IRB Determination & HIPAA Regulations
Researchers who wish to access the SEER-Medicare data are required to provide IRB determination prior to any data being released to them.
Background
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information (collectively defined as “protected health information” or PHI) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically (i.e., covered entities).
The Centers for Medicare & Medicaid (CMS) is a covered entity, while the National Institutes of Health/National Cancer Institute (NIH/NCI) is not a covered entity.
Although the released SEER-Medicare data do not contain direct identifiers (e.g., names, SSNs), geographic locations smaller than state and dates (e.g., full dates: admission, discharge and service; and m/y date of birth) are included. As such, per the agreement between the NCI and CMS, all SEER-Medicare data requestors must submit a research-specific application that includes a data protection and storage plan, IRB determination, and a signed Data Usage Agreement (DUA) to NCI for approval prior to receiving any data.
SEER-Medicare requestors are not allowed to share the data they receive. If other investigators wish to access the SEER-Medicare data, they must submit their own formal request to the SEER-Medicare contact.