Presentation on theme: "Privacy and Information Security Essentials"— Presentation transcript:
1Privacy and Information Security Essentials Stephania Griffin, Andrea Wilsonand Charlie StroupVHA Information Access and Privacy Office
2Federal Information & Privacy Laws Title 38, United States Code (USC), Section 5701Privacy Act of 1974, Title 5 USC 552aTitle 38 USC Section 7332HIPAA Privacy Rule, 45 CFR Parts 160 and 164
4Data Distinctions Individually Identifiable Information Scrambled SSN Protected Health InformationScrambled SSNDe-identified InformationCoded DataLimited Data Set
5Individually Identifiable Information Any information that pertains to the individual that would identify the individualIncludes protected health Information (PHI)Retrieved by the individuals name or other unique identifier, such as SSN
6Scrambled SSN What is a Scrambled SSN? A unique identifier created by an algorithm using the SSNNot considered a re-identification code as it is derived by the SSNAny data containing a scrambled SSN is NOT de-identified.
7De-Identified Information - HIPAA Health information that does not identify an individual and there is no reasonable basis to believe that the information can be used to identify the individual based on:1. A person with appropriate knowledge and experience with acceptable statistical and scientific principles and methods for rendering information not individually identifiable. This person determines the risk that the information could be used alone or in combination with other data, to identify the person is considered very small. This person must document the method and results to justify the determination .
8De-Identified Information 2. All of the below 18 data elements have been removed:NameGeographic subdivisions smaller than a State, including street address, city, county etc.All elements of dates directly related to an individual, including birth date, admission date, date of death, etc.Telephone numbersFax numbersElectronic mail addressesSSNMedical Record Number
9De-Identified Information Health Plan Beneficiary NumberAccount NumbersCertificate or License numbersVehicle identifiersDevice IdentifiersWeb Universal Resource Locators (URLs)Internet Protocol (IP) Address NumbersBiometricsFull Face ImagesAny other unique identifying number, characteristics, or code
10Coded vs. De-Identification of Data Coded Data means that collected samples or data are unidentified for research purposes by use of a random or arbitrary alphanumeric code or symbol but the samples may still be linked to their sources through use of a key to the code available to an investigator or collaborator.De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual .Both require deletion of direct identifiersCoded data is most often used with specimen collection and genetic research. Coded data is NOT de-identified.
11HIPAA AuthorizationThe term “HIPAA authorization” means prior written permission from the study subject to use and/or disclose the study subject’s PHI as required law. The written authorization must include all content elements, be signed and dated as required by VHA policy prior to any use or disclosure of information.A Research HIPAA Authorization form must comply with these requirements.
12HIPAA Authorization Authorizes The Research HIPAA Authorization Form only authorizes the PI to use the data expressly listed and to disclose the data to the listed entities for the purposes specifically stated in the form/document.If you created your own Research HIPAA Authorization Form, you cannot put the VAF number on it.If the study subject’s data is to be used for an additional purpose or additional data is to be collected/used, a new Authorization must be obtained prior to that use of the data.This is why Research HIPAA Authorizations are written in as broad terms as permitted by law.
13Use of Research DataUse is defined as the sharing, utilization, examination or analysis of information with VHA. Used includes viewing or accessing the data.VA Researchers must collect, use and access health information only as legally permissible:Signed, written Research HIPAA Authorization from the study subject;IRB approved Waiver of HIPAA Authorization,Data Use Agreement for Limited Data Set for Research; orDe-identified Information.
14Disclosure of Research Data Privacy Act Definition: Disclosure is the release of information contained in a system of records to any person, or to another agency, by any means of communication to any person, or to another agency. This definition encompasses use.VA Definition: The release, transfer, provision of access to or divulging in any other manner of information outside VA. Tracks the HIPAA Privacy Rule definition of disclosure.
15Disclosure of Research Data VA Researchers must have legal authority under all applicable Federal Laws and regulations to disclose individually identifiable information and PHI.A signed, written Research HIPAA Authorization from the study subject usually provides sufficient legal authority for disclosure under all Federal laws and regulations.No signed, written Research HIPAA Authorization from study subject – consult your Privacy Officer.
16Ownership of Research Data VA research is the property of the VA, not the Researcher.If a VA researcher would like to request a copy of the research study, they must make this request through their Privacy Officer who will ensure that this is legally permissible.
17Limited Data SetProtected health information from which certain specified direct identifiers of the individual and their relatives, household members and employers have been removed.Basically, a limited data set has all of the direct patient identifiers removed like de-identified information but it may contain dates, city and full 5 or 9-digit zip codes.A limited data set requires a Data Use Agreement (DUA) as the authority for its use or disclosure.
