Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Research Involving Sensitive Data & Databases Brenda Cuccherini, Ph.D., MPH VA Office of Research & Development January 2007.

Published byHelen Patrick Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Research Involving Sensitive Data & Databases Brenda Cuccherini, Ph.D., MPH VA Office of Research & Development January 2007."— Presentation transcript:

1 1 Research Involving Sensitive Data & Databases Brenda Cuccherini, Ph.D., MPH VA Office of Research & Development January 2007

2 2 Is This True? "The more the data banks record about each one of us, the less we exist” Marshall McLuhan Canadian philosopher & educator

3 3 Topics To Be Covered Sensitive data Database handbook –Definitions –Data Uses –Preparatory to research –One time use –Data Repositories Long term storage Re-use of data –Responsibilities

4 4 Definition: VA Sensitive Data & Information All Department data which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. VA Handbook 6504 June 7, 2006

5 5 Examples of Sensitive Data Data when improperly used or disclosed could adversely affect the ability of an agency to accomplish its mission Proprietary information Records about individuals requiring protection under Privacy Act, HIPAA, or other statutes Information that can be withheld under FOIA

6 6 Applicability to Research VHA researchers develop, collect, use, share, &/or store all categories of sensitive data Researchers primarily think about protecting subjects’ and patient data and not other data Misuse or disclosure of other data may have a major impact on: –VHA and individual facilities –VHA’s ability to care for veterans & conduct research

7 7 Protecting Sensitive Data Careful thought Situational awareness “Universal Precautions” Guidance Policy

8 8 Draft policy: Use of Data & Data Repositories in Research (Draft Policy but Good Guidance)

9 9 A policy is a temporary creed liable to be changed, but while it holds good it has got to be pursued with apostolic zeal. Mohandas Gandhi

10 10 Scope of Database Handbook Applies to all research activities involving the use of data and data repositories that are conducted in VA approved research, within VHA, and/or by VA investigators while on duty. VA investigators maybe –Compensated –WOC –IPA Contractors: similar requirements will be in contract/SOW

11 11 Terms Defined for This Discussion Coded data DUA or Data Transfer Agreement Existing data De-identified data

12 12 Definition: Coded Data Information for which the source person can be identified through intermediate links (“coded”) used alone or in combination with other information.

13 13 Coded Date & Human Subjects Research Human subjects research: When individually identifiable information (III) is used –Individually identifiable information (38 CFR 16.102(f)): When the investigator can link data to specific persons directly or through codes. Common Rule definition differs from HIPAA definition of Individually Identifiable Health Information (IIHI) –Example: III=any information including religious beliefs; IIHI = physical health, mental health, or condition of the individual

14 14 Coded Data: Is It Non-human Subjects Research? Data not collected specifically for current research Code not based on the 18 HIPAA identifiers, e.g., last 4 digits of SSN, scrambled SSN, initials Investigator cannot readily ascertain identity of individual –Key to code is destroyed or the investigator cannot get access to the key –Investigator can not otherwise ascertain the identify of the individuals

15 15 Definition: Data Use Agreement ( Data Transfer Agreement (DTA) ) A written agreement that defines: –What data may be used –How data may be used –How it will be stored and secured –Who may access it –To whom it may be disclosed –Disposition of data after termination of research –Required actions if lost or stolen Requirement for DUA –HIPAA: when data disclosed outside the covered entity –Privacy Handbook (VHA 1605.1) disclosure outside of VHA Requirement for DUA or DTA –Database HB: any use of data by others

16 16 Definition: Existing Data Data that have already been collected when the research proposal is submitted to a VA reviewing committee

17 17 Definition: De-identified Data De-identified data must meet both the following definitions: HIPAA definition of de-identified –Removal of all 18 identifiers that could be used to identify the individual, individual’s relatives, employers, or household members Common Rule “definition” of de-identified –Removal of all information that would identify the individual or would be used to readily ascertain the identity of the individual

18 18 DATA AND ITS USES

19 19 Sources of Data Internal sources –Austin Automation Service –PBM –VistAWeb –BIRLS –Other administrative and clinical databases –Research databases External sources Research subjects

20 20 Uses of Data Preparatory to research Within a research protocol – Without reuse or storage – With plans for storage and reuse Populate a research data repository

21 21 Preparatory to Research Access only to prepare protocol prior to submission to IRB & R&D committee Can record aggregate data for background, justify the research, or show adequate number of subject available, etc. Cannot: –Record identifiers –Use information reviewed for recruitment or to conduct pilot studies

22 22 Preparatory to Research (cont.) PI must make representation per HIPAA –Access only to prepare protocol –No PHI removed from covered entity –Access necessary for research Documentation of representation placed in PI’s files

