This document would be improved with greater specificity.
1. No opinion.
2. I am not sure how some of the suggested requirements would work in cases where a commercial entity (such as a consulting firm or independent research group that serves commercial clients (e.g. Urban Institute, RTI, NORC, etc) wishes to use the data. Data will also prove highly valuable to third party groups whose intent is advocacy - any number of specialty societies and associations would likely be interested in using data to produce findings of benefit to their membership directly or through legislative advocacy.
3. CMS has fairly solid requirements for data use agreements and differing levels of access depending on the type of entity requesting data. It may be useful to go to ResDAC for templates and advice.
4. Access to patient identifiable data should be restricted to researchers who have an IRB. However, documentation seriousness could be on a sliding scale depending on what sort of data someone requests. For example, CMS has some datasets where they only allow users to extract data that contains no PHI - GDIT is the vendor for at least one such project (VRDC) and may have useful information to take into consideration as well as useful specifications for the vendor RFP.
5. PCORI should establish data repository security standards. I would start with reviewing CMS requirements for using claims data (storage on encrypted survers, HIPAA training of all people who may come into contact with the data, etc).
6. That's very tricky, especially for studies that are complete or underway. Some project's informed consent documents may not allow for this further use (regardless of what the PCORI contract requirements may be).
7. Other:
-Minimum standards for data security and housing of PHI must be spelled out.
-A "full protocol" is not inherently meaningful. I recommend specifying the up-to-date IRB-approved protocol.
-It seems that the policy implies that, for PCS and targeted studies, data must be kept for 7 years, but PCORI will pay for this only if a suggested vendor is selected. While this increases flexibility, it means that PCORI must have at least one vendor in place and ready to accept and store data by the time the first contract requirement comes due. Additionally, there may be a need for alternatives in the instance a suggested vendors are not able to complete the request.
-How does PCORI plan to address issues of IP? This policy may become a deterrent for applicants who wish to mine datasets for a results following completion of the primary publications.
-PCORI needs to flesh out standards around appropriate costs for maintaining data and access to data.
1. No opinion.
2. I am not sure how some of the suggested requirements would work in cases where a commercial entity (such as a consulting firm or independent research group that serves commercial clients (e.g. Urban Institute, RTI, NORC, etc) wishes to use the data. Data will also prove highly valuable to third party groups whose intent is advocacy - any number of specialty societies and associations would likely be interested in using data to produce findings of benefit to their membership directly or through legislative advocacy.
3. CMS has fairly solid requirements for data use agreements and differing levels of access depending on the type of entity requesting data. It may be useful to go to ResDAC for templates and advice.
4. Access to patient identifiable data should be restricted to researchers who have an IRB. However, documentation seriousness could be on a sliding scale depending on what sort of data someone requests. For example, CMS has some datasets where they only allow users to extract data that contains no PHI - GDIT is the vendor for at least one such project (VRDC) and may have useful information to take into consideration as well as useful specifications for the vendor RFP.
5. PCORI should establish data repository security standards. I would start with reviewing CMS requirements for using claims data (storage on encrypted survers, HIPAA training of all people who may come into contact with the data, etc).
6. That's very tricky, especially for studies that are complete or underway. Some project's informed consent documents may not allow for this further use (regardless of what the PCORI contract requirements may be).
7. Other:
-Minimum standards for data security and housing of PHI must be spelled out.
-A "full protocol" is not inherently meaningful. I recommend specifying the up-to-date IRB-approved protocol.
-It seems that the policy implies that, for PCS and targeted studies, data must be kept for 7 years, but PCORI will pay for this only if a suggested vendor is selected. While this increases flexibility, it means that PCORI must have at least one vendor in place and ready to accept and store data by the time the first contract requirement comes due. Additionally, there may be a need for alternatives in the instance a suggested vendors are not able to complete the request.
-How does PCORI plan to address issues of IP? This policy may become a deterrent for applicants who wish to mine datasets for a results following completion of the primary publications.
-PCORI needs to flesh out standards around appropriate costs for maintaining data and access to data.