- Standard Operating Procedure: details database security, de-identification of data, access to identified data, data delivery, and data use agreement.
- Data Use Agreement: all users must agree to these parameters of data usage.
- MSDW Database Access Agreement: all users requesting direct database connection must submit the access agreement.
- Chargeback Policy: custom Data Warehouse programming is charged at $180/hour (see policy provisions and applications).
Standard Operating Procedure
I. A. Data Warehouse Security
The Data Warehouse database, staging tables, reference tables, code, access permissions, datamarts and derived reports are kept on secure servers in the Mount Sinai data center and managed by IT staff in accordance with IT Security standards.
B. Annual Security Audit
Data Warehouse servers and storage devices will undergo an IT Security Audit on an annual basis. Remediation of any security vulnerabilities will be performed until certification by IT Security of acceptable security level is achieved.
II. A. PPHS/HIPAA/Privacy implementation
The Data Warehouse conforms with Mount Sinai policy and/or New York State or Federal regulations. The MSDW implementation of these provisions is reviewed and approved by the Program for Protection of Human Subjects and by the Mount Sinai HIPAA/Privacy Officer. Data stored in the underlying database is identified and linked by Medical Record Number and Visit Number. This is necessary in order to collect and collate data from multiple systems, and to append new longitudinal data to individual patient records over time.
B. Special populations
Certain populations of patients are excluded from identified data delivery, in compliance with Mount Sinai policy and/or New York State or Federal regulations. At the current time this includes “VIPs”, HIV-positive patients, and patients with records in the VEMR from a practice that has not authorized access to the Data Warehouse. Investigators requesting data may request a count of such patients that will be excluded from the data being requested/delivered. The Data Warehouse team will provide a count (subject to small cell size restrictions). Patients excluded for these reasons may be included only by explicit authorization by the IRB.
C. NYS HIV provisions
New York State law prohibits certain information concerning HIV status, testing, results, and treatment information from being used for nonclinical purposes without specific consent.
Records of patients with HIV-positive status may be excluded from identified data sets for Human Subjects research, regardless of whether the research has to do with HIV. Exceptions will be (a) if the IRB-approved consent for the study explicitly allows for inclusion of HIV information, or (b) if all HIV-suggestive data elements (see paragraph below) are excluded from the data delivered.
MSDW Data Delivery of identified data (containing PHI), regardless of whether the research has to do with HIV, will exclude HIV diagnoses, HIV test orders and results (whether positive or negative), and medications commonly used to treat HIV, from all identified data sets except for research studies approved by the IRB including explicit authorization to include HIV-related data.
A qualified HIV expert not affiliated with the Data Warehouse team will be appointed to advise on the set of HIV diagnoses, HIV test orders and results, HIV-suggestive medications, procedures or other treatments, that must be excluded from identified data delivery. The HIV expert advisor will review the excluded data elements on at least a semi-annual basis.
D. Specification of Data Elements
For projects requiring IRB approval, the Data Warehouse will only implement access to the specific types of data elements that the IRB says can be accessed. In cases where the Data Warehouse staff finds that the IRB approval is not specific, or is too broad (e.g. retrospective chart review) or too ambiguous to be understood, that approval will be sent back to the IRB for clarification. It is the investigator’s responsibility to meet IRB requirements in this regard.
E. De-identification of data
The default view of data in MSDW is de-identified. HIPAA rules of de-identification are applied.
1. PHI fields
All PHI fields defined under HIPAA are blocked (not viewable and not exportable).
2. Full text reports
Full text reports such as Radiology, Pathology, Operative reports, Progress Notes, Discharge Summaries are excluded from the de-identified view. This is because the text m
3. Small cohorts
Searches of the database that result in cohorts of fewer than 6 patients are blocked.
4. Surrogate tags
MSDW substitutes surrogate numbers for MRN and visit numbers. The surrogate numbers remain constant for each patient and visit, to enable linking data reported by separate searches and exports.
