Governance & Program Info

Secure Federated Research Analytics — Governance

Cross-builder institution context and per-item ownership, due dates, status, and next actions for the governance-relevant checklist items in this builder.

Institution context
Program info
Applies across every builder in the app. Stored locally; nothing leaves the browser.
Checklist governance
Items (0 of 27 marked complete)
Annotate ownership, due date, status, and next action. Items on the left come from the builder's governance / compliance phases.
01 · Scoping & Multi-Site Governance
Define the federated research question and study type
required
Confirm the clinical or translational question the federated model will answer.
01 · Scoping & Multi-Site Governance
Inventory participating sites and their class
required
List every site in the federation and its institutional type.
01 · Scoping & Multi-Site Governance
Select the federation topology
required
Decide whether the federation is star, hierarchical, peer-to-peer, or hybrid.
01 · Scoping & Multi-Site Governance
Define data sovereignty and residency constraints per site
required
Map the jurisdictional constraints that govern where PHI may be stored and where computation on it may run.
01 · Scoping & Multi-Site Governance
Confirm IRB strategy — single IRB vs. site-local IRBs
required
Decide whether the study runs under a single IRB of record or parallel site-local IRBs.
01 · Scoping & Multi-Site Governance
Map consent posture for each data class
required
Confirm the legal basis under which each participating site may use data for this study.
01 · Scoping & Multi-Site Governance
Define data use agreements and BAAs across the federation
required
Confirm the contracting surface — every site pair or every site-to-aggregator link needs appropriate instruments.
01 · Scoping & Multi-Site Governance
Determine EU AI Act classification for the federated model
required
Decide whether the federated model falls under the EU AI Act's high-risk provisions.
01 · Scoping & Multi-Site Governance
Establish funding source and grant alignment
recommended
Confirm the sponsor(s) and any grant-level data management / sharing requirements.
01 · Scoping & Multi-Site Governance
Define success metrics and statistical power plan
required
State the primary endpoint, expected effect size, and required N across the federation.
05 · Governance & Compliance
Document HIPAA Privacy and Security Rule posture for each site
required
Confirm that the 45 CFR Parts 160 / 164 controls, including the 2002 research-use carve-outs, apply at every covered entity.
05 · Governance & Compliance
Align with Common Rule (45 CFR 46) single-IRB mandate
required
Confirm compliance with the 2018 revised Common Rule, including the 45 CFR 46.114 single-IRB (sIRB) requirement for federally funded multi-site research.
05 · Governance & Compliance
FDA 21 CFR 50 / 56 — IRB and informed consent
required
For any study that will support an FDA submission, 21 CFR Part 50 (consent) and Part 56 (IRB) apply in addition to the Common Rule.
05 · Governance & Compliance
21 CFR Part 11 compliance for electronic records and signatures
recommended
Signed electronic approvals, audit trails, and validated systems — required for any FDA-regulated federated study.
05 · Governance & Compliance
Map GDPR Article 9 and Article 89 for any EU site
required
Special-category health data processing under Article 9(2)(j) scientific research exemption with Article 89 safeguards, respecting member-state derogations.
05 · Governance & Compliance
Prepare EU AI Act high-risk documentation (where applicable)
required
Technical documentation, risk management, data governance, human oversight, and post-market monitoring per Regulation 2024/1689.
05 · Governance & Compliance
Engage each site's data governance committee (DGC)
required
DGC approval at every site is typically separate from IRB and is the gate on what data can be used for which purposes.
05 · Governance & Compliance
Execute DUAs, BAAs, and federation-specific agreements
required
Complete the contracting surface — every site-to-aggregator and (where relevant) site-to-site agreement.
05 · Governance & Compliance
NIST AI RMF 1.0 mapping for the federated model
recommended
Govern, Map, Measure, Manage functions applied to the federation — increasingly a baseline expectation for federal grantees.
05 · Governance & Compliance
NIST SP 800-53 / 800-171 control mapping for the aggregator environment
recommended
Federal and federally funded aggregators are expected to inherit 800-53 controls; 800-171 covers CUI handling.
05 · Governance & Compliance
NIH Data Management and Sharing Policy plan
required
For NIH-funded studies (effective Jan 2023): the plan describes how results, metadata, and (where possible) data will be shared.
05 · Governance & Compliance
TEFCA alignment where QHIN participation is relevant
optional
Trusted Exchange Framework and Common Agreement — sites participating via QHIN have prescribed data-exchange obligations.
05 · Governance & Compliance
NIST Privacy Framework overlay
optional
The NIST Privacy Framework complements AI RMF and is commonly referenced in DGC reviews of federated research.
05 · Governance & Compliance
Produce a consortium-wide model card
required
Intended use, training data description (per site), known limitations, fairness analysis, privacy budget.
05 · Governance & Compliance
Per-site data provenance and lineage records
required
At each site, record which cohort, which extract date, which common data model (CDM) version, and which feature-spec version contributed to each training round.
05 · Governance & Compliance
Consortium governance charter
recommended
Who decides when to add a site, retrain, publish, or retire the model — and how deadlocks are broken.
05 · Governance & Compliance
Incident response and breach-notification runbook
required
Federation-specific runbook covering gradient-integrity incidents, site compromise, and HIPAA/GDPR reporting paths.