HomeMy WebLinkAbout20183850.tiffMEMORANDUM
TO: Department of Public Health and Environment
DATE: February 22, 2021
FROM: Clerk to the Board's Office
SUBJECT: Tyler Document #2018-3850
Final signatures were not obtained by the parties required to fully execute Tyler
Document #2018-3850, approved by the Weld County Board of Commissioners on December 3,
2018. Due to the prolonged delay in obtaining final signatures, the Clerk to the Board's Office has
deemed it prudent to close this item out. This memorandum will be added to the Commissioners'
files to demonstrate this document was not fully executed.
2018-3850
H L0050
RESOLUTION
RE: APPROVE DATA USE AGREEMENT FOR FATALITY REVIEW CASE REPORTING
SYSTEM AND AUTHORIZE CHAIR TO SIGN - MICHIGAN PUBLIC HEALTH
INSTITUTE
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS, the Board has been presented with a Data Use Agreement for a Fatality
Review Case Reporting System between the County of Weld, State of Colorado, by and through
the Board of County Commissioners of Weld County, on behalf of the Department of Public Health
and Environment, and the Michigan Public Health Institute, commencing December 1, 2018, and
ending November 30, 2028, with further terms and conditions being as stated in said agreement,
and
WHEREAS, after review, the Board deems it advisable to approve said agreement, a copy
of which is attached hereto and incorporated herein by reference.
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld
County, Colorado, that the Data Use Agreement for a Fatality Review Case Reporting System
between the County of Weld, State of Colorado, by and through the Board of County
Commissioners of Weld County, on behalf of the Department of Public Health and Environment,
and the Michigan Public Health Institute, be and hereby is, approved.
BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized
to sign said agreement.
The above and foregoing Resolution was, on motion duly made and seconded, adopted
by the following vote on the 3rd day of December, A.D., 2018, nunc pro tunc December 1, 2018.
BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
ATTEST: daitet) jelo• ok
Weld County Clerk to the Board
BY:
Steve Moreno, Chair
arbara Kirkmeyer, ' o -Tern
Deputy CI k to the Board
unty Atto ' ey
Date of signature: }iq llq
c7 -
cc t -1 LC TG)
o9/ 01101
2018-3850
H L0050
amirovo I DPI- aa-9
Memorandum
TO: Steve Moreno, Chair
Board of County Commissioners
FROM: Mark E. Wallace, MD, MPH
Executive Director
Department of Public Health & Environment
DATE: November 21, 2018
SUBJECT: Fatality Review Case Reporting System
Data Use Agreement with the Michigan
Public Health Institute
Enclosed for the Board's approval is a Fatality Review Case Reporting System Data Use
Agreement between the Michigan Public Health Institute (MPHI) and the Weld County
Department of Public Health and Environment (WCDPHE), for the period beginning December
1. 2018, and ending November 30, 2028.
The data tool utilized by LILT (Weld County's Fetal/Infant Mortality Review Team known as The
Local Infant Life Initiative) since its inception in 2012 is no longer supported. In April 2018, a
new integrated database for both the Child Fatality Prevention System and National Fetal and
Infant Mortality Reviews was created and released by The National Center for Fatality Review
and Prevention which is funded by the Health Resources and Service Administration and overseen
by The Michigan Public Health Institute. While current WCDPHE staff have rights and privileges
to access the data base for the Child Fatality Prevention System via the State Health Department,
we are required to sign a separate Data Use Agreement with the Michigan Public Health Institute
to access the data system for our Fetal/Infant Mortality Reviews. This data system is an essential
tool for the Fetal/Infant Mortality Review process.
This Data Use Agreement has been reviewed by Assistant County Attorney. Bob Choate, and it
meets with his approval.
Furthermore, this Agreement was approved for placement on the Board's agenda via pass -around
dated November 20, 2018.
I recommend approval of this Fatality Review Case Reporting System Data Use Agreement with
the Michigan Public Health Institute.
2018-3850
Of3 NLeoso
FATALITY REVIEW CASE REPORTING SYSTEM
DATA USE AGREEMENT BETWEEN
THE MICHIGAN PUBLIC HEALTH INSTITUTE AND THE Weld County
Department of Public Health and Environment
This data use agreement is entered into on December 1, 2018, between the Michigan Public
Health Institute (MPHI) (known hereafter as "Receiver") and the Weld County Department
of Public Health and Environment, Weld County, Colorado, (known hereafter as
"Holder").
The purpose of this agreement is to establish the terms and conditions for the collection,
storage and use of data obtained from the fatality case reviews submitted by Fatality
Review (FR) teams in the County of Weld County, Colorado, and entrusted to the Receiver
as the National Fatality Review Case Reporting System (NFR-CRS).
A. The Receiver
1. The Receiver is a non-profit private agency. It has a Cooperative Agreement with
the Maternal and Child Health Bureau, Health Resources and Services
Administration, U.S. Department of Health and Human Services, to manage the
National Center for Fatality Review and Prevention (NCFRP). As part of this
agreement. the Receiver is to manage a standardized, web -based reporting system
for state and local fatality review teams.
2. The Receiver is responsible for the development of the NFR-CRS, training and
liaison to state and/or county agencies participating in the system, technical
assistance in using the system, and analysis and dissemination of national FR data
generated by the system. The Receiver is responsible for the maintenance of the
servers, including firewall protection and other securities, and for data storage and
data access by users of the NFR-CRS.
3. The Receiver holds a Federalwide Assurance (FWA) that is a written commitment
to protect human research subjects by complying with federal regulations and
maintaining adequate programs and procedures for the protection of human
subjects. This FWA specifies adherence to the Code of Federal Regulations Title 45
Public Welfare Part 46 Protection of Human Subjects, and the use of the Belmont
Report as an ethics guideline. The NCFRP including the NFR-CRS is reviewed
annually by the Receiver's Institutional Review Board. Copies of the panel decision
letters are available to the Holder.
4. The Receiver complies with the federal privacy requirements specified in the
HIPAA Privacy and Security Rules (45 CFR Parts 160, 162 and 164, Standards for
Privacy of Individually Identifiable Health Information). The Receiver has
appointed a Privacy Officer and a Security Officer, developed and adopted HIPAA-
compliant privacy and security policies and procedures, and staff receive training in
these policies and procedures. The NCFRP including the NFR-CRS is reviewed
annually by the Receiver's Office of Research Integrity and Compliance and
decisions letters are available to the Holder.
B. The Holder
The Holder is the Weld County Department of Public Health and Environment in
Greeley, Colorado. Melanie Cyphers, Coordinator of the Weld County Fetal and Infant
Mortality Review program, LILI (Local Infant Life Initiative Program), is the contact
person for the Holder.
C. Purpose of and Type of Data
I. The Fatality Review teams in Weld County, Colorado, are supplying data to the
NCFRP in order to:
a. Provide the local FR team with a comprehensive FR case reporting system
for collecting, analyzing and reporting on their reviews of fetal, infant, and
child deaths.
b. Permit comparability of FR data within and between local FR teams and
states.
c. Use data collected to promote policy, programs, services and laws to
prevent fetal, infant, and child deaths at the local, state and national levels.
d. Use data collected to better identify and address health disparities.
D. Data Entry and Transmittal
1. Data are submitted by the Holder to the Receiver only via the Internet, using the
NFR-CRS, OMichigan Public Health Institute. The Receiver will provide paper
forms to the Holder upon request; however all data is obtained by the Receiver
through the Internet.
2. The Holder is complying with its applicable state laws and policies in making the
determination of the specific data to be entered into this system and of the persons
it authorizes to enter and transmit the data. Relevant Holder state FR statutes or
promulgated rules are set out in Appendix A.
3. Only persons selected by the Holder and provided with a password by the Holder or
the Receiver will have access to the NFR-CRS for data entry and submission as a
data entry user.
4. The Receiver will create and administer data entry user accounts upon request of
the Holder, or accounts can be created and maintained by the assigned
administrators of this reporting system upon request of the Holder.
5. Accounts are locked out when a user attempts but fails to log in successfully 5
times in 10 minutes; such accounts remain locked out until released by NCFRP
staff or assigned Holder administrators.
6. Accounts are automatically logged out after 60 minutes when there is no
transmission to the server.
7. The Receiver and/or the Holder's assigned administrator may terminate a user's
access to the system at any time.
E. Data Storage
1. All data submitted via the Internet using the NFR-CRS are stored on a server
located within the MPHI Data Center.
2. Data are stored on this server indefinitely unless the I folder terminates the data use
agreement.
