Title: Welcome You are participating in the VA Research Training webinar.
1.
- Welcome! You are participating in the VA Research Training webinar.
- As a reminder, please dial into the audio portion of this call at 1-800-767-1750, access code 84656.
- For the best view of the Live Meeting presentation, please use the F5 key to toggle between the full-screen view and the console view.
- If the Live Meeting image does not take up the whole screen, please check the computer's screen resolution by clicking on the Start button, choose Control Panel, and then choose Display. Click Settings. Please make sure the resolution is set at 1024 by 768 pixels.
2. VA Research Data Security and Privacy
- Veterans Health Administration
- Office of Research and Development
3. Module 1: Sensitive VA Research Information
4. What is VA Research and Sensitive VA Research Data?
- VA research is any research that has been approved (or requires approval) by a VA Research and Development (R&D) Committee. Generally this includes any research conducted with VA resources, including funds, staff time, equipment, or space.
- VA research data consist of information that has been collected for, used in or derived from the conduct of VA research.
- VA sensitive information is defined in VA Directive 6504 as all Department data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information.
- This term includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, or records about individuals requiring protection under various confidentiality provisions such as the Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It also includes information that can be withheld under the Freedom of Information Act (FOIA).
5.
- VA Protected Information (VAPI) is VA sensitive information, Privacy Act Information, Protected Health Information (PHI), or other VA information that has not been deliberately classified as public information for public distribution.
- Sensitive VA research data consist of information that has been collected for, used in or derived from the conduct of VA research that fits the definition of VA sensitive information.
- Always err on the side of caution. Unless you are certain that specific research data are NOT sensitive, you should treat them as if they ARE.
- Note: Although results of sensitive VA research are considered sensitive data, once they have been summarized and submitted for publication or published in compliance with all applicable requirements, the summarized data are not considered sensitive.
6. Why Is It Important To Protect VA Research Data?
- The VA is committed to protecting information about our veterans and employees. When individuals who have served our country volunteer to participate in VA research, they entrust us to keep their personal and health information safe.
- Inadvertent loss of private information, including real or scrambled Social Security Numbers (SSNs), violates veterans' and employees' privacy and exposes them to the possibility of identity theft with its attendant economic, legal and social consequences. These can include substantial risks to their financial security, employability, insurability or reputation, and can have other serious implications.
7.
- Approximately one in 10 laptop computers is stolen (Gartner Group, 2002). Hospitals and universities are particularly common targets for theft of laptops and other portable media because thieves know these facilities have so much computer equipment.
- Several recent sentinel events in the VA, as well as in the academic and private sectors, have demonstrated that, to honor the sacred trust our veterans and employees have in us, we must be vigilant and take strict precautions to keep their research data secure and confidential.
8. How Can You Protect VA Research Data?
- We all need to remember it is a privilege to be involved in VA research. This privilege, however, comes with many responsibilities. One of the most important is to ensure that all sensitive VA research information is secure and confidential and that the privacy of our VA research subjects is protected.
- Since VA research data are owned by the VA, everyone involved in VA research must meet all Federal requirements for the storage, use, security and confidentiality of the data and for the privacy of the research subjects.
9.
- The purpose of this training is to heighten your awareness of the requirements and remind you of common sense precautions you can take. Some general measures include:
  - Treating all VA research data as if they are sensitive unless you are absolutely certain they are not sensitive
  - Fostering teamwork and a supportive culture where everyone helps each other remember to implement strict security controls and privacy standards
  - Remembering that, to keep sensitive VA research data secure and confidential, it takes all three legs of the three-legged stool:
    - Technical safeguards
    - Physical safeguards
    - Good work practices
- Your efforts will not only help protect veterans' rights and welfare, but also the future of VA research.
10. Module 2: Privacy of Subjects and Confidentiality of VA Research Data
11. Privacy Statutes
- Every VHA employee must comply with all applicable Federal privacy and confidentiality statutes and regulations when collecting, using, sharing or disclosing individually identifiable information, which includes sensitive VA research data.
- The applicable Federal statutes and regulations are:
  - The Freedom of Information Act (FOIA), 5 U.S.C. 552
  - The Privacy Act (PA) of 1974, 5 U.S.C. 552a
  - The VA Claims Confidentiality Statute, 38 U.S.C. 5701
  - Confidentiality of Drug Abuse, Alcoholism and Alcohol Abuse, Infection With the Human Immunodeficiency Virus (HIV) and Sickle Cell Anemia Medical Records, 38 U.S.C. 7332
  - The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 45 Code of Federal Regulations Parts 160 and 164
  - Confidentiality of Healthcare Quality Assurance Review Records, 38 U.S.C. 5705
12.
- Fortunately, you do not have to read and learn the content of these six statutes and regulations to be able to comply with the privacy requirements they set forth. VHA Handbook 1605.1, Privacy and Release of Information, establishes guidance on privacy practice and provides VHA policy for the use and disclosure of individually identifiable information, and for individuals' rights in regard to VHA data.
- By following privacy policies in VHA Handbook 1605.1, you are simultaneously applying all six statutes and regulations so that the result will be the application of the most stringent provisions for all uses and/or disclosures of sensitive VA research data.
13. Authorization for Disclosure of Information
- VHA employees may disclose individually identifiable information from official VHA records only when:
  - The VHA has first obtained the prior signed, written authorization of the individual, or
  - Other legal authority in the above statutes and regulations permits the disclosure without written authorization (see your Privacy Officer for advice on specific cases)
14.
- When a written authorization from the individual is required, the request and authorization must contain the following information:
  - An expiration date, event or condition
  - The individual to whom the requested information pertains
  - The permitted recipient(s) or user(s) of the information
  - A description of the information requested
  - A statement regarding revocation
  - A statement that VA treatment and benefits are not conditioned on the signing of the authorization
  - The signature of the individual whose information will be used or disclosed
  - The date of signature of the individual whose information will be used or disclosed
15.
- Investigators and others involved in research should:
  - Limit their request to the minimum information needed to conduct the research
  - Always use data in a manner that is consistent with the protocol and the signed authorization
  - Never re-use or share data without the appropriate approvals
16. Waiver of HIPAA-Compliant Authorization
- A waiver of HIPAA-Compliant authorization may be approved by the Institutional Review Board (IRB) or Privacy Board at your facility. There are three criteria required for approving a waiver:
  - The use or disclosure must involve no more than minimal risk to the individuals
  - The research cannot practicably be conducted without the waiver
  - The research cannot be conducted without access to, and use of, the protected health information
17. Data Use Agreements
- A Data Use Agreement (DUA) may be obtained when data will be disclosed outside of VHA for non-VA research (VHA Handbook 1605.1, Privacy and Release of Information, Appendix E).
- A data use agreement is a written contract that defines the following:
  - What data may be used
  - How data may be used
  - How data will be stored and secured
  - Who may access data
  - Legal authority under privacy for access to data
  - Disposition of data after the research has been terminated
  - Actions required if data are lost or stolen
18. Certificates of Confidentiality
- Under Federal law, researchers must obtain an advance grant of confidentiality from the National Institutes of Health, known as a Certificate of Confidentiality, to protect data pertaining to sensitive issues such as illegal behavior, alcohol or drug use, or sexual practices or preferences.
- This document will provide protection against compulsory disclosure of research data (e.g., for a subpoena).
19. De-Identification of Data
- De-identified data is health information that does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual.
- VHA would consider health information no longer protected health information (PHI) if it has been appropriately de-identified in accordance with the HIPAA Privacy Rule as outlined in VHA Handbook 1605.1, Appendix B.
20.
- For protected health information to be de-identified, all of the following 18 types of identifiers must be removed:
  - Names or initials
  - All geographic subdivisions smaller than a state
  - All elements of dates except the year and all ages over 89
  - Telephone numbers
  - Fax numbers
  - E-mail addresses
  - Social Security Numbers (or scrambled Social Security Numbers)
  - Medical record numbers
  - Health plan beneficiary numbers
  - Account numbers
  - Certificate or license numbers
  - Vehicle identifiers and license plate numbers
  - Device identifiers and serial numbers
  - URLs
  - IP addresses
  - Biometric identifiers, including finger and voice prints
  - Full-face photographs and any comparable images
21.
- HIPAA identifiers also pertain to the person's employer, relatives, and household members. Along with removing the 18 identifiers, HIPAA also states that for the information to be considered de-identified, the entity does not have actual knowledge that the remaining information could be used alone or in combination with other information to identify an individual who is the subject of the information.
- According to the Common Rule, de-identification involves removal of all information that would identify the individual or would be used to readily ascertain the identity of the individual.
- Note: For VA research purposes, VA research data are considered to be de-identified only if they meet the de-identification criteria of BOTH HIPAA (i.e., removal of all 18 identifiers) AND the Common Rule.
22. Limited Data Sets
- The use of limited data sets does not require HIPAA-Compliant authorization or a waiver of HIPAA-Compliant authorization, but does require a data use agreement (DUA). Their use is only allowed for research, public health, or health care operations. Your Institutional Review Board (IRB) or Privacy Officer (PO) can help you determine if use of a limited data set is appropriate for your research project.
23.
- Limited data sets have the following characteristics:
  - They exclude certain direct identifiers that apply to:
    - The individual
    - The individual's relatives
    - The individual's employers
    - The individual's household members
  - They may contain:
    - City, state, ZIP code
    - Elements of a date and other numbers
    - Characteristics or codes not listed as direct identifiers
    - Identifiable information, such as scrambled Social Security Numbers (SSNs)
- Note: The use of limited data sets may constitute human subjects research and, therefore, it may require IRB approval.
24. Coded Data
- Coding consists of labeling information with a code that:
  - Does not include any patient identifiers (see HIPAA identifiers noted previously)
  - Is not derived from or related to the 18 HIPAA identifiers
  - Cannot be translated so as to identify the individual. Thus, initials, Social Security Numbers (SSNs) and so on may not be used as codes, even in partial or scrambled form.
- Codes provide a link by which identities can be accessed through a key held separate from the research and the researchers. For example, the code might be a barcode or a combination of random numbers and letters.
- If sensitive VA research data are coded, the key to linking the code with these identifiers must be stored within the VA, but it should not be stored with the coded data.
- Note: If the investigator has access to the code, the coded information is not considered de-identified.
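
The coding rules on this slide, sketched as an added example that is not part of the VA training material: each subject receives a random code that is not computed from any identifier, identifier fields are dropped from the coded records, and the linking key is returned separately so it can be stored apart from the coded data. The field names and sample records are constructed for illustration, and the output is coded data, not de-identified data.

```python
import secrets
import string

# Hypothetical column names for direct identifiers (constructed for this example).
IDENTIFIER_FIELDS = {"name", "initials", "ssn", "mrn", "phone", "email",
                     "street", "city", "zip", "ip_address"}
ALPHABET = string.ascii_uppercase + string.digits


def _normalize(value):
    """Upper-case and keep only letters and digits: '000-00-1234' -> '000001234'."""
    return "".join(ch for ch in str(value).upper() if ch.isalnum())


def embeds_identifier(code, record, window=4):
    """Heuristic check that a code carries no fragment of a subject's identifiers.

    Flags any `window`-character run of an identifier value inside the code,
    which catches partial SSNs and similar. It cannot detect hashed or otherwise
    transformed identifiers; generating codes randomly is the real safeguard.
    """
    norm_code = _normalize(code)
    for field in IDENTIFIER_FIELDS & record.keys():
        value = _normalize(record[field])
        if len(value) < window:
            # Short values such as initials: flag a code that starts with them.
            if value and norm_code.startswith(value):
                return True
            continue
        for i in range(len(value) - window + 1):
            if value[i:i + window] in norm_code:
                return True
    return False


def new_study_code(record, used, length=10):
    """Draw a random code from the OS CSPRNG; retry on collision or chance overlap."""
    while True:
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if code not in used and not embeds_identifier(code, record):
            return code


def strip_record(record):
    """Drop identifier fields, keep only the year of dates, drop ages over 89."""
    out = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            continue
        if field.endswith("_date"):
            # ISO dates (YYYY-MM-DD) are assumed; only the year survives.
            out[field[:-len("_date")] + "_year"] = int(str(value)[:4])
        elif field == "age" and value > 89:
            continue
        else:
            out[field] = value
    return out


def code_dataset(records):
    """Return (coded_records, key).

    The key maps code -> identifiers. It must be stored within the VA and
    apart from the coded records; whoever holds both can re-identify subjects.
    """
    coded, key = [], {}
    for record in records:
        code = new_study_code(record, key)
        key[code] = {f: record[f] for f in IDENTIFIER_FIELDS & record.keys()}
        coded.append({"study_code": code, **strip_record(record)})
    return coded, key


# Constructed sample records; none of these values are real.
SAMPLE = [
    {"name": "Jane Doe", "initials": "JD", "ssn": "000-00-1234", "zip": "00000",
     "state": "TX", "age": 54, "admit_date": "2006-03-14", "hba1c": 7.9},
    {"name": "John Roe", "initials": "JR", "ssn": "000-00-5678", "zip": "00000",
     "state": "OH", "age": 92, "admit_date": "2005-11-02", "hba1c": 6.4},
]

if __name__ == "__main__":
    coded_rows, link_key = code_dataset(SAMPLE)
    for row in coded_rows:
        print(row)
```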
25. Common Sense Ways to Protect Subjects' Privacy and the Confidentiality of Their Information
- When research subjects (or potential subjects) provide information about themselves, they do so with an assumption of trust. Your common sense will help you come up with many ways to help protect their privacy and the confidentiality of their information.
- For instance:
  - Do not walk away from a computer without logging off
  - Do not print private data and leave it on the printer
  - Access information systems only through approved hardware, software, solutions and connections
  - Take appropriate steps to protect information, network access, passwords and information (not just electronic versions, but also hard copies, audio- and videotapes)
  - Control access to patient files or data that you have saved on a disk or, better yet, do not use a disk, but back up your data on a VA server, instead (see Module 4)
  - Do not access information you don't really need
  - Avoid using automatic password-saving features
  - Do not talk about a subject's information in a public place
26. Module 3: VA Research Projects
27. Preparatory to Research
- Data use preparatory to research does not require a written authorization or a waiver of HIPAA-Compliant authorization. Within VHA, preparatory to research refers to activities that are necessary for the development of a specific protocol. Protected health information (PHI) from data repositories or medical records may be reviewed during this process, but only aggregate data may be recorded and used in the protocol.
- Preparatory to research does not involve the identification of potential subjects or the recording of data for the purpose of recruiting these subjects or to link to other data.
- For example, accessing VA medical records to count how many patients had a specific complication of diabetes prior to developing a retrospective study of these patients is an activity preparatory to research, but recording their names and contact information is not.
28.
- The preparatory to research activity ends once the protocol has been approved by the IRB and the R&D Committee.
- The PI must document in his/her preparatory to research files that:
  - Access was limited to protocol preparation
  - No protected health information (PHI) was removed
  - Access was necessary to prepare for the research
- Note: VHA protected health information may never be disclosed for non-VA preparatory to research activities.
29. Pilot Studies
- Pilot studies are early studies designed to test an idea or treatment. The information gathered in pilot studies usually is used to help design a larger study. Pilot projects must be reviewed and approved by the IRB and R&D Committee and must meet all applicable research requirements.
- Even if they are performed in preparation for a research grant application, pilot studies are not considered to be preparatory to research, but full-fledged research projects.
30. Research Protocol
- During the early stages of planning a research project, an investigator should think about how sensitive research data will be stored and accessed, as well as how to protect subjects' privacy. When the principal investigator (PI) submits a research study that involves the collection, use and/or storage of sensitive information (e.g., subject identifiers or protected health information (PHI)) to an IRB and an R&D Committee, his/her submission for approval must contain specific information on:
  - All sites where the data will be used or stored
  - Specifically who will have access to the data
  - How the data will be transmitted or transported
  - How the data will be secured
  - If copies of the data will be placed on laptops or portable media, a discussion of the security measures
  - If the data will be re-used for subsequent or future research protocols, provisions for future use in the informed consent form, and HIPAA-Compliant authorization
  - If relevant, provisions to ensure sponsor data storage guidelines are met and do not conflict with VA policies
31.
- Note: The principal investigator (PI) must certify that all VA sensitive information associated with each specific study is being used, stored and secured in accordance with applicable VA and VHA policies and guidance.
- The following forms must be stored with the research protocol files:
  - Data Security Checklist for Principal Investigators
  - Principal Investigator's Certification: Storage and Security of VA Research Information
32. IRB Approval
- Prior to accessing or collecting ANY data involving human subjects (other than preparatory to research as previously discussed), the PI must obtain written approval from the IRB. As part of its review, the IRB will determine:
  - If the protocol is exempt from IRB review. If it is not, then
  - If written informed consent can be waived or altered. If not, then
  - If the written consent form contains appropriate information and is consistent with the protocol
- The IRB or a Privacy Board also will determine if the criteria for granting a waiver of authorization are met. If they are, the IRB or Privacy Board will document its specific findings regarding the criteria and the approval of the waiver of authorization as required by HIPAA.
33.
- Exemption from IRB approval may be granted under the following conditions:
  - Research involves the use of educational tests (cognitive, diagnostic, aptitude, achievement), survey procedures, interview procedures, or the observation of public behavior unless:
    - The information is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects, and
    - Any disclosure of the subjects' responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation
  - Research involves the analysis of existing data or documents if these sources are publicly available, or if the information is recorded so that subjects cannot be identified, either directly or through identifiers linked to the subjects
- Note: The IRB must determine whether or not a protocol is exempt from IRB review. This determination cannot be made by the investigator.
- Note: Even if a protocol is exempt from IRB review it may still require the IRB to grant a waiver of HIPAA-Compliant authorization.
34.
- Waiver of written documentation of informed consent may be granted by the IRB if it finds either:
  - That the only record linking the subject and the research would be the informed consent document and the principal risk to the subject would be potential harm resulting from a breach of confidentiality, or
  - That the research presents no more than minimal risk of harm to subjects and involves no procedures for which written informed consent is normally required outside of the research context
- In these situations, consent must still be obtained, but the requirement for a signed consent document is waived. The IRB may require that a written statement about the research be given to the subject. If it does, the IRB should review and approve this statement.
35.
- Short form signed documentation of informed consent may be permitted by the IRB for some kinds of projects. The subject is given an oral presentation that includes all the elements of consent. The following are required when a short form signed consent document is used:
  - A witness to the oral presentation
  - IRB approval of the written summary of what is to be presented orally
  - Only the short form be signed by the subject or the legal representative of the subject
  - The witness to sign both the short form and the summary
  - The person actually obtaining consent to sign the summary
  - A copy of the summary and the short form to be given to the subject or the legal representative of the subject
36.
- Waiver of one, several, or all of the elements of informed consent may be approved by the IRB where it finds:
  - The research involves no more than minimal risk to the subjects
  - The waiver or alteration will not adversely affect the rights and welfare of the subjects
  - The research could not practicably be carried out without the waiver or alteration, and
  - Whenever appropriate, the subjects will be provided with additional pertinent information after participation
37. Approval from Other Entities
- In addition to approval from the IRB, the investigator must have written approval from the local VA Research and Development (R&D) Committee before starting a VA research project. Depending on the nature of the project, other approvals also may be required before it can be implemented. Some examples include approvals by:
  - Institutional Animal Care and Use Committees (IACUC) for research involving animals
  - The VA Office of Research and Development (ORD) for international research or research involving children or prisoners
  - The appropriate union for research involving union employees
  - The Office of Management and Budget (OMB) for survey research
  - A database manager when data are being accessed through a database
  - A Privacy Officer (PO) when privacy regulations apply (if the IRB does not serve this function)
  - VA Operations and Management (10N) when employees are to be surveyed
38. Re-Use of Data
- VA research data may be used only in accordance with the provisions in the approved protocol and informed consent. If an investigator wants to use VA research data for another purpose, he/she must submit a new proposal to the IRB, Research and Development (R&D) Committee and any other relevant entities. Data may not be re-used until the investigator has obtained all the appropriate approvals for their re-use.
39. Using Data from Deceased Individuals
- Whenever data are retained for any period of time some participants may die. The Common Rule does not cover deceased subjects, but HIPAA and other Federal privacy statutes do. Consent of next-of-kin or other legally authorized representatives may be required for release, use or disclosure of the data about deceased individuals.
40. Data Repositories and Procedures
- A data repository must be created if data are to be retained, re-used or shared for future studies. Creation of a data repository requires development of policies and procedures that must be approved by the Institutional Review Board (IRB) and Research and Development (R&D) Committee at the institution where the repository resides. Your facility's Privacy Officer can assist in ensuring you do not have any Privacy Act system of records issues.
- For VA research data, the data repository must be located at a VA facility on a VA server, unless all appropriate permissions are obtained to house it elsewhere (see Module 5).
- To access data from a repository, an investigator must have a specific protocol that has been approved by his/her local IRB and R&D Committee. The protocol must contain the specific data elements requested, including sufficient justification for any request for identifiable information.
- The repository and the investigator must sign a Data Transfer Agreement (DTA) that details the authorized uses of the data and stipulates that the data may not be re-disclosed.
41. Module 4: Storage and Security of VA Research Data
42. Requirements
- Everyone involved in VA research must be in compliance with all applicable Federal laws, regulations, policies and guidance related to privacy of research subjects, and confidentiality, storage and security of research data.
- Specific requirements are found in VA Directive 6504, Restrictions, Transportation and Use of, and Access to, VA Data Outside of VA Facilities; VA IT Directive 06-02, Safeguarding Confidential and Privacy Act-Protected Data at Alternative Work Locations; VA IT Directive 06-06, Safeguarding Removable Media; and VA Memorandum, February 6, 2007, Certification by Principal Investigators: Security Requirements for VA Research Information.
- Note: Your Information Security Officer (ISO) can help you understand, and advise you on how to implement, these requirements.
- To keep sensitive VA research data secure and confidential, investigators and everyone else involved in research must pay strict attention to all three legs of the three-legged stool:
  - Technical safeguards
  - Physical safeguards
  - Good work practices
43. Restricted Access
- Access to sensitive VA research data should be restricted to those:
  - Individuals named in the research protocol, on the research informed consent and the HIPAA-Compliant authorization form
  - Individuals who are responsible for oversight of the research program
  - VA investigators who require access preparatory to research if their activity meets the requirements for preparatory to research set forth in VHA policy
44. Technical Safeguards
- The appropriate use of technical safeguards is extremely important to protect against unauthorized access, disclosure or loss of VA research data.
45. Password Protection
- Passwords are important tools for protecting VA information systems. They ensure that VA researchers have access to the information they need. Here are some important password-related requirements for VA employees:
  - Passwords must meet VA password requirements
  - Blank and default user names and passwords cannot be used
  - User credentials, including passwords, must be protected appropriately because they are considered VA sensitive information
  - Passwords should never be shared with anyone else
  - Passwords must be stored in a safe and secure place that no one else knows about
  - Password-protected screensavers must be configured to activate after 15 minutes of inactivity
  - The save password feature cannot be used on VA equipment or programs that provide access to the operating system or VA network services
  - Passwords or other authentication information cannot be stored on remote systems unless those systems have been encrypted according to VA requirements
46. Protection from Viruses and Other Malicious Codes
- It is important to protect VA research data from computer viruses and other malicious codes. Here are some key points to remember:
  - Always use VA-approved antivirus software on all VA-owned AND non-VA computers that contain sensitive VA research data
  - Local ISOs will provide the software for VA-owned equipment
  - Immediately stop using any computer or software you suspect is infected
  - Immediately isolate the computer from any VA network connections
  - Do not reboot the system since many viruses are triggered to propagate upon system reboot
  - If it appears that a negative activity is occurring, the system must be shut off and left off until a clean Antivirus boot media is used to clean the system
  - Employees not authorized to attempt recovery and restoration must not remove the suspected software themselves, but must contact a qualified IT Specialist
  - Only VA-approved software and tools may be used to attempt recovery from infection with a virus or other malicious code
  - If a non-VA technician is called to work on non-VA owned equipment, use caution to protect the VA information, including any information that facilitates access to VA private networks
47. Encryption
- Additional security controls, such as encryption, are required to guard sensitive research data stored on computers used outside VA facilities or when transmitting sensitive data via remote access. You must use encryption for the following:
  - When you use either VA-owned or non-VA equipment in a mobile environment outside the VA (e.g., a laptop)
  - When you use a personal computer (PC) at an alternative work site
  - When you access a VA network from a remote location
- Note: All encryption modules used to protect sensitive VA research data must meet National Institute of Standards and Technology (NIST) standards and be Federal Information Processing Standards (FIPS) 140-2 certified.
48. Physical Safeguards
- Physical security measures are just as important as technical safeguards for protecting VA research data. The following rules for physical security of data apply to all VA employees, and they apply whether the data are stored on VA-owned or non-VA equipment, inside or outside of VA facilities:
  - Do not take equipment, information, or software containing sensitive VA research data to non-VA sites without the express authorization of your supervisor, Associate Chief of Staff for Research and Development (ACOS/R&D), Privacy Officer (PO) AND your Information Security Officer (ISO)
  - See that equipment is housed and protected to reduce the risks from environmental threats and hazards, and protected against opportunities for unauthorized access, use, loss, removal or theft
  - Secure portable computers that have sensitive VA research data on their storage devices or have software that provides access to VA networks under lock and key when you or another responsible employee is not in the immediate vicinity
49.
- Note: Thumb drives are of particular concern since they are small, can store considerable data and are easy to misplace or lose.
- Use physical locks to secure portable computers to immovable objects when you must leave computers in areas where individuals other than authorized employees have access
- When in an uncontrolled environment, follow clear desk practices for media to reduce the risk of unauthorized access to, loss of, and/or damage to the sensitive research information
- Note: This means that you cannot leave storage media or hard copies containing sensitive VA research data unsecured.
50.
- Guard against disclosing VA research data to unauthorized personnel through eavesdropping, overhearing, or unauthorized personnel actually seeing the data on a computer screen
- When traveling, keep portable computers and storage devices with you at all times and do not check them as baggage
- Protect data and system backups with the same or equally effective physical security as you provide the source computer, its media and the information contained on them
- Store backups where they are physically secure yet accessible within a reasonable time frame
- Note: Do not store original sensitive VA research data on laptops or portable media.
- Note: If you store data on a VA server, you do not need to back them up to portable media since VA servers are routinely backed up.
51. File Sharing
- Note: You must not create a shared file or a drive containing sensitive VA research data on a device that you use for remote computing. You can share files of sensitive VA research data only through authorized VA servers.
52. Data Retention and Destruction
- You must retain VA research data in accordance with VA, VHA, local and IRB policies, protocol sponsor guidelines, or Privacy Act system of records notice, whichever is most restrictive. During the period that data are retained after a protocol closes, you must provide the same security and privacy measures as when the protocol was active, including all physical and technical safeguards.
- Note: VHA research data belong to the VA. If an investigator leaves a facility or the VA system, all data must be kept and stored within the VA so as to be easily accessible to facility officials. Investigators cannot take copies with them.
- Once the required retention period has lapsed, the data may be destroyed using a method that will render them unreadable, undecipherable and irretrievable.
- Note: This pertains to both VA and non-VA owned computer equipment and storage devices.
- Investigators should consult their local ISOs for local policies and procedures for media destruction and for computer and portable device sanitation.
- Note: Pushing the delete button is not sufficient to permanently delete data.
53- Just as for electronic media, you are responsible
for ensuring that hard-copy documents or physical
media, such as audio and videotapes, that contain
sensitive VA research data are protected from
improper disclosure, including inadvertent
disclosure. When you no longer need them, you
must also destroy hard copies and other physical
media by a method rendering them unreadable,
undecipherable and irretrievable.
- If you have any questions about the best method
of disposal, consult your local ISO or Privacy
Officer.
54Backups
- You must back up essential data and software at
regular intervals and treat backups and archives
according to their VA security classification.
- You also must securely store any backups
containing sensitive VA research data. You may
back up data on a separate storage medium such as
a network drive, CD, or DVD.
- Note: As mentioned above, a VA server is the best
place to create a backup because VA information
technology (IT) staff ensure the safety of the
network and that it is routinely backed up.
55Loss or Theft
- The loss or theft of sensitive VA research data
or portable media such as laptops is covered in
VA Directive 6504. In addition, local VA
facilities should have their own local policies
and procedures. Your research office will help
you locate those documents.
- At a minimum, the following should occur as soon
as it is discovered that there has been a loss:
- Report the loss or theft to security/police
officers immediately
- If you are in a VA facility, notify the VA police
- If you are on travel or at another institution,
notify the security/police officers at the
institution such as hotel security, university
security, etc. as well as the police in the
jurisdiction where the event occurred
- Obtain the case number and the name and badge
number of the investigating officer(s). If
possible, obtain a copy of the case report
- Immediately call or email the following regarding
the incident:
- Your supervisor
- Your local Information Security Officer (ISO)
- Your VA facility's Privacy Officer (PO)
- Your VA facility's Security Officer
- Your facility's procedure may include notifying
others such as the Chief of Staff or the Medical
Center Director. You must determine the name of
your facility's PO and ISO so that you will have
their names and contact information available.
- The ISO will promptly determine whether the
incident warrants further reporting and actions.
56Best Practices to Help Ensure the Security and
Confidentiality of Stored VA Research Data and
the Privacy of Research Subjects
- While the following measures are not included in
official requirements, these common-sense steps
can help ensure the security and confidentiality
of sensitive VA research data, and the privacy of
VA research subjects:
- Whenever possible, you should store VA research
data on network drives with restricted access,
not on your desktop computer
- Keep data in one file location for ease in making
backups (or, better yet, simply back up all your
VA research data in one location on a VA server)
- Label backup media with the file names and
include the date the backup was created
- Set your backup schedules to match the importance
of the data (e.g., data containing protected
health information or irreplaceable data should
be backed up more often)
- Storage media wear out, especially magnetic
media, so change storage media as they age and as
better storage technology becomes available
57Module 5 Safeguarding VA Research Data Outside
the VA
58Approvals
- According to VA Directive 6504, VA employees are
permitted to transport, transmit, access and use
VA data outside VA facilities only when such
activities have been specifically approved by the
employee's supervisor and where appropriate
security measures are taken to ensure that VA
information and services are not compromised.
- To store, transport, transmit, access and use
sensitive VA research data outside the VA, the
principal investigator (PI) must obtain
permission from ALL of the following:
- His/her supervisor
- The Associate Chief of Staff for Research and
Development (ACOS/RD)
- The Information Security Officer (ISO), and
- The Privacy Officer (PO) when appropriate
- Note: This includes storage on non-VA computer
systems or servers, desktop computers located
outside the VA, laptops or other portable media.
- Note: Research subjects' or veterans' names,
addresses and Social Security numbers (real or
scrambled) may be stored only within the VA and
on VA servers. If the data are coded, the key
linking the code with these identifiers must also
be stored within the VA, but not with the coded
data.
59Remote Access
- Laptops and handheld computers, such as personal
digital assistants (PDAs), owned by the VA are
called Government Furnished Equipment (VAGFE).
These electronic devices may be used to access
the VA Intranet remotely. Only VA-approved remote
access solutions may be used, and all remote
connections to VA networks must be through
VA-authorized configurations and access points.
- Requirements for remote access include the
following:
- You can only access, use or send sensitive VA
research information from a VA-owned laptop,
handheld computer or storage device
- You cannot share sensitive VA research data with
anyone else
- You must not share your username, password or
instructions on how to access the VA network with
anyone else
- You may not use non-VA owned equipment to access
the VA Intranet remotely or to process sensitive
VA research data except when approved as above
- Note: Only VA personnel may access VA-owned
equipment that is used to process sensitive VA
research information or access VA processing
services.
60- Access to the VA Intranet using non-VA owned
equipment will be provided via approved VA
Virtual Private Network (VPN) access protocols,
which will offer access to a limited set of VA
applications and services. Only remote access
users with VA government furnished equipment
(VAGFE), with all required security software
installed and updated, will be permitted to
connect to the VPN in such a way that grants full
VA access.
- If non-VA owned equipment is connected to a home
or small office network with other workstations,
all interconnected workstations must have virus
protection. The anti-virus software must contain
a real-time scanning feature, which must be
enabled. You must update your antivirus software
and check for viruses before using any diskette
or file of uncertain or unauthorized origin.
- In addition, if you use a computer to connect to
the Internet outside the regular work site,
whether VA government furnished equipment (VAGFE)
or non-VA equipment, you must ensure that the
computer is protected by a firewall. If you use
VA government furnished equipment (VAGFE), to be
granted access, you must use the current
Host-based Intrusion Prevention System (HIPS)
software, including all critical updates and
patches.
61- When accessing the VA Intranet remotely:
- You cannot configure VPN client software to
support split or dual tunneling, allowing a
connection to the VA while simultaneously
connected to another public network such as the
Internet
- You must terminate inactive sessions by logging
off when you are finished or when you leave your
workstation unattended
- You must not turn off the device or monitor
without first logging off
- You must see that your password-protected
screensaver is configured to activate after 15
minutes of inactivity
- You are not authorized to use VA remote access
services to engage in any activity that is
illegal or violates VA policies
62- Remote access accounts are as-needed accounts.
Therefore:
- You must report unused accounts so they can be
disabled and removed
- Supervisors must ensure that remote access
privileges are terminated as soon as they are no
longer needed, when the account owner transfers
out of the supervisor's office or leaves the VA,
or when an authorized official determines that
remote access privileges should be revoked
- If users have not logged into the VPN within 30
days, their account will be disabled
- Users must contact their local ISO to have their
accounts enabled
63Data Storage and Security Outside the VA
- In addition to the technical and physical
safeguards and the remote access requirements
covered previously, there are other requirements
for storing sensitive VA research data outside
the VA.
- Note: "Outside the VA" means storage or use on
any non-VA computer system, server, desktop
computer, laptop or any other portable storage
medium (e.g., CD, floppy disk, or thumb drive).
- Note: Sensitive VA research information may not
reside on non-VA systems or devices unless
specifically designated and approved in advance
and only where the non-VA systems or devices
conform to, or exceed, applicable VA
requirements.
64Non-VA System Requirements
- When sensitive VA research data are stored on
non-VA systems, the system must meet all
requirements set forth in Federal Information
Security Act (FISMA), including the required
certification and accreditation of the system. In
addition, all hardware/software encryption must
be FIPS 140-2 certified.
- Note: If the system is not FIPS 140-2 certified,
the data are considered unprotected.
- If FIPS 140-2 certification is going to be a
requirement for your protocol, you will need to
contact your local ISO for further information on
how to obtain verification of this requirement.
- Note: ISOs are not responsible for approving
removal of specific data from the VA, but they
are responsible for ensuring all VA security
requirements are followed.
- Note: All sensitive VA research data residing on
non-VA laptops and other portable media must be
encrypted and password protected in accordance
with VA-approved requirements with only
authorized individuals having access to the data.
65Module 6 Roles and Responsibilities for VA
Research Data Security and Confidentiality, and
for Privacy of VA Research Subjects
66The Importance of Teamwork
- As has been described in previous modules, every
VA facility that performs research must maintain
and implement policies and procedures to ensure
appropriate storage, security and confidentiality
of sensitive VA research data, and privacy of VA
research subjects.
- Although individuals and offices have their own
roles and responsibilities, teamwork among the
different disciplines is critical to ensuring
that policies and procedures are implemented
efficiently and effectively. It is important for
all stakeholders to become familiar with each
other's expertise and responsibilities, and work
closely to provide seamless protection for
sensitive VA research data.
67Local VA Institutional Responsibilities
- Medical Center Directors have ultimate
responsibility for ensuring the security and
confidentiality of sensitive VA research data in
their facilities. On an annual basis, the Medical
Center Directors must certify to their VISN
Directors that all principal investigators (PIs)
have met the certification requirements related
to storage and security of sensitive VA research
data.
- Research Offices and Research and Development
(RD) Committees must assure the security and
confidentiality of sensitive VA research data,
and the privacy of VA research subjects, by
verifying principal investigators' (PI)
certification checklists (see below). They also
have responsibility for ensuring that all
investigators and everyone else involved in
research are appropriately trained, credentialed
and have research privileges and/or scopes of
practice consistent with education, training and
expertise.
- The RD Committee is responsible for reviewing
and evaluating all its subcommittees' decisions,
including IRB approval or exemption, before
approving a research protocol.
68- Institutional Review Boards (IRBs) are
subcommittees of VA RD Committees. IRBs are
responsible for protecting the rights and welfare
of subjects. An IRB will not approve a protocol
unless its data management plan includes
certification from the investigator that the use,
storage and security of all research information
collected for, derived from, or used during the
conduct of the research is in compliance with all
relevant requirements.
- The kinds of questions you may need to discuss
with your IRB include:
- Is this project exempt from IRB review?
- Does this project require informed consent? If
so, is written informed consent needed?
- Does this project require a HIPAA-Compliant
authorization?
69Principal Investigator Responsibilities
- The principal investigator's (PI)
responsibilities include:
- Obtaining and documenting appropriate informed
consent from study subjects
- Obtaining written approval from the Institutional
Review Board (IRB), Research and Development
Committee (RD), and arranging for approvals from
any other applicable entity(s) (e.g., union,
Office of Management and Budget, etc.) before
starting the research project
- Submitting a plan for maintaining privacy of
research subjects and confidentiality of
sensitive VA research data that includes:
- Storage provisions
- Security measures
- Transportation or transmission methods
- Provisions for controlling access to the data
- Encryption methods
- Plans for how long identifiable information or
linkages will be kept
- Provisions for disposition of the data at the end
of the study
70- Ensuring that the data are collected in
compliance with relevant requirements at all
study sites in multi-center studies
- Certifying each protocol:
- For all new research protocols, the principal
investigator (PI) must certify that the use,
storage and security of all information collected
for, derived from, or used during the conduct of
the research will be in compliance with all VA
and VHA requirements. This will require that the
PI complete two forms, the Data Security
Checklist and the Principal Investigator's
Certification Storage Security of VA Research
for each new protocol, submit them to the IRB and
RD Committee and retain a copy of each of these
forms with the protocol files
- For currently active protocols, the PI is
required to provide the same information at the
time of continuing review
- For Just-In-Time review, the PI must submit the
Principal Investigator's Certification Storage
Security of VA Research form to the Office of
Research and Development (ORD) during the
Just-In-Time process for the proposal to be
considered for VA research funding
- The PI must complete this certification process
annually
71- Note: If, at any point in a study, the PI
determines that the security or confidentiality
of data being maintained on non-VA systems or
otherwise outside the VA on portable equipment
does not meet VA requirements, the PI is
responsible for immediately ensuring that the
data are returned to reside within the VA
firewall.
72Information Security Officer Responsibilities
- Information Security Officers (ISOs) are
knowledgeable about how to keep VA research data
secure. They will answer your questions and
advise you how to set up your security measures.
If you have questions about the security of your
research information, you should feel free to
contact your ISO.
- Specifically, ISOs are responsible for:
- Reviewing and, when appropriate, approving PIs'
requests for storing VA research data outside the
VA (Note: approval must also be obtained from the
Privacy Officer, Associate Chief of Staff for
Research and Development (ACOS/RD) and
investigator's supervisor)
- Providing help for local Research Offices and
investigators in completing the certification
checklist requirements
- Coordinating requests for remote access within
their region and facility(s)
- Reviewing all policies and procedures pertaining
to transportation, transmission, remote access
and use of VA IT equipment
- Ensuring that remote access accounts are
immediately disabled for all persons no longer
requiring remote access
73- The types of issues you may need to discuss with
your ISO include:
- How to set up and configure, or how to close, a
remote access account
- How to encrypt
- When a wireless network can be used
- How hardware and data can be protected from
viruses
- What to do if you suspect you have been attacked
by a virus
- What to do if you see someone using VA computers
for theft or fraud
- What to do if you lose data (e.g., a laptop, hard
drive, portable media)
74VHA Privacy Office Responsibilities
- The VHA Privacy Office is the authoritative
source for privacy within VHA and is responsible
for developing and implementing a VHA Privacy
Program; developing, issuing, reviewing and
coordinating privacy policy for VHA in
conjunction with policy efforts by VA;
coordinating requirements and monitoring
compliance with all Federal privacy law,
regulations and guidance within VHA; and issuing
direction on VHA privacy policies, practices and
activities to the field.
75Privacy Officer Responsibilities
- The facility Privacy Officers are knowledgeable
about how sensitive VA research data may be used
and disclosed in accordance with Federal statutes
and regulations and VHA policy. They will answer
your questions and help you comply with privacy
requirements. It is a good idea to enlist their
aid early in the design of a research project to
avoid delays in the approval process.
- Specifically, Privacy Officers are responsible
for:
- Ensuring the facility's overall compliance with
privacy policies and requirements
- Ensuring the facility has a process to review all
IRB-approved VA research for compliance with
privacy requirements prior to the data being
provided to the PI
- Reporting incidents regarding protected health
information (PHI) to the Privacy Violation
Tracking System and participating in the
investigation of such incidents
- Ensuring all employees are trained on privacy
annually
76Office of Research Oversight (ORO)
Responsibilities
- The Office of Research Oversight (ORO) serves as
the primary VHA office in advising the Under
Secretary for Health on all matters of compliance
and assurance regarding human subjects
protections, animal welfare, research safety and
research misconduct. ORO conducts its oversight
through routine and for-cause reviews. At the
request of the Under Secretary, ORO reviews
facility compliance with information security
requirements for research when staff conducts
on-site reviews. The checklist ORO uses to guide
its reviews of information security can be found
on the ORO website at http://vaww1.va.gov/oro/.
You may want to access this document to help
conduct your own assessment of your facility's
fulfillment of requirements.
77Submit questions to ResearchData_at_va.gov through
your local resear