650-20: Interim: External Sharing of Personally Identifiable Information (PII) and PII-Derived Data

Questions? Contact Campus Administrative Policies

Overview

Governance in regard to sharing UCSF-owned Personally Identifiable Information (PII) and PII-Derived Data with entities external to UCSF.

Call for Comments

Comments on interim Campus Administrative Policy 650-20 are currently under review.

Purpose

To establish policies and procedures for sharing UCSF-owned Personally Identifiable Information (PII) and PII-Derived Data with entities and individuals external to UCSF.

Definitions

Contracting Units: UCSF business units with authority to execute legally binding contracts and other agreements on behalf of the University of California (UC). A list and description of Contracting Units is available at http://data.ucsf.edu/data-sharing-contracting-units.

Covered Entity (CE): Health care providers that transmit electronic information in connection with certain transactions. The University of California is a hybrid CE consisting of a Single Health Care Component (SHCC) and non-covered components. UCSF entities that are part of the SHCC include: UCSF Health; clinical operations of the Schools of Dentistry, Medicine, Nursing and Pharmacy that perform covered functions; Student Health and Counseling Services; and Occupational Health Services. The research function is excluded from HIPAA coverage at UC; accordingly, research health information that is not associated with a health care service is not subject to the HIPAA Privacy and Security Rules.

Personally Identifiable Information (PII): Any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or reasonably linkable to that individual.

PII-Derived Data: A derivation of PII, including Limited Data Sets and de-identified Protected Health Information (PHI) as defined by HIPAA. Aggregated data not linked to individual-level data elements does not fit the definition of PII-derived data (e.g., summary population data shared publicly in scholarly publications and presentations).

Protected Health Information (PHI): A subset of PII that is created or received by a HIPAA covered entity and relates to: (i) an individual’s past, present or future physical or mental health condition; or (ii) the provision of and/or payment for health care to an individual.

UCSF-Owned Data: Information created, acquired, and/or managed by UCSF for its own purpose(s). It includes UCSF data maintained by external entities pursuant to written agreement with UCSF. It does not include information that UCSF: (i) maintains as a service for external parties; or (ii) appropriately discloses to an external recipient absent written agreement that UCSF will maintain ownership and control of the data.

Policy

UCSF recognizes the importance of safeguarding UCSF-owned PII and PII-derived data in order to protect the privacy of individuals who interact with the University. When sharing UCSF-owned data with external entities, UCSF is committed to ensuring compliance with applicable federal and state privacy laws and regulations.

Additionally, it is UCSF policy to restrict certain legally permissible external sharing of UCSF-owned PII and PII-derived data if sharing the data may harm individuals or University interests. For example, in accordance with this policy, UCSF may restrict the disclosure of de-identified PHI to an external recipient in certain cases that would otherwise be permitted by the HIPAA Privacy Rule.

