A Governance Framework to Integrate Longitudinal Clinical and Community Data in a Distributed Data Network: The Childhood Obesity Data Initiative.

CONTEXT: Integrating longitudinal data from community-based organizations (eg, physical activity programs) with electronic health record information can improve capacity for childhood obesity research.
OBJECTIVE: A governance framework that protects individual privacy, accommodates organizational data stewardship requirements, and complies with laws and regulations was developed and implemented to support the harmonization of data from disparate clinical and community information systems. PARTICIPANTS AND
SETTING: Through the Childhood Obesity Data Initiative (CODI), 5 Colorado-based organizations collaborated to expand an existing distributed health data network (DHDN) to include community-generated data and assemble longitudinal patient records for research.
DESIGN: A governance work group expanded an existing DHDN governance infrastructure with CODI-specific data use and exchange policies and procedures that were codified in a governance plan and a delegated-authority, multiparty, reciprocal agreement.
RESULTS: A CODI governance work group met from January 2019 to March 2020 to conceive an approach, develop documentation, and coordinate activities. Governance requirements were synthesized from the CODI use case, and a customized governance approach was constructed to address governance gaps in record linkage, a procedure to request data, and harmonizing community and clinical data. A Master Sharing and Use Agreement (MSUA) and Memorandum of Understanding were drafted and executed to support creation of linked longitudinal records of clinical- and community-derived childhood obesity data. Furthermore, a multiparty infrastructure protocol was approved by the local institutional review board (IRB) to expedite future CODI research by simplifying IRB research applications.
CONCLUSION: CODI implemented a clinical-community governance strategy that built trust between organizations and allowed efficient data exchange within a DHDN. A thorough discovery process allowed CODI stakeholders to assess governance capacity and reveal regulatory and organizational obstacles so that the governance infrastructure could effectively leverage existing knowledge and address challenges. The MSUA and complementary governance documents can inform similar efforts.

Childhood obesity has early and often long-lasting impacts, including serious health outcomes in childhood such as type 2 diabetes, hypertension, anxiety, and depression; most children with obesity enter adulthood with excess adiposity that increases risk for other common, serious, and costly chronic diseases.1,2 Per the 2017 US Preventive Services Task Force recommendations for child obesity treatment, health care providers should screen children for obesity and refer to intensive, family-centered, evidence-based interventions that focus on nutrition and physical activity counseling and behavior modification.3 Pediatric weight management interventions can occur in clinical and/or community settings and can be augmented by auxiliary community resources that address patients' social conditions to improve patient outcomes.4,5 Although clinical and community interventions have been independently studied in rigorous trials,6 data are lacking to assess whether and for whom real-world clinical and community intervention implementations are effective. The Centers for Disease Control and Prevention (CDC) designed the Childhood Obesity Data Initiative (CODI)7 to integrate clinical and community longitudinal data for childhood obesity research, evaluation, and surveillance. CODI's goals were 2-fold: (1) demonstrate enhanced data capacity to conduct childhood obesity research and surveillance within an existing distributed health data network (DHDN), and (2) develop and share reusable tools and resources to encourage similar work.

One challenge childhood obesity researchers face is patient data fragmentation across clinical and community settings, which is a barrier to obtaining comprehensive, accurate information on health care services, interventions, and outcomes over time.8 Integrating data across institutions is difficult due to patient privacy concerns, the complexity of matching patients and data across institutions, and lack of clarity regarding ownership and stewardship of integrated data. To remedy these data gaps, DHDNs combine data across health care entities for research, surveillance, population health, operations, and quality improvement.9–11 However, DHDNs have focused almost exclusively on clinical data and rarely contain information about a patient's use of community resources,9,12–14 and nonclinical data (eg, community resource interactions) are typically absent in DHDN-based research.15 Bringing data together across disparate systems requires both a technical solution and governance infrastructure for data exchange. Governance must address privacy needs of patients and families while fulfilling responsibilities of health care and community-based organizations to conduct ethical research.16

