Data Security and Research 101 Completing Required Forms - PowerPoint PPT Presentation

Data Security and Research 101 Completing Required Forms Kimberly Summers, PharmD Assistant Chief for Clinical Research South Texas Veterans Health Care System – PowerPoint PPT presentation

Transcript and Presenter's Notes

1
Data Security and Research 101 Completing
Required Forms
  • Kimberly Summers, PharmD
  • Assistant Chief for Clinical Research
  • South Texas Veterans Health Care System
  • Research and Development Service
  • (210) 617-5300 x 15969
  • KimberlyK.Summers_at_va.gov

2
Goal of VA Privacy and Information Security
  • Protecting the privacy of our veterans
  • Assuring the confidentiality of research
    subjects' data
  • Ensuring research will continue within the VA
  • Ensuring the stakeholders' and public's
    confidence in the integrity of the data

3
Concerns Regarding VA Research And Cyber-Security
  • Large data sets with PHI identifiers
  • VA leads the world in electronic records
  • VA also receives Medicare Data
  • Genomic medicine raises new concerns
  • VA investigators have many collaborators
  • Abundance of devices
  • Recent negative publicity regarding loss of
    VA-sensitive information

4
VHA Privacy Program
  • Consists of 6 statutes that govern collection,
    maintenance, and release of information
  • Provision of the Freedom of Information Act,
    Privacy Act, Title 38 United States Code (U.S.C.)
    (U.S.C. Sections 5701, 5705, 7332), and Standard
    of Privacy of Individually-Identifiable Health
    Information, 45 Code of Federal Regulations (CFR)
    Parts 160 and 164, hence Health Insurance
    Portability and Accountability Act (HIPAA)
    Privacy Rule
  • VHA Handbook 1605.1 addresses most requirements
  • Investigators must have the authority to collect,
    use, or disclose private information

5
Investigators Certification Storage and
Security of VA Research Information
  • February 2007
  • Deputy Under Secretary for Health Operations and
    Management and Chief Research and Development
    Officer established a process by which PIs be
    certified as meeting the security requirements
    for VA research information
  • All active protocols had to be certified by
    ACOS/Research, Information Security Officer
    (ISO), Privacy Officer, and Director as compliant
  • The STVHCS research program (all protocols) was
    in jeopardy of being shut down if the entire
    program didn't meet the standards

6
Annual Certification
  • By April 15 of each year
  • PI must confirm all active research protocols
    continue to meet the VA data security standards
    and requirements
  • Process for annual recertification in development
  • Annual security training
  • Cyber Security, Privacy, and Data Security
  • Annual certifications are forwarded to the STVHCS
    Medical Center Director and VISN Director

7
Collection, Storage, and Use of VA-Sensitive
Research Data
  • All protocols submitted for IRB and R&D approval
    must
  • Contain specific information on all sites where
    data will be used or stored
  • How data will be transmitted or transported
  • Who will have access to the data
  • How data will be secured
  • Information contained in the Data Security
    Checklist

8
  • Completed by R&D office based on information
    provided by investigator during the pre-review
    process
  • Returned to PI for signature
  • Reviewed and signed off on by the ACOS/Research
    and ISO
  • Forwarded to Hospital Director for certification

9
Information Requested From PI

10
Background and Definitions Required to Complete
VA Research Data Security Checklist

11
VA-Sensitive Research Data
  • Individually-identifiable research data collected
    on a veteran subject through a STVHCS approved
    protocol
  • Individually-identifiable research data collected
    on a veteran or non-veteran within the STVHCS
  • Individually-identifiable research data collected
    as part of a VA-funded study

12
Not VA-Sensitive Data
  • Non-identifiable data
  • Data collected on non-veterans outside of the VA
    on a non-VA funded project

