Privacy, - PowerPoint PPT Presentation

1 / 50
About This Presentation
Title:

Privacy,

Description:

VHA must comply with 6 statutes that govern collection, maintenance & release of ... voice prints (16) Full-face photographic images and any. comparable images ... – PowerPoint PPT presentation

Number of Views:41
Avg rating:3.0/5.0
Slides: 51
Provided by: brendacucc2
Category:
Tags: privacy

less

Transcript and Presenter's Notes

Title: Privacy,


1
Privacy, Security
  • Brenda Cuccherini, Ph.D., MPH
  • VA Office of Research Development
  • September 2007

2
VHA Privacy
  • VHA privacy program is complex
  • VHA must comply with 6 statutes that govern
    collection, maintenance release of information
  • VHA Handbook 1605.1 addresses most requirements

3
Privacy Related Statutes
  • HIPAA Privacy Rule
  • Privacy Act of 1974
  • FOIA
  • VA Claims Confidentiality
  • Confidentiality of Drug Abuse, Alcoholism
    Alcohol Abuse, HIV, and Sickle Cell Anemia
    Medical Records
  • Confidentiality of Healthcare Quality Assurance
    Review Records

4
HIPAA the Privacy Rule
  • Title I Health Care Access, Portability,
    Renewability
  • Title II Preventing Healthcare Fraud Abuse
    Administrative Simplification Medical Liability
    Reform
  • Privacy Rule,
  • Transactions,
  • Security
  • Enforcement)

5
HIPAA The Common Rule
  • Represents 2 different, but not contradictory
    regulations
  • Many terms similar but not the same
  • IRB must make 2 separate determinations when
    reviewing approving applicable research
  • The Common Rule
  • HIPAA

6
HIPAA Research
  • Defines specific HIPAA identifiers
  • Controls use of Personal Health Information (PHI)
  • Within the covered entity
  • Disclosures outside the covered entity
  • Allows only the Minimum Necessary information
  • Use of PHI requires an authorization or waiver of
    authorization. Exceptions
  • Preparatory to research Note It does not include
    recruiting subjects
  • Use of limited data sets as defined by HIPAA

7
HIPAA Identifiers Remove All 18 to De-identify
for HIPAA
  • (1) Names
  • (2) All geographic subdivisions smaller than a
    state, except
  • for the initial three digits of the zip
    code if the
  • geographic unit formed by combining all zip
    codes with
  • the same three initial digits contains more
    than
  • 20,000 people
  • (3) All elements of dates except year and all
    ages over 89
  • (4) Telephone numbers
  • (5) Fax numbers
  • (6) E-mail addresses
  • (7) Social security numbers
  • (8) Medical record numbers

8
HIPAA Identifiers (Cont.)
  • (9) Health plan beneficiary numbers
  • (10) Account numbers
  • (11) Certificate or license numbers
  • (12) Vehicle identifiers and license plate
    numbers
  • (13) Device identifiers and serial numbers
  • (14) URLs
  • (15) IP addresses
  • (16) Biometric identifiers
  • Full-face photographs and any comparable
  • images

9
HIPAA Identifiers (Cont.)
  • Any other unique identifying number,
    characteristic
  • or code, unless otherwise permitted by
    the Privacy
  • Rule for re-identification
  • Scrambled SSNs
  • Initials
  • Last four digits of SSN
  • Employee numbers
  • Etc.
  • (19) A caveat HIPAA also states that the
    entity does not have actual
  • knowledge that the remaining
    information could be used alone
  • or in combination with other
    information to identify an individual
  • who is the subject of the information
  • If you can strip all 18 identifiers, it still may
    not be de-identified

10
Applicability of Identifiers
  • HIPAA identifiers apply to
  • The individual
  • The individuals relatives
  • The individuals employers
  • The individuals household members

11
Whats De-identified?
  • If some one tells you data is de-identified, ask
    them how they define it!

12
De-identified VHAs Definition
  • Information or data that meets the HIPAA Privacy
    Rule and the Common Rule definitions of
    de-identified
  • Does not contain any of the 18 HIPAA identifiers
  • Has not met the criteria for de-identification by
    statistical means as defined in HIPAA
  • Identity of the subject is not readily
    ascertained by the researcher

13
  • Scrambled Social Security
  • Numbers are identifiers!!!

