CLPHA Data Sharing Template for PHAs and Health Organizations

Share: 
Research
Aug 5, 2019
CLPHA developed a general data sharing template that public housing authorities (PHAs) and their health partners can customize to suit their data sharing and collaboration needs. Please feel free to comment to share any uses/modifications your organization made to implement into a partnership.

 

Disclaimer: This template is provided for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or question. Use of this template, including its exhibits and attachments, does not create a relationship or any responsibilities between CLPHA and the user.

 This template is provided for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or question. Use of this template, including its exhibits and attachments, does not create a relationship or any responsibilities between CLPHA and the user.

 

This document has been created in order to foster data sharing between housing and other sector organizations in order to improve efficiency, reduce duplication of efforts, and increase holistic care in order to improve health and life outcomes. This document draws upon existing and successfully implemented data sharing agreements between housing authorities and other organizations. It is designed to allow those who wish to engage in data sharing to have an easier place to start and reduce costly staff time. It is meant to allow for flexibility: inserting and deleting parts where indicated to fit specific community needs. This document attempts to account for different types of data sharing and provide wording for those agreements.

 

 

 

 

Table of Contents

 

< >Sample Data Sharing AgreementExhibit A: Authority Data (includes examples)Exhibit B: Health Data (includes examples)Exhibit C: Form of Confidentiality AgreementExhibit D: Form of Written ConsentAppendix 1: Data Type & Compliance ChartAppendix 2: Optional Data Sharing Agreement Sections

DATA SHARING AGREEMENT

FOR [INSERT BRIEF EXPLANATION OF REASON TO SHARE DATA]

 

This DATA SHARING AGREEMENT (this “Agreement”) is entered into and effective ____________, 20___ by and between the [name of housing authority], located at [address] (the “Authority”) and [name of health organization] (the “Health Organization”) located at [address]. The Authority and the Health Organization are collectively referred to as the “Parties.”

 

Note: “Authority” and “Health Organization” are used throughout, but may be replaced with an appropriate acronym or alternate term, as applicable.

 

Note: If this Agreement will include more than two parties, this Agreement may be modified to add additional Parties or separate data sharing agreements may be entered between pairs of parties.

 

BACKGROUND

 

< >The Authority is a public housing authority which owns, operates and manages residential housing projects in the City of _______, State of _________ for low-income residents (each, a “Resident”). The Authority maintains data regarding its projects and Residents as necessary for the operation of such projects and the provision of services and as required by, without limitation, the U.S. Department of Housing and Urban Development (“HUD”), the low-income housing tax credit program, project lenders and investors, and local, state and federal requirements (the “Authority Data”). The Health Organization is a provider of ___________________ in the City of ________, State of _________ and as the provider of such services maintains data regarding its patients and recipients of such services (the “Health Data”).  Health Data and Authority are periodically referred to herein, collectively or individually, as “Shared Data”. The Authority and Health Organization seek to cooperate with one another to share information that will further their abilities to serve the Residents, and to facilitate authorized studies of data exchanged pursuant to this Agreement. For the purposes of this Agreement, “authorized studies” includes research of which both Parties are aware and share a mutual understanding and agreement that such research should be conducted. The purpose of this Agreement is to set forth the scope of the Parties’ responsibilities in sharing data to serve the purposes contained herein. The Authority and Health Organization intend to protect the privacy and provide for the security of Protected Health Information (“PHI“) disclosed pursuant to this Agreement, if any, in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and the data privacy and security regulations promulgated thereunder by the U.S. Department of Health and Human Services (“HHS”), 45 C.F.R. Parts 160 and 164, as the same may be amended from time to time (collectively, the “HIPAA Rules”).GOALS

 

 

This Agreement has the following goals and objectives:

 

< >Protect against unauthorized access to and disclosure of Health Data and Authority Data and ensure compliance with all applicable HIPAA Rules.Enhance the ability of the Parties to improve services of the Health Organization by providing access to individual records consistent with the requirements of the HIPAA Rules and only as authorized, to the extent required, by prior written consent.Accurately measure the Parties’ progress toward improving health outcomes and indicators, and meeting established targets and other goals, as mutually and/or separately defined.Establish the terms and conditions for the sharing of Health Data and Authority Data which is necessary for the Parties and their partners to identify programs that may help monitor and track progress over time, assess program effectiveness, complete reporting requirements, program evaluations and research, and demonstrate the efficacy of collective impact.AGREEMENT

 

 

NOW, THEREFORE, the Authority and the Health Organization mutually agree as follows:

 

< >Obligations of the Authority. The Authority shall provide the Health Organization the Authority Data set forth at Exhibit A attached hereto.  