13
HIPAA and Research
  • Controls use of protected health information
    (PHI)
  • Within the covered entity (STVHCS)
  • Disclosures outside the covered entity
  • Allows only the Minimum Necessary information
  • Use of PHI requires an authorization or waiver of
    authorization
  • Informed consent / HIPAA authorization from
    patient
  • IRB waiver of authorization for exempt research
  • 18 defined HIPAA identifiers

14
HIPAA Identifiers
  • 1. Names
  • 2. ALL geographic subdivisions smaller than
    the state
  • 3. All elements of dates smaller than a year
    and all ages over 89
  • 4. Phone numbers
  • 5. Fax numbers
  • 6. E-mail addresses
  • 7. Social Security numbers (SSN)
  • 8. Medical record number
  • 9. Health plan beneficiary numbers
  • 10. Any other account numbers
  • 11. Certificate/license numbers
  • 12. Vehicle identifiers and license plate
    numbers
  • 13. Device identifiers and serial numbers
  • 14. Web URLs
  • 15. Internet IP address numbers
  • 16. Biometric identifiers (fingerprint, voice
    prints, retina scan, etc)
  • 17. Full face photographs or comparable images
  • 18. Any other unique number, characteristic or
    code

15
HIPAA Identifiers Continued
  • Any other unique number, characteristic or code
  • Scrambled SSN
  • Initials
  • Last four digits of SSN
  • Employee numbers
  • Etc.
  • HIPAA also states that the entity does not have
    actual knowledge that the remaining information
    could be used alone or in combination with other
    information to identify an individual who is the
    subject of the information

17
HIPAA and The Common Rule
  • Two different regulations
  • VA requires de-identification by both
  • Common Rule states the identity of the subject
    cannot be readily ascertained by information
    remaining after removal of all 18 HIPAA
    identifiers
  • After stripping all 18 identifiers the remaining
    information may still be identifiable (e.g.
    through statistical analysis)

18
Keys To Coding Systems
  • If non-identifiable information is linked to
    identifiable information with the use of a log
    (e.g. coding system)
  • Logs are identifiable and VA-sensitive research
    data
  • Applies to data and specimen logs

20
If There Is No Collection of Identifiable
Information
  • Should be consistent with informed consent
    document and HIPAA authorization
  • Should be consistent with protocol
  • Provide IRB approval letter for exempt research
    or page(s) of protocol which clearly states no
    identifiable information will be collected

21
Disclosure of VA-Sensitive Research Data

22
Disclosure of Research Data
  • Release, transfer, or provision of access to, or
    divulging in any other manner information outside
    the VA
  • VHA Handbook 1605.1
  • STVHCS is required to maintain an accounting of
    all disclosures of individually-identifiable
    information including those for state reporting
    and research
  • Disclosure of de-identified data, or a limited
    data set, does not require an accounting

23
Limited Data Set
  • Data set that contains PHI that excludes 16
    categories of direct identifiers
  • May contain identifiable information
  • Scrambled SSN
  • City, State, ZIP code
  • Elements of date and other numbers
  • Characteristics or codes not listed as direct
    identifiers

24
Limited Data Sets Direct Identifiers
  • 1. Names
  • 2. Postal address other than town, city,
    state, and ZIP code
  • 3. All elements of dates smaller than a year
    and all ages over 89
  • 4. Phone numbers
  • 5. Fax numbers
  • 6. E-mail addresses
  • 7. Social Security numbers (SSN)
  • 8. Medical record number
  • 9. Health plan beneficiary numbers
  • 10. Any other account numbers
  • 11. Certificate/license numbers
  • 12. Vehicle identifiers and license plate
    numbers
  • 13. Device identifiers and serial numbers
  • 14. Web URLs
  • 15. Internet IP address numbers
  • 16. Biometric identifiers (fingerprint, voice
    prints, retina scan, etc)
  • 17. Full face photographs or comparable images
  • 18. Any other unique number, characteristic or
    code

25
Accounting of Disclosures For VA-Sensitive
Research Excluding Limited Data Sets
  • The accounting must include
  • Date, nature, and purpose of the disclosure and
  • Name and address of the person or agency to whom
    the disclosure is made
  • Web-based database available
  • A paper format of the web-based database will be
    used as a contingency if needed

