Title: Overview of the Report (Holly H. Birdsall)
1. Overview of the Report
Holly H. Birdsall, MD, PhD Acting Deputy Chief
of Research Development Officer, ORD
2. Why was this working group formed?
- Discovery and innovation rely on an extensive research system, requiring collaboration, exchange, and mutual support
- Both VA and NIH are federal agencies governed by requirements of FISMA. Requirements do not extend to recipients of NIH grants
3. Recommendations (p5)
- Clear, common performance-based standard for assurance and data security
- Patient consent and authorization have primacy
- Data should be disclosed promptly
- An IRB may determine when and if data can be transferred and used without written consent and authorization. Data Use Agreements (DUA) are required
- Data should be classified based on the organization's information and systems' confidentiality, integrity, and availability. Starting classification should be Moderate.
- Ongoing evaluation of data security requirements
4. Contents of the Report
- Appendix 1 (pages 7-9): Checklist and Decision Tree for Evaluation of Data Requirements and Need for DUA
- Appendix 2 (pages 10-14): Data Use Agreement Template
- Appendix 3 (pp 17-34): Information Security and Privacy Assessment Tool
5. When is a DUA Required? (page 7)

| Research Data Type | DUA Required? |
| --- | --- |
| De-identified | No |
| Consent and Authorization Obtained | No |
| Consent and Authorization waived by IRB | Yes |
| IRB Determined Study is Exempt | Yes |
| Limited Data Set | Yes |
| Review Preparatory to Research | N/A (VA policy does not allow disclosure of identifiable data in prep. review) |
| Subject to other regulations, e.g. 38 USC 7332 | Yes |
6. De-identified Data
Page 8 of report
7. Identifiable, but with consent and HIPAA authorization
8. Identifiable, waiver of HIPAA Authorization
9. DUA
10. Appendices 2 and 3
- Appendix 2: Sample provisions for Data Use Agreement Templates
  - Suggested content
  - Review with Local Counsel
- Appendix 3: Information Security and Privacy Assessment Tool for Research Data Sharing Between the VA and Academic Affiliates