Contracts – Data Sharing Agreements
Overview of Issue
Data sharing agreements are contracts which outline terms and conditions for collecting, using, exchanging, retaining, or disclosing data/information for a defined purpose within a defined timeframe between two or more parties. In addition, they specify provisions related to accountability for maintaining the security and privacy of the shared data/information. From a risk management perspective, important requirements included in data sharing agreements are specifications for who owns the shared data/information, how confidentiality will be maintained, and security and safeguards taken by each party to protect the data/information during transmission and/or in storage.
HIROC recommends that subscribers have their corporate counsel (and privacy officer if personal health information is involved) review all contracts.
Refer to related Risk Notes: Contracts – Important Provisions, Contracts – Indemnification Clause with Hold Harmless and Defense Provisions
Key Points
- Data sharing agreements must delineate who is accountable for maintaining the security and privacy of the shared data/information.
Things to Consider
Common Clauses
- A data sharing agreement typically includes clauses related to the following:
- Ownership of data;
- Confidentiality and privacy;
- Security and access;
- Accuracy and data quality;
- Record maintenance requirements;
- Quality assurance;
- Scope of services and functionality;
- Termination for convenience;
- Termination and the continuity of operation of the electronic medical system;
- Indemnification;
- Limitation of liability;
- Representation and warranties;
- Dispute resolution;
- Funding; and
- Governing law.
Purpose
- Data sharing agreements should specify what data/ information is being shared between parties and the purpose for sharing this information.
Ownership of Data
- Data sharing agreements should specify:
- Which party has ownership of the data being shared and who owns the data at the termination of the agreement;
- Who has access to the shared data/information and why;
- Accuracy of the data/information, method of exchange, its frequency and duration.
Retention
- If patient data is being shared, the original data should be retained in the health record.
Confidentiality and Privacy
- Data sharing agreements should:
- Clarify applicable provincial/territorial legislation governing the protection of personal health information and remind the parties of their obligations to comply with the legislation;
- Outline what patient information can be collected, used, retained, and disclosed on the basis of implied consent. If explicit patient consent is required, this should be stated;
- Consider if confidentiality should survive termination of the agreement;
- Clarify how data/information will be returned/ destroyed at the termination of the agreement. A secure method of destruction is paramount and should be detailed in the agreement if applicable. If the data/information is not returned/destroyed at the termination of the agreement, the agreement should outline the retention period;
- Clarify how responsibility for costs and notifications for privacy breaches will be addressed.
- Relevant organizational policies may be referenced in this section of the agreement, e.g. confidentiality policy and the need to sign a confidentiality agreement.
Safeguards and Security
- Data sharing agreements should:
- Specify security measures, safeguards, and precautions to be taken to minimize the risk of loss, corruption, theft, or unauthorized access to shared data/information. Typical safeguards include: encryption, firewalls, strong password policies, secure file transfer, data back-up strategies, audits to determine unauthorized access, etc.;
- Outline what happens if there is a privacy or security breach and the process for patient notification if required. This includes consequences for improper use or disclosure of patient information.
Key Contacts
- Data sharing agreements should include key contacts should something go wrong and a contact person(s) at the organization needs to be notified quickly. This typically differs from the individual who signs the contract as they may be less accessible in an emergency
Insurance
- The insurance clause should include a thirty-day prior notice of material change to, cancellation and nonrenewal of the insurance policy. This is important so that all participants are aware of significant changes in coverage.
- Ensure the third party’s insurance includes:
- Privacy breach costs, including notification;
- Cyber coverage.
References
- Canadian Medical Association. (2009). Data sharing agreements: Principles for electronic medical records/ electronic health records.
- Canadian Medical Protective Association. (2014). Electronic records handbook.
- Sawatsky E. (2010). Information sharing agreements for disclosure of EHR data within Canada.
- Service Alberta. (2003). Guide for developing personal information sharing agreements. Freedom of Information and Protection of Privacy Act.