For a DHDN, governance includes policies, processes, and agreements regulating data exchange to assure data partners that data sharing is ethical and compliant with appropriate laws and regulations.17,18 Each DHDN establishes governance to build trust and reconcile regulations, policies, and norms needed for sustained network participation and operations. Although a broad and meaningful set of national governance recommendations have been suggested,19 DHDN governance applications have not been well described through published research.20–22 As DHDNs consider enriching networks with data from nonclinical organizations, a modified approach to governance is needed to address new requirements and meet the needs of nontraditional partners. This article describes CODI's governance activities to enhance an existing DHDN with longitudinal data from community partners to answer childhood obesity research questions and to enhance local surveillance. A description of the CODI implementation and technical infrastructure has been published elsewhere.23 We describe our experience in CODI framed as an extensible governance framework for community and clinical data exchange; our artifacts, processes, and lessons learned can inform similar efforts across health topics.

Methods

CODI was a pilot project implemented in the Denver, Colorado, metropolitan area leveraging the Colorado Health Observation Regional Data Service (CHORDS), an existing local DHDN.

Setting

Starting with institutions participating in the CHORDS network, CODI implemented an expanded infrastructure to integrate clinical and community partner data to link information for individual patients to generate longitudinal patient records. CHORDS is an established DHDN using clinical data from electronic health records (EHRs) for public health surveillance and research.24,25 In CHORDS, surveillance and research information are generated through a query/response software called PopMedNet by distributing a query to data partners, aggregating results, and returning either aggregate counts or patient-level data sets.24,26 CODI leveraged aspects of the CHORDS data model and query/response tool that was coordinated by the University of Colorado Anschutz Medical Campus and the Colorado Regional Health Information Organization.26,27

Partners and population

Five Denver-area organizations participated in CODI, including 3 clinical data partners and 2 community data partners.

The clinical data partners included Children's Hospital Colorado, Denver Health, and Kaiser Permanente Colorado. Data partners were selected on the basis of prior experience participating in local and national DHDNs (eg, CHORDS, Patient Centered Outcome Research Network [PCORnet]), clinical pediatric weight management expertise, and serving large pediatric populations.21,24 Children's Hospital Colorado, a nonprofit pediatric health care network, provided care to 233 959 patients in 2018 and operated the Lifestyle Medicine Program, an intensive tertiary care referral-based obesity treatment clinic for children and adolescents. Denver Health, an integrated safety-net system, delivered care to approximately 216 000 patients in 2018 and offered 2 pediatric weight management interventions: (1) Healthy Lifestyle Clinic, a clinically based intensive weight management and obesity treatment program, and (2) Mind, Exercise, Nutrition, Do it.28 Kaiser Permanente Colorado, Colorado's largest managed care provider with approximately 650 000 members, provided primary care and dietician-led weight management services; care for children with obesity took place in their primary care settings as well as through referrals to Children's Hospital Colorado for more intensive weight management services.

The 2 community organizations (referred to as community data partners for CODI) participating in CODI included Girls on the Run and Hunger Free Colorado. The Denver-area Girls on the Run chapter, Girls on the Run of the Rockies, is an afterschool program for third- through eighth-grade girls, designed to enhance social, psychological, and physical health and serves approximately 6000 participants each year. Hunger Free Colorado provided navigation services to food-insecure families by connecting approximately 25 000 clients to more than 1100 community food resources each year. Through partnerships with clinical systems, Hunger Free Colorado receives approximately 4700 referrals from medical providers each year.

Governance process

Soon after project initiation, the CODI project management team and stakeholder group recommended creation of a dedicated governance work group, composed of clinical and community data partners, project leadership, external facilitators, and experts with established DHDN governance experience. The governance work group provided regular updates, presented recommendations, and solicited feedback to a broader CODI stakeholder group at weekly project status meetings. The CODI stakeholder group included all implementing partners, DHDN subject matter experts, and the project management team (ie, CDC, the MITRE Corporation, and Public Health Informatics Institute).

The work group conducted a governance environmental scan to collect CODI governance requirements and appraise candidate governance models from CHORDS, PCORnet, and its subsites.29 Key sources of requirement information were the governance documents from CODI partners and other documents developed for CODI, including a business process analysis and a document outlining technical solutions.30 Relevant data use and exchange policies and practices were reviewed with each CODI clinical and community partner. During the scan, CODI governance requirements that could not be addressed by candidate governance models were flagged and described as governance gaps requiring de novo policies or procedures.

