Data Policies & Privacy Issues

Below you will find information regarding data policies and privacy/confidentiality considerations for using SEER-CAHPS data.

Data Policies

The SEER-CAHPS data are a different linkage than SEER-Medicare, and are based upon a different sampling frame, those who complete a CAHPS survey. Please refer to this comparison table for how SEER-CAHPS differs from SEER-Medicare and SEER-MHOS.

The data owners (SEER registry PIs and CMS) hold NCI responsible for tracking the use and location of all released SEER-CAHPS data. Given the interest in SEER-CAHPS data, there is an ever increasing number of data requests that need to be tracked. In order to ensure that NCI is knowledgeable about how the data are being used, who is using the data and to avoid a change in scope, limitations on the number of data updates, data retention and data sharing are warranted.

Data Updates

The maximum number of times data can be obtained for the same project is three: initial data request and then updated data from the next two subsequent linkages. If additional updates are desired, investigators will need to submit a new application for review and approval.

Data Retention

The Data Use Agreement (DUA) states the data retention time period is 5 years. If additional time is necessary to complete the approved project, investigators must request a one-year extension to the DUA. These extensions may be renewed annually until a maximum data retention period of 10 years. If more than 10 years has lapsed since data were initially received, investigators will need to submit a new application for review and approval. Without an approved extension, all SEER-CAHPS data must be destroyed.

Data Sharing

Investigators will be allowed to share data for approved projects with colleagues at their institute only if the data:

  • pertain to the same cohort (e.g., the same cancer site), and
  • were purchased within the previous 2 years.

Please note that the data retention period for the shared data will commence from when the data for the initial project was received not when the request to share the data was submitted.

Data Usage Agreement Amendments

Investigators wishing to make changes, including the addition of a study aim, to an active DUA without requesting additional data must provide written documentation pertaining to such modifications. NCI will review and approve proposed amendments on a case-by-case basis. All potential DUA amendments are subject to the same provisions specified in the SEER-CAHPS application, including:

  • Additional aims and/or content closely relate to aims found in the original proposal.
  • Proposal additions are relevant to improving the quality of care of older cancer patients.

Amended proposals can be submitted for review by e-mail.

Manuscript Submission

As stated in the DUA, all manuscripts must be cleared by NCI prior to submission for journal peer review.

Suggested Acknowledgment and Disclaimer

NCI would appreciate the inclusion of the following acknowledgment in any publication or presentations using SEER-CAHPS linked data:

"This study used the linked SEER-CAHPS database. The interpretation and reporting of these data are the sole responsibility of the authors. The authors acknowledge the efforts of the National Cancer Institute; the Centers for Medicare & Medicaid Services; Information Management Services (IMS), Inc.; and the Surveillance, Epidemiology, and End Results (SEER) Program tumor registries in the creation of the SEER-CAHPS database."

IRB Approval and HIPAA Regulations

Researchers who wish to use the Surveillance, Epidemiology and End Results-Consumer Assessment of Healthcare Providers and Systems (SEER-CAHPS) data are required to obtain IRB approval prior to the data being released to them. A full IRB review is not required. Many IRBs, including NIH's Office of Human Subjects Research, have determined that the SEER-CAHPS data are exempt (45 cfr 46.101(b)(4)).

Researchers who wish to use the SEER-CAHPS data may have concerns about complying with the Health Insurance Portability and Accountability Act (HIPAA)External Web Site Policy regulations. The SEER-CAHPS data contain information about geographic location at the county level. Because of these variables, the SEER-CAHPS data are considered by HIPAA requirements as a limited data set, which requires that investigators sign a Data Use Agreement prior to receiving the data. This exception allows for the release of the SEER-CAHPS data without obtaining authorization from individual patients (see Federal Register, August 14, 2002, pg 53235). However, because the SEER-CAHPS data are a limited data set, investigators who have the data may not share these files with other investigators. Investigators who are contacted by colleagues who wish to use their data should ask their colleagues to contact SEER-CAHPS.

Laptops and Other Portable Media

There have been a growing number of reports of stolen laptops that have contained sensitive personal data about patients in clinical studies. Because of the potentially sensitive nature of the SEER-CAHPS data, the National Cancer Institute (NCI) implemented a new policy, effective June 2008, related to how the SEER-CAHPS may be stored, transferred or used on portable devices and removable media.

Definitions of Portable Devices & Removable Media

A portable device includes any non-fixed equipment that contains an operating system which may be used to create, access or store SEER-CAHPS data. This includes but is not limited to laptops, personal digital assistants (PDAs), and smart phones.

Removable media includes, but is not limited to: CDs, DVDs, MP3 players, removable memory, and USB drives (thumb drives).

Policy

Any investigator who has obtained the SEER-CAHPS data (including all persons with access to the data) must take all reasonable measures to ensure the safety and confidentiality of the data that are downloaded to any portable device or removable media. Reasonable measures include storing large files only on network drives or password-protecting data AND encrypting any data on a portable device or removable media. Encryption is a method used to protect the confidentiality, integrity, and authenticity of the data. SEER-CAHPS data stored on portable devices or removable media must be encrypted using one of the following approved encryption standards: Data Encryption Standard (DES) that uses a 64-bit input-output block size; Advanced Encryption Algorithm (AES) that uses a 128, 192, or 256-bit key size; or International Data Encryption Algorithm (IDEA) that uses a 128-bit key size. If any portable device or removable media containing SEER-CAHPS data are lost or stolen, the investigator must report the loss through email within 24 hours/first business day of discovering the loss.

Last Updated: 16 May, 2019