Title: Data Security and Research 101 Completing Required Forms
1Data Security and Research 101 Completing
Required Forms
- Kimberly Summers, PharmD
- Assistant Chief for Clinical Research
- South Texas Veterans Health Care System
- Research and Development Service
- (210) 617-5300 x 15969
- KimberlyK.Summers_at_va.gov
2Goal of VA Privacy and Information Security
- Protecting the privacy of our veterans
- Assuring the confidentiality of research
subjects data - Ensuring research will continue within the VA
- Ensuring the stackholder's and publics
confidence in the integrity of the data
3Concerns Regarding VA Research And Cyber-Security
- Large data sets with PHI identifiers
- VA leads the world in electronic records
- VA also receives Medicare Data
- Genomic medicine raises new concerns
- VA investigators have many collaborators
- Abundance of devices
- Recent negative publicity regarding loss of
VA-sensitive information
4VHA Privacy Program
- Consists of 6 statues that govern collection,
maintenance, and release of information - Provision of the Freedom of Information Act,
Privacy Act, Title 38 United States Code (U.S.C.)
(U.S.C. Sections 5701, 5705, 7332), and Standard
of Privacy of Individually-Identifiable Health
Information, 45 Code of Federal Regulations (CFR)
Parts 160 and 164, hence Health Insurance
Portability and Accountability Act (HIPAA)
Privacy Rule - VHA Handbook 1605.1addresses most requirements
- Investigators must have the authority to collect,
use, or disclose private information
5Investigators Certification Storage and
Security of VA Research Information
- February 2007
- Deputy Under Secretary for Health Operations and
Management and Chief Research and Development
Officer established a process by which PIs be
certified as meeting the security requirements
for VA research information - All active protocols had to be certified by
ACOS/Research, Information Security Officer
(ISO), Privacy Officer, and Director as compliant - The STVHCS research program (all protocols) was
in jeopardy of being shut down if the entire
program didnt meet the standards
6Annual Certification
- By April 15 of each year
- PI must confirm all active research protocols
continue to meet the VA data security standards
and requirements - Process for annual recertification in development
- Annual security training
- Cyber Security, Privacy, and Data Security
- Annual certifications are forwarded to the STVHCS
Medical Center Director and VISN Director
7Collection, Storage, and Use of VA-Sensitive
Research Data
- All protocols submitted for IRB and RD approval
must - Contain specific information on all sites where
data will be used or stored - How data will be transmitted or transported
- Who will have access to the data
- How data will be secured
- Information contained in the Data Security
Checklist
8 - Completed by RD office based on information
provided by investigator during the pre-review
process - Returned to PI for signature
- Reviewed and signed off on by the ACOS/Research
and ISO - Forwarded to Hospital Director for certification
9Information Requested From PI
10Background and Definitions Required to Complete
VA Research Data Security Checklist
11VA-Sensitive Research Data
- Individually-identifiable research data collected
on a veteran subject through a STVHCS approved
protocol - Individually-identifiable research data collected
on a veteran or non-veteran within the STVHCS - Individually-identifiable research data collected
as part of a VA-funded study
12Not VA-Sensitive Data
- Non-identifiable data
- Data collected on non-veterans outside of the VA
on a non-VA funded project
13HIPAA and Research
- Controls use of protected health information
(PHI) - Within the covered entity (STVHCS)
- Disclosures outside the covered entity
- Allows only the Minimum Necessary information
- Use of PHI requires an authorization or waiver of
authorization - Informed consent / HIPAA authorization from
patient - IRB waiver of authorization for exempt research
- 18 defined HIPAA identifiers
14HIPAA Identifiers
- 1. Names
- 2. ALL geographic subdivisions smaller than
the state - 3. All elements of dates smaller than a year
and all ages over 89 - 4. Phone numbers
- 5. Fax numbers
- 6. E-mail addresses
- 7. Social Security numbers (SSN)
- 8. Medical record number
- 9. Health plan beneficiary numbers
- 10. Any other account numbers
- 11. Certificate/license numbers
- 12. Vehicle identifiers and license plate
numbers - 13. Device identifiers and serial numbers
- 14. WEB URL's
- 15. Internet IP address numbers
- 16. Biometric identifiers (fingerprint, voice
prints, retina scan, etc) - 17. Full face photographs or comparable images
- 18. Any other unique number, characteristic or
code
15HIPAA Identifiers Continued
- Any other unique number, characteristic or code
- Scrambled SSN
- Initials
- Last four digits of SSN
- Employee numbers
- Etc.
- HIPPA also states that the entity does not have
actual knowledge that the remaining information
could be used alone or in combination with other
information to identify an individual who is the
subject of the information
16(No Transcript)
17HIPAA and The Common Rule
- Two different regulations
- VA requires de-identification by both
- Common Rule states the identity of the subject
can not be readily ascertained by information
remaining after removal of all 18 HIPAA
identifiers - After stripping all 18 identifiers the remaining
information may still be identifiable (e.g.