To identify and evaluate candidate governance models, data sharing agreements, policies, and procedures from other DHDNs were reviewed for their capacity to address CODI governance requirements. Governance materials that could act as a template for CODI were flagged. Candidate governance models were evaluated for feasibility of implementation and level of effort for researcher in practice, measured by estimated sequential steps and duration from a research study proposal to receipt of research data set.

Results

The CODI governance work group met biweekly for 1-hour meetings from January 2019 to March 2020; roughly 30 work group meetings were held. A governance work plan was created including tasks, milestones, and deliverables; progress toward each milestone was tracked on a weekly basis. The Figure displays a timeline of CODI governance activities and milestones. Ad hoc meetings with specific data partners (≅15 hours), working sessions (≅200 hours), and status calls (≅10 hours) were held as needed. Work group members included one individual from each of 5 clinical and community partners, 2 representatives from the CODI project management team, 2 CDC project staff members, 2 facilitators, and other subject matter experts as needed.

Childhood Obesity Data Initiative (CODI) Timeline of Governance Activities and Milestones, Denver, Colorado

Governance gaps

The work group identified 3 gaps in the existing CHORDS governance structure that required new or revised governance for CODI: (1) CODI end users requested a streamlined and expedited process for initiating research studies and data agreements to allow for a high volume of research studies. In a DHDN, the execution of a study-specific data agreements can be laborious, redundant (both across participating sites and projects), and slow to execute secondary to legal and compliance review delays. When multiple DHDN data partners are involved, a study can either execute a 2-party data agreement between each partner and the research organization or execute a multiparty data agreement signed by all partners and the research organization. For CODI, with the former option, 5 data partners participating in 3 research studies would require 15 two-party agreements or 3 multiparty agreements. The latter option was just one agreement. (2) CODI required policies and procedures to support cross-organization linking of individuals' records using privacy preserving record linkage (PPRL) to avoid the need to share protected health information across partners or with a third party; (3) CODI required policies and procedures to accommodate data sharing from non-HIPAA covered community partners. CHORDS had not previously integrated data from these types of organizations.

Governance approach

CODI stakeholders reached a consensus to pursue a hybrid governance approach that combined elements from candidate models: creation of a delegated-authority agreement, reuse of the existing CHORDS governance structure, and the creation of a CODI Data Coordinating Center (DCC) to coordinate governance and support researchers in institutional review board (IRB) protocol development and approval.31 From CHORDS, CODI relied upon its Governance Committee and Research Council for decision making, guiding principles, and governance plan. The CHORDS governance plan documents policies and procedures for data request initiation, data partner approval and participation, regulatory requirements, security, privacy and confidentiality, and publication and presentation guidelines, among others.32 The CHORDS Research Council oversees research study review and makes recommended approvals for studies to the Governance Committee. The CHORDS Governance Committee, composed of data partners and public health agencies, approved the implementation of CODI's infrastructure as a pilot demonstration project within CHORDS in line with existing governance plans.

Governance artifacts

The work group developed 3 CODI governance artifacts: a Master Sharing and Use Agreement (MSUA), Memorandum of Understanding (MOU) with each community partner, and an updated CHORDS governance plan. The Table describes all governance documents, which are available for review and use.30

Master Sharing and Use Agreement

The CODI MSUA is a multiparty reciprocal agreement that defined parameters of data exchange, approved uses of CODI data, and expectations of end users.30 The MSUA included a glossary of CODI technical and governance terms and borrowed structure and language from the Master Reliance Agreement from an existing agreement used by one of the PCORnet Clinical Research Networks, REACHnet, which functions as a reliance agreement and data use agreement (DUA).30 CODI's MSUA differed from a standard multiparty DUA in several ways. The MSUA designated the University of Colorado as the DCC and empowered the DCC to conduct PPRL activities, create and distribute queries, process and aggregate site-specific data sets, share study data sets with data users, and delegate authority to the DCC to sign DUAs on behalf of data partners. The MSUA included a “reciprocity” provision that allowed sharing of limited or de-identified data sets among CODI data partners without an additional DUA. For researchers from organizations not participating in CODI, a study-specific DUA was required. MSUA appendices included a template DUA approved by CODI data partners for use in research studies and a Responsible Use of Data Agreement that defined the responsibilities of researchers receiving CODI longitudinal records.33

Developing and executing the MSUA took approximately 1 year: roughly 6 months to draft the agreement and another 6 months for iterative review, revision, and sign off by each data partner and the DCC. The MSUA was drafted by governance work group members with guidance from DCC legal staff. The final MSUA was circulated for signature; upon execution, the work group was concluded.