III. A. Re-identification of data
Re-identification of data initially retrieved/reported with surrogate numbers is possible, but can be performed only by MSDW technical staff with the highest level of access to the underlying database.
B. Data Use Agreement
All users of the Data Warehouse or recipients of data delivered from the Data Warehouse, are required to agree to a Data Use Agreement prior to access or to delivery of data. The text of the DUA appears in Addendum 1.
C. DUA for Query Access
Acceptance of the DUA is required as a condition of every logon to the Cohort Query Tool or any other on-line access method or tool that may be offered in the future.
D. DUA for Data Delivery
Acceptance of the DUA is required as a condition of every data delivery request.
IV. A. Access to de-identified data
Authorized and trained users may access the de-identified view of MSDW.
B. Authorized personnel
MSDW users must be formally affiliated with Mount Sinai Health System. Access is managed through Sinai Central/Active Directory authentication. When an individual’s HR status changes to “terminated”, that person’s access to MSDW is immediately and automatically revoked.
C. Training
MSDW users must complete three hours of training/go through the training videos to qualify for access.
D. Means of access
Authorized and trained users may access the Data Warehouse only via the tools provided by the MSDW project team. No user is permitted to write native SQL or any other means to query the underlying database.
E. Locations of access
Users must be on the Mount Sinai secured network, or connected to it remotely via a protected VPN using software approved by the Mount Sinai IT Security Officer and provided by Mount Sinai IT.
F. For research planning
Authorized and trained users may use the Cohort Query Tool (CQT) to access de-identified data for research planning and/or grant application purposes.
G. For doing research
The Data Warehouse can allow authorized and trained users who agree to the Data Use Agreement to access de-identified data for research without IRB approval if the dataset meets all criteria in section II.E of this document.
V. A. Access to identified data
Authorized and trained users may access the identified (PHI) view of MSDW, only with prior approval of the IRB (for Human Subjects Research), or of the HIPAA/Privacy Officer for Hospital uses.
B. IRB authorization
Users requesting access to PHI must present a current IRB approved research plan. All of the following are required and verified by MSDW staff before providing access:
(a) the user must be named as an investigator
(b) the plan/IRB approval must authorize use of PHI
(c) the plan/IRB approval must permit use of clinical databases and/or specify “chart review”
(d) the data requested must fall within the date range specified in the plan and the dates approved by the IRB
(e) the MSDW search criteria for the cohort must match the inclusion/exclusion criteria of the plan/IRB approval.
C. Data access
Data made available is constrained according to the research plan/IRB authorization and is done by one or more of the following:
1. Datamarts
Cohorts may be selected for inclusion in a Datamart in one of the following ways:
(a) Based on user searches performed in the de-identified view, and verified by MSDW staff.
(b) For inclusion/exclusion conditions which are too complex for the CQT, based on custom queries written by MSDW staff, according to user specifications, consistent with the plan/IRB approval.
(c) Based on a user-supplied list of identified patients, which has been assembled via means external to the Data Warehouse. In this case the user is advised of his/her responsibility to ensure that the user-provided list is consistent with IRB approval.
Access to Datamarts is limited to named investigators.
2. Export Panels
Users given access to PHI datamarts have the capability to use Export Panels to view and export identified data. Users are encouraged to use the No PHI version unless the PHI version is absolutely necessary, and always when planning to share data with colleagues not named as investigators. Users are responsible for downstream usage and distribution of data accessed via export panels.
3. Custom Reports
For data views which are too complex for CQT Export Panels, custom reports are developed by MSDW staff. These are usually delivered as Excel spreadsheets and may be PHI or No PHI. The same provisions apply to these as to Export Panels. Custom Reports are delivered only to investigators named on the approved IRB application.
VI. A. Data delivery
Data delivered to users conforms to Mount Sinai IRB, PPHS, IT Security Officer and HIPAA/Privacy Officer policies.