3. The Receiver ensures the security of these servers in the following ways:
a. Data transmitted to and from the web server uses a load balancer with an
integrated web application firewall. This device negotiates the best possible
TLS encry ption method (we do fallback to TLS < 1.2 for backwards
compatihi l its ) to enable secure, encrypted communications between MPHI
I
i
I4
'5
servers and the site requestor The certificate authority is GoDaddy and is
renewed annually A failover pair of stateful firewalls and intrusion
prevention systems (IPSes) are utilized The application is divided into
separate web and database tiers with a stateful firewall inspecting traffic
between the tiers
b The servers are in a physically secure location with restricted access and a
complete automatic temperature alarm system and fire sprinkler protection
system The server rooms have separate air conditioning systems, and
electrical supplies are backed up with uninterruptible power supplies, which
are backed up by a diesel generator for long term power outages
c When the MPHI Data Center is closed during non -business hours, the
building is locked, an electronic alarm system is activated, and access into
the building is permitted only through the use of electronic reader cards
The MPHI Data Center is also equipped with a video surveillance system
d The Receiver continuously updates virus -scanning software on all servers
and workstations
e A small group of Receiver authorized staff have access to the server room
for server management and maintenance These staff abide by strict
confidentiality agreements These individuals will be identified and their
signed confidentiality agreements provided upon request of the Holder
f Custodial and building maintenance staff are not allowed in the server area
except in the presence of authorized Receiver staff
g The Receiver staff regularly audit database servers to ensure there are no
security violations
For disaster recovery, the Receiver's network servers are backed -up nightly online
to disk storage and replicated to disk in a second location nightly Daily backups
are kept on disk for 30 days Data is sent to encrypted tape weekly, and weekly
backups are kept off -site for 30 days Monthly backups are saved on the encrypted
backup tapes for 7 years The tapes are delivered in locked containers via courier
and stored off -site in a physically secure location
The Receiver is not responsible for any damage caused by viruses originating from
any places not attributable to the Receiver
6 It is strongly suggested that the Holder have consistent/comparable security
practices in place for data that is downloaded from the servers back to the Holder or
back to the Holder's identified users
Access to the FR Data on the Servers
1 Receiver staff managing the server and NFR-CRS will only access the data
submitted by the Holder in the event that there are unforeseen problems with the
database that need troubleshooting, correction or upgrading or during development
of NFR-CRS releases or upgrades Receiver staff will not amend, addend, alter or
erase any information contained in data files without prior written authorization
2 Identifiers will be removed from data downloads based on the permission levels for
each of the Holder and Receiver This removal of data elements is a software
program feature of the NFR-CRS
3 NCFRP staff will have access only to data submitted by the Holder and its
authorized data entry persons that have case identifiers removed using the HIPAA
standards listed in Appendix B, unless in the event of unforeseen problems with the
database that require troubleshooting or during development of NFR-CRS releases
or upgrades
4. The Holder will iden t i I) the level of access to data of its authorized persons at both
the state and/or local level. Data will be accessible to the Holder via the Internet.
5. It is strongly suggested that the holder have signed confidentiality statements from
all of its authorized users (see Appendix C as an example statement).
6. The Holder will provide the Receiver with the written names and contact
information for persons with permission to access data in the event the Receiver is
asked by the Holder to create logins.
7. Any breach of security or unintended disclosure known by the Receiver will be
reported immediately to the appropriate Receiver supervisors, Privacy Officer,
Security Officer, and Research Integrity Officer. The Holder will then be notified
of the event and steps will be taken in coordination with the Holder to mitigate
harm and cure the breach of security within thirty days. As stated in Section A, the
privacy protocols and policies in place at the Receiver are in compliance with
I II PAA and meet or exceed federal standards.
8. Any breach of security or unintended disclosure known by the Holder will be
reported immediately to the Receiver, and steps will be taken in coordination ‘\ ith
the Holder to mitigate harm.
G. Permitted Data Uses
1. Data housed at the Receiver are not subject to the Freedom of Information Act
(FOIA) and, as such, no data submitted by the Holder will be released by the
Receiver in response to any FOIA request. The Holder will address any FOIA
request made to the Holder.
2. .\ 11 data accessed b) and released to the Holder are the responsibility of the Holder.
Any subsequent breaches of security or confidentiality once the Holder obtains the
data are the responsibility of the Holder.
3. The Holder will comply with its applicable state laws and policies in determining
the specific data the Receiver is allowed to disclose.
4. The Receiver will not release any data that includes identifiable characteristics as
defined by HIPAA (Appendix B) to any persons or organizations, except in
circumstances provided in writing by the Holder.
5. The Receiver may release de -identified data only in accordance with the M PI II
IRB/Privacy approved data dissemination policy (Appendix E).
6. All reports released by the Receiver and the Holder shall be developed with
adequate provision for the accuracy, reliability and integrity of the data.
H. Ownership
1. The Receiver acknowledges that all fatality review data submitted by the Holder
and by the Holder's designated data entry persons shall be and remain the sole
property of the I lolder.
2. The Holder acknowledges that the NFR-CRS and all of its software platform
applications are the copyrighted property of the Receiver.
I. Agreement Terms and Termination
1. This agreement applies to all activities occurring between December 1, 2018, and
November 30, 2028.
2. This agreement may be terminated by the Holder or Receiver under the following
circumstances:
a. lithe Holder wishes to terminate its relationship with the Receiver for any
reason.
b. I f the Holder of data can no longer participate in the Internet web system
due to changes in laws or funding for FR programs.
c. lithe Receiver of data no longer receives funding to serve as the NCFRP.
3. Upon termination of this agreement, the Receiver, shall. upon request of the Holder,
remove all of the Holder's fatality review case data stored on the server. Fatality
review data stored on backup tapes cannot be removed in the event of the Holders
termination but will never be reported or disseminated by the Receiver.
4. Any subcontractors or other agents hired by the Receiver or Holder must agree to
the same restrictions and conditions that apply through this agreement.
>. All Receiver staff with access to the data submitted by the Holder will sign a
confidentiality agreement (Appendix D).
6. The Receiver agrees to maintain an insurance rider to provide additional liability
insurance, beyond that normally required for MPHI I programs.
IN WITNESS WHEREOF, the parties hereto execute this agreement as follows:
Michigan Public Health Institute
Data Receiver
By:
Date:
Weld County Department of Public Health and Environment,
Data Holder
By:
(Signature of person with authority to sign agreement for the holder of data)
Steve Moreno, Chair, Board of Weld County Commissioners
IEC 0 3 2018
Date:
Ocs O C ►J
Appendix A
Relevant FR Statutes or Promulgated Rules for the
Collection, Analysis and Distribution of FR Data
Colorado Department
of Public Health
and Environment
DEPARTMENT OF PUBLIC HEALTH AND ENVIRONMENT
Office of Planning and Partnerships
6 CCR 1014-7
Core Public Health Services
(PROMULGATED BY THE STATE BOARD OF HEALTH)
Last amended 10/19/11, effective 11/30/11
DEPARTMENT OF PUBLIC HEALTH AND ENVIRONMENT
Colorado State Board of Health
CORE PUBLIC HEALTH SERVICES
6 CCR 1014-7
[Editors Notes follow the text of the rules at the end of this CCR Document ]
Section 1 - Purpose and Authority for Rules
1.1 These rules recognize that an effective public health system needs clearly defined core public health
services. These core public health services are long-term programs, representing the minimum
level of public health services that local public health agencies would provide in a modern public
health system. Core public health services are intended to improve the health of individuals as
well as the health of our communities.
1.2 These rules further recognize that local public health agencies are essential to the provision of quality
and comprehensive public health services throughout the state and are critical partners with the
Colorado Department of Public Health and Environment in maintaining a strong public health
system.
1.3 This regulation is adopted pursuant to the authority in section 25-1-503 et seq., C.R.S. and is
intended to be consistent with the requirements of the State Administrative Procedures Act,
section 24-4-101 et seq. (the "APA"). C.R.S.
Section 2 - Definitions
2.1 All definitions that appear in Section 25-1-502, C.R.S.. shall apply to these rules.
A. "Agency" means a county or district public health agency established pursuant to C.R.S. § 25-
1-506, or a municipal public health agency established pursuant to C.R.S. §25-1-507.
B. "Local Board of Health" means a county or district board of health established pursuant to
C.R.S. § 25-1-508, or a municipal board of health established pursuant to
C.R.S. X25-1- 507.
C. "Core public health" shall be defined by the state board and shall include, but need not be
limited to. the assessment of health status and health risks, the development of policies
to protect and promote health. and the assurance of provision of the essential public
health services.
D. "Public health" means the prevention of injury. disease. and premature mortality: the
promotion of health in the community: and the response to public and environmental
health needs and emergencies in the community and is accomplished through the
provision of essential public health services.
E. "Essential public health services". The essential public health services provide aworking
definition of public health and a guiding framework for the responsibilities of local public
health systems. These services are not additional requirements on local public health
agencies. The 10 essential public health services are:
1. Monitor health status to identify and solve community health problems.
2. Investigate and diagnose health problems and health hazards in thecommunity.
3. Inform, educate, and empower individuals about health issues.
4. Mobilize public and private collaboration and action to identify and solve health
problems.
5. Develop policies, plans. and programs that support individual and community health
efforts.
6. Enforce laws and regulations that protect health and promote safety.
7. Link people to needed personal health services and assure the provision of health
care.
8. Encourage a competent public health workforce.
9. Evaluate effectiveness, accessibility, and quality of personal and population -based
health services.
