transferred to the third party. DDOC staff suggest best practices or other options that make the request lower risk, and thus such requests are more likely to be approved by the committee. As a result, the initial request that is submitted to DDOC often looks significantly different than the request that is ultimately approved.
DDOC advises sending the minimum amount of data elements necessary to meet business objectives and challenges proponents submitting requests to examine what type of data needs to be disclosed. One example involved a proposal to send facial images, behavioral health records, and MRNs to a third party as part of a data sharing arrangement to engage in industry benchmarking. When asked for the business case on why these types of data elements would be required for surgical benchmarking, confirmation was received that these data elements would not be needed by the third party.
DDOC reviews routinely minimize the type of data elements sent to a particular business associate. Other examples of where the committee provides value involve leading effective enforcement of institutional information security standards before data can be sent. Some proposed high-risk data transfers are postponed until the vendor can provide sufficient security assurances and attestations from third-party audit firms. During other reviews, it may be discovered that vendors are unwilling to meet minimum contractual data protection standards and therefore business proponents are advised to explore alternative options with other third parties that are able to agree to institutional data protection contractual provisions. Once a request has been approved, the vendor is added to a “dashboard” through the use of a vended solution. This dashboard enables DDOC to effectively monitor approved vendors for events that may significantly affect the risk profile of an approved vendor such as bankruptcies, data breaches,
Integrating the DDOC Process with a Broader
Technology Assurance Process
After the Data Disclosure Program was fully established and operational, colleagues in IT and information security diligently worked to establish a more streamlined and robust review of information technology-related requests. A process was created to help ensure technology- and data-related requests are able to meet technical data protection and IT architectural standards that promote implementing strong information security controls as well as IT system congruence. This process, known as the Security, Privacy, Architecture, and Data (SPAD) assurance process, is intended to be a single entry point to obtain necessary data disclosure, information technology, and information security reviews of a particular request to disclose data. This process helps to ensure sufficient technical expertise is devoted to reviewing a third party’s ability to meet Mayo Clinic data privacy and information security standards. The data disclosure review process was strategically integrated with this broader review process to help promote efficiency and streamlined reviews of data sharing requests.
Developing an effective framework to prudently manage the risks associated with data sharing will be more critical than ever before as healthcare organizations continue to manage divergent priorities—sharing large sets of patient data in ways that fuel innovation while also keeping patient privacy and information security at the forefront.
April Carlson (firstname.lastname@example.org) is privacy officer/data protection officer, Daniel Goldman is legal counsel, Burke Milnes is Arizona compliance and privacy officer, Kimberly Otte is chief risk officer, and Morgan Schacht is contract manager at Mayo Clinic.
Third-Party Data Disclosure