Case Study on an Inter-Institutional EHR-Linked HIV Disease Registry in the Southeastern United States, 2018 Open Access

England, Cameron (Spring 2019)

Permanent URL:


Background. This case study explores an HIV disease registry developed at Emory Center for AIDS Research with a healthcare partner that demonstrates successful inter-institutional sharing of protected health information. Secondary uses of patient data collected in electronic health systems have valuable, broad applications in public health. A common challenge is that healthcare organizations lack the skill, knowledge and resources to leverage this data for secondary uses. Furthermore, a defensive environment exists for sharing HIPAA-protected patient information because of legal and financial consequences. Researchers can help provide the necessary resources; however, negotiating data access is the primary challenge in building a disease registry. This case study demonstrates a pathway for sharing patient data between two institutions by examining the characteristics that influence the organizational behaviors, requirements, goals, and relationships. 

 Methods.  The case study is formulated with a multi-modal approach of a descriptive case study that incorporates iterative stakeholder interviews, protocol analysis, observations, review of documents and archived records, process evaluation, and exploring the physical environment. Inter-institutional data agreements were also reviewed to understand the legal partnership. 

Results. The disease registry was developed within the healthcare organization’s informatics enterprise, so the data stewards maintain control over patient data. Data are migrated from several data sources that include EHR, LIMS, and pharmacy databases. ETL processes transfer five domains of data that encompass outpatient visits, patient admissions, medications, lab results, and procedures that resulted in nine relational tables contained in the Oracle database. The database constitutes HIV patients seen at the clinic since 2010 as well as historical data on these patients going back to 2000.

Summary. Key characteristics that contributed to a successful sharing of patient information include: (1) Researchers provide knowledge, skills and experience to manage data for secondary applications thus shifting the burden of work from the healthcare system. (2) The disease registry exists within the healthcare enterprise so data stewards maintain control of uses and security. Furthermore, data migration is unidirectional thus limiting strain on and preventing modifications to the health applications. (3) Emory CFAR ensures the quality of data is scientifically robust and quickly accessible. (4) Accountability processes manage and control uses of data with limited involvement from the healthcare system. (5) Governance strategies safeguard data from impropriety. (6) Security for the database is HIPAA-compliant to ease concerns for allowing an external partner to manage data. 

Table of Contents

Table of Contents

1    Definition of Terms. 1

2    Executive Summary. 1

3    Introduction. 5

3.1     Background. 5

3.2     Problem Statement 10

3.3     Purpose Statement and Public Health Impact 10

4    Literature Review.. 12

5    Methodology. 20

5.1     Introduction. 20

5.2     Research Design. 22

5.3     Instruments. 24

5.4     Limitations and Delimitations. 26

6    Results. 29

6.1     Introduction. 29

6.2     Program Evaluation Logic Model 30

6.3     Project Organization. 33

6.4     Strategic Planning. 36

6.5     Identification of Patients with HIV.. 41

6.6     Requirements for the Data. 41

6.7     Description of the Data. 42

6.8     Description of the Database & Data Storage. 49

6.9     Governance of Data Sharing. 53

6.9.1  BAA Use and Disclosure of PHI. 55

6.9.2  BAA Safeguarding and Reporting Misuse. 56

6.9.3  BAA Access to PHI. 56

6.9.4  BAA Accountability of Data Uses. 57

7    Discussion. 60

7.1     Summary of the Case Study. 60

7.2     Implications. 61

7.3     Limitations. 68

7.4     Recommendations. 70

7.5     Conclusion. 72

8    Appendix I: Interview Questions. 77

9    Appendix II: Physical Data Model 78

10  Appendix III: Stakeholder Profiles. 79

11  Appendix IV: Project Plan. 81

11.1   Work Breakdown Structure. 81

11.2   Work breakdown structure dictionary. 82

12  Appendix V: Data Quality Plan. 86

13  Appendix VI: Data Security Plan. 92

13.1   PII Confidentiality Impact Level Assessment 95

13.2   Operational Security Analysis. 98

13.3   Minimizing the Confidentiality of PII. 101

13.4   Types of Controls. 102


About this Master's Thesis

Rights statement
  • Permission granted by the author to include this thesis or dissertation in this repository. All rights reserved by the author. Please contact the author for information regarding the reproduction and use of this thesis or dissertation.
Subfield / Discipline
  • English
Research Field
Committee Chair / Thesis Advisor
Committee Members
Last modified

Primary PDF

Supplemental Files