountability Act of 1996 including all pertinent privacy regulations (45 C.F.R. Parts 160 and 164) and security regulations
(45 C.F.R. Parts 160, 162, and 164), as amended from time to time, issued by the U.S. Department of Health and Human Services as either have been amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111–5). The latter directly affects Medicaid data requests. MDH is required to generate and execute DUAs to comply with HIPAA. For more information on HIPAA, please see the following website, available
here.
What is a Covered Entity?
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.
What is 45 CFR Part 2 – Substance Use Disorder Data?
Part 2 applies to federally-assisted programs that hold themselves out as providing, and do provide alcohol or drug use treatment, diagnosis or referral for treatment. Includes information that would identify a patient as an abuser directly or by reference to other public information except in certain situations, including scientific research.
B. The DUA and BAA
What are the different roles in the DUA process?
MDH is the “Data Provider.” Your organization or individual interest is the “Data Recipient.” The Hilltop Institute at UMBC (in the majority of the cases) is the “Data Warehouse.” In rare cases, Hilltop will not be a party to the DUA. It is also possible that other parties - such as contractors hired to study the Covered Data for the Data Recipient - will be added to the DUA to ensure compliance with HIPAA.
What happens after the statement of the Scope of Work is finalized?
If Hilltop is providing the Covered Data, the Hilltop team estimates the cost of providing the agreed upon deliverables, and submits a proposed budget to the principal investigator and her/his research administrator for review and negotiation. Once the budget has been tentatively negotiated with the principal investigator and her/his employer, the Hilltop team submits the draft budget to the Office of Sponsored Programs at UMBC for its administrative review and approval. A contract for payment by the principal investigator’s employer to UMBC is then established and executed.
Once the Scope of Work statement and the corollary budget have been finalized, what happens next?
As soon as feasible, the principal investigator submits the following to the Maryland Medicaid Planning administration team: (1) finalized statement of the Scope of Work; (2) that information needed from the principal investigator to customize templates for the Inter-Agency Agreement (IA) and the Data Use Agreement (DUA) and (3) a drafted MDH IRB application (MDH IRB Form 2124, available
here) or a MDH IRB Approval Letter.
What is a Data Use Agreement (DUA)?
Because Maryland Medicaid owns the requested data, an agreement must be formed for other parties to receive and use this data. The DUA allows the transfer of Medicaid data, while protecting all parties involved and allowing parties to be within federal and State regulations.
Typically, the DUA includes, but is not limited to, the following attachments comprised of information submitted to Medicaid Planning by the data requestor: Covered Data & Period of Use; Scope of Work; Additional Data Sources; Data Management Plan and Data Storage Location; Project Managers and Notice; Certificate of Data Destruction; and Documentation of IRB approval or a pending IRB application.
When is a DUA necessary?
A DUA is necessary whenever MDH is a provider of Medicaid Data, including LDS, with the requesting Data Recipient before use or disclosure of data if an authorization waiver for use of individual’s health data was not obtained. The DUA is required by the HIPAA Privacy Rule.
Who is responsible for drafting the Data Use Agreement (DUA)?
The Maryland Medicaid Planning Administration team is responsible for drafting the DUA, using pre-approved templates. Hilltop and the Data Recipient will work together to customize the attachment to fit the needs of the request in accordance with rules and regulations. Templates are available upon request.
Once the DUA is fully drafted, what happens next?
The drafted DUA is provided to the principal investigator and representatives of the Hilltop Institute and UMBC for review and revision. Once the terms of the DUA are agreed upon by all named parties, the DUA is finalized and circulated for required, dated signatures. Each named party is provided a signed copy of the executed DUA.
When is a Business Associate Agreement (BAA) necessary?
The HIPAA rules apply to Covered Entities and Business Associates and any time MDH transfers data that contains PII and/or PHI with a Business Associate. A BAA is required whenever Part 2 data is requested and subsequently shared, and at any time a Covered Entity engages a Business Associate to help it carry out its healthcare activities and functions. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.
Who is a Business Associate?
A business associate is any organization or person working in association with or providing services to MDH who handles or discloses PHI and/or PII.
What do I do if there is a substantial change in my research project after my IRB protocol has been approved and/or the DUA has been signed?
These changes should be reported directly to the contract monitor at MDH and through the Quarterly reporting requirement. Each substantial change/deviation from the Scope of Work laid out in the DUA between the parties must be reported to the assigned Project Manager(s) in the DUA. Solutions include an amendment to the DUA, an extension of DUA timeframe, and/or closing out of the project. Any substantive change to the study protocol, as previously submitted to and reviewed by the MDH IRB, will warrant submission of a completed Request for Protocol Modification form, along with a revised Abstract Summary (with proposed changes highlighted in the text) before the MDH IRB.
What is the quarterly reporting requirement? MDH requires Data Recipients to submit a Quarterly report summarizing any analyses or reports for which Covered Data was used. These reports must be sent to John Parrish at
mdh.medicaiddatarequests@maryland.gov.
If I already have a contractual relationship with Medicaid, are there limitations on access to shared Medicaid data?
No. Access and usage is limited to the terms of the Scope of Work. A DUA may be amended and/or a new DUA may be required for the new request.
Is our organization and/or (individual researcher) required to protect and/or encrypt the E-Medicaid data received?Yes. Prior to receipt of E-Medicaid data, Data Requestors are required to complete a Data Management Plan (DMP) Google Form survey. MDH requires Data Requestors to have a sound DMP in compliance with NIST and DoIT guidelines to receive Maryland Medicaid data. MDH’s Google Form survey to access a Data Requestors DMP, available
here.
What is a Data Management Plan (DMP) and is it required for a DUA?A DMP is a written document that describes the data you expect to acquire or generate during the course of a research project, how you will manage, describe, analyze, and store those data, and what mechanisms you will use at the end of your project to share and preserve your data. Completion of the DMP is a requirement to fulfill provisions in the DUA between the Data Recipient and the Maryland Department of Health. Access to the DMP Google Form is available
here. The Google Form assists Planning Staff access your DMP, as well as providing valuable information regarding minimum requirements for a valid DMP.
Who at the organization/LHD can access the shared data?
Data Recipients agree, that within its contractors and subcontractors, access to the Covered Data, the Covered Data documentation, and any file derived from the Covered Data shall be limited to the minimum number of individuals necessary, as determined within the sole discretion of Medicaid, to achieve the purposes set out in the Scope of Work (Attachment A2 of the DUA), and access to the data shall be granted only on a need-to-know basis. Data Recipients shall keep and maintain a log of the identity of each employee, contractor, and/or subcontractor who is authorized to access the data disclosed under the DUA and shall provide the log to Medicaid on demand.
C. In Certain Circumstances, A Third Party Researcher May Need To Enter Into A Separate Agreement Governing Payment Of Costs With The Planning Admin. and/or Its Data Warehouse Provider.
What is an IA? An Interagency Agreement (IA) is an agreement between government agencies and MDH that contains a brief description of the research project and data to be shared, as well as specific duties of each party to the Agreement and requirements to submit quarterly reports and updates. Please note there may be costs associated with research projects that are outside of the scope of the IA.
When is an IA necessary?An IA is necessary when an exchange of funds occurs with MDH. Link to OPASS website – OPASS templates are
here. This link is only relevant if an IA is necessary.