Beginning in November 2020, and in accordance with a new VUMC policy, contract requests that include a transfer of human subjects data from VUMC to the other contract party will require completion of a Human Data Risk Assessment Tool (HDRAT). Depending on the risk level determined by your answers to the survey, additional actions may be required to ensure that the data transfer complies with all legal and cybersecurity requirements.
The HDRAT applies to new requests for Data Use Agreements and Standard/Research agreements when a set of conditional questions is answered indicating the conditions are met. This will also apply to certain Supply Chain contracts where transfer of Patient Data is identified in the Sourcing Request.
Opening the HDRAT: When the conditional questions are answered in such a way as to indicate that the risk tool is required to be completed, you will see this:
To open the HDRAT, click on the blue button. The tool will open in a pop up over the top of the PEER request:
The HDRAT must be 100% complete in order to submit your contract request. Answer each question and click save before closing the tool and returning to the contract request.
External Reviews:
There are two possible extra reviews that must take place for each HDRAT that is required. Their applicability is determined by the answers to other questions in the HDRAT:
Image Sharing Deidentification Review by VICTR-ImageVu
If you are sharing images, you must submit a REDCap request to VICTR-ImageVu to review that images have been deidentified appropriately. If you answer one of the imaging/photograpic questions yes, you'll see this:
Then you'll see this at the bottom of the HDRAT form:
De-identification review by Integrated Data Access & Services Core (VICTR-IDASC) for de-identified or limited data sets:
If you indicate a deidentified or limited data set, the HDRAT form will ask you to specify the method of deidentification used. You will also be required to submit a request for review by VICTR-IDASC which will determine the appropriateness and completeness of the deidentification. In the HDRAT form you will see this:
You will NOT be allowed to submit your contract request if these steps are required and not completed. If required, these review requests must be started in REDCap and the IDs saved in the form in order to proceed with the contract request.
It is NOT required that you have received an answer back from these reviews at the time of your contract request. The contracts office can begin their processes in parallel to these reviews and will document the outcomes of each review.
Questions about the Data Recipient
If you indicate any PHI in the HDRAT, you will be required to answer 10 questions that related to the recipient of the data. You would then contact a representative of data recipient and work with them to get the answers. You can use the PRINT button in the HDRAT to save a copy of the form to PDF for this purpose.
The rest of the process after you submit your contract request:
The HRDRAT produces a risk score. Low risk projects can proceed without further review once the required external reviews are completed, if they apply in each case.
For projects that are medium or high risk, they must be reviewed by the Contracts Optimization Committee. The committee can approve the project, recommend changes to the data sharing being proposed, or escalate the project to upper administration for a decsision. They may also ask you to submit a Pegasus request for VEC (Cybersecurity) Review of the project. If VEC review is requested, the project could not proceed until that review is complete and the Optimization Committee has reviewed any findings.
Getting Help with the Risk Tool:
For technical issues, submit a help ticket to the PEER team using this site.
For explanations and/or help answering the questions in the HDRAT, please contact Research Support Services: research.support.services@vumc.org.