Research Data Sharing IG
1.0.0 - CI Build

Research Data Sharing IG, published by IEHR-Workgroup. This guide is not an authorized publication; it is the continuous build for version 1.0.0 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/InteropEHRate-project/research-data-sharing/ and changes regularly. See the Directory of published versions

Protocol Overview

Goals and Scope

The Research Data Sharing Protocol addresses the general problem of collecting health data for cross-border medical research. The motivation underlying the solution presented here is to enable cross-border data collection in a way that involves citizens more directly in the decisions regarding the sharing of their data. This is achieved through a novel approach that retrieves data directly from the electronic health records stored on citizens’ smartphones. Citizens have complete control over their data as they can give or decline consent for data sharing on a per-study basis, and be informed of precisely what data is used by a given study.

To respond to the numerous technical challenges underlying such an approach, the Protocol introduces novel solutions and also relies on existing results from inside and outside the InteropEHRate project. It deals with the heterogeneity of cross-border data by relying on interoperable data representations, such as the Interoperability Profile defined by the InteropEHRate project. It automates data queries and the checking of eligibility criteria inside the smartphone. It addresses privacy constraints by in-phone data anonymization. It ensures the security of data transmission between smartphones and research centres by relying on state-of-the-art encryption techniques. It provides a formal framework for consensual data sharing through digital signatures.

Actors and Systems

The Protocol involves the following human actors:

  • Citizen: any person potentially participating in a research study with his/her health data, and having the minimal technical means to do so, i.e. the S-EHR App installed on their smartphone.
  • Principal Investigator (PI) of the Study: the researcher (person) in charge of a specific study, including its formal definition.
  • Principal Investigator (PI) of a Research Centre: the researcher (person) in charge of the patients enrolled for a specific study at a Research Centre (RC). The actions of the PI of the Research Centre are not covered by the Protocol.
  • Central Node Administrator: a person that oversees the publishing of new research studies on the Research Network.

These actors intervene through the following systems:

  • S-EHR App. The application installed on the Citizen’s smartphone that stores and manages the Citizen’s health records, and is in charge of executing elements of the Protocol on the phone.
  • Central Node (CN). A node of the Research Network (a server) that stores published research studies and provides a central access point to S-EHR Apps for retrieving the descriptions of research studies.
  • Research Centre Information System. The information system of a research centre participating in a given study. It collects data shared by a set of citizens who are officially attached to this centre for the duration of the study.

Communication Channels

The main interfaces of the Protocol, as shown in Figure 1, are the following:

  • Research Interface (RDSI): consent, enrollment-related communication, and the sending of citizen health data happen through this interface.
  • Research Definition Document Download Interface (RDDI): the S-EHR App downloads data w.r.t. newly published studies through this interface.

Data Exchanged

The following are the main kinds of data whose exchange is covered by the Protocol:

  • Research Definition Documents: structured documents formally describing research studies, including enrollment and exit criteria, data queries, a human-readable description of the study, and other study-related metadata;
  • Pseudonymized health data for research: citizen health data queried from the phone, pseudonymized/anonymized, and sent to a research centre;
  • Digitally signed consent: a formal agreement between a citizen and a research centre about the participation of a citizen in a research study, or his/her withdrawal from it;
  • Enrollment and exit notifications: messages indicating the successful enrollment of a citizen into a study, or his/her leaving of the study.

For the representation of health data, as well as queries and criteria, the Protocol adopts the FHIR standard [FHIR], as does the entire InteropEHRate project. This design choice allows the retrieval of health data from citizens’ S-EHRs directly, without requiring further data conversion mechanisms. Beyond FHIR itself, the Protocol requires the data contained in S-EHRs to conform to InteropEHRate’s highest, semantic level of interoperability, in order to ensure that cross-border data collection leads to meaningful results.

Processes

The execution of a research study, from its initial proposal by a Client until its closure and archival, is a long and complex process that can last years, even for retrospective studies where medical data are readily available. Typically, the entire process involves the following macro-steps:

  1. Pre-acceptance (GO / NO-GO)
  2. Formulation of requests to execute a given research study (as a formal research description)
  3. Approvals from the Ethical Committee as well as w.r.t. feasibility
  4. Setting up of research environment
  5. Setting up the cohort, including citizen consent
  6. Retrieval of data
  7. Preparation and linkage of datasets
  8. Data analysis for the research experiment
  9. Control of access to results
  10. Archival of experiment and results
  11. Closure

Addressing all of the macro-steps above is out of the scope of the InteropEHRate project and of the Protocol itself. The Protocol’s focus, instead, is the way in which medical data are retrieved directly from citizens’ smartphones, with all the necessary handling of consent, privacy, and security aspects of the operation. For this reason, the Protocol only covers the macro-steps relevant to these operations (in italics above), namely:

  • Formulation of request: only to the extent that the research study is defined in the form of a formal, machine-processable RDD document. The Protocol does not cover how the RDD is created, but it does cover the format used to create it.
  • Setting up the cohort: this covers the verification of enrolment criteria, as well as gathering citizen consent. Citizens are provided with the possibility of subscribing and being enrolled into specific research studies, as well as withdrawing from them.
  • Retrieval of data: the citizens’ data are transferred from their smartphones to their respective RRCs.

Accordingly, the Protocol consists of the following macro-steps or phases:

  1. OPT-IN: the Citizen opts in to participating in research studies in general.
  2. PUBLISHING: the PI of the Study publishes the formal description of a new research study.
  3. ENROLLMENT: the consenting Citizen is enrolled into a specific study.
  4. DATA RETRIEVAL: relevant health data is retrieved from the Citizen’s phone.
  5. WITHDRAWAL: the Citizen decides to withdraw from providing further data to a given study.
  6. OPT-OUT: the Citizen decides to opt out from a given study or from all current and future studies.
  7. MONITORING: the PI of the RC monitors the study, having the possibility to view Citizen interactions and participation statistics.
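The phase list above implies a default-deny rule on the phone: health data may leave the S-EHR App only while the Citizen is opted in and enrolled, with signed consent, in that particular study. The sketch below is an added example, not code from the IG or the InteropEHRate project. The class `ConsentGate`, its method names, the per-study states and the choice to refuse re-enrollment after withdrawal are all assumptions made for illustration.

```python
from enum import Enum


class Phase(Enum):
    PUBLISHED = "published"   # study description known, citizen not enrolled
    ENROLLED = "enrolled"     # eligibility checked and consent signed
    WITHDRAWN = "withdrawn"   # no further data may be sent


class ConsentGate:
    """Hypothetical in-phone guard; state names and rules are assumptions."""

    def __init__(self):
        self.opted_in = False
        self.studies = {}     # study_id -> Phase
        self.audit = []       # what was shared, per study, for the citizen

    def opt_in(self):
        self.opted_in = True

    def publish(self, study_id):
        # Studies are tracked only for citizens who opted in (OPT-IN first).
        if self.opted_in:
            self.studies.setdefault(study_id, Phase.PUBLISHED)

    def enroll(self, study_id, eligible, consent_signed):
        if not self.opted_in or self.studies.get(study_id) is not Phase.PUBLISHED:
            return False      # assumption: no re-enrollment after withdrawal
        if not (eligible and consent_signed):
            return False
        self.studies[study_id] = Phase.ENROLLED
        self.audit.append((study_id, "enrolled"))
        return True

    def may_send_data(self, study_id):
        # Default deny: unknown, published-only and withdrawn studies get nothing.
        return self.opted_in and self.studies.get(study_id) is Phase.ENROLLED

    def send_data(self, study_id, record_ids):
        if not self.may_send_data(study_id):
            return False
        self.audit.append((study_id, "sent:" + ",".join(sorted(record_ids))))
        return True

    def withdraw(self, study_id):
        if self.studies.get(study_id) is Phase.ENROLLED:
            self.studies[study_id] = Phase.WITHDRAWN
            self.audit.append((study_id, "withdrawn"))

    def opt_out_all(self):
        # Opting out of all current and future studies withdraws every enrollment.
        for study_id in list(self.studies):
            self.withdraw(study_id)
        self.opted_in = False
```

The audit list mirrors the goal stated earlier that citizens are informed of precisely what data a given study uses; the record identifiers passed to `send_data` are constructed sample values.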