Privacy,

About This Presentation

Title:

Privacy,

Description:

VHA must comply with 6 statutes that govern collection, maintenance & release of ... voice prints (16) Full-face photographic images and any. comparable images ... – PowerPoint PPT presentation

Number of Views:41

Avg rating:3.0/5.0

Slides: 51

Provided by: brendacucc2

Category:

Tags: privacy

more less

Transcript and Presenter's Notes

Title: Privacy,

1
Privacy, Security

Brenda Cuccherini, Ph.D., MPH
VA Office of Research Development
September 2007

2
VHA Privacy

VHA privacy program is complex
VHA must comply with 6 statutes that govern
collection, maintenance release of information
VHA Handbook 1605.1 addresses most requirements

3
Privacy Related Statutes

HIPAA Privacy Rule
Privacy Act of 1974
FOIA
VA Claims Confidentiality
Confidentiality of Drug Abuse, Alcoholism
Alcohol Abuse, HIV, and Sickle Cell Anemia
Medical Records
Confidentiality of Healthcare Quality Assurance
Review Records

4
HIPAA the Privacy Rule

Title I Health Care Access, Portability,
Renewability
Title II Preventing Healthcare Fraud Abuse
Administrative Simplification Medical Liability
Reform
Privacy Rule,
Transactions,
Security
Enforcement)

5
HIPAA The Common Rule

Represents 2 different, but not contradictory
regulations
Many terms similar but not the same
IRB must make 2 separate determinations when
reviewing approving applicable research
The Common Rule
HIPAA

6
HIPAA Research

Defines specific HIPAA identifiers
Controls use of Personal Health Information (PHI)
Within the covered entity
Disclosures outside the covered entity
Allows only the Minimum Necessary information
Use of PHI requires an authorization or waiver of
authorization. Exceptions
Preparatory to research Note It does not include
recruiting subjects
Use of limited data sets as defined by HIPAA

7
HIPAA Identifiers Remove All 18 to De-identify
for HIPAA

(1) Names
(2) All geographic subdivisions smaller than a
state, except
for the initial three digits of the zip
code if the
geographic unit formed by combining all zip
codes with
the same three initial digits contains more
than
20,000 people
(3) All elements of dates except year and all
ages over 89
(4) Telephone numbers
(5) Fax numbers
(6) E-mail addresses
(7) Social security numbers
(8) Medical record numbers

8
HIPAA Identifiers (Cont.)

(9) Health plan beneficiary numbers
(10) Account numbers
(11) Certificate or license numbers
(12) Vehicle identifiers and license plate
numbers
(13) Device identifiers and serial numbers
(14) URLs
(15) IP addresses
(16) Biometric identifiers
Full-face photographs and any comparable
images

9
HIPAA Identifiers (Cont.)

Any other unique identifying number,
characteristic
or code, unless otherwise permitted by
the Privacy
Rule for re-identification
Scrambled SSNs
Initials
Last four digits of SSN
Employee numbers
Etc.
(19) A caveat HIPAA also states that the
entity does not have actual
knowledge that the remaining
information could be used alone
or in combination with other
information to identify an individual
who is the subject of the information
If you can strip all 18 identifiers, it still may
not be de-identified

10
Applicability of Identifiers

HIPAA identifiers apply to
The individual
The individuals relatives
The individuals employers
The individuals household members

11
Whats De-identified?

If some one tells you data is de-identified, ask
them how they define it!

12
De-identified VHAs Definition

Information or data that meets the HIPAA Privacy
Rule and the Common Rule definitions of
de-identified
Does not contain any of the 18 HIPAA identifiers
Has not met the criteria for de-identification by
statistical means as defined in HIPAA
Identity of the subject is not readily
ascertained by the researcher

Scrambled Social Security
Numbers are identifiers!!!

14
Protected Health Information (PHI)

PHI is individually identifiable health
information (IIH)
IIH Health information including demographics
Collected from an individual
Relates to
The past, present, or future physical, mental
health, or condition of an individual
Provision of health care to the individual
Identifies the individual or there is a
reasonable basis to believe the information can
identify the individual
Is retrieved by name or other unique identifier

15
Preparatory to Reach

VHA Handbook 1605.1 states that contacting
research subjects or conducting pilot studies are
not Preparatory to Research activities
HHS states that the Preparatory to Research
provisions allow an investigator to use PHI to
contact prospective research subjects

16
Limited Data Sets

Does not require a HIPPA authorization or waiver
of authorization
Only allowed for research , public health, or
health care operations
Requires a DUA
May contain identifiable information such as
scrambled SSNs, are still PHI
May still be human subjects research