 

< >The Authority shall provide the Health Organization an executed Confidentiality Agreement, substantially in the form set forth at Exhibit C attached hereto (the “Confidentiality Agreement”), and shall comply with the terms of the Confidentiality Agreement during the term of this Agreement.  

 

< >The Authority shall restrict access to Health Data to: (i) the person or persons that provide direct services to the Resident; and (ii) the person or persons tasked with analyzing the Health Data, and the Authority shall make such persons aware of, and agree to abide by, the terms set forth in this Agreement. The Authority may share Heath Data with employees, service providers, third-parties, contractors or agents who have signed a separate agreement with the Authority, requiring them to follow all applicable state and federal laws, and the terms of this Agreement. The Authority does not assume responsibility for any inappropriate release of Health Data by third-parties and shall not be held liable for any such actions. The Authority shall not use Health Data shared under this Agreement for any purpose other than the goals, purposes and projects outlined in this Agreement. Any additional use of Health Data, not within the scope of this Agreement, shall be approved in advance and in writing by the Health Organization. Nothing in the Agreement shall be construed to authorize the Authority to access additional data from Health Organization that is not included in the scope of this Agreement or any addenda hereto. The Authority understands that this Agreement does not convey ownership of the Health Data to the Authority.For purposes of this Agreement and ensuring the Authority’s compliance with the terms of this Agreement and all applicable state and federal laws, the Authority designates __________________ as temporary custodian (the “Authority Custodian”) of Health Data. Health Organization will release all Health Data under this Agreement to the Authority Custodian. The Authority Custodian shall be responsible for transmitting all Health Data requests and maintaining a log or other record of all Health Data requested and received pursuant to the Agreement, including confirmation of the return or destruction of Health Data as described herein. Upon request by Health Organization or its agent, the Authority shall provide to Health Organization for review the records the Authority is required to keep under this Agreement, including, but not limited to, records for purposes of completing authorized audits of the Parties. The Authority may designate an alternate Authority Custodian at any time by written notice to Health Organization.The Authority has the right consistent with scientific standards, to present, publish, or use results gained in the course of their analysis, but only if the publication, presentation, or use does not include Health Data which may directly or indirectly identify Residents. Publications and reports of Health Data, or data derived from Health Data, and other information shared, including preliminary descriptions and draft reports, shall involve only aggregate data. Health Data or other information that could lead to the identification of any Resident may not be used, except by prior written consent of the Resident for the purposes of such specific publication and/or report.  

 

< >The Authority shall provide Health Organization, free of charge, a copy of any research report that is generated using the Health Data.Health Organization must be cited as the source of the Health Data in all tables, reports, presentations, and scientific papers where relevant.Obligations of Health Organization.The Health Organization shall provide the Authority the de-identified Health Data set forth at Exhibit B attached hereto, which shall exclude identifiers, enabling the use of such Health Data without PHI. The Health Organization shall ensure that Health Data provided to the Authority pursuant to this Agreement is in a form that exempts the Authority from any obligation to comply with the HIPAA Rules. 

 

< >The Health Organization shall provide the Authority an executed Confidentiality Agreement, substantially in the form set forth at Exhibit C attached hereto, and shall comply with the terms of the Confidentiality Agreement during the term of this Agreement.  

