Data Use Policy

I. Introduction

The National Institutes of Health (NIH) has supported data collection from participants in numerous clinical trials and epidemiologic studies as part of approved protocols under the Rare Diseases Clinical Research Network (RDCRN). These data from well- characterized population samples constitute an important scientific resource. It is the view of the NIH that their full value can only be realized if they are made available, under appropriate terms and conditions consistent with the informed consent provided by individual participants, in a timely manner to the Rare Diseases Community and the largest possible number of qualified investigators. Accordingly, the Rare Diseases Clinical Research Network (RDCRN) has adopted a Data Sharing Policy (Appendix A) establishing the criteria and mechanisms for data sharing among investigators within the Rare Diseases Network (RDN) and with the general scientific community.

The Brittle Bone Disorders Consortium (BBDC) created this document as a companion piece to the RDCRN Data Sharing Policy. It establishes policies and procedures that the BBDC will follow when sharing data within and outside of the Consortium.

II. Scope

This policy addresses how data generated by the BBDC are to be used.¹

III. Definitions

Commercial Purpose–Data will be considered as being for a commercial purpose if they are to be used by an investigator who is an employee of a for-profit organization, if they are to be used by an investigator as the basis for a consulting relationship with a for- profit organization. Data will also be considered as being for a commercial purpose if the investigator(s) take any affirmative steps to facilitate commercial use of results derived from data.

Data–In this policy, the term data refers to data generated by the BBDC and maintained by the RDCRN’s Data Management and Coordinator Center (DMCC)

Data Use Agreement (DUA)-HIPAA allows researcher(s) who wish to use a limited data set to enter into an appropriate "data use agreement" with a covered entity to provide limited data set without an authorization or a waiver of authorization from an IRB or Privacy Board². The agreement must list the permitted use and disclosures of the PHI being used and require that the researcher will:

• Use appropriate safeguards for the information.
• Not use or further disclose the information other than as agreed or as required by law.
• Report any uses/disclosures that were not permitted.
• Ensure that anyone who has access to the data also agrees to these restrictions to not identify the information of individuals on whom data were collected or make any attempt to contact individuals on whom data were collected.

A researcher using de-identified data, where the information cannot be traced to a particular individual or protected health information disclosed by a covered entity in a limited data set under an appropriate data use contract, is exempt from the disclosure accounting requirements.

The DUA may be part of a Services Agreement (see section D) or a stand-alone agreement.

De-identified Data–De-identified data excludes certain identifying information in accordance with certain regulatory standards set forth in the Privacy Rule so that it no longer contains Protected Health Information (PHI) and is exempt from the requirements applicable to PHI under the Privacy Rule³. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. Data shall be considered de-identified only when all 18 PHI items are removed from the data in accordance with 45CFR164.514⁴.

Limited Data Set - A limited data set is an exception to the HIPAA Privacy Rule requirement for authorization from the subject for research use of protected health information. A limited data set lacks 16 of the 18 identifiers itemized by the Privacy Rule. A limited data set may contain dates of birth, admission, discharge and death and it may contain geographical information such as town/city, state, and zip code³.

External Investigator–An Investigator who is not a BBDC Member (see definition below) and has expressed an interest in using BBDC data and/or BBDC research generally for an academic purpose or for a commercial purpose.

Internal investigator–An Investigator who is a BBDC Member (see definition below).

“Other Use”–Use of data other than for publication purposes, such as for a grant application, presentation, to determine the feasibility of a data mining project or study, or to support an IND or NDA application.

Limited Data Set -A limited data set is an exception to the HIPAA Privacy Rule requirement for authorization from the subject for research use of protected health information. A limited data set lacks 16 of the 18 identifiers itemized by the Privacy Rule. A limited data set may contain dates of birth, admission, discharge and death and it may contain geographical information such as town/city, state, and zip code.

BBD Member/Members–Includes all members of the Brittle Bone Disorders Consortium, such as principal investigators, co-investigators, study coordinators, study neuropsychologists, biostatisticians, and program administration.

BBD Leadership–Consortium principal investigator (director), co-principal investigator (co-director), and associate director.