Linking data across institutions

To link patient data while protecting individuals' privacy and confidentiality, and limiting the personally identifiable information (PII) that leaves organizational firewalls, CODI opted for a PPRL solution that relied on organizational sharing of garbled information34 that was hashed and salted data that were determined by expert assessment and HIPAA to be de-identified (§164.514(b)(1)).35,36 Using PPRL, data partners only received linkage information on their own patients. Garbled information did not require added governance protections to maintain privacy. The MSUA enabled the DCC to conduct the PPRL process by receiving garbled information from data partners, comparing garbled information across institutions, assigning a unique identifier to individuals, and returning unique identifiers to data partners for integration into the CODI data model. Work group members discussed appropriate management and use of de-identified data, whether expert determination was necessary given MSUA development, as well as effective methods for communicating PPRL concepts to attorneys and other compliance experts.

Assembling a data set of longitudinal patient records by linking and merging data from multiple partners required CODI to identify a data owner and steward for the newly created longitudinal records. CODI data partners concluded that any multiorganizational DCC-merged data set with site identifiers removed was owned by the DCC that would act as the data steward.

Supporting community partners

Prior to CODI, community partners had no technical infrastructure or capability to participate in distributed queries, thus additional governance agreements and processes were required. To manage CODI participation burden while preserving control over their data, community partners agreed to allow Denver Health to host their data within its secure environment—a newly defined role as a “technology partner” within the CHORDS governance plan. An MOU was executed between the technology partner and each community partner, codifying the management and use of community partner data. Community partners managed PPRL tasks to minimize exchange of PII with DH and shared PPRL-generated identifiers and other data required for CODI with the technology partner for normalization into a query-capable database.

Protecting human subjects

An IRB protocol describing the CODI technical infrastructure and relationship with the CHORDS network, referred to as the “infrastructure protocol,” was approved by the Colorado Multiple IRB. The objective of the infrastructure protocol was to establish one IRB protocol describing CODI functionality and technical infrastructure. While not required by the MSUA, an infrastructure protocol was established to create efficiency for investigators to cite, in lieu of drafting their own description.

For each CODI study, the MSUA required approval of a study-specific IRB protocol developed by the study's primary investigator and approved by the IRB of record. In lieu of describing CODI's technical infrastructure, study-specific IRB protocols reference the CODI infrastructure protocol. The DCC does not begin creation of DUAs (when necessary) or queries to extract data until the IRB protocol has received approval.

Discussion

CODI's successful governance implementation demonstrates that using a DHDN as a foundation to enable clinical-community data sharing was feasible yet challenging. CODI's governance agreements and documentation establish multisite governance to generate longitudinally linked data from clinical and community partners that include a streamlined process for requesting and approving research studies. The CODI project provided funding for a technical partner to aid community organizations in CODI participation and provided staff to facilitate and implement the governance approach described here. To facilitate innovative childhood obesity research, an MSUA was drafted to enable data access, linkage, use, and exchange between the DCC and data partners.30 A dedicated work group met to address governance gaps with policies and procedures translated from established networks or developed de novo. Community partners codified their relationship with a technology partner through MOUs, allowing for their participation without the need for overly burdensome technology on their end. An IRB-approved infrastructure protocol provided a technical foundation for a CODI researcher to reference when crafting study-specific IRB research applications. Finally, the CHORDS governance plan was updated with policies and processes to meet CODI-specific needs.