 

< >The Health Organization shall not use Authority Data shared under this Agreement for any purpose other than the goals, purposes and projects outlined in this Agreement. Any additional use of Authority Data, not within the scope of this Agreement, shall be approved in advance and in writing by the Authority. Nothing in this Agreement shall be construed to authorize the Health Organization to access additional data from the Authority that is not included in the scope of this Agreement or any addenda hereto. The Health Organization understands that this Agreement does not convey ownership of the Authority Data to the Health Organization.The Health Organization shall provide the Authority with information security specifications required to transmit Health Data and other information electronically. 

 

< >For purposes of this Agreement and ensuring the Health Organization’s compliance with the terms of this Agreement and all applicable state and federal laws, the Health Organization designates __________________ as temporary custodian (the “HO Custodian”) of Authority Data. The Authority will release all Authority Data under this Agreement to the HO Custodian. The HO Custodian shall be responsible for transmitting all Authority Data requests and maintaining a log or other record of all Authority Data requested and received pursuant to the Agreement, including confirmation of the return or destruction of Authority Data as described herein. Upon request by the Authority or its agent, the Health Organization shall provide to the Authority for review the records the Health Organization is required to keep under this Agreement, including, but not limited to, records for purposes of completing authorized audits of the Parties. The Health Organization may designate an alternate HO Custodian at any time by written notice to the Authority.The Health Organization has the right consistent with scientific standards, to present, publish, or use results gained in the course of their analysis, provided the publication, presentation, or use does not include Authority Data which may directly or indirectly identify Residents. Publications and reports of Authority Data, or data derived from Authority Data, and other information shared, including preliminary descriptions and draft reports, shall involve only aggregate data. Authority Data or other information that could lead to the identification of any Resident may not be used, except by prior written consent of the Resident for the purposes of such specific publication and/or report.  

 

< >The Health Organization shall provide the Authority, free of charge, a copy of any research report that is generated using the Authority Data.The Authority must be cited as the source of the Authority Data in all tables, reports, presentations, and scientific papers where relevant.Mutual Obligations of Health Organization and Authority.The Parties shall not release or otherwise reveal, directly or indirectly, Shared Data to any individual, agency, entity, or third-party not included in this Agreement, except as provided herein, unless such disclosure is required by law or court order. 

 

< >The Parties shall not distribute, reprint, alter, sell, assign, edit, modify, or create derivative works or any ancillary materials from or with Shared Data, other than publications permitted by the terms of this Agreement or agreed to in writing by the Parties.The Parties shall comply with the reasonable security specifications of the other Party prior to receiving any electronic transfers of Shared Data. The Parties shall take reasonable security precautions and protections to ensure that electronic transfers of Shared Data are secure and that only persons authorized to access the Shared Data are able to access the Shared Data. Reasonable security precautions and protections include, but are not limited to: (i) creating, distributing, and implementing data governance policies and procedures, which protect Shared Data through appropriate data security systems; (ii) encrypting all Shared Data carried on mobile computers/devices; (iii) encrypting Shared Data before it is transmitted electronically; (iv) requiring that Shared Data users be uniquely identified and authenticated before accessing Shared Data; (v) establishing and enforcing well-defined data privilege rights, which restrict users’ access to Shared Data necessary to perform their job functions; (vi) ensuring that all persons accessing Shared Data sign a confidentiality agreement, and maintaining copies of such signed agreements; (vi) securing access to any physical areas and electronic devices where Shared Data is stored; and (vii) installing anti-virus software to protect networks and a firewall to permit or deny network transmissions based upon a set of rules.The Parties shall report all known or suspected breaches of Shared Data, in any format, to the other Party as soon as practicable, but in no more than twenty-four (24) hours. Such report shall include, as applicable: (i) the name, job title, and contact information of the person reporting the incident; (ii) the name, job title, and contact information of the person who discovered the incident; (iii) the date and time the incident was discovered; (iv) the nature of the incident (e.g. system level electronic breach, an electronic breach of one computer or device, or a breach of hard copies of records); (v) a description of the information lost or compromised; (vi) the name of the electronic system and possible interconnectivity with other systems; (vii) storage medium from which information was lost or compromised; (viii) the controls in place to prevent unauthorized use of the lost or compromised information; (ix) the number of individuals potentially affected; and (x) whether law enforcement has been contacted.The Parties shall securely and permanently destroy all Shared Data, and any and all copies, physical and digital, thereof, when it is no longer necessary for the purposes of this Agreement or subsequent related agreements. The Parties agree to document the methods used to destroy Shared Data, and provide certification to the other Party that the Shared Data has been destroyed. The Parties agrees to require all employees, contractors, or agents of any kind using Shared Data to comply with this provision. Term. This Agreement is effective from the date hereof and shall extend for an initial term of one (1) year, unless earlier terminated as provided herein. This Agreement may be renewed for up to five (5) additional one (1) year terms, provided (i) either Party requests renewal no more than thirty (30) days prior to expiration of the current term and (ii) the requesting Party has not violated the terms of this Agreement. Termination. Health Organization may terminate this Agreement upon thirty (30) days prior written notice to the Authority, at any time, for any reason. The Authority may terminate this Agreement, upon thirty (30) days prior written notice to Health Organization, at any time, for any reason. In addition, either Party may terminate this Agreement at any time if it determines such action is necessary for the health, safety, or well-being of any Resident(s) or other person(s).Payment. No payments shall be made under this Agreement by either Party, unless otherwise agreed to by all Parties and contracted through a formal procurement process. Indemnification. 