1. Datamarts
Datamarts are maintained on secured servers managed by IT staff according to IT Security standards.
2. Export to Excel
Data exported to users becomes the responsibility of the user/recipient to manage. Users are advised to adhere to IRB and Mount Sinai HIPAA/Privacy policies with regard to proper use of and protection of data in their possession.
3. Custom Reports
The same provisions as in V.2. above apply to data delivered via custom reports.
4. Data interfaces
In select cases, MSDW is interfaced to other Mount Sinai research systems (such as eRAP), and/or departmental databases (such as the Biobank). IRB approval of the sending or receiving program is required and verified before such an interface is built. Such interfaces are to remove the human element from data-copying operations and/or to protect PHI, and are generally either to send qualified patients to MSDW or to send authorized data from MSDW to an approved specialty research database.
VII. A. Data delivery methods
Data delivery methods conform to Mount Sinai IT Security Officer and Privacy Officer policies.
1. via Mount Sinai email
Data may be sent to MSDW users via internal Mount Sinai email without leaving Mount Sinai’s secured network. According to policy, these files are not encrypted.
2. via external email
Data may be sent to MSDW users via external email systems. All data sent via external email must be encrypted and password protected.
3. via shared drives
Files too large to be sent via email may be written to properly secured departmental shared drives. These files must be encrypted and password protected, to protect against inadvertent access by other users of the shared drives.
4. via FTP
Large files may be pushed via secured FTP to verified user-supplied FTP servers. These files must be encrypted and password protected, to protect against inadvertent delivery to an unsecured or unintended FTP site.
5. via secured data media
Files may be delivered by copying to a secured encrypted thumb drive of a type authorized by the Mount Sinai IT Security Officer. When this type of device is utilized it must be hand-delivered to the intended user.
6. via CD or DVD
Files may be delivered by copying to CD or DVD media. These files must be encrypted and password protected, and must be hand-delivered to the intended user.
7. Sending data externally
For cooperative research involving external collaborators or other institutions, data may be delivered to identified collaborators, provided that they are named in the research plan/IRB approval, and may be sent via any of the above methods.
8. via Mount Sinai One Drive
Large files may be uploaded to your Mount Sinai One Drive. These files must be encrypted and password protected, to protect against inadvertent delivery to an unsecured or unintended user.
9. User responsibility
It is emphasized in training, and reinforced when data is delivered, that users are expected to abide by Mount Sinai IRB and PPHS policy, HIPAA/Privacy regulations, and Mount Sinai IT Security policy, with regard to proper use of data and protection of PHI.
I. Data Use Agreement
- For Human Subjects research uses, I certify that I have completed Mount Sinai training required by the Program for Protection of Human Subjects, and agree to abide by all PPHS requirements pertaining to access, storage, sharing and review of data.
- I will limit my review of data elements in the Data Warehouse, or any Data Marts, to only those data elements and date ranges in the scope of my IRB approved project, or for authorized Hospital uses as necessary to carry out my job responsibilities.
- For any custom reports or datasets that I request, I will limit my request to those data elements and date ranges in the scope of my IRB application and approval, or for authorized Hospital uses as necessary to carry out my job responsibilities.
- When using data provided without identifiers for research purposes I will not attempt to re-identify patients from any data that I may see in the Data Warehouse or any Data Marts or reports. This restriction applies to all uses, including data being used in preparation of a project, or for purposes of research that is considered not federal regulated human subjects research.
- For any identified (i.e., containing PHI) Data marts or reports made available to me, I will exclude any subjects personally known to me or co-investigators except in a formal provider/patient relationship.
- Data supplied for projects with IRB approval shall not be re-used or re-disclosed without explicit permission from the IRB.
- I certify that I understand and agree to abide by the guidelines of the PPHS, the rules and regulations of the Mount Sinai medical center, and all applicable federal and state laws and regulations.
- I understand that all access is audited, and that unauthorized access or inappropriate usage of data may result in disciplinary action up to and including termination.