10. Contribute to research into insightful and innovative solutions to health problems.
2.2 In addition, the definitions listed below shall apply to these rules.
A. "Assure" means to address current and emerging community health needs through
governmental leadership and action with public health system partners. Take reasonable
and necessary action through a community defined selection of education, services,
regulations, and enforcement.
B. "Sustainable Development" refers to forms of progress or development that meets the needs
of current generations without compromising the ability of future generations to meet their
needs.
Section 3 - General Statement of Duties:
3.1 Pursuant to Colorado Revised Statutes, part 5 of article 1 of title 25, in addition to all other powers
and duties, an agency has the following duties:
A. To provide or arrange for the provision of quality core public health services as defined by the
state board or deemed essential by the comprehensive statewide public health
improvement plan (section 25-1-506 (3)(b)(iii). C.R.S.).
1. The agency shall be deemed to have met this requirement if the agency can
demonstrate to the local board of health that other providers offer core public
health services that are sufficient to meet the local need as determined by a local
public health plan (Section 25-1-506 (3)(b)(iii). C.R.S.).
B. Exemptions from the Provision of Core Services are further detailed in Section 5, below.
Section 4 - The Provision of Core Public Health Services:
4.1 Public health core services in Colorado shall include, but need not be limited to thefollowing:
A. Assessment, Planning, and Communication: All agencies are required to use assessment and
planning methodologies to identify, evaluate and understand community health problems,
priority populations, and potential threats to the public's health, and use this
knowledge to determine what strategies are needed to engage partners and
improve health.
Furthermore, agencies are required to:
1 Participate in integrated state, local, and national surveillance system(s) that quantify
public health and environmental problems and threats
2 Complete a local public health plan based on a comprehensive assessment of the
community's health and environmental status at a minimum of every five years
3 Use regional and county data, provided by CDPHE, on conditions of public health
importance, including chronic and communicable disease, environmental
hazards, health disparities, determinants of health, and injury
4 Communicate to the public and key stakeholders the results of the community health
assessment and local public health plan, as well as other public health
information that is important to the health of residents and visitors
B Vital Records and Statistics All agencies are required to record and report vital events (e g
births and deaths) in compliance with Colorado statutes, Board of Health Regulations,
and Office of the State Registrar of Vital Statistics policies Public health directors shall
act as the local registrar of vital statistics or contract out the responsibility of registrar in
the area over which the agency has jurisdiction
C Communicable Disease Prevention, Investigation, and Control All agencies are required to
track the incidence and distribution of disease in the population and prevent and control
vaccine -preventable diseases, zoonotic, vector, air -borne, water -borne and food -borne
illnesses, and other diseases that are transmitted person -to -person Furthermore,
agencies are required to
1 Collect and report disease information according to Colorado Board of Health Rules
and Regulations
2 Investigate cases of reportable diseases and suspected outbreaks according to
standard protocols and guidance provided by CDPHE
3 Assure immunizations using established standards, and, in collaboration with CDPHE,
monitor community immunization levels
4 Take appropriate measures to prevent disease transmission using methods specific
to infected persons (isolation, treatment, contact tracing/notification), contacts to
infected persons (quarantine, prophylaxis), and the environment in which the
communicable disease occurs (facility closure, disinfection)
5 Work closely with CDPHE in communicable disease investigation and control,
particularly if the investigation crosses county lines or technical assistance's
needed
D Prevention and Population Health Promotion All agencies are required to develop,
implement, and evaluate strategies (policies and programs) to enhance and promote
healthy living, quality of life and wellbeing while reducing the incidence of preventable
(chronic and communicable) diseases, injuries, disabilities and other poor health
outcomes across the life -span Furthermore, agencies are required to
1 Work to improve the health status of infants, children, youth, women, and their
families
2 Work to protect critical stages of a child's physical and mental development during
pregnancy, infancy and early childhood
3 Promote physical (including oral) health, mental and behavioral health, and
environmental health with emphasis on increasing health equity among priority
populations (e g , children, elderly, racial or ethnic populations)
4 Address identified risk factors or behaviors (e g , tobacco use, physicalactivity,
nutrition, teen pregnancy, sexually -transmitted infections) based on community
health assessment priorities
5 Inform, educate, and engage the public and policymakers to build community
consensus and capability to promote/support evidenced -based strategies that
enable healthy behaviors and environments for individuals, families,
organizations, and communities
6 Assure strategies are delivered in a culturally and linguistically appropriate manner
7 Coordinate efforts with governmental and community partners to link individuals to
services such as primary care, maternal and child health care, oral health care,
specialty care, and mental health care
8 Develop community -specific solutions to address prevention priorities
9 Promote and participate in planning for sustainable environments that support healthy
living
E Emergency Preparedness and Response All agencies are required to prepare and respond to
emergencies with a public health or environmental health implication in coordination with
local, state and federal agencies and public and private sector partners Furthermore,
agencies are required to
1 Participate in All -Hazards planning, training, exercises, and response activitieswithin
the local jurisdiction
2 Serve as or support the "Emergency Support Function 8 -Public Health" lead for the
county, region, or jurisdiction
3 Implement an emergency communication strategy to inform the community and to
activate emergency response personnel in the event of a public health crisis
4 Coordinate with county Emergency Managers and other first responders
5 Promote community preparedness by communicating steps that can be taken before,
during, or after a disaster
F
Environmental Health Recognizing that significant responsibility for environmental quality
management and oversight lies with state and federal agencies, all agencies are required
to participate in the protection and improvement of air, water, land, and food quality by
identifying, investigating, and responding to community environmental health concerns,
reducing current and emerging environmental health risks, preventing communicable
diseases, and sustaining the environment These activities shall be consistent with
applicable laws and regulations, and coordinated with local, state and federal
agencies, industry, and the public. Furthermore, agencies are required to.
1 Identify and mitigate vector -borne (e g insects, rodents), air -borne, water -borne, food -
borne, and other public health threats related to environmental hazards
2 Take appropriate steps to support the protection of surface water and groundwater,
including recreational waters and drinking water sources, and assure appropriate
local regulatory oversight of onsite waste -water systems
3 Implement public health laws, policies and procedures to assure the safety of food
provided to the public at retail food establishments
4 Implement public health laws, policies and procedures to assure the sanitation of
institutional facilities (e g child care facilities, local correctional facilities and
schools)
5 Take appropriate steps to assure the proper storage, collection, treatment, and
disposal of garbage, refuse, and solid and hazardous waste
6 Promote programs to minimize the amount of solid and hazardous waste and
maximize the amount of recycling and reuse
7 Participate in land use planning and sustainable development to encourage decisions
that promote positive public health outcomes (e g consideration of housing,
urban development, recreational facilities and transport), and that protect and
improve air quality, water quality and solid waste management
8 Where appropriate and practicable, enter into contracts or other acceptable
agreements with the state's environmental programs in order to perform local
assessments, inspections, investigations, and monitoring programs
G Administration and Governance All agencies are required to establish and maintain
programs, personnel, facilities, information technology, and other resources necessary to
deliver core public health services throughout the agency's jurisdiction This may be done
directly by the agency, or in collaboration with other governmental agencies, and
community and regional partners Furthermore, agencies are required to
1 Maintain competent, appropriate staffing and other resources to ensure capacity for
delivery of core public health services
2 Meet minimum quality standards in the delivery of core public health services
throughout the jurisdiction
3 Implement public health laws, policies, and procedures regarding agency operations
in compliance with state statutes, rules, and regulations
4 assess the provision of core public health services provided in the jurisdiction
5 Establish procedures for working across jurisdictional boundaries and/orfor
requesting assistance in the delivery of core public health services
6 Utilize effective financial management systems and ensure management of the public
health fund in accordance with C R S 25-1-511
4.2 Delivery of the core services shall be performed in accordance with the 10 Essential Public
Health Services as defined by section 25-1-502, C.R.S.
Section 5 - Exemption from the Provision of Core Services:
5.1 When sufficient appropriations are absent, the local board shall set priorities for fulfilling the
duties described in section 25-1-506(3), C.R S.. and include the list of priorities in its local
public health plan submitted pursuant to section 25-1-505, C.R.S.
5.2 The local board of health may choose to limit the scope of the core public health services
provided that:
A. There is limited need for the core public health services in the community, or
B. Other providers provide this service sufficient to meet the local need.
Section 6 - The Failure to Provide Core Public Health Services
6.1 Pursuant to section 25-1-510, C.R.S.. CDPHE may:
A. If a core service is not being provided within the jurisdiction, CDPHE will first work with the
local public health agency and the local board of health to address how the agency
has prioritized these core public health services, and any statutory requirements to
provide them.
B. Staff and programs within CDPHE will work with a local public health agency that is unable
to provide core services, that agency's board of health, agencies in neighboring
counties, local health providers, appropriate stakeholders, and other organizations to
determine how best to provide or assure core services within that agency's
jurisdiction.
C. If necessary. reallocate state funds to or from an agency that is not able to provide core
public health services to another entity to deliver services in that agency's jurisdiction.
Editor's Notes
History
Entire Rule eff. 11/30/2011.
