Presentation on theme: "What is VA Research and Sensitive VA Research Data?"— Presentation transcript:
1VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC
2What is VA Research and Sensitive VA Research Data? VA research is any research that has been approved (or requires approval) by a VA Research and Development (R&D) Committee. Generally this includes any research conducted with VA resources, including funds, staff time, equipment, or space.VA research data consist of information that has been collected for, used in or derived from the conduct of VA research.VA sensitive information is defined in VA Directive 6504 as all Department data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information.This term includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, or records about individuals requiring protection under various confidentiality provisions such as the Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It also includes information that can be withheld under the Freedom of Information Act (FOIA).
3VA Protected Information (VAPI) is VA sensitive information, Privacy Act Information, Protected Health Information (PHI), or other VA information that has not been deliberately classified as public information for public distribution.Sensitive VA research data consist of information that has been collected for, used in or derived from the conduct of VA research that fits the definition of VA sensitive information.Always err on the side of caution. Unless you are certain that specific research data are NOT sensitive, you should treat them as if they ARE.Note: Although results of sensitive VA research are considered “sensitive” data, once they have been summarized and submitted for publication or published in compliance with all applicable requirements, the summarized data are not considered “sensitive.”
4As a member of the Research Community it is quite simply our DUTYto protect the sensitive research data of the Veterans who have served and protected our country and who now volunteer as Research Subjects!
5WHY ARE WE AT RISK?Approximately one in 10 laptop computers is stolen (Gartner Group, 2001)…Hospitals and universities are particularly common targets for theft of laptops and other portable media , thus...We need to be vigilant in the storage, use, security and confidentiality of data and for the privacy of the research subjects
8The loss of data: Violates veterans’ and employees privacy. Exposes them to the possibility of identity theft.Possibly resulting in risk to their financial security, employability, insurability and reputation.Instills a lack of trust in the VA system.
9Consider this when dealing with Sensitive Data Lead by example!Treat all research data as sensitive unless you are absolutely sure they are not!Foster camaraderie in this quest!Utilize technical safeguards, physical safeguards and good work practices!
10VHA HandbookUtilizing VHA Handbook will lead to compliance with the privacy requirements set forth in all six Federal privacy & confidentiality statures and regulations regarding theCOLLECTIONUSINGSHARNGor DISCLOSING of individually identifiable information
11Data Collection & UseCollect the minimum information needed to conduct the research.Use data as outlined by the protocol and signed authorization.Never re-use or share data without the appropriate approvals
12Sharing or Disclosing Information Disclosure of individually identifiable information from official VHA records is acceptable only when:The VHA has first obtained the signed, written (HIPAA) authorization of the individual, orWaiver of HIPAA authorization is approved by the Privacy Board.
13HIPAA Authorization must contain the following information: Expiration date, event or conditionIndividual to whom the requested info pertainsDescription of the information requestedStatement regarding revocationStatement that VA treatment & benefits are not effected by the authorizationThe signature of the individual whose info will be used or disclosed.Date of the signature
14Waiver of HIPAA Authorization Must be approved by the facility IRB or Privacy Board.Approval is based on 3 criteria:The use or disclosure must involve no more that minimal risk to the individualThe research cannot practicably be conducted without the waiverThe research cannot be performed without access to, and use of, the protected health information
15Data Use Agreements (DUA) A written DUA may be obtained when data will be disclosed outside of the VHA for non-VA research.The DUA must include the following:What and how data may be usedHow data will be stored & securedWho may access data & by what legal authorityDisposition of data after the termination of researchActions required if data are lost or stolen
16Certificates of Confidentiality Under Federal law, researchers must obtainan advance grant of confidentiality from theNIH, known as a Certificate ofConfidentiality, to protect data pertaining tosensitive issues such as illegal behavior,alcohol or drug use, or sexual practices orpreferences.
17What About De-identified Data? Is your data truly de-identified, thus containing none of the 18 types of identifiers as outlined by VHA Handbook , Appendix B?Does your data involve the removal of all information that would identify the individual or would be used to readily ascertain the identity of the individual?
18Can you actually recite the 18 types of identifiers that MUST be removed to assure that the data is… DE-IDENTIFIED?
19Names or initialsAll geographic subdivisions smaller than a stateAll elements of dates except the year and all ages over 89Telephone numbersFax numbersaddressesSocial Security Numbers (or scrambled Social Security Numbers)Medical record numbersHealth plan beneficiary numbersAccount numbersCertificate or license numbersVehicle identifiers and license plate numbersDevice identifiers and serial numbersURLsIP addressesBiometric identifiers, including finger and voice printsFull-face photographs and any comparable imagesAny other unique identifying number, characteristic or code, unless otherwise permitted by the Privacy Rule for re-identification*HIPAA identifiers also pertain to the person’s employer, relatives, and household members.
20Limited Data Sets Exclude certain direct identifiers that apply to: The individualThe individual’s relativesThe individual’s employersThe individual’s household membersThey may contain:City, state, ZIPElements of a date and other numbersCharacteristics or codes not used as direct identifiersIdentifiable information, such as scrambled SS#s.
21Coded Data Coding consists of labeling info with a code that : Does not include any patient identifiersIs not derived from or related to the 18 HIPAA identifiersCannot be translated so as to identify the individualIf data are coded, the key to linking the code with these identifiersmust be stored within the VA, but it should not be stored with thecoded data.
22Lets Just Be Sensible!Log off from your computer when you are not physically using it.Do not leave printed private data on the printer.Pick up your Fax's in a timely fashion.Use only approved hardware, software, solutions and connections.Control access to data.Avoid using automatic password-saving features.Do not talk about private information in a public place.
23Steps We Have Taken to Assure Compliance with Regulations Additional Medical Center Memorandums to includeLoaning of Research IT EquipmentResearch Management of LaptopsSecurity of PHI/sensitive info held by Researchers
24Additional Steps…Addition of the Privacy Officer to the R&D Committee.Questions regarding data security and privacy asked at the pre-consenting interview held with the PI and coordinator.More stringent exiting procedures.Annual PI Certification and Data Security Checklist.Annual certification of compliance by MCD.
25What we are currently working on PKI compliance.Quarterly walk-thru inspections of work areas within Research.Reviewing and updating SOPs (as needed) to include appropriate language regarding data security and privacy.Creating a database that provides information regarding data security and privacy by protocol.Adding the Privacy Officer and the Information Security Officer to our semi-annual all research staff meetings.
26Final Words of Wisdom Err on the side of caution! Keep regulations at hand, it is extremely difficult to remember everything!Work closely with your Privacy Officer & the Information Security Officer!Ask for assistance from VACO!Steadily work to improve and modify as necessary in a timely fashion!Be positive and optimistic…nothing hinders the process more than pessimism!Keep your Medical Center Director up to date with any new information or process.Be an example!