28
Privacy Office Review
  • STVHCS Privacy Officer or designee
  • Provide consultation as needed in the pre-review
    process
  • Attends the R&D Committee meetings
  • Performs a final privacy approval prior to
    activation of any research protocol
  • Signature required for R&D approval
  • Monitors the disclosures of private information
    at least quarterly

29
STVHCS Privacy Office Contacts
  • Vickie Macdonald, RHIT
  • (210) 617-5661
  • Vickie.Macdonald_at_va.gov
  • Mary Wohl
  • (210) 617-5300 ext 15602
  • Mary.Wohl_at_va.gov

30
Storage of VA Research Data

31
Storage of VA-Sensitive Paper Research Data
  • Lower risk of loss or compromise
  • Physical security controls
  • Within the VA system
  • Locked room, locked cabinet
  • Access limited to research staff
  • At the UTHSCSA
  • Physical security arrangements must be inspected
    and approved by ACOS/Research and ISO

32
Storage of VA-Sensitive Electronic Research Data
  • Risk of loss or compromise is high
  • Must be stored within the VA system (e.g. behind
    the VA firewall)
  • VA research server recommended
  • Accessed directly through the VA network from a
    VA computer or
  • Through VPN from a non-VA computer
  • Encrypted VA computer in VA office
  • Rare instances
  • Explain requirement for storage outside the
    server

33
VA Research Server
  • For instructions on how to set up an investigator
    folder on the VA Research server and/or
  • To obtain VPN access
  • Contact R&D office
  • Angela Casas (210) 617-5300 x15523
  • Angela.Casas_at_va.gov
  • Contact Information Security Officer (ISO)
  • Gerald Steward (210) 617-5300 x14734
  • Gerald.Steward_at_va.gov

34
Transfer / Transmission of Research Data

35
Sharing Research Data Often Appropriate and
Necessary
  • With collaborators
  • With those who have specialized expertise
  • With data coordinating centers for Multi-site
    studies
  • With outside sponsors of research

36
Transfer or Transmission of Research Data Outside
the VA
  • Transfer to entity other than the sponsor or its
    designated data center
  • Requires prior written approval from
  • ACOS/Research
  • Privacy Officer
  • Information Security Officer
  • Applies to any VA-sensitive research data
  • Including limited data-sets
  • Transfer of data should be described in the
    protocol and consent / HIPAA authorization
  • Transfer or transmission requires an accounting
    of disclosure

37
Forms For Authorization of Transfer
  • Data Use Agreement
  • Data Transfer Agreement for within VHA
  • Data Transfer Agreement for outside VHA
  • Removable Storage Media Agreement
  • For assistance obtaining the appropriate forms
  • Contact R&D office
  • Angela Casas (210) 617-5300 x15523
  • Angela.Casas_at_va.gov
  • Forms will be available on STVHCS Research
    website in future

38
Loss or Compromise of VA-Sensitive Research Data
  • Must be reported promptly to
  • Supervisor
  • ACOS/Research
  • Information Security Officer (ISO)
  • Privacy Officer
  • IRB
  • Reported as an Unanticipated Problem Involving
    Risk to Subjects or Others (UPIRSO)

39
Loss of a Device Used to Transport, Access or
Store VA-Sensitive Information
  • Must be reported promptly to
  • Supervisor
  • ISO
  • If within a VA facility to the VA police
  • If traveling or at another institution report to
    the security/police officers of the institution
    and obtain
  • Case number
  • Name and badge number of the investigation
    officer
  • Copy of the case report, if possible

40
Data Security and Research The Stakes are High
  • VA must assure information security and privacy
    protects research subjects and facilitates
    current and future research
  • May also protect the researcher
  • Negative publicity impacts the local research
    program and investigators, VA research in
    general, and VHA health care