Collaborators must observe all applicable federal and state privacy-related laws and regulations.
As described in Data, Sentinel adheres to all applicable state and federal laws, including HIPAA, FISMA, and NIST standards. The structure of Sentinel protects the privacy and confidentiality of individual health information. Data Partners maintain physical and operational control over the data in their possession and execute analysis programs securely distributed by the SOC behind their own firewalls. In most cases, the output of these programs is provided to the SOC in summary format, i.e., aggregated data. The SOC aggregates Data Partner responses to queries and sends results from the individual Data Partners and aggregated across all Data Partners to the FDA. When person-level information is required for analyses, Data Partners remove direct patient identifiers from the information conveyed to the SOC. If the SOC inadvertently receives direct patient identifiers, it will return or destroy the data immediately. The FDA does not receive or possess data with personally identifiable information (PII), as defined by the Privacy Act of 1974, in the conduct of Sentinel activities.1
Direct patient identifiers may be used by Data Partners when necessary to gather additional clinical and demographic information or to link their data to data from other sources, as required by specific projects. Prior to sharing information with the SOC, direct patient identifiers are stripped by the Data Partner behind their own firewalls.
Individual health information may be shared by Data Partners with other data holders, such as hospitals and registries, as necessary (for example, to validate health exposures and outcomes of interest) in accordance with these policies and all applicable state and federal regulations.
Policies concerning collection, storage, and use of data obtained from external data sources are described in Data.
- 1The Privacy Act of 1974 governs personally identifiable information (PII) that is maintained in systems of records by federal agencies.
The HHS Office of Human Research Protections (OHRP) determined that the regulations administered by OHRP (45 CFR Part 46, “Common Rule”) do not apply to the activities that are included in the FDA's Sentinel Initiative.2 FDA stated that this assessment also applies to the Sentinel System, as it is part of the Sentinel Initiative.
Additionally, FDA determined that Sentinel activities are public health activities in support of FDA’s public health mission. It is therefore not necessary for the Collaborating Institutions to obtain approval or exemption from their respective Institutional Review Boards (IRBs) or Privacy Boards, or to obtain waivers of authorization under HIPAA, to review Sentinel activities (45 CFR §164.512(b)).
- 2See Rosati, K., Evans, B., Jorgensen, N., and Soliz, M., HIPAA and Common Rule Compliance in the Sentinel Initiative, White Paper, February 2018.
The HIPAA Privacy Rule permits covered entities the use and disclosure of protected health information (PHI) to public health authorities without patient authorization. Public health authorities include the FDA. The SOC and Collaborating Institutions are also public health authorities for purposes of Sentinel because they are acting under contract with and under the authority of the FDA.3 While de-identified information or Limited Data Sets generally are used for all Sentinel activities, the Privacy Rule permits fully identifiable information to be disclosed to public health authorities.
Minimum Necessary Standard
Only the minimum amount of data necessary to respond to specific queries, as determined by the FDA, or by the SOC or specific project workgroups on behalf of the FDA, will be requested from data sources.
Sentinel data are managed in accordance with the national standards established by the HIPAA Security Rule. Data in the possession of the SOC are also managed in accordance with FISMA. Administrative, physical, and technical safeguards are employed to ensure the confidentiality and privacy, integrity, and security of electronic health information (45 CFR Part 160 and Subparts A and C of 45 CFR Part 164; 44 U.S.C. § 3541, et seq).
- 3HIPAA and Common Rule Compliance in the Sentinel Initiative, op cit.
State Laws and Regulations
It is the responsibility of Sentinel Data Partners to determine whether state laws regulate the use and disclosure of health information for Sentinel purposes and to comply with any such laws. Data Partners are advised to consult Evaluation of State Privacy Regulations in Relation to the Sentinel Initiative (FDA-2009-N-0192-0014) for guidance and reference. The SOC, with input from the Privacy Panel and in consultation with Data Partners and the FDA, may provide additional guidance to assist Data Partners in assessing whether state law applies to a particular Sentinel query and in determining how to comply. However, it is ultimately the responsibility of each Data Partner to assess and maintain compliance with relevant state laws and regulations.
Federal Substance Abuse Regulations
Federal regulations contained in 42 CFR Part 2 address information held by federally-assisted alcohol or drug abuse treatment programs. These regulations protect information that identifies an individual as someone who has applied for or received substance abuse treatment. The Part 2 regulations do not apply to information that does not identify an individual. If Data Partners request medical record information from a federally-assisted substance abuse treatment program to confirm a medical product safety signal, the program will be required to obtain individual patient authorization to provide that information if it reveals that the patient received substance abuse treatment.