Protected Health Information (PHI) and the CIBMTR Research ID (CRID)
In order to create a universal unique ID system, the CIBMTR collects protected health information (PHI), including but not limited to identifiers such as name, social security number (SSN), mother’s maiden name and birth information. This decision was made after careful consideration by a combination of CIBMTR staff, an external Data Advisory Group and representatives of the Health Resources and Services Administration (HRSA). Upon notification of a patient’s first HCT or cellular therapy, the CIBMTR will request the PHI needed to create a unique CIBMTR Research ID (CRID). A CRID must be assigned using the CIBMTR Research ID (CRID) Assignment Form (Form 2804). The CRID is a lifelong ID used across the entire C.W. Bill Young Cell Transplantation Program. Direct identifying information collected to establish the CRID will not be disclosed to investigators for research purposes.
The use of PHI to uniquely identify recipients who are registered with CIBMTR is needed for several reasons. First, CIBMTR is required by HRSA to develop a system to uniquely identify recipients for center-specific outcomes reporting. The CRID will avoid duplication of recipient records across transplant and cellular therapy programs, particularly when sequential HCTs occur at different institutions. The CRID will facilitate knowledge of previous autologous HCTs that may not be reported by a center performing an allogeneic HCT, so that the expected outcome can be adjusted accordingly for center-specific outcome reporting. Data used to generate a CRID may be used to increase the value of the Stem Cell Therapeutic Outcomes Database (SCTOD) by acquiring matching data from other Federal government databases for government reports or research. Second, generation of a CRID is essential to determining that all allogeneic HCT recipients in the United States are reported to the SCTOD. In the event of a state law or IRB policy that supersedes federal statute, centers may opt out of providing some of these data.
The items listed below highlight the important security concerns that have been addressed with regard to the collection of the PHI.
• CIBMTR and NMDP are designated Public Health Authorities in the capacity of collecting and using data for the SCTOD and addressing HIPAA privacy regulations.
• The electronic system that collects the PHI is called FormsNet3. The server holding the direct identifiers is secure and is separate from the outcomes database. Access to these data is highly restricted within the CIBMTR. The electronic systems used for acquisition and generation of CRID numbers have undergone rigorous certification and authorization from HRSA’s Office of Information Technology and comply with all United States federal regulations (21 CFR Part 11) relevant to security of electronic data in federal databases.
• Electronic transmission of the PHI from transplant centers using FormsNet3 is protected by double authentication entry requirements (login/password and SecurID™ card) for all system users who enter the data. Electronic transmission is protected by SSL technology.
• The PHI used to create the CRID will not appear on any subsequent forms or correspondence. Centers wishing to confirm a CRID will be able to re-enter data into one-way look-up tables; however, PHI will not be displayed by the system. This security measure will prevent inappropriate revealing of PHI to unauthorized individuals.