Appendix B
HIPAA Required Elements to De -Identify Case Data"
The NFR-CRS supports two types of data downloads identified and de -identified NCFRP staff
and researchers who have been approved by the NCFRP will receive only de -identified data
The NFR-CRS variables that will be removed in de -identified downloads are listed below
I
The NFR-CRS contains many free text fields (most often in the `specify' or `describe' text
fields) The NFR-CRS also provides users the opportunity to provide more detail surrounding
the (circumstances of the death in Section O Narrative text field When the Narrative,
`specify,' and/or `describe' text fields are included in a de -identified download, the
Narrative, `describe,' and `specify' text fields SHOULD NOT contain any HIPAA
Identifiers.
HIPAA Identifiers include names, all geographical subdivisions smaller than a state, all elements
of dates (except year) for dates directly related to an individual, phone numbers, fax numbers,
electronic mail addresses, social security numbers, medical record numbers, health plan
beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial
numbers, device identifiers and serial numbers, web universal resource locators, internet
protocol address numbers, biometric identifiers, full face photographic images, and any other
unique identifying number, characteristic or code
Identifying information can be entered into the NFR-CRS element fields in the list below,
including free text fields associated with the listed fields, because all the listed fields and their
related text fields will be removed from every de -identified download However, users should
be instructed by the Holder not to enter any identifying information in other free text
fields, including Section O: Narrative text field, because these text fields may be included in
de -identified downloads. NCFRP cannot review free text fields in de -identified downloads
to assure that they contain no HIPAA Identifiers.
HIPAA Required Elements to De -Identify Case Data
The NFR-CRS elements listed below will be removed for all persons accessing de -identified
case data.
Introduction Case Definition
Case number
County of review
Review team number
Sequence of review
Death certificate number
Birth certificate number
Medical examiner/Coroner number
Source Code of Federal Regulations Section 164 514(b)(2)(i)
13
Date FR team notified of death
Section A Child Information
Child first name
Child middle name
Child last name
Child name unknown
Date of birth month, day, and year
Date of birth unknown
Date of death month and day
Date of death unknown
Residential address unknown
Residential address street
Residential address apartment
Residential address city
Residential address, county
Residential address zip
County of death
Mother's first name
Mother's middle name
Mother's last name
Mother's maiden name
Mother's name unknown
Father's first name
Father's middle name
Father's last name
Father's name unknown
Mother's residence address same as child
Mother's residence address unknown
Mother's residence address street
Mother's residence address apartment
Mother's residence address city
Mother's residence address zip
Mother's residence address county
Mother's discharge date from hospital
Date of infant's last discharge date
I
Section E Incident Info, matron
Date of incident
Date of incident
Date of incident
Incident county
same
unknown
Section A'! Review Meeting Process
Date of first FR meeting
Section N SUID and SDY Case Registry
Date of first Advanced Review meeting
Date of SUID Case Registry data entry complete
Section P Form
Form completed
Form completed
Form completed
Form completed
Form completed
Form completed
Completed By
by — Person's name
by — Title
by — Agency
by — Phone
by — Phone extension
by — Email
14
Form completed by - Date
Date of quality assurance completed by State
My FR Outcomes
My FR Outcomes — Person's name
My FR Outcomes - Team of review
* Source Code of Federal Regulation Section 164 514(b)(2)(i)
15
Appendix C
Holder Confidentiality Agreements
Sample Confidentiality Statement for State and Local Users of the
Fatality Review Case Reporting System
By signing this Agreement, I agree to the following when I access any and all components of the
Fatality Review Case Reporting System
1 I will comply with all laws, regulations, policies and procedures as set by the State of
Colorado
I
2 I will safeguard the confidentiality of all confidential information to which I have access I
will not carelessly handle confidential information I will not in any way divulge, copy,
release, sell, loan, review, alter or destroy any confidential information except as within the
scope of my duties
I
3 I will only access confidential information for which I have a need to know and I will use
that information only as needed to perform my duties
4 I will safeguard and will not disclose my user name and password unless authorized by the
state administrator of the reporting system I understand that my user name and password
allows me to access confidential information for my team on the Fatality Review Case
Reporting System I understand that the State administrator may revoke my access to the data
system if my responsibilities change *
5 I will promptly report activities by any individual or entity that I suspect may compromise
the availability, integrity, security, or privacy of confidential information
6 I understand that the ownership in any confidential information referred to in this Agreement
is defined by State statute
7 I understand that violating applicable laws and regulations may lead to other legal penalties
imposed by the judicial system
Signature. Date:
Print Name:
* If your state already has confidentiality statements in place, you might consider replacing this
form with your own, but adding statement four from above
16
Appendix D
MPHI Confidentiality Agreement
Confidentiality Agreement for Michigan Public Health Institute Staff
Assigned to Privacy -Sensitive Projects
As described in the Michigan Public Health Institute (MPHI) Employee Handbook, all MPHI
employees have the responsibility to maintain the accuracy, availability, completeness, and
confidentiality of the business information, trade secrets, and data to which they have access
Due to the nature of its work, MPHI has access to, stores, uses, and discloses data (including
Protected Health Information as defined by the HIPAA Privacy Rule) Any or all of the
following factors may require that use and disclosure of these data be restricted in various ways
1 Federal, tribal, state and local laws and regulations Examples include the HIPAA and
HITECH, which govern the privacy and security of health information and the Common
Rule that governs Institutional Review Boards and research with human subjects
2 MPHI policies, procedures and training, including project -specific protocols 1
3 Contractual agreements between MPHI and project partners and clients
I
MPHI employees must annually sign this agreement to demonstrate that they are aware of their
obligations to protect the confidentiality and security of the data to which they have access
By signing this agreement, I agree to the following
I
2
3
4
5
6
7
8
I will comply with all laws, regulations, contractual agreements, MPHI policies and
procedures, and project -specific protocols related to my assigned duties I understand
that I may be required to complete additional training related to these obligations
I will safeguard and will not disclose my work related password(s), access code(s), or any
other work related authortzatton(s) I understand that MPHI may at any time revoke my
password(s), access code(s), other authortzatton(s), or access
At all times during my employment, I will safeguard the confidentiality of all information
to which I have access I will not carelessly handle information I will not in any way
divulge, copy, release, sell, loan, review, alter, or destroy any information except as
properly authorized within the scope of my assigned duties at MPHI
I will only access information for which I have a need to know and I will use that
information only as needed to perform my legitimate duties as an employee of MPHI
I will not misuse information
I will promptly report activities by any individual or entity that I suspect may
compromise the availability, integrity, security, or privacy of information held by MPHI
I understand that reports made in good faith about suspect activities will be held in
confidence to the extent permitted
I understand that I have no right or ownership interest in any information referred to in
this agreement
I understand that my failure to comply with this Agreement may result in disciplinary
action up to and including termination of my employment I understand that violating
17
9
applicable laws and regulations may lead to other legal penalties imposed by the judicial
system, such as fines and/or imprisonment
I understand and accept that signing this agreement is a condition of my employment and
those obligations under this Agreement will continue after termination of my
employment
Employee Signature: Date:
Print Employee Name:
Supervisor Signature: _
Print Supervisor Name:
Date:
I understand that it is my responsibility to read the Privacy and Confidentiality Policy and any associated
policies and understand its terms If I have any questions concerning information contained in the policy, I
will bring them to the attention of my supervisor, manager, or Privacy Officer
18
Appendix E
NCFRP Data Dissemination Policy &
Guidelines for Requesting De -identified Dataset
DATA DISSEMINATION POLICY
Mission
The purpose of the Fatality Review Case Reporting System (NFR-CRS) of the National Center
for Fatality Review and Prevention (NCFRP) is to systematically collect, analyze, and report on
information surrounding stillbirths and deaths of individual infants and children around the
country The information can then be used at the local, state, and national levels to inform
improvement in maternal and child health and safety and to prevent deaths The data collected
with the System includes the following
® information about the child, family, supervisor and perpetrator,
® the types of action taken during the investigation,
• the scene, incident, and background information on the cause of death, including
the risk and protective factors,
® the services provided or needed as a result of the death,
• a descriptions of the teams' recommendations, as well as the policies, practices,
and other actions taken to prevent other fetal, infant, and child deaths, and
S factors affecting the quality of the case review
The jweb-based NFR-CRS was first implemented in May 2004 in 14 pilot states Version 1 was
made available for widespread use in January 2005 Since 2005, the software has been upgraded
several times, including the addition of several new questions, most notably to support the
Sudden Unexpected Infant Death Case Registry and the Sudden Death in the Young Case
Registry Effective with Version 5, the NFR-CRS collects detailed information about fetal and
infant deaths Updated information on the number of participating states, number of entered
cases and number of cases migrated into the system from older state reporting systems is
available from NCFRP The NFR-CRS is supported primarily by the HRSA Maternal and Child
Health Bureau and secondarily by the US Centers for Disease Control and Prevention Data
submitted by states resides on servers at the Michigan Public Health Institute (MPHI)
Data Sources
Data collected by the NFR-CRS are the result of multi -disciplinary processes that bring together
state and/or community agencies to share information on maternal health, fetal, infant and child
death events and to identify the risk factors in these deaths Data entered into the System may
include, but are not limited to, information gathered from the following data sources birth
