Title: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC
1VA Research Data Security and Privacypresented
by Ellen GrafRCO, Cincinnati VAMC
2What is VA Research and Sensitive VA Research
Data?
- VA research is any research that has been
approved (or requires approval) by a VA Research
and Development (RD) Committee. Generally this
includes any research conducted with VA
resources, including funds, staff time,
equipment, or space. - VA research data consist of information that has
been collected for, used in or derived from the
conduct of VA research. - VA sensitive information is defined in VA
Directive 6504 as all Department data, on any
storage media or in any form or format, which
requires protection due to the risk of harm that
could result from inadvertent or deliberate
disclosure, alteration, or destruction of the
information. - This term includes information whose improper use
or disclosure could adversely affect the ability
of an agency to accomplish its mission,
proprietary information, or records about
individuals requiring protection under various
confidentiality provisions such as the Privacy
Act or the Health Insurance Portability and
Accountability Act (HIPAA) Privacy Rule. It also
includes information that can be withheld under
the Freedom of Information Act (FOIA).
3VA Protected Information (VAPI) is VA sensitive
information, Privacy Act Information, Protected
Health Information (PHI), or other VA information
that has not been deliberately classified as
public information for public distribution. Sensi
tive VA research data consist of information that
has been collected for, used in or derived from
the conduct of VA research that fits the
definition of VA sensitive information. Always
err on the side of caution. Unless you are
certain that specific research data are NOT
sensitive, you should treat them as if they
ARE. Note Although results of sensitive VA
research are considered sensitive data, once
they have been summarized and submitted for
publication or published in compliance with all
applicable requirements, the summarized data are
not considered sensitive.
4As a member of the Research Community it is quite
simply our DUTY to protect the sensitive
research data of the Veterans who have served and
protected our country and who now volunteer as
Research Subjects!
5WHY ARE WE AT RISK?
- Approximately one in 10 laptop computers is
stolen (Gartner Group, 2001) - Hospitals and universities are particularly
common targets for theft of laptops and other
portable media , thus... - We need to be vigilant in the storage, use,
security and confidentiality of data and for the
privacy of the research subjects
6(No Transcript)
7(No Transcript)
8The loss of data
- Violates veterans and employees privacy.
- Exposes them to the possibility of identity
theft. - Possibly resulting in risk to their financial
security, employability, insurability and
reputation. - Instills a lack of trust in the VA system.
9Consider this when dealing with Sensitive Data
- Lead by example!
- Treat all research data as sensitive unless you
are absolutely sure they are not! - Foster camaraderie in this quest!
- Utilize technical safeguards, physical safeguards
and good work practices!
10VHA Handbook 1605.1
- Utilizing VHA Handbook 1605.1 will lead to
compliance with the privacy requirements set
forth in all six Federal privacy
confidentiality statures and regulations
regarding the - COLLECTION
- USING
- SHARNG
- or DISCLOSING of individually identifiable
information
11Data Collection Use
- Collect the minimum information needed to conduct
the research. - Use data as outlined by the protocol and signed
authorization. - Never re-use or share data without the
appropriate approvals
12Sharing or Disclosing Information
- Disclosure of individually identifiable
information from official VHA records is
acceptable only when - The VHA has first obtained the signed, written
(HIPAA) authorization of the individual, or - Waiver of HIPAA authorization is approved by the
Privacy Board.
13HIPAA Authorization must contain the following
information
- Expiration date, event or condition
- Individual to whom the requested info pertains
- Description of the information requested
- Statement regarding revocation
- Statement that VA treatment benefits are not
effected by the authorization - The signature of the individual whose info will
be used or disclosed. - Date of the signature
14Waiver of HIPAA Authorization
- Must be approved by the facility IRB or Privacy
Board. - Approval is based on 3 criteria
- The use or disclosure must involve no more that
minimal risk to the individual - The research cannot practicably be conducted
without the waiver - The research cannot be performed without access
to, and use of, the protected health information
15Data Use Agreements(DUA)
- A written DUA may be obtained when data will be
disclosed outside of the VHA for non-VA research. - The DUA must include the following
- What and how data may be used
- How data will be stored secured
- Who may access data by what legal authority
- Disposition of data after the termination of
research - Actions required if data are lost or stolen
16Certificates of Confidentiality
- Under Federal law, researchers must obtain
- an advance grant of confidentiality from the
- NIH, known as a Certificate of
- Confidentiality, to protect data pertaining to
- sensitive issues such as illegal behavior,
- alcohol or drug use, or sexual practices or
- preferences.