 

< >The Authority agrees to the fullest extent permitted by law to hold harmless and indemnify Health Organization, its agents, employees and board members from any liability, cost or expense including without limitation penalties, losses, damages, attorneys’ fees, taxes, expenses of litigation, judgments, liens, and encumbrances, to the extent arising out of or resulting from any act or omission by the Authority under this Agreement. The terms of this section shall survive termination of this Agreement.Health Organization agrees that to the fullest extent permitted by law to hold harmless and indemnify the Authority, their agents, employees and board members from any liability, cost or expense including without limitation penalties, losses, damages, attorneys’ fees, taxes, expenses of litigation, judgments, liens, and encumbrances, to the extent arising out of or resulting from any act or omission by Health Organization under this Agreement. The terms of this section shall survive termination of this Agreement.  

 

< >Health Organization agrees that to the fullest extent permitted by law to hold harmless and indemnify the Authority, their agents, employees and board members from any liability, cost or expense including without limitation penalties, losses, damages, attorneys’ fees, taxes, expenses of litigation, judgments, liens, and encumbrances, to the extent arising out of or resulting from Health Organization’s provision to the Authority of PHI which is not de-identified as required under this Agreement and the HIPAA Rules. The terms of this section shall survive termination of this Agreement. Insurance. Each Party represents that it has sufficient insurance coverage or is appropriately self-insured for (a) general liability of $1,000,000 per occurrence and $2,000,000 in the aggregate, (b) professional liability of $1,000,000 per occurrence and (c) Cyber Liability coverage of $250,000 per occurrence. For purposes of this Section, “Cyber Liability”  shall include, without limitation, both first-party and third-party insurance coverage for claims arising from privacy violations, information theft, damage to or destruction of electronic information, intentional and or unintentional release of private information, alteration of electronic information, and extortion and network security. Cyber Liability coverage may be provided as a standalone policy or within a professional liability policy. Notice. All notices contemplated or required under this Agreement shall be in writing and delivered by hand or U.S. Mail as follows:Miscellaneous Provisions.  Entire Agreement. This Agreement constitutes the entire agreement between the Parties, and supersedes all prior oral or written agreements, commitments, or understandings concerning the matters provided herein. Amendment. Modifications to this Agreement must be in writing and be signed by the Parties. Governing Law. The terms of this Agreement shall be interpreted according to and enforced under the laws of the State of ____________ and federal law. The Parties agree that any judicial proceedings filed by the Parties regarding this Agreement will take place in [city, state where both Parties are located].Construction. Whenever in this Agreement a pronoun is used, it shall be construed to represent either the singular or the plural, either the masculine or the feminine, as the case shall demand. Severability. If any provision of this Agreement is held invalid or unenforceable, the remainder of the Agreement will not be affected, but continue in full force.Assignment. Neither Party shall assign its rights or responsibilities under this Agreement without written permission from the other Party. Non-Waiver. Any express waiver or failure to exercise promptly any right under this Agreement will not create a continuing waiver or any expectation of non-enforcement. Counterparts. The Parties agree that this Agreement may be executed in one or more counterparts, each of which, when assembled together, shall constitute one and the same agreement and shall constitute an enforceable original of the Agreement, and that facsimile signatures shall be as effective and binding as original signatures. Debarment. Health Organization, by executing this Agreement, warrants that they are not presently debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded from covered transactions (defined as not being eligible to receive federal funds) by any local, state, or federal department or agency).Conflict of Interest. The Authority represents that the Authority has no existing financial interest and will not acquire any such interest, direct or indirect, which could conflict in any manner or degree with the performance of services required under this Agreement and that no person having any such interest shall be subcontracted in connection with this Agreement, or employed by the Authority. The Authority will take all necessary steps to avoid the appearance of a conflict of interest and shall have a duty to disclose to the Health Organization prior to entering into this Agreement any and all circumstances existing at such time which pose a potential conflict of interest. Should a conflict of interest issue arise, the Authority agrees to fully cooperate in any inquiry and to provide the Health Organization with all documents or other information reasonably necessary to enable the Health Organization to determine whether or not a conflict of interest existed or exists. Failure to comply with the provisions of this Section shall constitute grounds for immediate termination of this Agreement, in addition to any other legal remedies available to Health Organization.