  1. Oversight and Governance
    To ensure appropriate oversight and governance, all external sharing of UCSF-owned PII and PII-derived data must be reviewed in advance by a Contracting Unit unless at least one of the following exceptions applies:
    1. Disclosure of PHI by UCSF Medical Center for purposes specifically permitted by UCSF Medical Center Policy 5.02.01 Confidentiality, Access, Use, and Disclosure of Protected Health Information and Privacy. This includes disclosures of PHI to other HIPAA CEs and Business Associates for treatment, payment, and health care operations. Important note: UCSF Medical Center may disclose PHI for research purposes if also permitted by IRB policies; however, a UCSF researcher may not subsequently share data with an external recipient prior to review by a Contracting Unit in accordance with this policy.
    2. External sharing authorized in writing by all individuals whose information is included in the PII or PII-derived data. HIPAA Authorization forms and/or IRB-approved Informed Consent Forms may constitute the required written authorization, provided the external data recipient is specifically named.
    3. Specific data sharing arrangements approved by the IT Governance Committee on Enterprise Information & Analytics (EIA).
    When reviewing external data sharing requests, all Contracting Units will follow the procedures available at "Supporting Secure Data-Sharing Partnerships" (UCSF Data Resources).
  2. Contracting Requirements
    1. Data Sharing Requests. UCSF Community members must request review from an authorized Contracting Unit prior to sharing UCSF-owned PII or PII-derived data with an external party, unless an aforementioned exception applies.
    2. Contracting Requirements. Contracting Units are responsible for ensuring all of the following requirements are satisfied prior to UCSF-owned PII or PII-derived data being shared with external parties:
      a. The data sharing arrangement supports an articulated public benefit and/or UCSF core mission.
      b. Any data sharing to foreign countries complies with the obligations as described in https://data.ucsf.edu/data-sharing.
      c. A data sharing agreement is executed in writing between UCSF and any external recipient of UCSF-owned PII or PII-derived data. Data sharing agreements may include, but are not limited to, Sponsored Clinical Trial Agreements and Data Use Agreements. Data sharing agreements must include the following minimum terms:
        1. Contains the right for UCSF to terminate without cause;
        2. Requires recipient to destroy or return data at conclusion of agreement term or upon request by UCSF;
        3. Prohibits any re-identification of individuals;
        4. Prohibits further transfer of any data without prior written approval from UCSF;
        5. Prohibits commercialization of the data;
        6. Requires that data be protected by all applicable privacy laws;
        7. Specifically identifies the information technology security controls that will be applied;
        8. Requires data recipient to provide evidence of compliance with the data sharing agreement upon request by UCSF;
        9. Provides audit rights to UCSF to ensure compliance by data recipient;
        10. Requires data recipient to promptly report breaches to UCSF;
        11. Requires data recipient to maintain insurance in the amounts of $1M per occurrence and $2M in aggregate, as well as cyber insurance; and
        12. Requires data recipient to indemnify UCSF for its negligent acts and omissions, as well as indemnify UCSF for any breach attributable to data recipient.
      d. The proposed data sharing arrangement, in the judgement of the Contracting Officer, presents unusual or unreasonable risk to individuals or UCSF.
      Upon satisfaction of the above requirements and execution of a data sharing agreement, UCSF-owned PII and/or PII-derived data may be shared with the external party. If any of the above requirements is not met, the Contracting Unit will escalate the data sharing request to the EIA Committee for review.
    3. EIA Committee Escalation Protocol: When a data sharing arrangement is escalated as previously described, the EIA Committee may take one of the following actions:

      1. Approve the data sharing arrangement by waiving certain Contracting Requirements listed above, as follows:
        1. The EIA Committee may waive Contracting Requirements 2(c) and/or 2(d), in whole or in part, after conducting a thorough risk-based assessment of individual privacy rights and UCSF institutional interests. Important note: the requirement to execute a data sharing agreement may only be waived if: (i) an agreement is not otherwise required by law, regulation or policy (e.g., de-identified PHI); and (ii) relinquishing ownership and control of the data does not unreasonably interfere with individual privacy rights nor UCSF’s institutional interests.
        2. The EIA Committee may not waive Contracting Requirements 2(a) or 2(b). The EIA Committee may approve the data sharing arrangement contingent upon the completion of additional requirements necessary to protect individual privacy or University interests.
      2. Disapprove the data sharing arrangement. The Committee will document specific justification for the disapproval.
      3. Refer the data sharing arrangement to the Chancellor’s Executive Team for approval or disapproval.

      The EIA Committee will communicate its action to the appropriate Contracting Unit and/or data sharing requester. If the EIA Committee approved the data sharing arrangement contingent upon the completion of additional requirements, the data requester is responsible for ensuring all requirements are met prior to sharing any data with an external party. If the data requester wishes to appeal the EIA Committee’s action, the requester may inform the EIA Committee and the data sharing arrangement will be escalated to the Chancellor’s Executive Team for final approval or disapproval.

Responsibilities

The Office of IT Enterprise Information & Analytics is responsible for this policy.