14
Protected Health Information (PHI)
  • PHI is individually identifiable health
    information (IIH)
  • IIH Health information including demographics
  • Collected from an individual
  • Relates to
  • The past, present, or future physical, mental
    health, or condition of an individual
  • Provision of health care to the individual
  • Identifies the individual or there is a
    reasonable basis to believe the information can
    identify the individual
  • Is retrieved by name or other unique identifier

15
Preparatory to Reach
  • VHA Handbook 1605.1 states that contacting
    research subjects or conducting pilot studies are
    not Preparatory to Research activities
  • HHS states that the Preparatory to Research
    provisions allow an investigator to use PHI to
    contact prospective research subjects

16
Limited Data Sets
  • Does not require a HIPPA authorization or waiver
    of authorization
  • Only allowed for research , public health, or
    health care operations
  • Requires a DUA
  • May contain identifiable information such as
    scrambled SSNs, are still PHI
  • May still be human subjects research

17
Limited Data Set (Cont.)
  • Excludes certain direct identifiers
  • Excluded identifiers apply to
  • The individual,
  • The individuals relatives
  • The individuals employers
  • The individuals household members
  • May contain
  • City, state, ZIP code,
  • Elements of a date other numbers,
  • Characteristics or codes not listed as direct
    identifiers

18
Limited Data Sets Direct Identifiers
  • (1) Names
  • (2) Postal address other than town, city, state,
  • and ZIP code
  • (3) Telephone numbers
  • Fax numbers
  • Electronic mail address
  • (6) SSNs
  • (7) Medical Record number
  • (8) Health plan beneficiary numbers
  • (9) Account numbers

19
Limited Data Set Direct Identifiers (Cont.)
  • (10) Certificate/license numbers
  • (12) Vehicle identifiers and serial numbers
  • including license plate numbers
  • (12) Device identifiers serial numbers
  • (13) Web universal resource locators (URLs)
  • (14) Internet protocol (IP) address
  • (15) Biometric identifiers, including
    fingerprints
  • voice prints
  • (16) Full-face photographic images and any
  • comparable images

20
Business Associate Agreements
  • Business Associate An individual or entity who
    on behalf of VHA
  • Performs or assists in performing functions or
    activities involving the use or disclosure of PHI
    or
  • Provides certain services to VHA which include
    use or disclosure of PHI by VHA.
  • Activities must be related to treatment, payment,
    or health care operations

21
Business Associate Agreements
  • BAAs required for
  • Any person or entity meeting the definition of
    Business Associate
  • BAAs not required for research or research
    sponsors
  • Research is not a function or activity regulated
    by HIPAA (treatment, payment, or health care
    operations)

22
HIPAA Authorization
  • Authorization requirements
  • Handbook 1605.1 Privacy Release of
    Information
  • Poor authorizations
  • Inadequate description of the data
  • Does not specifically state if PHI related to
    drug or alcohol abuse, alcoholism, HIV, or Sickle
    Cell Anemia will be used
  • General statements regarding who will see data
  • Failure to state what will happen with the data,
    where it is sent, and how it is secured
  • Stand alone or incorporated into informed consent

23
Waiver of Authorization
  • IRB or Privacy Board (PB) may approve
  • Full waiver of authorization
  • Partial waiver of authorization
  • Alteration of the disclosure
  • IRB or Privacy Board
  • Must make specific determination prior to
    approving waiver
  • Must document specific findings

24
Required Determinations 3 Criteria
  • 1. The use or disclosure of PHI involves no more
    than a minimal risk to the individual based on
    at least the presence of the following elements
  • An adequate plan to Protect the identifiers from
    improper use disclosure
  • An adequate plan to destroy the identifiers at
    the earliest opportunity consistent with the
    conduct of the research unless there is health
    or research justification for retaining them or
    retention or the retention is required by law
    and
  • Adequate written assurance that the PHI will not
    be reused or disclosed to any other person or
    entity, except as required by law, for authorized
    oversight of the research study, or for other
    research for which the use of disclosure of PHI
    would be permitted by this subpart