17
Limited Data Set (Cont.)

Excludes certain direct identifiers
Excluded identifiers apply to
The individual,
The individuals relatives
The individuals employers
The individuals household members
May contain
City, state, ZIP code,
Elements of a date other numbers,
Characteristics or codes not listed as direct
identifiers

18
Limited Data Sets Direct Identifiers

(1) Names
(2) Postal address other than town, city, state,
and ZIP code
(3) Telephone numbers
Fax numbers
Electronic mail address
(6) SSNs
(7) Medical Record number
(8) Health plan beneficiary numbers
(9) Account numbers

19
Limited Data Set Direct Identifiers (Cont.)

(10) Certificate/license numbers
(12) Vehicle identifiers and serial numbers
including license plate numbers
(12) Device identifiers serial numbers
(13) Web universal resource locators (URLs)
(14) Internet protocol (IP) address
(15) Biometric identifiers, including
fingerprints
voice prints
(16) Full-face photographic images and any
comparable images

20
Business Associate Agreements

Business Associate An individual or entity who
on behalf of VHA
Performs or assists in performing functions or
activities involving the use or disclosure of PHI
or
Provides certain services to VHA which include
use or disclosure of PHI by VHA.
Activities must be related to treatment, payment,
or health care operations

21
Business Associate Agreements

BAAs required for
Any person or entity meeting the definition of
Business Associate
BAAs not required for research or research
sponsors
Research is not a function or activity regulated
by HIPAA (treatment, payment, or health care
operations)

22
HIPAA Authorization

Authorization requirements
Handbook 1605.1 Privacy Release of
Information
Poor authorizations
Inadequate description of the data
Does not specifically state if PHI related to
drug or alcohol abuse, alcoholism, HIV, or Sickle
Cell Anemia will be used
General statements regarding who will see data
Failure to state what will happen with the data,
where it is sent, and how it is secured
Stand alone or incorporated into informed consent

23
Waiver of Authorization

IRB or Privacy Board (PB) may approve
Full waiver of authorization
Partial waiver of authorization
Alteration of the disclosure
IRB or Privacy Board
Must make specific determination prior to
approving waiver
Must document specific findings

24
Required Determinations 3 Criteria

1. The use or disclosure of PHI involves no more
than a minimal risk to the individual based on
at least the presence of the following elements
An adequate plan to Protect the identifiers from
improper use disclosure
An adequate plan to destroy the identifiers at
the earliest opportunity consistent with the
conduct of the research unless there is health
or research justification for retaining them or
retention or the retention is required by law
and
Adequate written assurance that the PHI will not
be reused or disclosed to any other person or
entity, except as required by law, for authorized
oversight of the research study, or for other
research for which the use of disclosure of PHI
would be permitted by this subpart

25
Required Determinations 3 Criteria (Cont.)

2. The research could not practicably be
conducted without the waiver
3. The research could not practicably be
conducted without access to and use of the
protected health information

26
Required Documentation

Name of IRB or PB date approved
Statement IRB or PB determined the alteration or
waiver of authorization, in whole or in part,
satisfies the 3 criteria in the Rule
A brief description of the PHI for which use or
access has been determined to be necessary
A statement that the alteration or waiver of
authorization has been reviewed and approved
under either normal or expedited review
procedures, and
Signature of the chair or other member, as
designated by the chair, of the IRB or PB, as
applicable.

27
Data Use Agreements (DUA)

VHA and HHS require DUA for use of limited data
sets only
VHA and ORD policy also requires a combined DUA
and Data Transfer Agreement (DTA) for anytime
you transfer data within VHA for research
purposes unless
The consent allows transfer to the sponsor
The transfer is within the scope of the protocol
e.g., transferring data to a data coordinating
center
DUA/DTA requirements will be published soon

Privacy Act of 1974

29
Privacy Act of 1974

Purpose To balance the governments need to
maintain information about individuals with the
rights of individuals to be protected against
unwarranted invasions of their privacy
Background Watergate era and Congress concerned
with
Curbing illegal surveillance investigations
Potential abuses presented by governments
increasing use of computers to store retrieve
personal data

30
Privacy Act Objectives

Restrict disclosure of personally identifiable
records by agencies
Grant individuals
Increased rights of access to agency records
The right to seek amendment of agency records
Establish code of fair information practices for
agencies

31
A Privacy Act Requirement

Agencies that maintain a system of records "shall
promulgate rules, in accordance with notice and
comment rulemaking
Systems of Records (SOR) A group of records
under agency control from which information is
retrieved by the name of the individual or by
some identifying number, symbol, or other
identifying particular assigned to the
individual.

