Care New England Research

Data Compliance

Research and other sponsored programs are governed by strict rules and regulations from sponsors, federal or state government, and CNE policies. The Compliance Department is here to help navigate the complexities of data management, data sharing, and much more. Below you’ll find information on a wide variety of compliance issues commonly encountered during the lifecycle of an award.

Privacy Rule

Research is governed by the HIPAA Privacy Rule.

“The Privacy Rule was designed to protect individually identifiable health information through permitting only certain uses and disclosures of PHI provided by the Rule, or as authorized by the individual subject of the information.  However, in recognition of the potential utility of health information even when it is not individually identifiable, §164.502(d) of the Privacy Rule permits a covered entity or its business associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications in §164.514(a)-(b).”

Helpful Links

  • Limited Data Sets
  • De-Identifying Data Sets
  • HIPAA Identifiers

Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without individual authorization under limited circumstances set forth in the Privacy Rule. The IRB governs when PHI may be used or disclosed in many circumstances. However, limited data sets may be disclosed with the use of a Data Use Agreement. 

The disclosure should include only the minimum necessary.
The recipient must agree not to re-identify the data or use it to identify individuals.  

Limited data sets are data sets that are not fully de-identified according to the Privacy Rule regulations. “A limited data set is described as health information that excludes certain, listed direct identifiers (see below) but that may include city; state; ZIP Code; elements of date; and other numbers, characteristics, or codes not listed as direct identifiers.” 

Creation and Transfer of De-Identified Data – Responsible Person Attestation required and available on CareNet and in the CNE Research Data Use & Transfer Workflow in ConvergePoint.

There are two methods for de-identifying data sets:

  1. Expert Determination Method
  2. Safe Harbor Method (removing 18 identifiers)

A training course on de-identifying dates can be found here 

There are eighteen unique identifiers according to HIPAA. These pieces of information, alone or in combination with other information, can identify a person. While many of these identifiers can be found in public records, those public records are not associated with research datasets. Associating these identifiers with research datasets could reveal intimate details about an individual that the individual would not want shared with anyone beyond the research study to which they have consented. Therefore, researchers must treat all HIPAA identifiers as protected information in the pursuit of their studies. Researchers and their hosting organizations are responsible for protecting all collected data and storing it in a manner that protects an individual's privacy and guards against potential re-identification in association with the study. The eighteen identifiers are:

  • Names
  • All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  • Phone numbers
  • Fax numbers
  • Electronic mail addresses
  • Medical record numbers
  • Social Security numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

NIH Data Management and Sharing Policy

NIH has issued the Data Management and Sharing (DMS) policy (effective January 25, 2023) to promote the sharing of scientific data. Sharing scientific data accelerates biomedical research discovery, in part, by enabling validation of research results, providing accessibility to high-value datasets, and promoting data reuse for future research studies.

Under the DMS policy, NIH expects that investigators and institutions:

  • Plan and budget for the managing and sharing of data
  • Submit a DMS plan for review when applying for funding
  • Comply with the approved DMS plan


Is my research covered by the DMS Policy?

The DMS Policy applies to all research that generates scientific data, including:

  • Research Projects
  • Some Career Development Awards (Ks)
  • Small Business SBIR/STTR 
  • Research Centers

The DMS Policy does not apply to research and other activities that do not generate scientific data, including:

  • Training (T)
  • Fellowships (Fs)
  • Construction (C06)
  • Conference Grants (R13)
  • Resource (Gs)
  • Research-Related Infrastructure Programs (e.g., S06)

More information on data sharing as it relates to foreign collaborations and proprietary data can be found here.

  • What should I be doing now?
  • The DMS Plan
  • Budgeting
  • When should data be shared?
  • What happens if I don’t comply with the policy?
  • Resources

1. Evaluate your personal needs and timelines. If you plan to submit an NIH proposal after January 25, 2023, or you have an active NIH award up for renewal after January 2023, you should be actively developing your DMSP. This is especially important if you are working with external collaborators, as it may take additional time to finalize data procedures and data sharing agreements. Additionally, the IRB may ask for elements from the DMSP as part of its review if human subjects are involved in your research. It is highly recommended that you complete the DMSP prior to seeking IRB approval or renewal.

