Data Policies & Privacy Issues

The data owners (SEER registry PIs and CMS) hold NCI responsible for tracking the use and location of all released SEER-CAHPS data. Given that interest in SEER-CAHPS data continues to grow exponentially, there is an ever increasing number of data requests that need to be tracked. In order to ensure that NCI is knowledgeable about how the data are being used, who is using the data and to avoid a change in scope, limitations on the number of data updates, data retention and data sharing are warranted.

Data Updates

The maximum number of times data can be obtained for the same project is three: initial data request and then updated data from the next two subsequent linkages. If additional updates are desired, investigators will need to submit a new application for review and approval.

Investigators that obtained data prior to December 2020 cannot request updated data, as their dataset is not compatible with the current release. If additional data is desired, investigators will need to submit a new application for review and approval to obtain data from the current linkage.

Data Retention

The Data Use Agreement (DUA) states the data retention time period is 5 years. If additional time is necessary to complete the approved project, investigators can request an extension to the DUA. Without an approved extension, all SEER-CAHPS data must be destroyed. This destruction must include all raw data files, all analytic files, all back-up files, and the original media. Please be aware that any DUA established prior to December 2020 will not be extended. Investigators will need to submit a new application for review and approval if they desire to continue work on the project.

Data Sharing

Any data obtained prior to December 2020 cannot be shared /re-used. Investigators may retain these data until their DUA expires and then they must destroy the data. Investigators with data from the 2020 SEER-CAHPS linkage will be allowed to submit new applications to re-use /share data with colleagues at their institution only if the data:

• pertain to the same cohort (e.g., the same cancer site)
• were purchased within the previous 2 years.

Please note that the data retention period for the shared data will commence from when the data for the initial project was received not when the request to share the data was submitted.

Combining Data Released Before and After 2020

As a result of new agreements with the Centers for Medicare and Medicaid Services (CMS), all Medicare data released via SEER-CAHPS in 2020 and moving forward will come from CMS’s Chronic Conditions Warehouse (CCW). These files are in a different format from files that were released in prior years. Researchers who have open SEER-CAHPS projects and are using data released prior to 2020 will be able to complete their studies using the data files that they currently have for as long as their DUAs are valid. However, to not prolong the complete switch to the CCW files, researchers will not be allowed to request new CCW files to combine with older files that they previously received. If additional data are required to complete an open project, an entirely new request can be made via usual processes.

Researchers who wish to use the Surveillance, Epidemiology and End Results-Consumer Assessment of Healthcare Providers and Systems (SEER-CAHPS) data are required to obtain IRB approval prior to the data being released to them. A full IRB review is not required. Many IRBs, including NIH's Office of Human Subjects Research, have determined that the SEER-CAHPS data are exempt (45 cfr 46.101(b)(4)).

Researchers who wish to use the SEER-CAHPS data may have concerns about complying with the Health Insurance Portability and Accountability Act (HIPAA) regulations. The SEER-CAHPS data contain information about geographic location at the county level. Because of these variables, the SEER-CAHPS data are considered by HIPAA requirements as a limited data set, which requires that investigators sign a Data Use Agreement prior to receiving the data. This exception allows for the release of the SEER-CAHPS data without obtaining authorization from individual patients (see Federal Register, August 14, 2002, pg 53235). However, because the SEER-CAHPS data are a limited data set, investigators who have the data may not share these files with other investigators. Investigators who are contacted by colleagues who wish to use their data should ask their colleagues to contact SEER-CAHPS.

There have been a growing number of reports of stolen laptops that have contained sensitive personal data about patients in clinical studies. Because of the potentially sensitive nature of the SEER-CAHPS data, the National Cancer Institute (NCI) implemented a new policy, effective June 2008, related to how the SEER-CAHPS may be stored, transferred or used on portable devices and removable media.

Definitions of Portable Devices & Removable Media

A portable device includes any non-fixed equipment that contains an operating system which may be used to create, access or store SEER-CAHPS data. This includes but is not limited to laptops, personal digital assistants (PDAs), and smart phones.

Removable media includes, but is not limited to: CDs, DVDs, MP3 players, removable memory, and USB drives (thumb drives).

Policy

Any investigator who has obtained the SEER-CAHPS data (including all persons with access to the data) must take all reasonable measures to ensure the safety and confidentiality of the data that are downloaded to any portable device or removable media. Reasonable measures include storing large files only on network drives or password-protecting data AND encrypting any data on a portable device or removable media. Encryption is a method used to protect the confidentiality, integrity, and authenticity of the data. SEER-CAHPS data stored on portable devices or removable media must be encrypted using one of the following approved encryption standards: Data Encryption Standard (DES) that uses a 64-bit input-output block size; Advanced Encryption Algorithm (AES) that uses a 128, 192, or 256-bit key size; or International Data Encryption Algorithm (IDEA) that uses a 128-bit key size. If any portable device or removable media containing SEER-CAHPS data are lost or stolen, the investigator must report the loss through email within 24 hours/first business day of discovering the loss.

SEER-CAHPS Data Use Agreements (DUAs) require that investigators submit manuscripts for NCI review prior to publication. Please review the following guidelines when preparing your manuscript:

• Ensure SEER-CAHPS data is not linked with any other individually identified records in another database
• Verify all cell sizes less than 11 (eleven) are suppressed in all figures, tables, and in text in the manuscript
• Ensure that individual patients and/or providers cannot be identified
• NCI would appreciate the inclusion of the following acknowledgment in any publication or presentations using SEER-CAHPS linked data:

  "This study used the linked SEER-CAHPS data resource. The interpretation and reporting of these data are the sole responsibility of the authors. The authors acknowledge the efforts of the National Cancer Institute; the Centers for Medicare & Medicaid Services; Information Management Services (IMS), Inc.; and the Surveillance, Epidemiology, and End Results (SEER) Program tumor registries in the creation of the SEER-CAHPS data resource."

• Projects that use data from the California Cancer Registry are REQUIRED to include the acknowledgement statement posted on the California Cancer Registry website.

When you are ready to submit your manuscript for clearance, please do the following:

• Email your manuscript to NCISEERCAHPS@nih.gov for NCI and CMS review PRIOR to submitting for publication
• Include 1-2 sentences in your email describing how the aims of the manuscript are within the scope of the aims approved in your DUA

Upon receipt, NCI and CMS will review the manuscript, which will take approximately 2-4 weeks. The review of the manuscript is for the purpose of assuring that data confidentiality is maintained and that the focus of the manuscript was outlined in the approved SEER-CAHPS proposal. Revisions will likely be necessary if NCI determines that the format the format in which the data are presented may result in identification of individual patients and/or providers, or if the scope of the manuscript is not consistent with the approved proposal.