25
Required Determinations 3 Criteria (Cont.)
  • 2. The research could not practicably be
    conducted without the waiver
  • 3. The research could not practicably be
    conducted without access to and use of the
    protected health information

26
Required Documentation
  • Name of IRB or PB date approved
  • Statement IRB or PB determined the alteration or
    waiver of authorization, in whole or in part,
    satisfies the 3 criteria in the Rule
  • A brief description of the PHI for which use or
    access has been determined to be necessary
  • A statement that the alteration or waiver of
    authorization has been reviewed and approved
    under either normal or expedited review
    procedures, and
  • Signature of the chair or other member, as
    designated by the chair, of the IRB or PB, as
    applicable.

27
Data Use Agreements (DUA)
  • VHA and HHS require DUA for use of limited data
    sets only
  • VHA and ORD policy also requires a combined DUA
    and Data Transfer Agreement (DTA) for anytime
    you transfer data within VHA for research
    purposes unless
  • The consent allows transfer to the sponsor
  • The transfer is within the scope of the protocol
    e.g., transferring data to a data coordinating
    center
  • DUA/DTA requirements will be published soon

28
  • Privacy Act of 1974

29
Privacy Act of 1974
  • Purpose To balance the governments need to
    maintain information about individuals with the
    rights of individuals to be protected against
    unwarranted invasions of their privacy
  • Background Watergate era and Congress concerned
    with
  • Curbing illegal surveillance investigations
  • Potential abuses presented by governments
    increasing use of computers to store retrieve
    personal data

30
Privacy Act Objectives
  • Restrict disclosure of personally identifiable
    records by agencies
  • Grant individuals
  • Increased rights of access to agency records
  • The right to seek amendment of agency records
  • Establish code of fair information practices for
    agencies

31
A Privacy Act Requirement
  • Agencies that maintain a system of records "shall
    promulgate rules, in accordance with notice and
    comment rulemaking
  • Systems of Records (SOR) A group of records
    under agency control from which information is
    retrieved by the name of the individual or by
    some identifying number, symbol, or other
    identifying particular assigned to the
    individual.

32
System of Records Content
  • Category of individuals covered by the system
  • Categories of records in the system
  • Purpose of the records
  • Routine uses of records
  • Storage (storage medium)
  • Retrievability (name, numbers or identifier)

33
SORs and Research
  • 34VA12 -- Veteran, Patient, Employee, and
    Volunteer Research and Development Project
    Records
  • 121VA19 -- National Patient Databases VA
  • 97VA105 Consolidated Data Information System
    VA (contains Medicare data)

34
SORs Major Impact on Research
  • All release/disclosure of information must be
    consistent with the SOR and routine uses
  • Investigators can not release information to
    non-VA investigators or institutions unless
  • Written permissions/authorization from individual
    or
  • Permission of the USH or designee
  • Release of information is through the Privacy
    Office

35
Privacy Issues Resources
  • VHA Privacy Officer Stephania Putt
  • Local privacy officer
  • VHA privacy program
  • http//vaww.vhaco.va.gov/privacy/
  • Links to all Federal statutes, regulations,
    policies including security policies
  • Privacy Fact Sheets

36
  • Security

37
A Changing Climate
  • Security must be addressed in
  • Protocol, appendices, or other document
  • Facility SOPs
  • New policies (VA VHA) and requirements
  • Sensitive data must be controlled at all times

38
It is VA policy that
  • VA information may not reside on non-VA systems
    or devices unless specifically authorized by VA
    guidance/policy
  • Federal Information Security Management Act of
    2002 (FISMA) Federal Security requirements apply
    to when contractors or other organizations on
    behalf of an agency possess or use Federal
    information
  • You must obtain authorization to remove
    confidential Privacy Act protected information
  • Approved protocol
  • Consult with supervisors/obtain permission
  • Consult with supervisor and ISO to ensure that
    the data is properly encrypted and password
    protected in accordance with VA policy
    Secretarys memo June.6, 2006