17What About De-identified Data?
- Is your data truly de-identified, thus containing
none of the 18 types of identifiers as outlined
by VHA Handbook 1605.1, Appendix B? - Does your data involve the removal of all
information that would identify the individual or
would be used to readily ascertain the identity
of the individual?
18Can you actually recite the 18 types of
identifiers that MUST be removed to assure that
the data is DE-IDENTIFIED ?
19Names or initials All geographic subdivisions
smaller than a state All elements of dates except
the year and all ages over 89 Telephone
numbers Fax numbers E-mail addresses Social
Security Numbers (or scrambled Social Security
Numbers) Medical record numbers Health plan
beneficiary numbers Account numbers Certificate
or license numbers Vehicle identifiers and
license plate numbers Device identifiers and
serial numbers URLs IP addresses Biometric
identifiers, including finger and voice
prints Full-face photographs and any comparable
images Any other unique identifying number,
characteristic or code, unless otherwise
permitted by the Privacy Rule for
re-identification HIPAA identifiers also pertain
to the persons employer, relatives, and
household members.
20Limited Data Sets
- Exclude certain direct identifiers that apply to
- The individual
- The individuals relatives
- The individuals employers
- The individuals household members
- They may contain
- City, state, ZIP
- Elements of a date and other numbers
- Characteristics or codes not used as direct
identifiers - Identifiable information, such as scrambled SSs.
21Coded Data
- Coding consists of labeling info with a code that
- Does not include any patient identifiers
- Is not derived from or related to the 18 HIPAA
identifiers - Cannot be translated so as to identify the
individual - If data are coded, the key to linking the code
with these identifiers - must be stored within the VA, but it should not
be stored with the - coded data.
22Lets Just Be Sensible!
- Log off from your computer when you are not
physically using it. - Do not leave printed private data on the printer.
- Pick up your Fax's in a timely fashion.
- Use only approved hardware, software, solutions
and connections. - Control access to data.
- Avoid using automatic password-saving features.
- Do not talk about private information in a public
place.
23Steps We Have Taken to Assure Compliance with
Regulations
- Additional Medical Center Memorandums to include
- Loaning of Research IT Equipment
- Research Management of Laptops
- Security of PHI/sensitive info held by
Researchers
24Additional Steps
- Addition of the Privacy Officer to the RD
Committee. - Questions regarding data security and privacy
asked at the pre-consenting interview held with
the PI and coordinator. - More stringent exiting procedures.
- Annual PI Certification and Data Security
Checklist. - Annual certification of compliance by MCD.
25What we are currently working on
- PKI compliance.
- Quarterly walk-thru inspections of work areas
within Research. - Reviewing and updating SOPs (as needed) to
include appropriate language regarding data
security and privacy. - Creating a database that provides information
regarding data security and privacy by protocol. - Adding the Privacy Officer and the Information
Security Officer to our semi-annual all research
staff meetings.
26Final Words of Wisdom
- Err on the side of caution!
- Keep regulations at hand, it is extremely
difficult to remember everything! - Work closely with your Privacy Officer the
Information Security Officer! - Ask for assistance from VACO!
- Steadily work to improve and modify as necessary
in a timely fashion! - Be positive and optimisticnothing hinders the
process more than pessimism! - Keep your Medical Center Director up to date with
any new information or process. - Be an example!
27IT IS A PRIVLEDGE TO NOW SERVE THEM!