2. Discuss the new requirements with colleagues. Reach out to colleagues and collaborators at CNE, locally, and further afield. Understand how they're managing the new requirements and how you can apply best practices in your data management processes.

3. Utilize the resources available to you. Familiarize yourself with the CNE resources such as the Research Roundup, the CNE Research Community Workspace on Teams, and the Research Administration Website. NIH has a robust Data Sharing Website; additional resources can be found in the resources section below.

4. Designate a data manager. Identify one individual who will develop expertise in data management processes and procedures specific to your needs. This individual should also assist in evaluating current data management practices relative to the DMS Policy, especially around documenting existing practices and developing new ones to address the increased emphasis on data sharing and administrative oversight.

5. Reach out to us as soon as possible to review current data services and capabilities and assess whether they will meet your needs. If you identify specific tools or resources that would facilitate data management and data sharing for your lab members, they will need to be vetted by IS, so early engagement is key. While reviewing data/IS needs you should also consider costs you may need to work into current or proposed budgets, such as those for additional labor (data cleaning, documentation, etc.) or other NIH allowable costs (see Budget section below). 

6. Request a risk assessment for your chosen repository. Submit a Vendor Risk Assessment request through ServiceNow so that IS can evaluate the repository. Refer to the NIH Data Management Checklist for more details.

As part of the NIH DMS Policy, researchers are required to submit a Data Management and Sharing Plan (DMSP) when applying for funding or renewal (after January 25, 2023) that details how scientific data will be managed and shared. More details can be found here.

DMPTool is a resource to assist in writing DMS Plans. The tool provides sample language, templates, and guidance. To access the CNE-managed version of the site, create an account using your carene.org credentials.

The plan should include the following elements:

  • Data Type
  • Related Tools, Software, and/or Code
  • Standards
  • Data Preservation, Access, and Associated Timelines
  • Access, Distribution, and Reuse Considerations
  • Oversight of Data Management and Sharing 

NIH recommends the DMSP be no longer than two pages in length. A recommended draft format template is available here.

The expectation is that researchers will work to maximize the appropriate sharing of scientific data while considering factors such as legal, ethical, or technical issues that may limit the extent of data sharing and preservation.

Applications subject to NIH’s Genomic Data Sharing (GDS) Policy should also address GDS-specific considerations within the elements of a DMS Plan. 

The DMSP will be reviewed by NIH program staff and will not be part of scientific peer review unless data sharing is integral to the proposed project. 

If funded, the DMSP will become part of the terms and conditions of the award.

The informed consent process will need to include language specific to scientific data sharing and reuse.

**You should consult with IS early in the writing process to collaborate on any specific needs to implement your DMSP and to receive an IS risk assessment of your repository. IS should be part of the development of the DMSP, not problem solvers after the fact.

Making data accessible and reusable may incur costs. Allowable, reasonable costs related to data management and sharing may now be included in application budgets and justifications.

Allowable Costs

Reasonable, allowable costs may be included in NIH budget requests for:

  • Curating data
  • Developing supporting documentation
  • Formatting data according to accepted community standards, or for transmission to and storage at a selected repository for long-term preservation and access
  • De-identifying data
  • Preparing metadata to foster discoverability, interpretation, and reuse
  • Local data management considerations, such as unique and specialized information infrastructure necessary to provide local management and preservation (for example, before deposit into an established repository).
  • Preserving and sharing data through established repositories, such as data deposit fees.
    • If the Data Management & Sharing (DMS) plan proposes deposition to multiple repositories, costs associated with each proposed repository may be included.

Note that all allowable costs submitted in budget requests must be incurred during the performance period, even for scientific data and metadata preserved and shared beyond the award period. 

Unallowable Costs

  • Budget requests must NOT include:
    • Infrastructure costs that are included in institutional overhead 
    • Costs associated with the routine conduct of research, including costs associated with collecting or gaining access to research data. 
    • Costs that are double charged or inconsistently charged as both direct and indirect costs 

The National Academies of Science, Engineering, and Medicine has developed a resource "Forecasting Costs for Preserving, Archiving, and Promoting Access to Biomedical Data" that may be useful when budgeting for data management and sharing costs.

