17428
An Effective, Scalable Privileging Model for Enabling HIPAA-Compliant User Access in a Shared Data Repository

Friday, May 16, 2014
Atrium Ballroom (Marriott Marquis Atlanta)
D. Voccola1, A. Van Wagner1, C. H. Tirrell1, T. Cermak2, M. Yourd1 and W. Jones3, (1)Prometheus Research, LLC, New Haven, CT, (2)Marcus Autism Center, Atlanta, GA, (3)Department of Pediatrics, Marcus Autism Center, Children's Healthcare of Atlanta, Emory University, Atlanta, GA
Background: Multiple factors are causing an increase in the need for both local and multi-site collaboration in autism research (OARC/IACC, 2012). This increased need, while arguably beneficial in a still-emerging research domain, such as autism, often produces significant unanticipated problems for collaborators: (1) They typically lack access to research informatics expertise, resulting in homegrown re-creations of appropriate (read: HIPAA-compliant) data access rules; and (2) their usual “data” tools (e.g., Excel, SPSS, R, Access) are not designed to facilitate the enforcement of these rules.

Objectives: Suggest a relational data model and set of cascading data access rules for creating a shareable data repository capable of complying with all relevant sections of HIPAA’s Administrative and Technical Safeguards using a newly available database tool.

Methods: We interviewed investigators, clinicians, and research staff at the Marcus Autism Center and Emory University about their perceived needs and challenges in the areas of security and convenience when sharing data in a collaborative environment. We designed two solutions, each containing sets of cascading data access rules accounting for each of the major components in determining “minimum necessary” data access for a given research team member, and a complimentary relational data model for configuring and enforcing these rules. Solution 1 assumed a sharing-centric institutional environment in which cooperative agreements exist between investigators, facilitated by the use of consistent participant consent language between projects (à la Marcus). Solution 2 assumed a project-centric (a.k.a., “siloed”) environment, in which consent language and data sharing agreements can vary widely, even within the same institution. Using the default Research Exchange Database (RexDB) schema as our starting point, we designed and tested several data model augmentations and calculated rule-sets, which were presented back to the interviewees.

Results: Solution 1 was accepted for deployment at the Marcus Autism Center. When launched near the end of 2013, it will automatically enforce “minimum necessary” data access for nearly 100 users across several overlapping research cores and projects at the Center.

Conclusions: Researchers need not design homegrown solutions to solve the perceived challenges of data access in an increasingly collaborative landscape. Most data access permutations can be appropriately addressed by a small set of pattern-based data access rules. These rules can be applied and configured using available data management software, such as RexDB.

Citation:

Office of Autism Research Coordination (OARC), National Institute of Mental Health and Thomson Reuters, Inc. on behalf of the Interagency Autism Coordinating Committee (IACC). IACC/OARC Autism Spectrum Disorder Research Publications Analysis Report: The Global Landscape of Autism Research. July 2012. Retrieved from the Department of Health and Human Services Interagency Autism Coordinating Committee website: http://iacc.hhs.gov/publications-analysis/july2012/index.shtml

See more of: Other Topics
See more of: Other