IV. Policies

A. Data Use
All data generated by the BBDC is available to all BBDC members for analysis. These participating individuals and institutions are listed below:

• Reid Sutton, MD, Sandesh Nagamani, MD, & Brendan Lee, MD, PhD – Baylor College of Medicine
• Jeanne Franzone, MD – Nemours Hospital for Children
• Cathleen Raggio, MD – Hospital for Special Surgery
• Janice Lee, DDS, MD – National Institute of Dental Craniofacial Research
• Mahim Jain, MD – Kennedy-Kreiger Institute
• Laura Tosi, MD – Children’s Research Institute
• Frank Rauch, MD, & Francis Glorieux, MD – Shriners Hospital for Children, Montreal
• Danielle Reynolds, MD – Shriners Hosptial for Children, Tampa
• Peter Smith, MD, & Karen Kruger, PhD – Shriners Hospital for Children, Chicago/Marquette University
• Danita Velasco, MD - University of Nebraska Medical Center
• Jean-Marc Retrouvey, DDS – University of Missouri Kansas City
• Eric Orwoll, MD – Oregon Health and Science University
• Deborah Krakow, MD – University of California at Los Angeles
• RDCRN DMCC (Data Collection & Analysis Core)
• Pamela Smith, MD – Phoenix Children’s Hospital
• Tracy Hart, CEO- Osteogenesis Imperfecta Foundation

The only Protected Health Information (PHI) available to all internal investigators are dates of birth, study visit dates, dates of occurrence of clinical events, dates of admission, discharge, and death. All other identifying information such as name, address, phone number, fax number, email address, social security number, medical record number, health plan beneficiary number, and account numbers are only available to investigators at the enrolling site. Certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP address numbers, biometric identifiers, full face photographic images, and other unique identifying numbers or codes are not collected as part of BBDC research.

External investigators will specify whether de-identified data or limited data set(s) are requested. If a limited data set is requested, only data from subjects that have consented to share a limited data set will be shared. To ensure that the confidentiality and privacy of study participants are protected, all external investigators seeking access to data from BBDC studies must execute and submit an appropriate standard data use agreement form prior to obtaining BBDC data.

B. General Data Released to the Scientific Community

Data will be shared with the scientific community as is required for all NIH-funded studies and will follow NIH Data Sharing Policy and Implementation Guidance⁵ and the RDCRN Data Sharing Policy (see Appendix A). The general release of data will not include customized data reports or analysis but will include a data dictionary.

C. Specific Data Requests

External commercial and non-commercial investigators interested in using data generated by the BBDC prior to its general release to the scientific community or who would like customized data reports and/or analysis have several options as described below.

• Collaboration with a BBDC member on analysis and publication (or other use) –
• External investigators (commercial or non-commercial/academic) Independent analysis
• Services agreement

D. Data Request Process

Individuals and institutions participating in the BBDC as well as, non- participating persons should submit a concept sheet for executive committee review. This concept sheet should be submitted to the BBDC project manager as outlined in Appendix B.

This concept sheet will be reviewed by the BBD executive committee for feasibility and scientific merit within 1 month of submission of all materials. The executive committee is comprised of all BBDC PIs listed above. If the concept sheet is submitted by a member or the executive committee, then they must recuse themselves from the evaluation.

Approval will be determined by taking a majority vote. If a proposal is rejected, then written documentation must be issued within four weeks of the decision. Rationale must be provided along with the determination. An appeal can be made, and the concept sheet can be resubmitted to the executive committee. This resubmission must occur within two months of the rejection documentation being received.

Once a concept has been approved, the BBDC project manager will forward this request to the Data Management and Coordinating Center (DMCC) or the BBDC Statistical team. The DMCC or the BBDC statistical team will then ensure that this request is processed in a timely manner.

Once data requests have been completed, the DMCC or the BBDC statistical team will send the data reports to the executive committee for review. This information will be transmitted via email unless requested otherwise. It is the executive committee’s responsibility to approve this information before it is sent out to the requestor(s) listed on the approved concept sheet.