Project management of governance activities and detailed initial requirements gathering were essential to our success, especially with regard to the establishment and management of the MSUA. Specifically, a detailed governance work plan including tasks, leads, level of effort, milestones, and deliverables was methodically tracked to assess progress toward an executed MSUA, the final governance deliverable. The list of governance requirements became a project management tool and functioned as a comprehensive checklist for governance documents; every requirement had to be addressed and included weekly accountability reports to project leadership to understand progress, identify and manage risk(s), and anticipate delays. For example, explaining PPRL to data partner legal teams took longer than expected and delayed final MSUA execution. Once identified, this risk was proactively managed by creating more detailed explanatory communication materials to inform legal teams as they supported this work.

A key objective for CODI was creating an efficient process for researchers; efficiency was conceptualized as accelerating the research study process by reducing or streamlining steps to study initiation. Five governance strategies were implemented to increase efficiency for CODI researchers. A reciprocity provision in the MSUA enabled the DCC to sign study DUAs on behalf of partners and removed the need for a study-specific DUA when a study was initiated by a CODI data partner. When a DUA was needed, using the DCC as signatory on behalf of the clinical and community data partners reduced the duration to agreement completion. By creating a DUA template, data partners had an approved standardized format and language to expedite future DUA execution. The infrastructure IRB protocol reduced the complexity of study-specific IRB protocols by providing an approved, detailed description of CODI's technical solution for researchers to reference CODI functionality in their IRB application.

The CODI PPRL process was fundamental to creating individual longitudinally linked records. Although PPRL methods reduced disclosure risk, thereby gaining acceptance by data partner's compliance and legal staff, PPRL was a new concept to the DCC and data partners. Understanding PPRL and crafting PPRL-specific governance language were challenging. Consensus building among data partners resulted in policies that provided additional assurances, beyond legal requirements, that (1) garbled information shared with the DCC would never be reused, (2) partners would be notified of any unapproved use or breach of garbled information or the unique identifier, and (3) a study-specific participant ID would be generated and shared with researchers instead of the unique PPRL identifier. Ultimately, the PPRL policies and the MSUA reflected the most conservative compliance approach requested by any CODI data partner.

Linking records across settings and sectors over time presented challenges that required review of policies and processes. CODI data sharing necessitated decisions about data ownership and responsibilities related to generation and use of unique identifiers and longitudinal records. Because longitudinal records contain information compiled across data partners, no individual data partner may own all components. Data partners retained ownership over the unique identifiers, while the DCC had protective authority and responsibilities for longitudinal records. When shared with researchers on a study-specific basis, longitudinal records will be stripped of site and patient identifiers (ie, the unique ID resulting from PPRL) and temporarily provisioned for analysis. For recipients of longitudinal records who are CODI data partners, stripping identifiers ensures that patients from the receiving data partner cannot be reidentified. In addition, a policy prohibiting data users from reidentifying patients was implemented. The governance plan established guidelines for data destruction at a study's conclusion.

Several limitations from CODI governance merit discussion. The CODI experience may not be generalizable to other regions or networks. CODI benefited from being embedded in an established DHDN where much governance infrastructure was in place and a high level of trust existed among partner institutions, an essential foundation for establishing the MSUA. Other established DHDNs or specialized registries should be able to leverage their extensive relationships and experience in distributed data queries, harvesting and organizing EHR data, and governing cross-sector data exchange. Communities without an established DHDN may want to first establish governance of distributed health care data exchange across health partners before including community-based organizations.

Conclusion

CODI required a customized governance approach to accommodate complex technical components designed to integrate data across sectors to build longitudinal patient-specific records for research and public health surveillance. Our success with this governance approach was predicated on an existing collaborative and experienced DHDN with sufficient project resources. The governance lessons learned from this project demonstrated that expanding a DHDN to include community data was challenging yet feasible. For this project, successful governance began with thorough discovery to catalogue regulatory concerns and organizational capacity with data, tools, and data exchange experiences of new data contributors; these may be repurposed or customized to address new use cases. Those DHDNs seeking to bridge community and clinical data for research or surveillance might benefit from our observations and lessons learned. Future efforts could focus on sharing data with other social and educational programs governed by distinct privacy rules. Those sectors, with their unique observations, might contribute data and perspectives for establishing more nuanced childhood obesity and child health outcomes measures for DHDN-based research and surveillance.

CODI's successful integration of clinical and community data should encourage distributed data networks to recognize the value and to consider the feasibility of similar expansion efforts.

