Request for Proposal (RFP): Patient Data Tokenization and Privacy-Preserving Record Linkage Services for MLSC Biobank Program

1. Background and Purpose 

The Massachusetts Life Sciences Center (MLSC) is a quasi-public economic development agency of the Commonwealth of Massachusetts. MLSC is launching a statewide Biobank Program designed to accelerate biomedical research, translational discovery, and innovation by enabling secure, equitable, and governed access to high-quality biospecimens and associated patient data.   As part of this initiative, MLSC seeks proposals from qualified vendors to provide patient data tokenization and privacy-preserving record linkage services. The selected vendor will support secure de-identification, tokenization, and longitudinal linkage of patient data contributed by multiple participating academic medical centers and healthcare institutions.   The goal of this RFP is to identify a vendor capable of enabling cross-institutional data integration while maintaining patient privacy, regulatory compliance, and strong governance controls, thereby supporting research use cases across academia, industry, and public-private partnerships.      

2. Scope of Work 

The selected vendor will provide a scalable, secure, and compliant tokenization solution that supports the following capabilities.   

A. Patient Identity Tokenization 

• Generation of consistent, privacy-preserving tokens from identifiable patient data supplied by participating institutions. 
• Support for deterministic and probabilistic matching approaches, as appropriate. 
• Ability to tokenize data without exposing or centralizing direct identifiers.
• Clear separation of identifiable data from tokenized datasets.

 B. Privacy-Preserving Record Linkage 

• Enable longitudinal linkage of patient data across: 
• Multiple healthcare systems and collection sites 
• Multiple data types, including clinical, demographic, molecular, imaging, and longitudinal data 
• Support linking of biospecimen data to associated clinical and outcomes data over time. 
• Minimize false positives and false negatives, with transparent matching performance metrics. 

 C. Security and Compliance 

• Compliance with applicable federal and state regulations, including HIPAA and relevant Massachusetts data protection requirements. 
• Support for de-identified and limited datasets aligned with research and governance needs. 
• Encryption of data at rest and in transit. 
• Robust access controls, audit logs, and monitoring. 

 D. Integration and Interoperability 

• Ability to integrate with: 
• Institutional clinical data systems 
• Centralized biobank data storage and curation platforms 
• Support for standard data formats and interoperability frameworks where applicable. 
• Clear APIs or secure data exchange mechanisms for token generation and linkage workflows. 

 E. Governance and Controls 

• Ability to align with MLSC-defined governance frameworks, including: 
• Broad consent models 
• Data use limitations 
• Tiered access controls for different user groups 
• Support for revocation or suppression of tokens if required by consent changes or regulatory updates. 

F. Reporting and Quality Assurance 

• Regular reporting on: 
• Token generation volumes 
• Linkage success rates 
• Error rates and data quality indicators 
• Ongoing quality control and validation processes. 

 3. Vendor Qualifications   

      Proposing vendors should demonstrate: 

• Experience providing patient data tokenization and privacy-preserving record linkage services in biomedical, healthcare, or life sciences research settings. 
• Proven ability to operate in multi-institutional or consortium-based environments. 
• Experience supporting large-scale datasets and longitudinal data. 
• Strong information security practices and compliance posture. 
• Organizational stability and sufficient staffing to support a statewide initiative. 

4. Implementation and Support   

      Proposals should describe: 

• Proposed implementation approach and timeline. 
• Onboarding process for participating institutions. 
• Required inputs from MLSC and contributing sites. 
• Ongoing technical support, maintenance, and issue resolution. 
• Training or documentation provided to MLSC and participating institutions. 

 5. Proposal Submission Requirements   

       Proposals must include the following sections: 

1. Executive Summary: Overview of the proposed solution and its alignment with MLSC program goals. 
2. Technical Approach: Detailed description of tokenization methodology, linkage approach, and system architecture. 
3. Security and Compliance: Description of compliance standards, certifications, and security controls. 
4. Experience and References: Relevant prior engagements and at least two references. 
5. Implementation Plan and Timeline 
6. Pricing and Cost Structure: Clear description of pricing model, including: 

• One-time implementation costs 
• Ongoing operational costs 
• Any volume-based or usage-based fees 

      7.  Assumptions and Dependencies 

6. Evaluation Criteria 

Proposals will be evaluated based on: 

• Technical merit and robustness of the proposed solution 
• Privacy protection and regulatory compliance 
• Experience with similar multi-institutional initiatives 
• Scalability and long-term sustainability
• Ease of integration with existing and future systems 
• Cost and overall value to the program 

7. Timeline 

Deadline: 4.17.2026

Evaluation Period: Proposals will be weighted based on technical expertise, alignment with the MLSC’s needs and cost-efficiency. Finalists may be interviewed in mid/late May. A decision will be made in May/June with a tentative commencement in June. 

MLSC reserves the right to modify this timeline at its discretion. 

8. Additional Terms 

For questions regarding this RFP, contact: BioBank@masslifesciences.com 

This RFP does not constitute an obligation for the MLSC to fund any proposals. The MLSC reserves the right to modify or cancel this RFP at any time and may request further clarifications or conduct interviews as part of the selection process.