 

[signature page follows]

 

 

By signing below, each signatory represents that it has the authority to execute this Agreement.

 

 

AUTHORITY:                                                          HEALTH ORGANIZATION:

 

[NAME OF HOUSING AUTHORITY]                    [NAME OF HEALTH ORGANIZATION]

 

 

______________________________                        ______________________________

Signature                                                                     Signature

 

______________________________                        ______________________________

Printed Name                                                              Printed Name

 

______________________________                        ______________________________

Title                                                                             Title

 

______________________________                        ______________________________

Date                                                                            Date

 

 

For Health Organization, only the Designee is authorized to sign. For the Authority, only the Executive Director or Chief Executive Officer is authorized to sign.

 

 

 

EXHIBIT A

Authority Data

 

[insert description of data to be shared by Health Organization]

 

 

Examples of Housing Data:

  • [insert] 

EXHIBIT B

 

Health Data

 

 

 

[insert description of data to be shared by Health Organization]

 

 

Examples of Health Data:

  • [insert]

EXHIBIT C

 

Form of Confidentiality Agreement

 

The [name of housing authority], located at [address] (the “Authority”) and [name of health organization] (the “Health Organization”) located at [address] have signed a Data Sharing Agreement (DSA) allowing access to information on participants in the Authority’s housing assistance programs.  The ultimate goals of this DSA are to share information about the Authority’s and the Health Organization’s respective members in order to close health care gaps and reduce health disparities.

The purpose of this Confidentiality Agreement is to set forth the parties’ understanding of the use of the Authority’s participant data by the Health Organization and its employees, contractors, or agents (e.g., affiliates).  Additionally, this serves to limit the access to this information only to persons or entities approved by the Authority.

Agreement

I, the undersigned, hereby agree to:

< >Not disclose, orally or in writing, confidential information, which specifically includes, but is not limited to, the identification or status of an individual or households who participates in any the Authority’s housing assistance program unless it is required by law.Refrain from storing or sending this information in a way that could compromise the confidential nature of the information.Handle all information in accordance with all requirements of the DSA.Immediately notify my supervisor of any circumstances that cause me to believe the confidential nature of the work with which I am familiar or responsible may be compromised. 

 

I hereby acknowledge that I have been provided a copy of the DSA between the Authority and the Health Organization.  Use or disclosure of any information for any unauthorized purpose constitutes grounds to immediately revoke access to the information.  

