A blog about Open Source, my work at the Gates Foundation and those I am fortunate enough to collaborate with


DURSA – the beginning of the end for siloed personal data

September 15, 2011

OK so I wouldn’t blame you if you haven’t heard of the Data Use and Reciprocal Support Agreement, or ‘DURSA’. I hadn’t either until Steve Midgley turned me onto the fact that David Riley’s work on Connect was predicated on a constructive legal framework capable of supporting federal, state and commercial actors. No small undertaking, particularly when you consider that Connect! was launched with 15 private sector companies and 15 federal agencies (that’s at least 30 lawyers, all of whom would rather the whole topic of exchange of sensitive patient data across open networks just went away).

In this post I just wanted to share what DURSA is, and why it might matter for education.  I am not a lawyer, so what follows represents a layman’s view.

What is DURSA?

DURSA is a multi-party legal contract that supports the nationwide exchange of both generic and sensitive Health Information across one or more public and private networks (‘NHIE’) at a variety of levels including local community, region, state and federal.

What problem does DURSA address?

For a long time health information was exchanged point to point. It was a somewhat crude and basic arrangement, but the trust framework required was at least straightforward. You knew who you were dealing with and in all probability had a document that memorialized that relationship. Unfortunately, after one or two of these, it becomes increasingly burdensome to establish and then maintain the resulting web of relationships and reciprocal use requirements, not to mention liabilities. This was therefore never going to be a sustainable or scalable model for the exchange of data over ever broadening data networks. Social Security and the Veterans Administration, two of the most advanced data networks in the public sector, realized this early on. Both have far-flung networks and both lacked the infrastructure to manage linear, let alone exponential, growth in point-to-point data exchange agreements. Both were looking for a means to foster data interchange between organizations that may not be known at the outset of any network.

Why is DURSA noteworthy in the context of exchange of sensitive data?

Due to its nature, DURSA serves as a basis for a community of data exchange to emerge and sustain itself, because its contract is predicated on a set of values and ethics that community members share and are therefore willing to be bound to legally. In its contractual form, DURSA therefore enforces specific rights and responsibilities in support of HIE, e.g. parties agree to a form of self-governance manifested in the form of a coordinating Committee. DURSA creates this committee, and parties sign up to follow the requirements and sanctions of the committee. It is important to note that DURSA asks signatories to go beyond being just bound by a contract: DURSA embodies governance by consent of the governed.

There still is no legal authority in Federal or State law that creates any type of binding governance authority over data exchange.  DURSA, for now, is the only game in town.

What is noteworthy about DURSA itself?

    • Voluntary network (regs may mandate data exchange, but no requirement in law to use the NHIE or DURSA)
    • Launched with the participation of 15 Federal Agencies and departments including HHS, VA, DOD, CMS, SSA, CDC, IndianHS
    • Enables exchange within context of different laws governing the entities themselves, e.g. HIPAA, Privacy Act 74, FISMA, OMB circulars, SAMSA
    • Does not attempt to reconcile conflicting laws individual parties may be subject to. Each party is required to follow its applicable law so as not to be in breach of the DURSA agreement
    • Participant centers responsible for policing their users and usage patterns. Individuals also sign a User Agreement.  Allows DURSA to suspend or terminate access without having liability
    • Access controlled by role-based policy engine with limits placed on degrees of data exchange, e.g. “sensitive data” (HIV status, Mental Health record, Substance Abuse, Genetic Code)
    • Currently 50-60 signatories with ~20 in the pipe
    • Ensures HIPAA compliance by saying that in signing DURSA you agree to be bound by HIPAA as a code of conduct