32
System of Records Content

Category of individuals covered by the system
Categories of records in the system
Purpose of the records
Routine uses of records
Storage (storage medium)
Retrievability (name, numbers or identifier)

33
SORs and Research

34VA12 -- Veteran, Patient, Employee, and
Volunteer Research and Development Project
Records
121VA19 -- National Patient Databases VA
97VA105 Consolidated Data Information System
VA (contains Medicare data)

34
SORs Major Impact on Research

All release/disclosure of information must be
consistent with the SOR and routine uses
Investigators can not release information to
non-VA investigators or institutions unless
Written permissions/authorization from individual
or
Permission of the USH or designee
Release of information is through the Privacy
Office

35
Privacy Issues Resources

VHA Privacy Officer Stephania Putt
Local privacy officer
VHA privacy program
http//vaww.vhaco.va.gov/privacy/
Links to all Federal statutes, regulations,
policies including security policies
Privacy Fact Sheets

Security

37
A Changing Climate

Security must be addressed in
Protocol, appendices, or other document
Facility SOPs
New policies (VA VHA) and requirements
Sensitive data must be controlled at all times

38
It is VA policy that

VA information may not reside on non-VA systems
or devices unless specifically authorized by VA
guidance/policy
Federal Information Security Management Act of
2002 (FISMA) Federal Security requirements apply
to when contractors or other organizations on
behalf of an agency possess or use Federal
information
You must obtain authorization to remove
confidential Privacy Act protected information
Approved protocol
Consult with supervisors/obtain permission
Consult with supervisor and ISO to ensure that
the data is properly encrypted and password
protected in accordance with VA policy
Secretarys memo June.6, 2006

39
VA Policy on Protection of Data

Data system backups or copies
Same confidentiality classification as originals
Laptops portable media must NOT contain the
only copy of the data
VAPI stored on computers or other storage media
outside VA facilities must be encrypted per VA
approved protection mechanisms
Password or other authentication information
Do not store on remote systems unless encrypted
Data can not be transmitted by remote access
without VA-approved protection mechanisms

40
VA policy on Government Laptops or Other Equipment

Updated property pass
Updated virus protection
House protect it from
Environmental threats hazards
Unauthorized access, use, or removal
Laptops, external hard drives, or other storage
devices must be under lock key when not in your
immediate vicinity if it
Contains sensitive/protected information (VAPI)
or
Software to access VA private networks

41
What You Must Do

Prior to receiving laptop or sensitive data
Know the policies on protecting or responding to
lost/stolen laptops or data.
Always be on guard
Use common sense about where you leave it, who
can access it
Once laptop or data is discovered to be missing
Report it to the police
Obtain a copy of the police report (name of
officer, case number, etc.)
Try to inventory what is on the laptop or the
missing data.
Make required notifications

42
Reporting of Security Incidents

OMB requires reporting of an incident within 1
hour of discovery to US-CERT
US-CERT US Computer Emergency Readiness Team is
the operational arm of National Cyber Security
Division (NCSD), Department of Homeland Security
(DHS).
Suspected and confirmed breaches must be reported

43
How to Report Security Incidents

Immediately report to
Supervisor
ISO
Privacy Officer
Others (Your facility may require reporting to
other facility administrators)
ISO will report it to the VA-Security Operations
Center (VA-SOC)
Privacy Officer will enter it into the Privacy
Violations Tracking System (PVTS)
VA-SOC will notify US-CERT key VHA/VA officials

44
Investigators Responsibility

Include all necessary information in the
submission to the IRB
Describe type of data, data flow, individuals
having access to data (VA, non-VA)
Locations of data, computer systems, security
measures
Request use of the minimal necessary information
to conduct the research
Use of data consistent with the protocol
No re-use or sharing of data without approvals

45
Investigators Responsibilities

Protocols contain sufficient information on
security issues
Who uses information
How it will be stored and secured
Who has copies where
Will it remain within VA if not, will all data
be returned to VA if not why
Disposition of the data after protocol completed)
Allowing access only to authorized individuals

46
Investigators Responsibilities (Cont.)

Safeguarding laptops, portable drives, flash
drives, and other medium
Ensuring all contracts, DUAs, and BAAs contain
required language
Encrypting/password protecting all sensitive data

47
IRB and RD Committee Additional Requirements

Is the data to be used reasonable and necessary
to conduct the research?
What are the sources of the data?
Who will have access to the data?
Where will the original and all copies be stored
or used?

48
IRB and RD Committee Additional Requirements
(Cont.)

Will identifiable data be sent out of the VA?
Does the consent authorization sufficiently
describe where the data will go who will see
it?
Will names or SSNs be sent out of the VA?
How will the data be secured (paper or
electronic)?
If real SSNs are used, is there an adequate
justification?

49
Policy Documents

VA Directive 6504 Waiver of requirements
Granted only by the VA Chief Information Officer
in CO
Waiver request only from an Administration Head,
Assistant Secretary, or other key official
Majority of IT security documents being
redrafted on a very fast track

50
Finding Policies