certificates, death certificates, law enforcement records, medical records, autopsy reports, child
protective services reports, and Emergency Medical Services run reports
I
Fatality Review Programs in States
Fatality review programs vary by jurisdiction and state with respect to case selection, the
maximum age of children whose deaths are reviewed (0-14, 0-17, 0-25, etc ), and the average
19
time between review and death (ranges from 1 to 36 months) Due to these variances, the data
are not universally consistent from site to site or state to state
Because most states do not review or enter every fetal, infant and child fatality into the System,
the NFR-CRS should not be directly compared with vital statistics data nor should it be used to
compute incidence rates All of these distinctions among sites and states and limitations must be
accounted for and noted in any analysis of the data More information about fatality review
programs and case selection can be found at http //www nfrp org
Prior to the development of the NFR-CRS, local FIMR programs had been using a variety of
systems to collect and report their data Typically, most FIMR information is collected from
maternal interviews, birth and death certificates, autopsy reports, hospital records including labor
and delivery, newborn, neonatal and pediatric care units, emergency department, and outpatient
records including prenatal care, pediatric well baby and sick baby visits, and other service
providers such as WIC, public health, home visits, and department of human and social services
records FIMR data is meant to complement other population data Collection of FIMR data
into' the NFR-CRS did not begin until 2018
Data Ownership
Fatality review data entered into the NFR-CRS are owned by the individual program that entered
it (per the data use agreement executed between each local program or state and MPHI/NCFRP)
Requests for de -identified, individual case report data will be submitted to the NCFRP Data
Dissemination Committee, per guidelines contained in this document For any research request
thatiproposes to identify data by state in any published or publicly released analysis or results,
local programs and states will be provided an opportunity to have their state's data excluded
from the study
Data Inclusion
Cases included in the de -identified dataset will include all cases that are at least 24 months from
the end of the calendar year for the preceding January -December time frame For example, the
death cohort from calendar year 2015 (deaths that occurred in January -December 2015) and
earlier will be made available in a researcher de -identified dataset on January 1, 2018 The
death cohort from calendar year 2016 and earlier will be made available in a researcher de -
identified dataset on January 1, 2019 Cases migrated from previous fatality review reporting
systems into the NFR-CRS will not be included in a standard dataset but may be provided upon
further consultation between the researcher and NCFRP
Removal of Identifiable Data Elements for Dataset
No data file that includes HIPAA-defined personally identifiable elements is available to
researchers Although states often enter HIPPA-defined personally identifiable data elements
(child's name, address, date of birth, date of death, date and time of incident, and incident
county) into the NFR-CRS, all personally identifiable data elements will be removed from any
dataset made available to researchers The data elements that will be removed from the dataset
are listed in Attachment 1 of the Application for Access to De -identified Dataset (Application for
Data) The "Narrative" field contained in Section O of the Case Report form will only be
released to researchers under special circumstances
20
Although no HIPAA defined personally identifiable data elements should be Included in the
Narrative field of Section O, should there by ANY identifying elements contained in this section,
it is to be considered an inadvertent disclosure and (1) shall not be used or disclosed by
researchers, (2) shall be immediately deleted by researchers and (3) be immediately reported to
MPHI/NCFRP with written confirmation by the researchers that the confidential information
cannot be used
If any HIPAA personally identifying data elements are included in other free text fields in the
researcher dataset, it is also considered to be an inadvertent disclosure and the confidential
Information (1) shall not be used or disclosed by researchers, (2) shall be immediately deleted by
reseaarchers and (3) be immediately reported to MPHI/NCFRP with written confirmation by the
researchers that the confidential information cannot be used
I
To further protect anonymity of states, NCFRP will create and provide a unique code for each
state for each approved research project so that researchers can evaluate variation and control for
potential bias in the dataset without identifying the individual states NCFRP will retain the
coding key
Permitted Data Uses
NCFRP may use de -identified case report data for its own research and reports NCFRP only
has access to de -identified case report data, NCFRP does not have to obtain permission from the
Data Dissemination Committee (see Guidelines below) in order to have access to the de -
identified data NCFRP has access to all de -identified data entered into the NFR-CRS and is not
limited to only those cases in the researcher dataset The NCFRP may report aggregated, de -
identified data identified by state to requesting parties such as agencies or organizations without
state permission The NCFRP will only report aggregated data with cell counts of six or more
cases Requests by researchers for de -identified datasets must be made in accordance with the
Guidelines for Requesting De -identified Dataset (Guidelines), below, and NCFRP will only
release de -identified datasets in accordance with the Guidelines
Required Fees
A feel may be charged to each applicant for preparation of the requested dataset The amount of
the fee will be determined by NCFRP staff An estimate of any fee will be provided to the
applicant upon a preliminary review of the proposal by staff Fees will be determined based on a
price equal to the number of staffing hours estimated to prepare the dataset using the federally
approved MPHI MOBUS rates Fees must be paid in full prior to the release of the dataset to the
applicant NCFRP reserves the right to waive fees in certain situations
Data Quality
In order to standardize the collection and interpretation of data elements, the NFR-CRS contains
a comprehensive Data Dictionary that is readily available online when entering cases into the
System or as a standalone PDF document that can be used by fatality review teams during review
meetings Additionally, NCFRP is readily available to provide technical assistance about the
Case Report tool and is in constant communication with states about data and reporting
questions Since the data are owned by the individual participating states, states are responsible
for cleaning data records, and states vary in the degree to which they review data for
inconsistencies, incompleteness, or inaccuracies NCFRP has found that data quality appears to
improve with increased time and training on the System The Case Report tool contains by
21
design some subjective questions to engage team discussion (e g , "Was the death preventable9"
or "Did a person or persons other than the child do something that caused or contributed to the
death?") The subjective nature of some of the questions can, however, make data analysis more
problematic Finally, although teams record in the System which agencies participated in the
fatality review, the primary data source for each data element is not collected as part of the Case
Report tool If there is a discrepancy in information shared by the different agencies at the review
meeting, it is up to the fatality review teams to determine the best answer and there is no set
primacy rule for data sources
I
More information'about the NFR-CRS and limitations on the use of the data can be found in the
February 2011 Supplement to Injury Prevention (Covington TM The US national child death
review case reporting system Injury Prevention 2011, 17 Suppl 1 i34 -i37)
22
GUI ELINES FOR REQUESTING DE -IDENTIFIED DATASET
Researchers affiliated with eligible Receiving Institutions may apply for access to a de -identified
dataset The Receiving Institution must be an institution of higher education, research
organization, non-profit agency or government agency that either employs or contracts with the
Investigator The Institution must be registered with the U S Office for Human Research
Protections Any release of data will be subject to a signed Contract for Access to and Use of
Data (Contract for Data) between NCFRP and an authorized representative of the Receiving
Institution The Contract for Data is set out after these Guidelines
An Application for De -identified Dataset (Application for Data) must identify a principal
investigator (PI) The PI serves as the primary point of contact for all communications involving
the Contract for Data The PI must sign the Contract for Data, by which the PI assumes
responsibility for compliance with all terms of the Contract for Data by employees of the
Receiving Institution, including the day-to-day security of the electronic data and all printed
output derived from the files
Each additional researcher who will have access to the NCFRP dataset must be identified on the
Application for Data and must sign the Confidentiality Agreement attached (Attachment 3) The
applicants may not release or permit others to release the dataset in whole or in part to any
persons other than those identified in the Application for Data
Access to the dataset is also subject to the following requirements
l The researchers given access to the Center's dataset may not conduct analyses of the data
for purposes other than those described in the approved Application for Data Applicants
will not alter the approved use of the data in the research design unless they have notified
and obtained written permission for the alteration from NCFRP
2 The PI must obtain IRB approval for the proposed research Letters of approval must be
submitted to NCFRP prior to release of data for approved analyses
3 All data shared are and shall at all times remain the sole property of the state and local
county teams which performed the fatality reviews that are the source of the data States
have the right of first refusal to participate in this research project if the PI plans to
publish or publicly release any analysis or results that identifies individual states It is
permissible, however, to list the states included in the dataset, as long as no data are
attributed to specific states, and the states have authorized this acknowledgement States
will be asked whether they wish to be specifically acknowledged in any project
publication or presentation
4 The researchers must not attempt nor permit others to attempt to use the dataset to learn
the identity of any decedent If the identity of a decedent should be inadvertently
discovered by the PI or any other individual, the PI must make no use of this knowledge,
permit others to use the knowledge, or inform anyone else of this knowledge, and must
inform NCFRP of the discovery so it can prevent future discoveries of this nature
5 Although no HIPAA defined personally identifiable data elements should be included in
the free text fields or the Narrative field of Section O, should there be ANY identifying
elements in these variables, it is considered to be an inadvertent disclosure and (1) shall
not be used or disclosed by researchers, (2) shall be immediately deleted by researchers
and (3) be immediately reported to MPHUNCFRP with written confirmation by the
researchers that the confidential information cannot be used
