ISHLT Response to OPTN Revise Conditions for Access to the OPTN Computer System

Published 24 September 2024

• OPTN Comment

The International Society for Heart and Lung Transplantation (ISHLT) appreciates the opportunity to provide feedback on the “Revise Conditions for Access to the OPTN Computer System and Reporting Privacy Incidents involving OPTN Data” OPTN public comment. ISHLT reviewed the OPTN's proposal, which focuses on revising membership requirements and enhancing security protocols for accessing OPTN computer systems. The proposal is intended to ensure that entities supporting transplant centers, OPOs, and histocompatibility laboratories access the OPTN system in a manner that safeguards data privacy and security, consistent with NOTA and the OPTN Final Rule. The proposal outlines security requirements for members utilizing APIs to access OPTN data.

ISHLT has concerns regarding the potential limitations on third-party access to OPTN data for research purposes, as well as the impact these restrictions might have on current research pathways.

ISHLT also has concerns that the description of "Interconnection Security Agreements" (ISAs) lacks clarity whether there are circumstances where the vendors who supply the software platforms (such as EHRs) members use to access APIs must be parties to these agreements.

ISHLT Responses to the OPTN Considerations for the Community questions are as follows:

Bylaw Changes for OPTN Membership (Small and New Businesses)
ISHLT supports the proposed bylaw changes, provided that high security standards and compliance measures are upheld.

Feasibility of the Transition Plan
The feasibility of the transition plan will depend on expert analysis to ensure a realistic timeline, adequate resources, and minimal disruption to clinical and research operations.

Additional Obstacles to Completing the Transition Plan
Potential obstacles include challenges with system interoperability, increased compliance burdens, limitations on research access, and cost implications.

Data Use Agreement (DUA) Recommendation
The DUA should set clear expectations for data integrity, accuracy, and HIPAA compliance. It must define privacy parameters for authorized users and set limitations on third-party use of OPTN data. The agreement should include breach notification requirements, clarify data ownership, and specify the consequences for non-compliance, as well as dispute resolution mechanisms.

In conclusion, ISHLT supports the OPTN proposal while emphasizing the need to refine key details to balance security with accessibility. Ensuring that security and data access changes do not impede legitimate research is paramount. Changes should not place significant burdens on clinicians and researchers. Ensuring resources and training are readily available will be critical.

We recommend refining the draft to clarify the parties required for ISAs and address security implementation details. We also recommend that the proposal include clear guidelines on shared responsibilities between hospitals, vendors, and the OPTN to avoid ambiguity, ensuring research pathways, particularly for donated organs not utilized for transplantation, remain accessible despite the new restrictions.