through statistical analysis)
18 Keys To Coding Systems
- If non-identifiable information is linked to
identifiable information with the use of log
(e.g. coding system) - Logs are identifiable and VA-sensitive research
data - Applies to data and specimen logs
19(No Transcript)
20If There Is No Collection of Identifiable
Information
- Should be consistent with informed consent
document and HIPAA authorization - Should be consistent with protocol
- Provide IRB approval letter for exempt research
or page(s) of protocol which clearly states no
identifiable information will be collected
21Disclosure of VA-Sensitive Research Data
22Disclosure of Research Data
- Release, transfer, or provision of access to, or
divulging in any other manner information outside
the VA - VHA Handbook 1605.1
- STVHCS is required to maintain an accounting of
all disclosures of individually-identifiable
information including those for state reporting
and research - Disclosure of de-identified data, or a limited
data set, does not require an accounting
23Limited Data Set
- Data set that contains PHI that excludes 16
categories of direct identifiers - May contain identifiable information
- Scrambled SSN
- City, State, ZIP code
- Elements of date and other numbers
- Characteristics or codes not listed as direct
identifiers
24Limited Data Sets Direct Identifiers
- 1. Names
- 2. Postal address other than town, city,
state, and ZIP code - 3. All elements of dates smaller than a year
and all ages over 89 - 4. Phone numbers
- 5. Fax numbers
- 6. E-mail addresses
- 7. Social Security numbers (SSN)
- 8. Medical record number
- 9. Health plan beneficiary numbers
- 10. Any other account numbers
- 11. Certificate/license numbers
- 12. Vehicle identifiers and license plate
numbers - 13. Device identifiers and serial numbers
- 14. WEB URL's
- 15. Internet IP address numbers
- 16. Biometric identifiers (fingerprint, voice
prints, retina scan, etc) - 17. Full face photographs or comparable images
- 18. Any other unique number, characteristic or
code
25Accounting of Disclosures For VA-Sensitive
Research Excluding Limited Data Sets
- The accounting must include
- Date, nature, and purpose of the disclosure and
- Name and address of the person or agency to whom
the disclosure is made - Web-based database available
- A paper format of the web-based database will be
used as a contingency if needed
26(No Transcript)
27(No Transcript)
28Privacy Office Review
- STVHCS Privacy Officer or designee
- Provide consultation as needed in the pre-review
process - Attends the RD Committee meetings
- Performs a final privacy approval prior to
activation of any research protocol - Signature required for RD approval
- Monitors the disclosures of private information
at least quarterly
29STVHCS Privacy Office Contacts
- Vickie Macdonald, RHIT
- (210) 617-5661
- Vickie.Macdonald_at_va.gov
- Mary Wohl
- (210) 617-5300 ext 15602
- Mary.Wohl_at_va.gov
30Storage of VA Research Data
31Storage of VA-Sensitive Paper Research Data
- Lower risk of loss or compromise
- Physical security controls
- Within the VA system
- Locked room, locked cabinet
- Access limited to research staff
- At the UTHSCSA
- Physical security arrangements must be inspected
and approved by ACOS/Research and ISO
32Storage of VA-Sensitive Electronic Research Data
- Risk of loss or compromise is high
- Must be stored within the VA system (e.g. behind
the VA firewall) - VA research server recommended
- Accessed directly through the VA network from a
VA computer or - Through VPN from a non-VA computer
- Encrypted VA computer in VA office
- Rare instances
- Explain requirement for storage outside the
server
33VA Research Server
- For instructions on how to set up an investigator
folder on the VA Research server and/or - To obtain VPN access
- Contact RD office
- Angela Casas (210) 617-5300 x15523
- Angela.Casas_at_va.gov
- Contact Information Security Officer (ISO)
- Gerald Steward (210) 617-5300 x14734
- Gerald.Steward_at_va.gov
34Transfer / Transmission of Research Data
35Sharing Research Data Often Appropriate and
Necessary
- With collaborators
- With those who have specialized expertise
- With data coordinating centers for Multi-site
studies - With outside sponsors of research
36Transfer or Transmission of Research Data Outside
the VA
- Transfer to entity other than the sponsor or its
designated data center - Requires prior written approval from
- ACOS/Research
- Privacy Officer
- Information Security Officer
- Applies to any VA-sensitive research data
- Including limited data-sets
- Transfer of data should be described in the
protocol and consent / HIPAA authorization - Transfer or transmission requires an accounting
of disclosure
37Forms For Authorization of Transfer
- Data Use Agreement
- Data Transfer Agreement for within VHA
- Data Transfer Agreement for outside VHA
- Removable Storage Media Agreement
- For assistance obtaining the appropriate forms
- Contact RD office
- Angela Casas (210) 617-5300 x15523
- Angela.Casas_at_va.gov
- Forms will be available on STVHCS Research
website in future
38Loss or Compromise of VA-Sensitive Research Data
- Must be reported promptly to
- Supervisor
- ACOS/Research
- Information Security Officer (ISO)
- Privacy Officer
- IRB
- Reported as an Unanticipated Problem Involving
Risk to Subjects or Others (UPIRSO)
39Loss of a Device Used to Transport, Access or
Store VA-Sensitive Information
- Must be reported promptly to
- Supervisor
- ISO
- If within a VA facility to the VA police
- If traveling or at another institution report to
the security/police officers of the institution
and obtain - Case number
- Name and badge number of the investigation
officer - Copy of the case report, if possible
40Data Security and Research The Stakes are High
- VA must assure information security privacy
protects research subjects and facilitates
current and future research - May also protect the researcher
- Negative publicity impacts the local research
program and investigators, VA research in
general, and VHA health care