23
6
7
8
9
11
12
13
14
No data will be released that identifies data by state jurisdiction without the explicit
approval of the state(s)
Only aggregated data with cell counts of six or more cases will be released and reported
in any analysis Cells less than six cases will be aggregated with other like cells
All oral and written presentations or other distribution of information resulting from the
use of this dataset must be developed with adequate provision for the accuracy, reliability
and integrity of the data
All oral and written presentations or other distribution of information resulting from the
use of the requested data must be submitted to NCFRP for review at least two weeks
prior to presentation or submission to a journal or other source of publication The
purpose of this review is to determine whether the research was completed in the manner
specified in the Application and whether the analysis is in the spirit of Fatality Review
and the NCFRP mission, and to permit NCFRP to have advance notice of potential issues
pertaining to the analysis and/or results Any additional or other use of these data will be
considered a breach of the Contract for Data, unless agreed upon in writing by both
parties beforehand
0 NCFRP may terminate its contract with the recipient if the recipient is in violation of any
condition of the contract and such violation is not remedied within 30 days after the date
of written notice of the violation Furthermore, failure to comply with the contract terms
will result in the disqualification of the PI, along with any collaborators implicated in the
violation, from receiving additional NCFRP data
All presentations and publications making use of this dataset must be provided to NCFRP
in a timely manner so that it is a repository of the various uses of the data
All presentations or other distribution resulting from use of the requested dataset must
include an acknowledgement of the participating states and NCFRP They must include
the following language "This dataset was provided by the NCFRP, which is funded in
part by Grant Number UG7MC28482 from the U S Department of Health and Human
Services (HHS), Health Resources and Services Administration (HRSA) and in part by
the US Centers for Disease Control and Prevention Division of Reproductive Health The
contents are solely the responsibility of the authors and do not necessarily represent the
official views of NCFRP, HHS or the participating states The following states
contributed data from their fatality review (list states) "
Within three years of completion of the project, all hard copies of the dataset generated
by the researchers must be destroyed with a cross -cut shredder or returned to NCFRP,
and all electronic data must be destroyed/deleted within the same time frame Written
confirmation that the dataset has been destroyed is required
All installations of the data must have electronic security measures in place to prevent
unauthorized access, by electronic or physical means, to the confidential data provided or
to output from that data
Data Inclusion
Cases included in the de -identified dataset will include all cases that are at least 24 months from
the end of the calendar year for the preceding January -December time frame For example, the
death cohort from calendar year 2015 (deaths that occurred in January -December 2015) and
earlier will be made available in a researcher de -identified dataset on January 1, 2018 The
death cohort from calendar year 2016 and earlier will be made available in a researcher de -
identified dataset on January 1, 2019 Cases migrated from previous fatality review reporting
24
systems into the NFR-CRS will not be included in a standard dataset but may be provided upon
further consultation between the researcher and NCFRP
Application Process
To request a de -identified dataset from the NCFRP, the PI must complete the Application for
Data, including a detailed proposal to NCFRP describing the purpose of the data request,
methods for study, and mechanisms that will be used to keep the data secure (see Application
form) Upon receipt, the Data Dissemination Committee (consisting of representatives of
participating states, scientists, members of the NCFRP National Center Advisory Committee,
and other relevant individuals) will evaluate the application on the basis of the following criteria
I
Quality of the research question(s) and objectives for use of the dataset,
Whether the requested data elements are clearly described and whether access to those
elements is necessary for the research questions,
Applicant's understanding of the strengths and limitations of the database and analysis
plan that is appropriate for this type of dataset,
Qualifications of researchers who will have access to the dataset,
Sufficiency of safeguards in place to maintain the data security, confidentiality, and
prevent unauthorized access to data and evidence that the institution is registered with the
U S Office for Human Research Protections,
Extent to which the proposal is in accordance with the mission of Fatality Review, which
is to better understand how and why children die and use the findings to take action that
can prevent other deaths and improve the health and safety of children,
Whether NCFRP is conducting similar research or has plans to do so, and
Whether anticipated presentations, publications, or other dissemination of results from
the research is consistent with the NCFRP mission
At a minimum, the Committee will review applications on a quarterly basis All applicants will
be notified in writing by NCFRP of the Committee's decision Proposals will be scored using the
above criteria and given one of three grades
1 Rejected for not meeting the criteria
2 Preliminary approval but requesting revision
3 Approved
r
After approval by the Committee, NCFRP will inform the states participating in the NFR-CRS of
the Committee's decision For any research request that proposes to identify data by state in any
published or publicly released analysis or results, states will be notified and given the
opportunity to have their state's data excluded from the study (Attachment 2) States will also be
asked whether they wish to be specifically acknowledged in any project publication or
presentation
Requests for more information about the data file and the process for obtaining permission to
access the dataset should be directed to
National Center for Fatality Review and Prevention
2479 Woodlake Circle, Suite 380
25
Okemos, MI 48864
Phone : (800) 656-2434
Fax : (517) 324-7365
Email : info@ncfrp.org
26
NATIONAL CENTER FOR FATALITY REVIEW & PREVENTION
CASE REPORTING SYSTEM
Application for De -identified Dataset
Please complete information electronically
I. Data
A. For what year or years of the NCFRP Case Reporting System are data requested?
2004
2005
2006
2007
2000
2009
2010
2011
2012
2013
2014
2015
I —
Note States have different timeframes for when cases are reviewed and entered into the NFR-
CRS Only cases that have been identified and approved by the states as being complete and
clean will be included in the de -identified dataset NCFRP surveys states on an annual basis to
make lthis determination
Cases migrated from previous fatality review reporting systems into the NFR-CRS will not be
included in a standard dataset, but may be provided upon further consultation between the
researcher and NCFRP
II. Investigator/researchers
A. Identify the Principal Investigator who will carry out the duties described in the
Guidelines and provide his/her curriculum vitae as an attachment:
Name
Title
Institution
Department
Street address
City,
State
Zip
Phone
Email address
I
27
I
I
B. Identify each additional researcher/collaborator/co-investigator that will have access to
the dataset and provide the curriculum vitae for each:
Name
Title
Institution
Department
Street address
City
State
Zip
Phone
Email address
C. Describe the specific responsibilities the PI and other investigator(s) will have in
conducting and completing the proposed research:
PI role
Investigator 2
Investigator 3
[Add additional description for additional investigators ]
I
'II Description of proposed research project
I
In no more than five pages (excluding the list of variables), provide a detailed study
protocol that includes the following:
A. Title of project.
B. Describe the research question(s) and objectives for the study.
C. Describe the significance and rationale for the research.
D. Describe the funding source(s) for the research
E. Describe the study design and methods.
The' response should be a coherent narrative that links the sample, the variables requested, and
the analysis plan to the research questions The narrative response is expected to be at least one
page long, and, in addition to the narrative description, the response must include the following
I
Description of the sample set requested using the Case Report form as a guide (for
example, "infants only," or "children ages 0-4 with motor vehicle as cause of death")
28
List of variables needed to carry out the study using the Case Report form (attached to
Application Packet) as the guide
3 Analysis plan and software that will be used
Discussion of how limitations of the data and data quality issues will be addressed and
will likely impact the study and your conclusions The NCFRP database is a unique set
of information, and researchers are urged to read the attached article from Injury
Prevention, in particular the sections that describe in detail the "Limitations" and
"Strengths" of the data.
5 Discussion of how the study will handle small data numbers and missing and incomplete
data
F. Estimated timeframe for study start and completion.
G. (Anticipated presentations, publications, or other dissemination of results. Please be as
specific as possible. Reminder Per the Guidelines for Use of Data, all oral and written
presentations or other distribution of information resulting from the use of the requested data
must be submitted to NCFRP for review at least two weeks prior to presentation or
submission to a journal or other source of publication to determine whether the research was
completed in the manner specified in the Application, whether the analysis is in the spirit of
Fatality Review and the NCFRP mission, and to permit NCFRP to have advance notice of
potential issues pertaining to the analysis and/or results
29
IV. Data Security
All users of the NCFRP dataset must have electronic security measures in place to prevent
access to the confidential dataset from unauthorized individuals.
A. Where will the data reside and how will data be shared among researchers? Describe
the physical transmission.
R. Security details In the table below, provide a comprehensive list of all devices on which
the dataset will be installed and indicate the electronic security measures that will be applied
to each device For those devices that have access to the Internet, all four of the electronic
security measures must be in place for this data request to be approved For non -Internet
devices, firewall protection is not required
If co -investigators at different institutions from the PI will also have physical control of
the data, complete a table for each such co -investigator's institution.
ID
Device type
Indicate
workstation,
laptop, server,
portable media, or
other device
Internet
Does the
device have
access to the
Internet7(Y/N)
Electronic security measures
i
Password
login
The device
requires a
login ID and
password at
startup and
after a period
of inactivity
(Y/N)
Restricted
directory
access
The
directories
containing
the data are
restricted to
authorized
users who
have logged
in to the
device
(YIN)
Virus
protection
Anti -virus
software is
installed on
the device
(Y/N)
Firewall
protection
Firewall
technology
is in place
for devices
that are
connected to
the Internet
(Y/N)
1
21
3
4
30
C.