E. Services Agreements and Contracts

A service agreement needs to be executed for any data mining project involving external investigators. This template incorporates the following elements: statement of work, fee schedule, invoicing instructions, nondisclosure and trade secrets terms, ownership and use of work product arrangements, publication and presentation rights and other standard legal terms. Services Agreements will also set forth a project cost and budget and will contain a data use agreement. If it is anticipated that data will be requested more than once or will require complex analyses, a BBDC infrastructure fee will be assessed for support provided.

Service agreements will be executed by a designated representative of the executive committee or by the consortium PI.

For external investigator(s), the scope of the research to be performed with the BBDC data will be clearly outlined in Appendix B or any revisions of Appendix B mutually agreed upon in writing by a duly authorized representative of external investigator and the BBDC. External investigator(s) will certify that all its employees and other persons involved in the Research will be made aware of and comply with the obligations under which the BBDC data are shared. No part of the BBDC data shall be transferred to any third party or to any other person not specifically engaged in the conduct of the Research. External investigator(s) have to agree to establish appropriate administrative, technical, and physical safeguards to prevent unauthorized use of or access to the De-Identified BBDC Data.

External investigators should agree not to use the de-Identified BBDC Data, either alone or in concert with any other information, to make any effort to identify or contact individuals who are or may be the sources of the de-Identified BBDC Data without specific written approval from the BBDC and appropriate Institutional Review Board (“IRB”) approval, if required. Should an external investigator inadvertently receive identifiable information or otherwise identify a subject, they shall promptly notify BBDC and follow reasonable instructions, which may include return of or destruction of the identifiable information.

F. BBD Site Responsibilities

BBDC sites agree to submit data in a timely manner so that it is available for analysis. The BBDC collects numerous data points from a large number of participants. It is to be noted that the BBDC will not have all data points on all participants. The BBDC cannot assure completeness of any dataset that is being provided. If an external investigator uses the BBDC data for regulatory filings with the FDA, whereas the BBDC will make every effort to provide reliable data, the BBDC sites will NOT be able to provide access to source files, patient records, or other research-related data files for the purposes of monitoring or audit (eg, FDA audits). The BBDC data have been collected from the standpoint of a NIH-funded natural history study and thus do not have the monitoring or auditory oversight that are typically required of interventional studies being conducted under an FDA-IND.

G. Intellectual property

Each BBDC site owns the data collected at their own site. The BBDC owns the complete set of data collected at all sites (collective ownership). Data will be entered into dBGap; therefore, the NIH will also own the data set. At the completion of the study, the Osteogenesis Imperfecta Foundation will have ownership of the data set.

External investigators can only keep the de-identified BBDC data for a period of two years after expiration or early termination of any agreement with the BBDC or the end of the BBDC, whichever is earlier. After this term, external investigator shall follow the disposition instructions provided by the BBDC. However, external investigators may retain one (1) copy of the Data to the extent necessary to comply with the records retention requirements under any law, and for the purposes of research integrity and verification.

H. Publications

All data requests are executed in the spirit that the data are being used for scholarly activities. It is an expectation of the BBDC that all data analyses conducted under the data use policy outlined here will lead to publications. Authorship for publication purposes shall be consistent with the standards of authorship being defined by the Uniform Requirements for Manuscripts Submitted to Biomedical Journals established by the International Committee of Medical Journal Editors (see www.icmje.org). All publications coming from the BBDC data are subject to the BBDC publication policy.

I. Conflict of Interest, Data Release & Publication Agreement

Please see appendix C.

¹This document does not provide legal information or advice and BBDC members are urged to consult their own institutional officials and legal counsel for such information or advice. The BBDC expects that any use or dissemination of its data or research shall conform to all applicable laws, including those that apply to Member States of the European Union and applicable national, state or provincial, and local law. This document describes certain requirements that apply to such use within the United States.

²See 45 CFR Part 164.514 (e) (4) (ii).

³See, 45 CFR 164.514(b)((2)(i). See also National Institutes of Health (NIH), “How Can Covered Entities Use and Disclose Protected Health Information for Research and Comply with the Privacy Rule?”

⁴See 45 CFR Part 164.514.

⁵See NIH Data Sharing and Implementation Guidance.