___________________________________________________                  ________________

Signature of [name of health organization] / Contractor                                            Date

 

____________________________________________________

Printed Name of [name of health organization] / Contractor

 

_______________________________________________________________________

Name of Supervisor

 

 

EXHIBIT D

 

Form of Written Consent

                                                                                                         

 

[ Insert language if applicable ]

 

APPENDIX 1

Data Type & Compliance Chart

 

No Data or General Insights: 

A PHA might be engaged in “uni-directional” data sharing with certain health partners seeking to understand more about those living in assisted households without getting datasets or detailed data

Sensitivity and Liability: Because no personally-identifiable health information (PHI) or even re-identifiable data, receiving this type of requires little to no compliance with HIPAA.

Data Security: Data security measures as standard at PHA and/or measures negotiated with health organizations

 

Aggregated Data:

Covering entire zip codes, census tracts, large groups of PHA residents (covering all resident household data shared or substantially-sized sub-population such as public housing households or Section 8 households)

Sensitivity & Liability: Typically not personally-identifiable health information (PHI) but depending on level of specificity, some health entities might consider data “re”-identifiable. The later might vary depending on the health entity sharing data. Data obtained should be sufficiently de-identified or may trigger HIPAA compliance requirements.

Data Security: Data security measures as standard at PHA and/or measures negotiated with health partners OR HIPAA-compliant data intermediary, depending on specificity of aggregated data and preferences/negotiations with health partner.

 

Building-, Household, or Individual-Level Data:

PHAs might share addresses as a way to highlight a service/jurisdictional overlap with health partners. This might yield insights about health condition prevalence, healthcare service utilization, etc., that is aggregated at the address/building level. This might constitute PHI if the sample size is not large enough. If sharing and matching resident and/or household-specific data with health partners, it is possible to gain very specific data about residents, which will significantly increase privacy needs.

Sensitivity & Liability: This level of health data would most likely qualify as personally-identifiable health information (PHI), protection of which require compliance with HIPAA. Given that most PHAs are not (and will not) be HIPAA-compliant-entities, they should not expect to receive data of this nature unless working with a HIPAA-compliant intermediary/partner. It is possible that the health partner with the data could establish an arrangement by which PHA staff access this data, but that would rely heavily on negotiation between the PHA and the health partner, reflective of their data security/privacy standards.

Data Security: PHA would need to work with HIPAA-compliant data intermediary (e.g. university, healthcare provider, etc.) or otherwise find way to store/access PHI that remains in compliance with HIPAA standards.

 

APPENDIX 2

 

Optional Data Sharing Agreement Sections

 

[a] Written Consent Provision for Background Section

(F)       In order to allow individualized and collaborative assistance to Residents, each Resident may be asked to grant written consent for their information collected by Health Organization to be shared with the Authority (“Written Consent”). The Written Consent shall comply with all requirements for release under the HIPAA Rules and other federal privacy laws, as applicable, and be substantially in the form attached hereto as Exhibit D. The sharing of Resident’s information and records will allow the Parties and their partners to reach collective goals.

 

[b] Authority HIPAA Rules Compliance Provisions for Section 1

(g)        The Authority agrees that all Health Data provided by the Health Organization under this Agreement shall only be provided pursuant to a Written Consent for each Resident, in conformity with the restrictions of the HIPAA Rules, other federal privacy laws and corresponding state laws, as applicable. The Authority shall provide the Health Organization with a list of the names and addresses for whom a Written Consent for the release of Health Data may be granted. This list will be vetted by Health Organization and provided back to the Authority for the purpose of collecting a Written Consent for each Resident. The list shall include any restrictions on or exceptions to the Written Consent. The Written Consent shall comply with the HIPAA Rules and other federal privacy laws, as applicable, and authorize Health Organization to release Health Data to the Authority. The Written Consent form shall be mutually agreed on by the Authority and the Health Organization, and attached hereto as Exhibit D. The Authority shall maintain the Written Consents on file. The Authority shall provide copies of the Written Consents to Health Organization upon request.

(h)        The Authority shall comply with the HIPAA Rules as applicable to the Health Data provided by Heath Organization pursuant to this Agreement.

 

 

 

No likes yet -- be the first!