Physical security: In addition to electronic security, the devices on which the dataset have
been copied must be physically secured to prevent theft of the device Describe below the
physical security measure in place for each device
If co -investigators at different institutions from the PI will also have physical control of
the data, complete the table for each such co -investigator's institution and describe how
data will be securely transferred between institutions.
ID
Location of Device
Indicate building
name and office
number
Description of physical security
Examples are offices are locked when unoccupied, storage in
secure cabinets when the device is not in use, and monitored
access to the building where the data are stored
1'
I
2I
3
4j
V. Receiving Institution
A. Identify the Receiving Institution, as that term is described in the Guidelines.
B. Provide the IRB assurance number.
C. Describe your Institution in detail. What kind of work does it do? Include the type of
organization, its profit/non-profit status, and primary sources of revenue.
, D Provide evidence in an attachment that your institution is registered with the U.S.
Office for Human Research Protections.
E. Describe your plans to obtain IRB approval for this study using the NCFRP data.
F. Describe your Institution's experience in overseeing the use of sensitive research data
by its staff. Please give specific examples.
G. Describe any known breaches of sensitive research data by your organization and the
steps taken to remedy the breach.
31
Application signatures:
Signature of Principal Investigator Date
Signature of Representative of Receiving Institution Date
Title
32
TEMPLATE ONLY: CONTRACT NEED NOT BE COMPLETED OR SIGNED AT
TIME OF APPLICATION
MICHIGAN PUBLIC HEALTH INSTITUTE
National Center for Fatality Review and Prevention
Contract for Access to and Use of Data
This contract specifies the conditions for release of National Center for Fatality Review and
Prevention (NCFRP) Fatality Reporting System data, research, and reports for legitimate public
health or related research. The intent of this contract is to foster such research and to prevent
misrepresentation of the data. This Contract for Access to and Use of Data (Contract for Data) is
between [ 1 (Investigators), and Michigan Public Health Institute/National Center for
Fatality Review and Prevention (NCFRP).
This Contract for Data is for the study entitled [ ], as described in the Application for De -
identified Dataset, dated [ ], which is attached hereto and made part of this contract as
Appendix A. The Investigators are responsible for ensuring that all work under this study
including the work of additional researchers, collaborators, and co -investigators complies with
all applicable federal, state, local and international laws and regulations; and that the work is
performed in a professional manner to the highest academic standards.
Investigators agree to the following requirements for the use of the dataset and assure
compliance with the requirements.
1. This agreement applies to all activities occurring between the date of signing and 18
months after that date.
2. No one will be permitted to use this dataset to conduct analyses other than those
described in the Application for Access to and Use of Data that accompanies this
statement.
3. IRB approval of the Receiving Institution will be obtained, and documentation of that
approval will be provided to NCFRP prior to release of any dataset.
4. Investigators understand that all data shared are and shall at all times remain the sole
property of the state and local teams which performed the fatality reviews that are the
source of the data.
5. NCFRP will seek permission from the participating states for release of the data for the
project described in the Application for Data if said states are to be named in the
TEMPL E ONLY: CONTRACT NEED NOT BE COMPLETED OR SIGNED AT
TIME O PPLICATION
•-yS �'
analysis or results. States have the right of first refusal to participate in this research
project if applicant intends to identify state jurisdiction in any published or publicly
released analysis or results.
6. Neither the dataset nor any part of it will be released to any persons other than those
identified in the approved Application for Data.
7. Investigators and all other researchers with access to the dataset will not attempt nor
permit others to attempt to use the dataset to learn the identity of any decedent. If the
identity of a decedent should be inadvertently discovered, Investigators will make no use
of this knowledge, nor will they permit others to use the knowledge. Investigators will
inform NCFRP of the discovery so it can prevent future discoveries. Investigators will
not inform anyone else of the discovery of identity.
8. Investigators understand that not all deaths of children in the states have been reviewed
by child death review teams and that not every fatality review team in the country
participates in the NFR-CRS.
9. Investigators understand that data will only be reported at an aggregated level and no data
will be released that identifies data by state jurisdiction without explicit state permission.
Aggregated data must have cell counts of six or more cases in order to be reported.
10. Investigators will not alter the approved research design without written permission from
NCFRP.
11. All oral and written presentations or other distribution of information resulting from the
use of this dataset shall be developed with adequate provision for the accuracy, reliability
and integrity of the data.
12. All oral and written presentations or other distribution of information resulting from the
use of the requested dataset will be submitted to the NCFRP for review at least two
weeks prior to presentation or submission to a journal or other source of publication.
13. All oral and written presentations or other distribution of information resulting from use
of the requested dataset will include an acknowledgement of the participating states and
NCFRP.
14. All presentations and publications will include the following language: "This dataset was
provided by the NCFRP, which is funded in part by the U.S. Department of Health and
Human Services (HHS), Health Resources and
TEMPLATE ONLY: CONTRACT NEED NOT BE COMPLETED OR SIGNED AT
TIME OF APPLICATION
Services Administration (HRSA) and in part by the US Centers for Disease Control and
Prevention Division of Reproductive Health. The contents are solely the responsibility of
the authors and do not necessarily represent the official views of NCFRP, NHS or the
participating states. The following states contributed data from their fatality review (list
states)."
15. All presentations and publications making use of this dataset shall be provided to NCFRP
in a timely manner so that it is a repository of the various uses of the data.
1 6. Investigators understand that once a proposal for use of the dataset is approved, NCFRP
may acknowledge publicly the investigators' names, institution, and name of the study as
partners working with the N FR -L RS data.
17. I'he sharing of this dataset for the purposes stated in the approved project does not imply,
in whole or in part, that the topic of the approved project has not been investigated
before, or will not be investigated now or in the future, by other investigators interested
in this topic.
18. Any additional or other use of this dataset except as described in Investigators'
Application for Data will be considered a breach of this contract, unless agreed upon in
writing by both parties beforehand.
19. Investigators will assure compliance with the security measures described in the
Application for Data.
20. When the proposed analyses are completed, all copies of the dataset will be destroyed
with a cross -cut shredder or returned to the NCFRP upon completion of project plus three
years. All electronic versions of the dataset will be deleted. Written confirmation that the
dataset has been destroyed or deleted is required.
21. By signing this document, Investigators agree to be responsible for compliance with the
conditions of this agreement and agree to these conditions by their signatures below.
22. Cost -reimbursement for the time and expenses spent by MPHI stallto compile the data
file requested by Investigators will be invoiced to Investigators after the work is
complete. The invoice must be paid in full to Michigan Public Health Institute prior to
release of the data
23. NCFRP may terminate the Contract for Data if the Investigator is in violation of any
condition of the agreement and such violation is not remedied within 30 days after the
date of written notice of the violation.
35
TEMPLATE ONLY: CONTRACT NEED NOT BE COMPLETED OR SIGNET) AT
TIME OF APPLICATION
Principal Investigator:
Name:
Organization:
Address:
Email address: Phone:
Signature: Date:
For Receiving Institution:
Name:
Organization:
Address:
Title:
Email address: Phone: ( )
Signature: Date:
For MPHI:
Name: Title:
Organization: Michigan Public Health Institute
Address: 2479 Woodlake Circle, Suite 340, Okemos MI 48864
Email address: Phone: ( )
Signature: Date:
36
Appendix B
HIPAA Required Elements to De -Identify Case Data*
The NFR-CRS supports two types of data downloads identified and de -identified NCFRP staff
and researchers who have been approved by the NCFRP will receive only de -identified data
The NFR-CRS variables that will be removed in de -identified downloads are listed below
The NFR-CRS contains many free text fields (most often in the `specify' or `describe' text
fields) The NFR-CRS also provides users the opportunity to provide more detail surrounding
the' circumstances of the death in Section O Narrative text field When the Narrative,
`specify,' and/or `describe' text fields are included in a de -identified download, the
Narrative, `describe,' and `specify' text fields SHOULD NOT contain any HIPAA
Identifiers.