39
VA Policy on Protection of Data
  • Data system backups or copies
  • Same confidentiality classification as originals
  • Laptops portable media must NOT contain the
    only copy of the data
  • VAPI stored on computers or other storage media
    outside VA facilities must be encrypted per VA
    approved protection mechanisms
  • Password or other authentication information
  • Do not store on remote systems unless encrypted
  • Data can not be transmitted by remote access
    without VA-approved protection mechanisms

40
VA policy on Government Laptops or Other Equipment
  • Updated property pass
  • Updated virus protection
  • House protect it from
  • Environmental threats hazards
  • Unauthorized access, use, or removal
  • Laptops, external hard drives, or other storage
    devices must be under lock key when not in your
    immediate vicinity if it
  • Contains sensitive/protected information (VAPI)
    or
  • Software to access VA private networks

41
What You Must Do
  • Prior to receiving laptop or sensitive data
  • Know the policies on protecting or responding to
    lost/stolen laptops or data.
  • Always be on guard
  • Use common sense about where you leave it, who
    can access it
  • Once laptop or data is discovered to be missing
  • Report it to the police
  • Obtain a copy of the police report (name of
    officer, case number, etc.)
  • Try to inventory what is on the laptop or the
    missing data.
  • Make required notifications

42
Reporting of Security Incidents
  • OMB requires reporting of an incident within 1
    hour of discovery to US-CERT
  • US-CERT US Computer Emergency Readiness Team is
    the operational arm of National Cyber Security
    Division (NCSD), Department of Homeland Security
    (DHS).
  • Suspected and confirmed breaches must be reported

43
How to Report Security Incidents
  • Immediately report to
  • Supervisor
  • ISO
  • Privacy Officer
  • Others (Your facility may require reporting to
    other facility administrators)
  • ISO will report it to the VA-Security Operations
    Center (VA-SOC)
  • Privacy Officer will enter it into the Privacy
    Violations Tracking System (PVTS)
  • VA-SOC will notify US-CERT key VHA/VA officials

44
Investigators Responsibility
  • Include all necessary information in the
    submission to the IRB
  • Describe type of data, data flow, individuals
    having access to data (VA, non-VA)
  • Locations of data, computer systems, security
    measures
  • Request use of the minimal necessary information
    to conduct the research
  • Use of data consistent with the protocol
  • No re-use or sharing of data without approvals

45
Investigators Responsibilities
  • Protocols contain sufficient information on
    security issues
  • Who uses information
  • How it will be stored and secured
  • Who has copies where
  • Will it remain within VA if not, will all data
    be returned to VA if not why
  • Disposition of the data after protocol completed)
  • Allowing access only to authorized individuals

46
Investigators Responsibilities (Cont.)
  • Safeguarding laptops, portable drives, flash
    drives, and other medium
  • Ensuring all contracts, DUAs, and BAAs contain
    required language
  • Encrypting/password protecting all sensitive data

47
IRB and RD Committee Additional Requirements
  • Is the data to be used reasonable and necessary
    to conduct the research?
  • What are the sources of the data?
  • Who will have access to the data?
  • Where will the original and all copies be stored
    or used?

48
IRB and RD Committee Additional Requirements
(Cont.)
  • Will identifiable data be sent out of the VA?
  • Does the consent authorization sufficiently
    describe where the data will go who will see
    it?
  • Will names or SSNs be sent out of the VA?
  • How will the data be secured (paper or
    electronic)?
  • If real SSNs are used, is there an adequate
    justification?

49
Policy Documents
  • VA Directive 6504 Waiver of requirements
  • Granted only by the VA Chief Information Officer
    in CO
  • Waiver request only from an Administration Head,
    Assistant Secretary, or other key official
  • Majority of IT security documents being
    redrafted on a very fast track

50
Finding Policies
  • www.va.gov/vhapublications
  • Link on left banner to VA publications
  • www.va.gov/research
  • Call or e-mail
  • Brenda Cuccherini, Ph.D. at (202)254-0277 or
  • brenda.cuccherini_at_va.gov
Write a Comment
User Comments (0)
About PowerShow.com