The CODI governance approach and artifacts can be repurposed and customized for analogous data exchange activities.

Lessons learned from CODI can help others anticipate and proactively address governance challenges.

TABLE

Summary of Governance Documents From the Childhood Obesity Data Initiative and the Colorado Health Observation Regional Data Service, Denver, Colorado

Governance Document	Description	Key Governance Information
Existing CHORDS Governance Documents
CHORDS Governance Plan: A plan prepared and maintained by the Colorado Health Institute and signed by all CHORDS data partners.	A multiparty nonlegally binding document that establishes network governance policies and guidelines and identifies a governing structure to implement guidelines, oversee CHORDS' development, operationalize changes, and engage stakeholders.	Identification of data partners Data Dictionary Data user responsibilities Data sharing responsibilities and parameters Definition of distinct research and surveillance policies and appropriate data uses
Project Intake Form: A standard form submitted by the data user to the DCC	A form describing the data needed for a project, analytic methods, and research objective(s). This form is reviewed by the DCC, CHORDS research council, and distributed to data partners for consideration.	Study description Intended data use Data attributes needed PI and analytic team Plan for Destruction of Study Data
Newly Created CODI Documents
CODI Infrastructure Institutional Review Board (IRB) Protocol: A protocol prepared by the DCC, reviewed/approved by IRB, and distributed to data partners	This protocol provides a lay description of the technical CODI data sharing infrastructure and does not cover specific research involving human subjects. Project IRB protocols reference the infrastructure protocol in lieu of describing the infrastructure on each project IRB protocol.	Description of technology Description of relationship with CHORDS infrastructure Participating data partners Risks and justification of procedures
Master Sharing and Use Agreement (MSUA): A multiparty legal agreement prepared by the DCC and signed by CODI data partners	A multiparty reciprocal agreement which defines the roles of each entity, general network functionality relationship between DCC and data partners, and tasks the DCC is permitted to carry out for the CODI network. The reciprocal nature of the agreement allows it to act as a DUA for a project initiated by a CODI data partner.	Identification of data partners DCC and data user responsibilities Data sharing parameters Definition of the CODI data Description of PPRL, queries, and query architecture DUA and Responsible Use of Data Agreement Template
Memoranda of Understanding: A legal agreement between community partner and technology partner	An agreement that permits sharing of community partner CODI data with technology partner to perform a business service (eg, creating a datamart and responding to queries).	Description of business service Data sharing responsibilities and parameters
Project-Specific Templates and Future Governance Documents
Data Use Agreement: A legal agreement signed by the data user and the DCC, on behalf of data partners participating in the project	An agreement (based on MSUA-defined template) that describes the research project and permits the sharing of CODI research data with this data user for the approved use. Studies where a limited data set is generated require a DUA, excluding studies initiated by a data partner acting as a data user (MSUA is the DUA).	Participating data partners Study description PI and analytic team Data attributes needed Data user responsibilities Description of DCC-performed analyses
IRB Protocol: A protocol prepared by the PI and approved by the IRB of record.	This protocol provides a detailed description of the proposed CODI project including objectives, data, analytic methods, and outcome measures. This protocol will reference the CODI infrastructure IRB protocol. Approved protocols are distributed to data partners and archived by the DCC.	Study description Data attributes needed Data user responsibilities Description of analytic methods PI and analytic team Participating data partners
Responsible Use of Data Agreement: A nonlegally binding form signed by the data user and submitted to the DCC for all CODI projects	An agreement between the CODI data user (ie, the researcher receiving CODI) and DCC acknowledging their intent to comply with CODI data use policies and expectations. While a DUA defines parameters of data exchange with the data-receiving organization, this agreement defines additional expectations of the data-receiving researcher. In the case of receiving a de-identified CODI data set, no DUA is required and this agreement ensures appropriate data use. This signed agreement is retained for the duration of the project by the DCC.	Data user responsibilities

Abbreviations: CHORDS, Colorado Health Observation Regional Data Service; CODI, Childhood Obesity Data Initiative; DCC, Data Coordinating Center; DUA, data use agreement; IRB, institutional review board; MUSA, Master Sharing and Use Agreement; PI, primary investigator; PPRL, privacy preserving record linkage.