HIPAA Identifiers include names, all geographical subdivisions smaller than a state, all elements
of dates (except year) for dates directly related to an individual, phone numbers, fax numbers,
electronic mail addresses, social security numbers, medical record numbers, health plan
beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial
numbers, device identifiers and serial numbers, web universal resource locators, Internet
protocol address numbers, biometric identifiers, full face photographic images, and any other
unique identifying number, characteristic or code
I
Identifying information can be entered into the NFR-CRS element fields in the list below,
including free text fields associated with the listed fields, because all the listed fields and their
related text fields will be removed from every de -identified download However, users should
be instructed by the Holder not to enter any identifying information in other free text
fields, including Section O. Narrative text field, because these text fields may be included in
de -identified downloads. NCFRP cannot review free text fields in de -identified downloads
to assure that they contain no HIPAA Identifiers
HIPAA Required Elements to De -Identify Case Data
The NFR-CRS elements listed below will be removed for all persons accessing de -identified
case data:
Introduction Case Definition
Case number
i
County of review
Review team number
Sequence of review
Death certificate number
Birth certificate number
Medical examiner/Coroner number
* Source Code of Federal Regulations Section 164 514(b)(2)(i)
37
Date FR team notified of death
Section A Child Information
Child first name
Child middle name
Child last name
Child name unknown
Date of birth month, day, and year
Date of birth unknown
Date of death month and day
Date of death unknown
Residential address unknown
Residential address street
Residential address apartment
Residential address city
Residential address county
Residential address zip
County of death
Mother's first name
Mother's middle name
Mother's last name
Mother's maiden name
Mother's name unknown
Father's first name
Father's middle name
Father's last name
Father's name unknown
Mother's residence address same as child
Mother's residence address unknown
Mother's residence address street
Mother's residence address apartment
Mother's residence address city
Mother's residence address zip
Mother's residence address county
Mother's discharge date from hospital
Date of infant's last discharge date
1
Section E Incident Information
Date of incident
Date of incident same
Date of incident unknown
Incident county
Section A'! Review Meeting Process
Date of first review meeting
1
Section N SUID and SDY Case Registry
Date, of first Advanced Review meeting
Date of SUID Case Registry data entry complete
I
Section P Form Completed By
Forni completed by — Person's name
Form completed by — Title
Forni completed by — Agency
Forni completed by — Phone
Form completed by — Phone extension
38
Form completed by — Email
Form completed by - Date
Date of quality assurance completed by State
My FR Outcomes
MyI,FR Outcomes — Person's name
My1FR Outcomes - Team of review
Source Code of Federal Regulation Section 164 514(b)(2)(i)
39
Attachment 2
A Request for the Release of Fatality Review Case Report Data when Research Applicant
Intends to Identify State(s) in Proposed Published Analysis or Results
The following template will be used by NCFRP to request written authorization from states
participating with the Fatality Review Case Reporting System for permission to release
individual case report data to research applicants that intend to identify state jurisdiction
in published analysis or results. State permission will be sought once the Data
Dissemination Committee has approved the project.
Dear State of (insert state) Data Holder
This letter is to inform you that the National Center for Fatality Review and Prevention (NCFRP)
has received a request to release de -identified individual case report data The request was
submitted by (insert name of requestor and organization) on (insert date)
The, requester will be using the data for the purpose of (insert purpose) If the requester intends to
use the data for a purpose other than what is stated here, they must submit a new request
Per the National Center for Fatality Review and Prevention's Guidelines for Requesting
De -identified Dataset, written permission is necessary from each state where the research
applicant intends to identify state jurisdictions in published or publicly released analysis or
results of fatality review data.
As a reminder, de -identified individual case report data released by the NCFRP will not include
the list of data elements found in Appendix B of the NCFRP Data Dissemination Policy and
Guidelines
I
Please verify that your state is not precluded from releasing this data by any rules or statutes
before signing this agreement
If you approve this data request, please sign both copies of the attached contract Mail both
copies to the National Center for Fatality Review and Prevention for signature
40
Attachment 3
Confidentiality Agreement to be Signed by All Researchers with Access to NCFRP Data
BY signing this Agreement, I agree to the following
1
2
I will safeguard the confidentiality of all confidential information contained in the NFR-CRS
dataset to which I have been given access I will not carelessly handle confidential
information I will not in any way divulge copy, release, sell, loan, review, or alter any
confidential information except as within the scope of my duties
I will only access confidential information for which I have a need to know and I will use
that information only as needed to perform my duties
3 I will not attempt nor permit others to attempt to use the dataset to learn the identity of any
decedent If I inadvertently discover the identity of a decedent, I will make no use of this
knowledge, will not permit others to use the knowledge, will not inform anyone else of this
'knowledge, and will inform NCFRP of the discovery so it can prevent future discoveries
4 III will transmit and store all electronic and hard copy data in a secure and confidential manner
and location at all times
5 'Upon completion of the performance of my duties, the identifiable dataset will be destroyed
and no opportunities will be available to access that data on the network or computer
systems
6 I will promptly report activities by any individual or entity that I suspect may compromise
'the availability, integrity, security, or privacy of confidential information
7 I understand that the ownership of any confidential information referred to in this Agreement
its defined by State statutes
8 II understand that violating applicable laws and regulations may lead to other legal penalties
'imposed by the judicial system
I
Signature: _
Print Name:
Date:
41
Attachment 4
'`d NATIONAL
FRP
Saving Lives Together
SELECTED JOURNAL ARTICLES AND REPORTS
USING N FR -CRS DATA
Dangerous Waters: Profiles of Fatal Child Drowning in the U.S. 2005-2014
MacKay JM, Steel A, Dykstra H. 2016. Safe Kids Worldwide.
https://www.safekids.org/sites/default/fi les/dangerous_waters_research_report.pdf
Keeping Kids Safe In and Around Water: Exploring Misconceptions that Lead to
Drowning
MacKay JM, Steel A, Dykstra H, Wheeler T, Samuel E, Green A. 2016. Safe Kids Worldwide.
https://www.safekids.org/sites/default/fi les/smal l_water safety_study_2016.pdf
Death Scene Investigation and Autopsy Practices in Sudden Unexpected Infant Deaths
Erck AB, Parks SE, Camperlengo L, Cottengim C, Anderson RL, Covington TM, Shapiro -Mendoza CK. 2016. J Pediatr2016;
174:84-90.
https://www.researchgate.net/publication/301671583_Death_Scene Investigation_and_Autopsy_Practi ces_in_Sudden_Unexpect
ed_Infant Deaths. Abstract only.
Pediatric Suicide in the United States: Analysis of the National Child Death Case
Reporting System
Triglylidas T, Reynolds E, Teshome G, Dykstra H, Lichenstein R. 2016. Injury Prevention 2016; 0:1-6. Published first
online.doi:10.1136/injuryprev-2015-041796. http://injuryprevention.bmj.com/content/early/2016/01/18/injuryprev-2015-
041796.abstract. Abstract only.
Crib bumpers continue to cause infant deaths: A need for a new preventive approach
Scheers N.J., Woodard D.W, Thach, B.T. 2015. Pediatrics, DOI: http://dx.doi.org/10.1016/j.jpeds.2015.10.050. Published online
11/24/2015. http://www.jpeds.com/article/S0022-3476(15)01284-6/pdf.
Cause -specific mortality among children and young adults with epilepsy:
Results from the U.S. National Child Death Review Case Reporting System
Tian N, Shaw EC, Zack M. Kobau R, Dykstra H, Covington TM. 2015. Epilepsy Behay. 2015. Apr; 45:31-4. doi:
10.1016/j.yebeh.2015.02.006. Epub 2015 Mar 18. http://www.epilepsybehavior.com/article/S 1525-5050(15)00054-2/pdf
Development of a dataset of national cardiovascular deaths in the young
Vetter VL, Dugan NP, Haley DM, Covington TM, Dykstra H, Overpeck M, Iyer VR, Shults J. 2014. DOI: doi:
10.1016/j.ahj.2014.06.015. American Heart Journal. http://www.ahjonline.com/article/S0002-8703(14)00365-2/pdf
Sofas and Infant Mortality
Rechtman LR, Colvin JD, Blair PS, & Moon RY. 2014. Pediatrics 2014. 134:e 1292.
http://pediatrics.aappublications.org/content/pediatrics/early/2014/ 10/08/peds.2014-1543.full.pdf.
Sleep Environment Risks for Younger and Older Infants
Colvin J, et al. 2014. Pediatrics 134(2):e406 -e412.
http://pediatrics.aappublications.org/content/pediatrics/early/2014/07/09/peds.2014-0401. tiu I I.pd t
42
Classification System for the Sudden Unexpected Infant Death Case Registry and its
Application
Shapiro -Mendoza C, Camperlengo L, Ludvigsen R, Cottengim C, Anderson R, Andrew T, Covington T, Hauck F, Kemp J,
MacDorman M. 2014. Pediatrics 2014; 134(1): 1-10.
http://pediatrics.aappubl ications.org/content/pediatrics/early/2014/06/03/peds.2014-0180. full. pd
Child maltreatment deaths in the U.S. National Child Death Review Case Reporting
System
Palusci V, Covington T. 2013. Child Abuse Neglect. S0145-2134(13)00245-7. doi: 10.1016/j.chiahu.2013.08.014. [Epuh ahead
of print] PubMed PMID: 24094272. https://www.ncbi.nlm.nih.gov/pubmed/24094272 Abstract only.
Sudden Unexpected Infant Deaths: Sleep Environment and Circumstances
Schnitzer P, Covington T, Dykstra 11. 2012. American Journal of Public Health 2012; 102(6): 1204-1212.
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3483961/
Public Health Surveillance of Fatal Child Maltreatment: Analysis of Three State
Programs
Schnitzer P, Covington T, et al. 2008. American Journal of Public Health; 98:296-303.
http://ajph.aphapublications.org/doi/abs/10.2105/AJPH.2006.087783?journalCode=ajph
Hello