Privacy,

1
Privacy, Security

• Brenda Cuccherini, Ph.D., MPH
• VA Office of Research Development
• September 2007

2
VHA Privacy

• VHA privacy program is complex
• VHA must comply with 6 statutes that govern
  collection, maintenance release of information
• VHA Handbook 1605.1 addresses most requirements

3
Privacy Related Statutes

• HIPAA Privacy Rule
• Privacy Act of 1974
• FOIA
• VA Claims Confidentiality
• Confidentiality of Drug Abuse, Alcoholism
  Alcohol Abuse, HIV, and Sickle Cell Anemia
  Medical Records
• Confidentiality of Healthcare Quality Assurance
  Review Records

4
HIPAA the Privacy Rule

• Title I Health Care Access, Portability,
  Renewability
• Title II Preventing Healthcare Fraud Abuse
  Administrative Simplification Medical Liability
  Reform
• Privacy Rule,
• Transactions,
• Security
• Enforcement)

5
HIPAA The Common Rule

• Represents 2 different, but not contradictory
  regulations
• Many terms similar but not the same
• IRB must make 2 separate determinations when
  reviewing approving applicable research
• The Common Rule
• HIPAA

6
HIPAA Research

• Defines specific HIPAA identifiers
• Controls use of Personal Health Information (PHI)
• Within the covered entity
• Disclosures outside the covered entity
• Allows only the Minimum Necessary information
• Use of PHI requires an authorization or waiver of
  authorization. Exceptions
• Preparatory to research Note It does not include
  recruiting subjects
• Use of limited data sets as defined by HIPAA

7
HIPAA Identifiers Remove All 18 to De-identify
for HIPAA

• (1) Names
• (2) All geographic subdivisions smaller than a
  state, except
• for the initial three digits of the zip
  code if the
• geographic unit formed by combining all zip
  codes with
• the same three initial digits contains more
  than
• 20,000 people
• (3) All elements of dates except year and all
  ages over 89
• (4) Telephone numbers
• (5) Fax numbers
• (6) E-mail addresses
• (7) Social security numbers
• (8) Medical record numbers

8
HIPAA Identifiers (Cont.)

• (9) Health plan beneficiary numbers
• (10) Account numbers
• (11) Certificate or license numbers
• (12) Vehicle identifiers and license plate
  numbers
• (13) Device identifiers and serial numbers
• (14) URLs
• (15) IP addresses
• (16) Biometric identifiers
• Full-face photographs and any comparable
• images

9
HIPAA Identifiers (Cont.)

• Any other unique identifying number,
  characteristic
• or code, unless otherwise permitted by
  the Privacy
• Rule for re-identification
• Scrambled SSNs
• Initials
• Last four digits of SSN
• Employee numbers
• Etc.
• (19) A caveat HIPAA also states that the
  entity does not have actual
• knowledge that the remaining
  information could be used alone
• or in combination with other
  information to identify an individual
• who is the subject of the information
• If you can strip all 18 identifiers, it still may
  not be de-identified

10
Applicability of Identifiers

• HIPAA identifiers apply to
• The individual
• The individuals relatives
• The individuals employers
• The individuals household members

11
Whats De-identified?

• If some one tells you data is de-identified, ask
  them how they define it!

12
De-identified VHAs Definition

• Information or data that meets the HIPAA Privacy
  Rule and the Common Rule definitions of
  de-identified
• Does not contain any of the 18 HIPAA identifiers
• Has not met the criteria for de-identification by
  statistical means as defined in HIPAA
• Identity of the subject is not readily
  ascertained by the researcher

13

• Scrambled Social Security
• Numbers are identifiers!!!

14
Protected Health Information (PHI)

• PHI is individually identifiable health
  information (IIH)
• IIH Health information including demographics
• Collected from an individual
• Relates to
• The past, present, or future physical, mental
  health, or condition of an individual
• Provision of health care to the individual
• Identifies the individual or there is a
  reasonable basis to believe the information can
  identify the individual
• Is retrieved by name or other unique identifier

15
Preparatory to Reach

• VHA Handbook 1605.1 states that contacting
  research subjects or conducting pilot studies are
  not Preparatory to Research activities
• HHS states that the Preparatory to Research
  provisions allow an investigator to use PHI to
  contact prospective research subjects

16
Limited Data Sets

• Does not require a HIPPA authorization or waiver
  of authorization
• Only allowed for research , public health, or
  health care operations
• Requires a DUA
• May contain identifiable information such as
  scrambled SSNs, are still PHI
• May still be human subjects research

17
Limited Data Set (Cont.)

• Excludes certain direct identifiers
• Excluded identifiers apply to
• The individual,
• The individuals relatives
• The individuals employers
• The individuals household members
• May contain
• City, state, ZIP code,
• Elements of a date other numbers,
• Characteristics or codes not listed as direct
  identifiers

18
Limited Data Sets Direct Identifiers

• (1) Names
• (2) Postal address other than town, city, state,
• and ZIP code
• (3) Telephone numbers
• Fax numbers
• Electronic mail address
• (6) SSNs
• (7) Medical Record number
• (8) Health plan beneficiary numbers
• (9) Account numbers