18Data Use Agreements A DUA is an agreement that: Governs the sharing of data between an Information Custodian and a Requestor.Establishes the specific terms for VA and non-VA User uses.Provides a means to transfer liability for the protection of the information to an outside party.May serve as a means to establish criteria for using, disclosing, storing, processing, and disposing of dataMust be implemented in accordance with policies established by Information Access and Privacy (IAP), and, if required, by the Information Custodian (IC).Satisfies HIPAA requirements when providing information within a limited data set (LDS)
19When Do You Need a Data Use Agreement A DUA is required in the following instances:1) by Federal laws or regulations when sharing Limited Data Sets (LDS) as defined by the HIPAA Privacy Rule (45 C.F.R (e)), or2) when VHA data is requested by entities outside of VA unless there is another binding written agreement.
20What are the Current Expectations of old DUA until the new one Comes out VHA program offices and facilities should continue to use their current DUA templatesEstablished VHA policy or program guidelines which address the application of data use agreements (DUA) should be followed
21Issues Related to 38 USC 7332Research HIPAA Authorization must explicitly list 7332-protected information if it is to be used or disclosed.If no Research HIPAA Authorization, the VA Research may still use 7332-protected information if there is assurance in writing from the VA Researcher that the purpose of the data is to conduct scientific research and that no personnel involved in the study may identify, directly or indirectly, any individual patient or subject in any report of such research or otherwise disclose patient or subject identities in any manner.This written assurance may be documented in the research protocol.
22Disclosure related to 38 USC 7332 If no Research HIPAA Authorization:The Under Secretary for Health or designee determines that the requester of the patient identifying information:(1) Is qualified to conduct the research.(2) Has an approved research protocol under which the information will be maintained in accordance with the security requirements of Sec ; and will not be redisclosed except back to VA.(3) Has furnished a written statement that the research protocol has been reviewed by an IRB who found that the rights of patients would be adequately protected and that the potential benefits of the research outweigh any potential risks to patient confidentiality posed by the disclosure of records.
23VA FormIf the protocol requires a voice, video or photograph to be taken of a subject who is an inpatient or outpatient that is not for treatment purposes, then VAF must be filled out and signed by the subject, or his legal representative.For employee and other non-patient subjects, the information may be contained in the Informed Consent and separately obtaining VAF is not required.This is a Joint Commission requirement of the facility that is in addition to the HIPAA Authorization or Informed Consent.
24Research Agreement Requirements A Research Agreement is required when a non-VA entity (such as a contractor) is performing a service on behalf of the VA Researcher where PHI is required by the non-VA entity (contractor). For example,Contractor performing phone interviews of study subjects and collecting the data for VA ResearcherList of names provided to contractor to call potential research subjects
25Incompetent SubjectsIncompetent subjects can participate in research studies and the Next-of-Kin can sign the Informed Consent. BUT…The Next-of-Kin cannot sign the HIPAA Authorization unless that person is the legal guardian of the patient or has power of attorney.The HIPAA Authorization must be signed by the patient or a person with legal authority to act on behalf of the patient.
26Case Study 1: The only difference between a Limited Data Set and De-identified information is a limited data set requires a Data Use agreement for Research?TrueFalse
27Answer to Question 1 B. False There are actually several differences between a limited data set (LDS) and de-identified information:De-identified information must have all 18 elements removed while a LDS contains and permits the use of dates, city and zip codes.A LDS requires a DUA for research and public health reporting.
28Case 2 Study: What if you start to add a random but unique study subject code to other data contained in the limited data set for research? Is it still considered a limited data set?TrueFalse
29Case 2 AnswerB. FalseWhen you start adding unique identifiers (even those created just for the study) to the limited data set it is no longer a limited data set. It is instead individually identifiable information which you will need a HIPAA Authorization or a waiver of HIPAA Authorization.
30Case 3 StudyResearcher wants to do a study and will need to take pictures of the subjects. This is not for treatment and the subjects are all inpatients. However a waiver of authorization has not been granted by the IRB so authorizations will be needed. Blood tests will be performed. Some of the study group have been declared legally incompetent . The Next of Kin has signed all forms.Are you ready to move forward with your research study?
32Answer to Case 3 Answer is No The next of Kin can sign the Informed ConsentThey can not sign VAF or VAFThey do not have authority to sign either forms or as they are not the Veterans legal representative i.e. Legal guardian or Power of AttorneyIf the person does sign the authorization form it will be invalid therefore the person has not given you authority to use their information