TriNetX is compliant with the Health Insurance Portability and Accountability Act (HIPAA), the US federal law which protects the privacy and security of healthcare data. TriNetX is certified to the ISO 27001:2013 standard and maintains an Information Security Management System (ISMS) to ensure the protection of the healthcare data it has access to and to meet the requirements of the HIPAA Security Rule.
Any data displayed on the TriNetX Platform in aggregate form, or any patient-level data provided in a data set generated by the TriNetX Platform, only contains de-identified data as per the de-identification standard defined in Section §164.514(a) of the HIPAA Privacy Rule. The process of de-identifying data is attested to through a formal determination by a qualified expert as defined in Section §164.514(b)(1) of the HIPAA Privacy Rule. This formal determination by a qualified expert was refreshed in December 2020. Please find more information about our Expert Determination here.
The TriNetX network contains data provided by participating healthcare organizations (HCOs), each of which represents and warrants that it has all necessary rights, consents, approvals, and authority to provide the data to TriNetX under a Business Associate Agreement (BAA), so long as their name remains anonymous as a data source and their data are utilized for research purposes. The data shared through the TriNetX Platform are attenuated to ensure that they do not include sufficient information to facilitate the determination of which HCO contributed which specific information about a patient.
When publishing using data from the TriNetX network or TriNetX as a method, the following guidelines must be adhered to:
Network to be used
The TriNetX data networks for scientific use and publications include Dataworks, Diamond, TriNetX Research, COVID-19 Rapid Response, and COVID-19 Research Network. In reasonable exceptional cases (e.g., if the topic of the project is related to clinical trials or validation of the network for use in clinical trials), other regional networks can be used. The specific network(s) used in the analysis should be disclosed in the methods section of the publication as a data source.
Use of the appropriate network
Contracts with TriNetX member HCOs do not always allow the use of their data for publications. Therefore, during review of the manuscript and discussion with the author, clarification should be sought on whether the appropriate network was used for the scientific project to be published.
Information not to disclose
HCO names or HCO-specific data
Unless the publication is initiated and authored by an HCO, no HCO-specific data should be shown in any publication, not even in an anonymized way (e.g., “site 1, site 2, site 3, etc.”). All results must be shown as aggregated statistics only. HCOs may only disclose site-specific data from their own institution.
Screenshots of the platform are confidential and shall not be used in any publication without express consent from TriNetX. If permission is granted, TriNetX shall provide the appropriate language relating to said screenshot(s). Graphs and associated data downloaded from the platform using the platform’s export tools can be used in publications without express consent from the TriNetX Legal Department.
TriNetX, LLC should be mentioned in the methods section. A suggested adequate general description would read:
“The data used in this study was collected on [INSERT DATE OF ANALYSIS OR DATE OF DATA DOWNLOAD] from the TriNetX [INSERT NETWORK NAME] Network, which provided access to electronic medical records (diagnoses, procedures, medications, laboratory values, genomic information) from approximately [##] million patients from [##] healthcare organizations.”
For publication ethical considerations
A suggested adequate general description would read:
“This retrospective study is exempt from informed consent. The data reviewed is a secondary analysis of existing data, does not involve intervention or interaction with human subjects, and is de-identified per the de-identification standard defined in Section §164.514(a) of the HIPAA Privacy Rule. The process by which the data is de-identified is attested to through a formal determination by a qualified expert as defined in Section §164.514(b)(1) of the HIPAA Privacy Rule. This formal determination by a qualified expert refreshed on December 2020.”
Please note that although TriNetX recommends the above-mentioned language for publication, it may be revised as applicable.
Please direct any additional publishing-related questions with TriNetX to your institution’s account manager or healthcare partnership manager.