Privacy & Security
- Brenda Cuccherini, Ph.D., MPH
- VA Office of Research & Development
- September 2007
VHA Privacy
- VHA privacy program is complex
- VHA must comply with 6 statutes that govern collection, maintenance, and release of information
- VHA Handbook 1605.1 addresses most requirements
Privacy Related Statutes
- HIPAA Privacy Rule
- Privacy Act of 1974
- FOIA
- VA Claims Confidentiality
- Confidentiality of Drug Abuse, Alcoholism and Alcohol Abuse, HIV, and Sickle Cell Anemia Medical Records
- Confidentiality of Healthcare Quality Assurance Review Records
HIPAA and the Privacy Rule
- Title I: Health Care Access, Portability, and Renewability
- Title II: Preventing Healthcare Fraud and Abuse; Administrative Simplification; Medical Liability Reform
  - Privacy Rule
  - Transactions
  - Security
  - Enforcement
HIPAA and the Common Rule
- Represents 2 different, but not contradictory, regulations
- Many terms similar but not the same
- IRB must make 2 separate determinations when reviewing and approving applicable research
  - The Common Rule
  - HIPAA
HIPAA and Research
- Defines specific HIPAA identifiers
- Controls use of Personal Health Information (PHI)
  - Within the covered entity
  - Disclosures outside the covered entity
- Allows only the Minimum Necessary information
- Use of PHI requires an authorization or waiver of authorization. Exceptions:
  - Preparatory to research (Note: it does not include recruiting subjects)
  - Use of limited data sets as defined by HIPAA
HIPAA Identifiers: Remove All 18 to De-identify for HIPAA
- (1) Names
- (2) All geographic subdivisions smaller than a state, except for the initial three digits of the zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people
- (3) All elements of dates except year, and all ages over 89
- (4) Telephone numbers
- (5) Fax numbers
- (6) E-mail addresses
- (7) Social security numbers
- (8) Medical record numbers
HIPAA Identifiers (Cont.)
- (9) Health plan beneficiary numbers
- (10) Account numbers
- (11) Certificate or license numbers
- (12) Vehicle identifiers and license plate numbers
- (13) Device identifiers and serial numbers
- (14) URLs
- (15) IP addresses
- (16) Biometric identifiers
- (17) Full-face photographs and any comparable images
HIPAA Identifiers (Cont.)
- (18) Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification
  - Scrambled SSNs
  - Initials
  - Last four digits of SSN
  - Employee numbers
  - Etc.
- (19) A caveat: HIPAA also states that the entity does not have actual knowledge that the remaining information could be used alone or in combination with other information to identify an individual who is the subject of the information
- If you can strip all 18 identifiers, it still may not be de-identified
Applicability of Identifiers
- HIPAA identifiers apply to
  - The individual
  - The individual's relatives
  - The individual's employers
  - The individual's household members
What's De-identified?
- If someone tells you data is de-identified, ask them how they define it!
De-identified: VHA's Definition
- Information or data that meets the HIPAA Privacy Rule and the Common Rule definitions of de-identified
- Does not contain any of the 18 HIPAA identifiers
- Has not met the criteria for de-identification by statistical means as defined in HIPAA
- Identity of the subject is not readily ascertained by the researcher
- Scrambled Social Security Numbers are identifiers!!!
Protected Health Information (PHI)
- PHI is individually identifiable health information (IIH)
- IIH: Health information, including demographics
  - Collected from an individual
  - Relates to
    - The past, present, or future physical or mental health or condition of an individual
    - Provision of health care to the individual
  - Identifies the individual, or there is a reasonable basis to believe the information can identify the individual
  - Is retrieved by name or other unique identifier
Preparatory to Research
- VHA Handbook 1605.1 states that contacting research subjects or conducting pilot studies are not Preparatory to Research activities
- HHS states that the Preparatory to Research provisions allow an investigator to use PHI to contact prospective research subjects
Limited Data Sets
- Does not require a HIPAA authorization or waiver of authorization
- Only allowed for research, public health, or health care operations
- Requires a DUA
- May contain identifiable information such as scrambled SSNs, and are still PHI
- May still be human subjects research
Limited Data Set (Cont.)
- Excludes certain direct identifiers
- Excluded identifiers apply to
  - The individual
  - The individual's relatives
  - The individual's employers
  - The individual's household members
- May contain
  - City, state, ZIP code
  - Elements of a date, other numbers
  - Characteristics or codes not listed as direct identifiers
Limited Data Sets: Direct Identifiers
- (1) Names
- (2) Postal address other than town, city, state, and ZIP code
- (3) Telephone numbers
- (4) Fax numbers
- (5) Electronic mail address
- (6) SSNs
- (7) Medical Record number
- (8) Health plan beneficiary numbers
- (9) Account numbers
Limited Data Set Direct Identifiers (Cont.)
- (10) Certificate/license numbers
- (11) Vehicle identifiers and serial numbers, including license plate numbers
- (12) Device identifiers and serial numbers
- (13) Web universal resource locators (URLs)
- (14) Internet protocol (IP) address
- (15) Biometric identifiers, including fingerprints and voice prints
- (16) Full-face photographic images and any comparable images
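The two lists above differ in what they keep: Safe Harbor strips all 18 HIPAA identifiers (dates reduced to the year, ages over 89 collapsed, ZIP codes cut to three digits, and "any other unique code" such as a scrambled SSN removed), while a limited data set removes only the 16 direct identifiers and may keep dates, city/state/ZIP and other codes, which is why it is still PHI and needs a DUA. The following Python is an added illustration of both filters applied to one record; it is not VHA or VA code. The field names, the sample record, and the set of sparsely populated three-digit ZIP prefixes are all constructed for the example (the real prefix set comes from census data and must be maintained separately).

```python
"""Safe Harbor de-identification vs. limited data set (LDS) filtering.

Added example, not VHA/VA code. Field names are hypothetical and the
sample record and SPARSE_ZIP3 set are constructed for illustration.
"""
import re
from datetime import date

# Fields removed by BOTH Safe Harbor (HIPAA identifiers 1, 4-17) and the
# limited data set (LDS direct identifiers 1-16). Names are hypothetical.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "fingerprint", "face_photo",
}
# "Any other unique identifying number, characteristic or code" (HIPAA
# identifier 18): removed by Safe Harbor, but an LDS may keep them.
INDIRECT_CODES = {"scrambled_ssn", "initials", "employee_number"}
# Placeholder for ZIP3 areas with 20,000 or fewer people (census-derived).
SPARSE_ZIP3 = {"036", "059"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}


def safe_harbor_zip(zip_code):
    """Identifier (2): keep the first three ZIP digits, and only when the
    ZIP3 area holds more than 20,000 people; otherwise return '000'."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3


def safe_harbor_date(value):
    """Identifier (3): strip every element of a date except the year."""
    return value.year


def safe_harbor_age(age):
    """Identifier (3): all ages over 89 collapse into one '90+' category."""
    return "90+" if age > 89 else age


def safe_harbor(record):
    """Return (de-identified record, fields removed).

    Stripping the 18 identifiers is necessary but not sufficient: the
    covered entity must also have no actual knowledge that what remains
    could identify the subject (the slide's item 19)."""
    out, removed = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in INDIRECT_CODES:
            removed.append(field)
        elif field in {"city", "county"}:
            removed.append(field)  # geographic unit smaller than a state
        elif field == "zip":
            out[field] = safe_harbor_zip(value)
        elif field in DATE_FIELDS:
            out[field] = safe_harbor_date(value)
        elif field == "age":
            out[field] = safe_harbor_age(value)
        else:
            out[field] = value
    return out, removed


def limited_data_set(record):
    """Return (limited data set, warnings).

    Only the 16 direct identifiers go; dates, city/state/ZIP and other
    codes stay. Any retained code that can be linked back (a scrambled
    SSN, for instance) keeps the set PHI, so a DUA is still required."""
    lds = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    warnings = [f"{k} retained: still PHI, DUA required"
                for k in lds if k in INDIRECT_CODES]
    return lds, warnings


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "scrambled_ssn": "a3f9c1",
    "mrn": "MRN-0001",
    "dob": date(1931, 5, 17),
    "age": 94,
    "zip": "03601-1234",
    "city": "Berlin",
    "state": "NH",
    "diagnosis": "I10",
    "admit_date": date(2007, 3, 2),
}

if __name__ == "__main__":
    print("Safe Harbor:", safe_harbor(SAMPLE_RECORD))
    print("Limited data set:", limited_data_set(SAMPLE_RECORD))
```

Run it to see the contrast: the Safe Harbor output keeps only year, "90+", a three-digit (here zeroed) ZIP, state and diagnosis, whereas the limited data set keeps the full dates, city, ZIP and the scrambled SSN, and the warning list records why that set is still PHI.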
Business Associate Agreements
- Business Associate: An individual or entity who, on behalf of VHA
  - Performs or assists in performing functions or activities involving the use or disclosure of PHI, or
  - Provides certain services to VHA which include use or disclosure of PHI by VHA
- Activities must be related to treatment, payment, or health care operations
Business Associate Agreements
- BAAs required for
  - Any person or entity meeting the definition of Business Associate
- BAAs not required for research or research sponsors
  - Research is not a function or activity regulated by HIPAA (treatment, payment, or health care operations)
HIPAA Authorization
- Authorization requirements
  - Handbook 1605.1 Privacy and Release of Information
- Poor authorizations
  - Inadequate description of the data
  - Does not specifically state if PHI related to drug or alcohol abuse, alcoholism, HIV, or Sickle Cell Anemia will be used
  - General statements regarding who will see data
  - Failure to state what will happen with the data, where it is sent, and how it is secured
- Stand alone or incorporated into informed consent
Waiver of Authorization
- IRB or Privacy Board (PB) may approve
  - Full waiver of authorization
  - Partial waiver of authorization
  - Alteration of the disclosure
- IRB or Privacy Board
  - Must make specific determination prior to approving waiver
  - Must document specific findings
Required Determinations: 3 Criteria
- 1. The use or disclosure of PHI involves no more than a minimal risk to the individual, based on at least the presence of the following elements:
  - An adequate plan to protect the identifiers from improper use and disclosure
  - An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining them or the retention is required by law, and
  - Adequate written assurance that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by this subpart
Required Determinations: 3 Criteria (Cont.)
- 2. The research could not practicably be conducted without the waiver
- 3. The research could not practicably be conducted without access to and use of the protected health information
Required Documentation
- Name of IRB or PB and date approved
- Statement that the IRB or PB determined the alteration or waiver of authorization, in whole or in part, satisfies the 3 criteria in the Rule
- A brief description of the PHI for which use or access has been determined to be necessary
- A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, and
- Signature of the chair or other member, as designated by the chair, of the IRB or PB, as applicable.
Data Use Agreements (DUA)
- VHA and HHS require DUA for use of limited data sets only
- VHA and ORD policy also requires a combined DUA and Data Transfer Agreement (DTA) any time you transfer data within VHA for research purposes, unless
  - The consent allows transfer to the sponsor
  - The transfer is within the scope of the protocol, e.g., transferring data to a data coordinating center
- DUA/DTA requirements will be published soon
Privacy Act of 1974
- Purpose: To balance the government's need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy
- Background: Watergate era and Congress concerned with
  - Curbing illegal surveillance and investigations
  - Potential abuses presented by the government's increasing use of computers to store and retrieve personal data
Privacy Act Objectives
- Restrict disclosure of personally identifiable records by agencies
- Grant individuals
  - Increased rights of access to agency records
  - The right to seek amendment of agency records
- Establish code of fair information practices for agencies
A Privacy Act Requirement
- Agencies that maintain a system of records "shall promulgate rules, in accordance with notice and comment rulemaking"
- Systems of Records (SOR): A group of records under agency control from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
System of Records Content
- Category of individuals covered by the system
- Categories of records in the system
- Purpose of the records
- Routine uses of records
- Storage (storage medium)
- Retrievability (name, numbers or identifier)
SORs and Research
- 34VA12 -- Veteran, Patient, Employee, and Volunteer Research and Development Project Records
- 121VA19 -- National Patient Databases VA
- 97VA105 -- Consolidated Data Information System VA (contains Medicare data)
SORs: Major Impact on Research
- All release/disclosure of information must be consistent with the SOR and routine uses
- Investigators can not release information to non-VA investigators or institutions unless
  - Written permission/authorization from the individual, or
  - Permission of the USH or designee
- Release of information is through the Privacy Office
Privacy Issues Resources
- VHA Privacy Officer: Stephania Putt
- Local privacy officer
- VHA privacy program
  - http://vaww.vhaco.va.gov/privacy/
  - Links to all Federal statutes, regulations, and policies, including security policies
  - Privacy Fact Sheets
A Changing Climate
- Security must be addressed in
  - Protocol, appendices, or other document
  - Facility SOPs
- New policies (VA and VHA) and requirements
- Sensitive data must be controlled at all times
It is VA policy that
- VA information may not reside on non-VA systems or devices unless specifically authorized by VA guidance/policy
- Federal Information Security Management Act of 2002 (FISMA): Federal security requirements apply when contractors or other organizations on behalf of an agency possess or use Federal information
- You must obtain authorization to remove confidential Privacy Act protected information
  - Approved protocol
  - Consult with supervisors/obtain permission
  - Consult with supervisor and ISO to ensure that the data is properly encrypted and password protected in accordance with VA policy (Secretary's memo, June 6, 2006)
VA Policy on Protection of Data
- Data system backups or copies
  - Same confidentiality classification as originals
  - Laptops and portable media must NOT contain the only copy of the data
- VAPI stored on computers or other storage media outside VA facilities must be encrypted per VA approved protection mechanisms
- Password or other authentication information
  - Do not store on remote systems unless encrypted
- Data can not be transmitted by remote access without VA-approved protection mechanisms
VA Policy on Government Laptops or Other Equipment
- Updated property pass
- Updated virus protection
- House and protect it from
  - Environmental threats and hazards
  - Unauthorized access, use, or removal
- Laptops, external hard drives, or other storage devices must be under lock and key when not in your immediate vicinity if it
  - Contains sensitive/protected information (VAPI), or
  - Software to access VA private networks
What You Must Do
- Prior to receiving laptop or sensitive data
  - Know the policies on protecting or responding to lost/stolen laptops or data.
- Always be on guard
  - Use common sense about where you leave it and who can access it
- Once laptop or data is discovered to be missing
  - Report it to the police
  - Obtain a copy of the police report (name of officer, case number, etc.)
  - Try to inventory what is on the laptop or the missing data.
  - Make required notifications
Reporting of Security Incidents
- OMB requires reporting of an incident within 1 hour of discovery to US-CERT
- US-CERT (US Computer Emergency Readiness Team) is the operational arm of the National Cyber Security Division (NCSD), Department of Homeland Security (DHS).
- Suspected and confirmed breaches must be reported
How to Report Security Incidents
- Immediately report to
  - Supervisor
  - ISO
  - Privacy Officer
  - Others (your facility may require reporting to other facility administrators)
- ISO will report it to the VA Security Operations Center (VA-SOC)
- Privacy Officer will enter it into the Privacy Violations Tracking System (PVTS)
- VA-SOC will notify US-CERT and key VHA/VA officials
Investigator's Responsibility
- Include all necessary information in the submission to the IRB
  - Describe type of data, data flow, and individuals having access to data (VA, non-VA)
  - Locations of data, computer systems, and security measures
- Request use of the minimal necessary information to conduct the research
- Use of data consistent with the protocol
- No re-use or sharing of data without approvals
Investigator's Responsibilities
- Protocols contain sufficient information on security issues
  - Who uses information
  - How it will be stored and secured
  - Who has copies, and where
  - Will it remain within VA? If not, will all data be returned to VA? If not, why?
  - Disposition of the data after the protocol is completed
- Allowing access only to authorized individuals
Investigator's Responsibilities (Cont.)
- Safeguarding laptops, portable drives, flash drives, and other media
- Ensuring all contracts, DUAs, and BAAs contain required language
- Encrypting/password protecting all sensitive data
IRB and R&D Committee Additional Requirements
- Is the data to be used reasonable and necessary to conduct the research?
- What are the sources of the data?
- Who will have access to the data?
- Where will the original and all copies be stored or used?
IRB and R&D Committee Additional Requirements (Cont.)
- Will identifiable data be sent out of the VA?
- Does the consent authorization sufficiently describe where the data will go and who will see it?
- Will names or SSNs be sent out of the VA?
- How will the data be secured (paper or electronic)?
- If real SSNs are used, is there an adequate justification?
Policy Documents
- VA Directive 6504: Waiver of requirements
  - Granted only by the VA Chief Information Officer in CO
  - Waiver request only from an Administration Head, Assistant Secretary, or other key official
- Majority of IT security documents being redrafted on a very fast track
Finding Policies
- www.va.gov/vhapublications
  - Link on left banner to VA publications
- www.va.gov/research
- Call or e-mail
  - Brenda Cuccherini, Ph.D. at (202)254-0277 or
  - brenda.cuccherini_at_va.gov