19
Limited Data Set Direct Identifiers (Cont.)

• (10) Certificate/license numbers
• (12) Vehicle identifiers and serial numbers
• including license plate numbers
• (12) Device identifiers serial numbers
• (13) Web universal resource locators (URLs)
• (14) Internet protocol (IP) address
• (15) Biometric identifiers, including
  fingerprints
• voice prints
• (16) Full-face photographic images and any
• comparable images

20
Business Associate Agreements

• Business Associate An individual or entity who
  on behalf of VHA
• Performs or assists in performing functions or
  activities involving the use or disclosure of PHI
  or
• Provides certain services to VHA which include
  use or disclosure of PHI by VHA.
• Activities must be related to treatment, payment,
  or health care operations

21
Business Associate Agreements

• BAAs required for
• Any person or entity meeting the definition of
  Business Associate
• BAAs not required for research or research
  sponsors
• Research is not a function or activity regulated
  by HIPAA (treatment, payment, or health care
  operations)

22
HIPAA Authorization

• Authorization requirements
• Handbook 1605.1 Privacy Release of
  Information
• Poor authorizations
• Inadequate description of the data
• Does not specifically state if PHI related to
  drug or alcohol abuse, alcoholism, HIV, or Sickle
  Cell Anemia will be used
• General statements regarding who will see data
• Failure to state what will happen with the data,
  where it is sent, and how it is secured
• Stand alone or incorporated into informed consent

23
Waiver of Authorization

• IRB or Privacy Board (PB) may approve
• Full waiver of authorization
• Partial waiver of authorization
• Alteration of the disclosure
• IRB or Privacy Board
• Must make specific determination prior to
  approving waiver
• Must document specific findings

24
Required Determinations 3 Criteria

• 1. The use or disclosure of PHI involves no more
  than a minimal risk to the individual based on
  at least the presence of the following elements
• An adequate plan to Protect the identifiers from
  improper use disclosure
• An adequate plan to destroy the identifiers at
  the earliest opportunity consistent with the
  conduct of the research unless there is health
  or research justification for retaining them or
  retention or the retention is required by law
  and
• Adequate written assurance that the PHI will not
  be reused or disclosed to any other person or
  entity, except as required by law, for authorized
  oversight of the research study, or for other
  research for which the use of disclosure of PHI
  would be permitted by this subpart

25
Required Determinations 3 Criteria (Cont.)

• 2. The research could not practicably be
  conducted without the waiver
• 3. The research could not practicably be
  conducted without access to and use of the
  protected health information

26
Required Documentation

• Name of IRB or PB date approved
• Statement IRB or PB determined the alteration or
  waiver of authorization, in whole or in part,
  satisfies the 3 criteria in the Rule
• A brief description of the PHI for which use or
  access has been determined to be necessary
• A statement that the alteration or waiver of
  authorization has been reviewed and approved
  under either normal or expedited review
  procedures, and
• Signature of the chair or other member, as
  designated by the chair, of the IRB or PB, as
  applicable.

27
Data Use Agreements (DUA)

• VHA and HHS require DUA for use of limited data
  sets only
• VHA and ORD policy also requires a combined DUA
  and Data Transfer Agreement (DTA) for anytime
  you transfer data within VHA for research
  purposes unless
• The consent allows transfer to the sponsor
• The transfer is within the scope of the protocol
  e.g., transferring data to a data coordinating
  center
• DUA/DTA requirements will be published soon

28

• Privacy Act of 1974

29
Privacy Act of 1974

• Purpose To balance the governments need to
  maintain information about individuals with the
  rights of individuals to be protected against
  unwarranted invasions of their privacy
• Background Watergate era and Congress concerned
  with
• Curbing illegal surveillance investigations
• Potential abuses presented by governments
  increasing use of computers to store retrieve
  personal data

30
Privacy Act Objectives

• Restrict disclosure of personally identifiable
  records by agencies
• Grant individuals
• Increased rights of access to agency records
• The right to seek amendment of agency records
• Establish code of fair information practices for
  agencies

31
A Privacy Act Requirement

• Agencies that maintain a system of records "shall
  promulgate rules, in accordance with notice and
  comment rulemaking
• Systems of Records (SOR) A group of records
  under agency control from which information is
  retrieved by the name of the individual or by
  some identifying number, symbol, or other
  identifying particular assigned to the
  individual.

