In the previous issue of Get HIP! the importance and need for Information Management Agreements (IMA) were reviewed. IMAs are agreements required by custodians as outlined by the Health Information Act (HIA). You may have also heard of other types of agreements related to the collection, use, and sharing of data. Information Sharing Agreements (ISA), Data Sharing Agreements (DSA), Data Transfer Agreements (DTA), and other types of information contracts are frequently required. This issue of Get HIP! will help address when such agreements are needed, who reviews and approves them, and how are they different from IMAs.
What are these things, and when do I need them?
At their core, all of these agreements are simply intended to govern the flow and handling of information or data between two or more parties. However, unlike IMAs, there are no privacy statutes in Alberta which mandate or define ISAs, DSAs or DTAs,1 and as a result, these terms are often used interchangeably. However, the term ISA is more frequently seen in the context of healthcare delivery. For example, where several physicians wish to formally establish rules for sharing and managing data between themselves. An ISA in this setting would often include provisions for:
- Establishing a representative custodian to respond to data access requests or privacy breaches,
- Determining who would submit Privacy Impact Assessments or apply for access to Netcare, or
- Assisting in managing confidential health information in a shared electronic medical or dental record.
In contrast, the terms DSA and DTA tend to be used more commonly in the research context. For example, if you are requesting data from a third party in order to carry out your research, you will likely have to execute a DSA/DTA or similar agreement with the third party. These agreements typically outline each party’s obligations with respect to:
- Appropriate collection, use and disclosure of the data,
- The requisite safeguards needed to protect the security of the data, and
- The standards for retention and destruction of the data,
and may also include other items such as breach protocols, liability waivers, agreement renewals and termination, etc.
Regardless of the title of an agreement, as a participant it is paramount to understand what the agreement does, and what risks and obligations it puts on you and the University of Alberta. Therefore, whenever you are involved in the sharing or transfer of information with other parties, you should determine whether there is an ISA, DSA, DTA, or a similar agreement in place and how it governs the use and disclosure of information.
Who reviews them?
For some agreements, UAPPOL policy will dictate which office or department must review, although note that this policy is currently being reviewed, so it is advisable to refer back to it frequently.
Where such agreements deal with personal information or confidential health information, it is also recommended that you contact the FoMD’s health information privacy advisor.
In addition, many of these agreements will require the signature or acknowledgment of an information technology (IT) executive who can confirm the ability of the University to provide appropriate technical security safeguards over the information. This will often need to be reviewed by the University’s Chief Information Security Officer (CISO). The FoMD’s health information privacy advisor can assist in bringing your agreement before the CISO’s office.
What about these other agreements I am receiving?
Aside from the above, there are other agreements you may also encounter which concern the sharing of information, such as Confidentiality Agreements and Non-Disclosure Agreements (NDA). These agreements tend to focus strictly on limiting disclosure of any information to third parties. You can find the relevant UAPPOL policy regarding the review and signature of these agreements here.2 In addition, Confidentiality Agreements or NDAs relating to clinical trials may have to be reviewed by Northern Alberta Clinical Trials & Research Centre. If you are unsure about these agreements, or which one you are dealing with, contact FoMD’s health information privacy advisor.
What do I do with the agreement alphabet soup?
Today, many people and organizations are more concerned about privacy than ever before. As a result, it is becoming more challenging for clinicians, researchers and academics to carry out their roles while still protecting information and complying with privacy laws. To complicate matters, there is a veritable alphabet soup of legally binding agreements now required.
The most important thing to keep in mind is not necessarily the acronym or name given to an agreement, but what the effect of the agreement is. Is the agreement meant to impose a duty on you or your group to protect data received from a research institution? Is it meant to ensure your employees comply with basic privacy principles in case they come across sensitive personal information in their roles? Is it meant to prevent you from disclosing confidential business or intellectual property information about a third party’s products or services? Is it meant to describe the roles of all of the physicians, dentists or other custodians in a shared clinical space?
These are the questions you should ask yourself first when dealing with any information-related agreement. The next step is to determine who must review and sign the agreement – the FoMD’s health information privacy advisor can help with this. If you are currently engaging in a data sharing arrangement, consider whether there should be a formal agreement in place to govern that arrangement.
If you have any questions regarding information related agreements, please contact the FoMD’s health information privacy advisor.
1 Note, however, that the term Information Management Agreement does not actually appear in the HIA. Rather, IMA is just the common name used to refer to the type of agreement described in section 66 of the HIA.
2 Specifically, section M of Scedule A to the Contract Review and Signing Authority Policy.