Enriching knowledge and enhancing care through health data

The i~HD Quality Seal for Research Platforms (QS4RP)

Executive Summary

Introduction

The European Institute for Innovation through Health Data (i~HD) has developed a Quality Seal for Research Platforms (QS4RP) in order to provide assurance to the market, especially to healthcare organisations, research centres and research sponsors, that ICT products and services used to conduct research analyses using electronic health record (EHR) information do so in secure ways that protect data privacy.

Products are now emerging that offer significant opportunities to accelerate the conduct of clinical research by enabling remote or on-site querying of EHRs – normally a de-identified extract of the operational EHR – in order to optimise clinical research protocols before they are finalised, and to assist healthcare organisations to efficiently identify suitable trial recruitment candidates. In parallel, the European General Data Protection Regulation places stricter obligations on organisations that hold personal data, such as healthcare organisations, to protect the privacy of their data subjects and to use personal (i.e. identifiable) information under strict controls. These new-generation research platforms use architectures that limit researcher access to de-identified (and usually only aggregated) information and do not enable researchers to access personal health information at patient level. The purpose of the QS4RP Seal is to verify that such ICT products do indeed restrict access in this way, and that the information governance policies and information security measures adopted by the product vendor provide sufficient assurance of privacy protection.

i~HD has chosen to commission the EuroRec Institute to develop the content of this Seal and to conduct the formal assessments of products and services. EuroRec is Europe's leading body for quality labelling of electronic health record systems, and brings nearly a decade of experience in developing quality seals and conformance testing of EHR systems. The seal criteria draw on the software requirements specifications and standard operating rules developed during the EHR4CR project, and also on the EMIF project's code of practice, instruments developed by the eTRIKS project, the IMI Secondary Use code and the ISO/IEC 27000 series of standards on information security management systems.

On the basis of a test report issued by EuroRec, i~HD will issue a Quality Seal of Conformity to successful service providers.

i~HD intends that the possession of this Quality Seal will give added confidence to healthcare organisations and to research sponsors about joining such research platforms and networks.

Overview of the QS4RP Seal

Criterion 1.5 – Information Flows

The service provider shall ensure there is a clear document that describes each of the information flows, and that any APIs document and honour baseline agreement requirements.

The QS4RP Seal has been developed as a two-step process for the independent assessment and verification of how clinical research platforms and services handle data in accordance with information governance and security requirements, and public and professional expectations.

The processes add additional assurance over existing international (ISO) standards for information security practice, and good practice guidelines. QS4RP is more precisely attuned to the area of health and genomics research using electronic health records and other sources of health and life science data.

The QS4RP identifies the following core stakeholder groups in the “ecosystem” of reusing EHRs for research:

  1. The Data Provider: for example, a hospital site participating in a multisite research study (academic or industry sponsored), offering research access to clinical data repositories holding an extract of hospital EHR data (which are usually anonymised or pseudonymised);
  2. The Service Provider: an industrial or academic organisation that runs the query execution platform providing research access to the Data Provider's clinical data repository, returning aggregated data results to assist with optimising a clinical research protocol, and usually also providing internal support to the healthcare organisation in;
  3. The Research Sponsor: for example, a pharmaceutical company or academic institution, who uses the research platform to run clinical research queries for purposes that have been agreed with the Data Provider.

The focus of the Quality Seal is on the Service Provider and is designed to assure the two other stakeholders of Service Provider capability in discharging their responsibilities.

What does the Quality Seal involve?

There are four core sets of capability criteria that will be assessed:

  1. Risk Management (fundamentals of asset-, threat- and vulnerability-based risk assessment; availability of a security framework for risk mitigation; assessment of the security framework and its evolution; and evidence of risk treatment including access controls, authorization, authentication and confidentiality);
  2. Data Minimisation and Retention (is data processing limited to strictly what is necessary and sufficient for agreed purposes, and are data items, logs and administrative data retained in an appropriate state for agreed periods?);
  3. Audit (readiness for authoritative internal and external audit that is verifiable and transparent);
  4. Enforcement (are policy and contractual bindings honoured, for example are uses limited to agreed purposes, are disciplinary measures upheld, and is the Service Provider capable of assisting in data breach investigations?).

The first part of this process is for Service Providers to complete a pre-assessment, where the EuroRec assessors examine specific system documentation and operational policies, and the Service Provider answers a series of questions. Their responses will (i) be used to help determine their suitability for the Quality Seal and (ii) help the assessment team to confirm the most relevant scenario-based tests when they embark upon the second part of the process, which will involve a site visit to assess the service provider's tooling and setup.

This second part will last two days and will involve a series of tests and assessments on the service provider software solutions, as well as interviews with key members of their staff.

It is important to note that any ambiguities or uncertainties that service providers may have about the process must be resolved during the pre-assessment step. Once the assessment team embark upon the on-site assessments, these will be binding and are not open to negotiation, discussion or amendment. The capability criteria are fixed and cannot be altered.

Once the on-site assessments have been completed, the assessment team will provide a formal report to i~HD, which will then determine if the Quality Seal is awarded or not. The service provider will receive a comprehensive assessment report, to assist with any improvements that may be required. Renewal of the Quality Seal will occur every two years, or on the release of a significant upgrade to the product, whichever is the sooner.