32
System of Records Content

• Category of individuals covered by the system
• Categories of records in the system
• Purpose of the records
• Routine uses of records
• Storage (storage medium)
• Retrievability (name, numbers or identifier)

33
SORs and Research

• 34VA12 -- Veteran, Patient, Employee, and
  Volunteer Research and Development Project
  Records
• 121VA19 -- National Patient Databases VA
• 97VA105 Consolidated Data Information System
  VA (contains Medicare data)

34
SORs Major Impact on Research

• All release/disclosure of information must be
  consistent with the SOR and routine uses
• Investigators can not release information to
  non-VA investigators or institutions unless
• Written permissions/authorization from individual
  or
• Permission of the USH or designee
• Release of information is through the Privacy
  Office

35
Privacy Issues Resources

• VHA Privacy Officer Stephania Putt
• Local privacy officer
• VHA privacy program
• http//vaww.vhaco.va.gov/privacy/
• Links to all Federal statutes, regulations,
  policies including security policies
• Privacy Fact Sheets

36

• Security

37
A Changing Climate

• Security must be addressed in
• Protocol, appendices, or other document
• Facility SOPs
• New policies (VA VHA) and requirements
• Sensitive data must be controlled at all times

38
It is VA policy that

• VA information may not reside on non-VA systems
  or devices unless specifically authorized by VA
  guidance/policy
• Federal Information Security Management Act of
  2002 (FISMA) Federal Security requirements apply
  to when contractors or other organizations on
  behalf of an agency possess or use Federal
  information
• You must obtain authorization to remove
  confidential Privacy Act protected information
• Approved protocol
• Consult with supervisors/obtain permission
• Consult with supervisor and ISO to ensure that
  the data is properly encrypted and password
  protected in accordance with VA policy
  Secretarys memo June.6, 2006

39
VA Policy on Protection of Data

• Data system backups or copies
• Same confidentiality classification as originals
• Laptops portable media must NOT contain the
  only copy of the data
• VAPI stored on computers or other storage media
  outside VA facilities must be encrypted per VA
  approved protection mechanisms
• Password or other authentication information
• Do not store on remote systems unless encrypted
• Data can not be transmitted by remote access
  without VA-approved protection mechanisms

40
VA policy on Government Laptops or Other Equipment

• Updated property pass
• Updated virus protection
• House protect it from
• Environmental threats hazards
• Unauthorized access, use, or removal
• Laptops, external hard drives, or other storage
  devices must be under lock key when not in your
  immediate vicinity if it
• Contains sensitive/protected information (VAPI)
  or
• Software to access VA private networks

41
What You Must Do

• Prior to receiving laptop or sensitive data
• Know the policies on protecting or responding to
  lost/stolen laptops or data.
• Always be on guard
• Use common sense about where you leave it, who
  can access it
• Once laptop or data is discovered to be missing
• Report it to the police
• Obtain a copy of the police report (name of
  officer, case number, etc.)
• Try to inventory what is on the laptop or the
  missing data.
• Make required notifications

42
Reporting of Security Incidents

• OMB requires reporting of an incident within 1
  hour of discovery to US-CERT
• US-CERT US Computer Emergency Readiness Team is
  the operational arm of National Cyber Security
  Division (NCSD), Department of Homeland Security
  (DHS).
• Suspected and confirmed breaches must be reported

43
How to Report Security Incidents

• Immediately report to
• Supervisor
• ISO
• Privacy Officer
• Others (Your facility may require reporting to
  other facility administrators)
• ISO will report it to the VA-Security Operations
  Center (VA-SOC)
• Privacy Officer will enter it into the Privacy
  Violations Tracking System (PVTS)
• VA-SOC will notify US-CERT key VHA/VA officials

44
Investigators Responsibility

• Include all necessary information in the
  submission to the IRB
• Describe type of data, data flow, individuals
  having access to data (VA, non-VA)
• Locations of data, computer systems, security
  measures
• Request use of the minimal necessary information
  to conduct the research
• Use of data consistent with the protocol
• No re-use or sharing of data without approvals

45
Investigators Responsibilities

• Protocols contain sufficient information on
  security issues
• Who uses information
• How it will be stored and secured
• Who has copies where
• Will it remain within VA if not, will all data
  be returned to VA if not why
• Disposition of the data after protocol completed)
• Allowing access only to authorized individuals

46
Investigators Responsibilities (Cont.)

• Safeguarding laptops, portable drives, flash
  drives, and other medium
• Ensuring all contracts, DUAs, and BAAs contain
  required language
• Encrypting/password protecting all sensitive data

47
IRB and RD Committee Additional Requirements

• Is the data to be used reasonable and necessary
  to conduct the research?
• What are the sources of the data?
• Who will have access to the data?
• Where will the original and all copies be stored
  or used?

48
IRB and RD Committee Additional Requirements
(Cont.)

• Will identifiable data be sent out of the VA?
• Does the consent authorization sufficiently
  describe where the data will go who will see
  it?
• Will names or SSNs be sent out of the VA?
• How will the data be secured (paper or
  electronic)?
• If real SSNs are used, is there an adequate
  justification?

49
Policy Documents

• VA Directive 6504 Waiver of requirements
• Granted only by the VA Chief Information Officer
  in CO
• Waiver request only from an Administration Head,
  Assistant Secretary, or other key official
• Majority of IT security documents being
  redrafted on a very fast track

50
Finding Policies

• www.va.gov/vhapublications
• Link on left banner to VA publications
• www.va.gov/research
• Call or e-mail
• Brenda Cuccherini, Ph.D. at (202)254-0277 or
• brenda.cuccherini_at_va.gov