NIH encourages scientific data to be shared as soon as possible, and no later than the time of an associated publication or end of the performance period, whichever comes first. NIH also encourages researchers to make scientific data available for as long as they anticipate it being useful for the larger research community, institutions, and/or the broader public.

If a no cost extension is granted for an extramural award, scientific data should be made accessible no later than the time of an associated publication, or the end of the no cost extension, whichever comes first.

Once funding is awarded, the approved DMSP becomes part of the terms and conditions of your award. You must comply with the DMSP and document that compliance in reports such as the annual Research Performance Progress Report (RPPR). Non-compliance may result in enforcement action from the NIH, such as:

  • Addition of special terms and conditions to the award
  • Termination of the award

Non-compliance may also affect future funding decisions. To avoid possible issues when reporting progress, ensure that your submitted plan contains enough detail for the program officer to be able to evaluate compliance.

If you make changes to your submitted plan, your new plan must be re-approved. Instructions on how to make changes to an approved plan can be found here.

Genomic Data Sharing Policy

As of January 25, 2023, a separate Genomic Data Sharing plan will no longer be accepted. Genomic data sharing should be incorporated into Data Management and Sharing plans.

Per NIH “Genomic research advances our understanding of factors that influence health and disease. To facilitate the translation of research results into applications that improve human health, NIH expects institutions and researchers to broadly and responsibly share genomic data generated by NIH funds.”

What is the Role of an Institutional Review Board (IRB) in Reviewing an Institutional Certification?

The IRB works with the investigator to determine whether the Institutional Certification accurately reflects the terms of the participants' informed consent, whether the consent process is adequate for the generation and sharing of data for secondary research use, and whether the certification is consistent with the NIH GDS policy.

In order to comply with the policy, CNE Researchers should submit their data sharing plan, informed consent, and completed Institutional Certification, to the IRB for review. The Institutional Signing Official (SO) won’t sign the Institutional Certification until the IRB confirms the NIH certification requirements are being met.

Data & Materials Sharing Agreements

The CNE Research Data Use or Transfer Workflow can be accessed via ConvergePoint
(Policy number CNE-RES-PROC-001)

*Any data or materials sharing agreement must be signed by both parties prior to any sharing. PIs do not have the authority to sign on behalf of their institution. The institutional signing official at your OU is required to sign on behalf of the organization.

Data Use Agreement (DUA)

Permits the transfer of a limited data set (LDS) to a third party for use in research, public health, or health care operations.

Data Transfer Agreement (DTA)

For the Transfer of Research Data Pursuant to an Authorization

For the transfer of research data (health information compiled pursuant to a study participant’s authorization) to a collaborator.

Data Transfer Agreement (DTA)

For the Transfer of PHI Pursuant to a Waiver of Authorization

This form is for the transfer of identifiable Protected Health Information (“PHI”) pursuant to a waiver of authorization by the IRB.

Simple Materials Transfer Agreement

Use this form for the transfer of nonproprietary biological materials, such as existing, leftover blood or tissue samples, hair, skin or bodily fluids, and other non-proprietary materials. (For the transfer of proprietary materials, such as patented molecules, proprietary compounds, animal models, or other proprietary materials, contact CNE legal.)

HIPAA Authorization

A form used when an individual or his/her legal representative authorizes the use or disclosure of protected health information for a specific purpose.

Business Associate Agreement (BAA)

An agreement that allows a third party acting on behalf of a covered entity (e.g., a CNE provider) or providing specific services to the covered entity to have access to, to use, or to disclose protected health information.

Once an agreement is completed

  • The completed form should be sent to the data recipient for review and signature (prior to execution by CNE).

  • Once the signed form is received back from the data recipient, the form should be sent to the appropriate CNE entity signatory in accordance with CNE’s Contract Approval and Signature Authority Policy (CNE-GC-002).

  • Send a fully signed form to researchcompliance@carene.org

**Any data sharing agreement (DUA, DTA) in which the CNE affiliate is sharing data must use the CNE version of the data sharing/transfer agreement. CNE data sharing agreements are available on CareNet under the forms tab. If another institution is pressing to use its own data sharing agreement, the agreement must be sent to Compliance Services for review at cnecompliance@carene.org.