3rd Party Process Steps

I. The PI of the study must have a current faculty appointment at the medical school.

II. The following documents must be sent to the assigned contact at the medical school Research Informatics Core. 

a. A Statement of Work (SOW) that includes the following:

1.  Description of the project
2.  Duration of engagement
3.  Payment terms
4.  Data Type (aggregate/identified/de-identified) requested
5.  List of data categories requested
6.  Proposed technological infrastructure
7.  Process workflows
8.  Access requirements
9.  Data encryption and transmission protocols proposed by the vendor
10. Data handling mechanisms

b. In addition, to be included in the SOW or associated documentation:

1. Data releases and data retention policies by the vendor
2. Description of all third-party hosting and access platforms, including specific geographical locations
3. Third-party information security and privacy review (SSAE16, HITRUST certification, HIPAA review, etc.)

III. The Research Informatics Core will provide these documents to the UMass Chan IT Security and Compliance Office for security review. These documents must also be provided to and reviewed by the school’s Office of General Counsel for a contractual review and by the Privacy Officer for a privacy review.
Upon successful completion of the contractual, privacy, and security reviews, the school’s Office of General Counsel will establish a contractual agreement with the vendor, which may involve a BAA and data use agreement as deemed necessary.

IV. Prior to the release of PHI, the medical school’s Institutional Review Board (IRB) approval must be obtained and the protocol must outline details regarding categories of data requested, data handling mechanisms, and data retention policies by the vendor. The previous steps within this SOP will be completed before submission to the IRB. The PI should submit documentation associated with this SOP as part of their IRB submission.

V. Once the above conditions are met, go to the Research Informatics Website and complete the data request form.

VI. Required data will be extracted either manually by the Research Informatics Core staff or by automated processing. The Research Informatics Core staff will send the data to the vendor systems through secure and medical school-approved mechanisms. Identifiable information will be sent in adherence to security guidelines set forth by the UMass Chan IT Security and Compliance Office.

VII. The Research Informatics Core will maintain a log of data releases and ensure that a Confidentiality Agreement is complete before access is provided.