23 23 Use of Data For Research Protocol approved by: –IRB (if human subjects) & R&D Committee –Database administrator or “owner” Review by Privacy Officer or other expert –To ensure all Privacy Act, HIPAA and security issues are addressed Use must be consistent with the protocol Data can not be re-used or stored beyond the retention period, if not covered in protocol Consent and HIPAA Authorization Issues addressed, e.g., obtained or waived

24 24 RESEARCH DATA REPOSITORIES

25 25 Data Repository Data repository = storage & reuse Location: –At VA on VA servers –Permission required to house elsewhere Data sources: any –Research or non-research –VA or non-VA

26 26 Creation of Research Repositories Structure –Administrator or administrative board –Advisory committees (science, ethics) –Policies & procedures –IRB of record for oversight Content –Identified or de-identified data Location: within VA on VA servers unless waiver obtained

27 27 Repository SOPs Administrative structure Conflict of Interest Adding data to repository Accessing data Record keeping requirements Privacy & confidentiality Storage & security Termination of repository

28 28 Accessing Data from Repository Access by VA investigators Specific protocol that has IRB, R&D approval Protocol must contain required information (discussed later) DUA or Data Transfer Agreement

29 29 Record Keeping Sufficient Information to track & understand repository activity –How/where data obtained –Data requests and the associated protocols and approvals –Communications with the requester Administrative activities such as committee meeting minutes Communications to and from the IRB and R&D committee

30 30 Oversight of a Repository Annual reporting to the IRB (repository treated as a research protocol) and R&D committee Report information –Source of data being added –Type of data released to others including the protocol for reuse that contains information on: Confidentiality Storage and security of data Disposition of data at end of study –Any unanticipated problems regarding risk to subjects, institutions, etc. –Any incidents of inadvertent disclosure, loss, or theft of data

31 31 RESPONSIBILITIES

32 32 Investigator Responsibilities Protocols must contain information on –Source of data & type of data (identified, de- identified) –Consent under which it was collected –How the data will be used –Planned use of & justification for use of real SSNs – Recruitment or re-contact of subjects –Storage ( where, any copies, who will have access, plans to share data) –Justification for waiver of authorization or consent –Privacy & confidentiality related to data

33 33 Investigator’s Responsibilities (Continued) If data collected directly from subjects: –Consent clearly states: Use of data If reuse allowed Who will have access to data (VA investigators, non-VA investigators, drug companies, etc.) Where it will be stored How it will be secured Disposition of data after study Certificate of Confidentially –HIPAA authorization meets all requirements in VHA Handbook 1605.1 (more then HIPAA)

34 34 Investigator’s Responsibilities (Continued) Data use consistent with protocol No re-disclosure of data Appropriate training When leaving VA data and all copies left at VA All other responsibilities per VHA policy

35 35 Identifiable Data: Special Concerns SSNs – real and scrambled Recruitment of subjects Re-contacting subjects Storage & Security Privacy & Confidentiality – next session

36 36 Approvals for Research Using Data From a Repository Who is responsible? –The investigator(s) facility’s IRB and R&D Committee Who is NOT responsible? –The IRB and R&D Committee for the facility that houses the repository –The IRB and R&D Committee for the facility from which the data came

37 37 IRB Responsibilities Sufficient expertise to review the protocol Determining if the project is: –Research –If yes, is it human subjects research –If human subjects, is it exempt from IRB review (may still need HIPAA authorization) Requiring sufficient information All responsibilities under 38 CFR 16

38 38 “Sufficient Information” for IRB Source of the data & purpose originally collected (non-research, research) If research: is the re-use consistent with the informed consent & authorization If collected for non-research purposes, do guidelines under which collected allow re- use for research Appropriate permissions are obtained to access the data

39 39 “Sufficient Information” (Cont.) Description of the data (de-identified, identified, coded) Justification for use of identified data Coded data: a description of the coding scheme and who controls the key Use of real SSNs adequately justified Confidentiality and privacy issues addressed Recruiting or re-contacting subjects

40 40 “Sufficient Information” (Cont.) Major issue: Will the data be safe? –Storage –Security –Transportation or transmission –Copies of data (location, media) –Access (VA and non-VA persons) –Disposition of data at end of study (destruction, storage, etc.) Risks (subjects, institution, system)

41 41 Recruiting from Databases: IRB Considerations Must have IRB and R&D Committee approvals May not represent minimal risk Minimal risk if –Investigator is subject’s health care provider (HCP) –Initial contact from subject’s HCP –Initial approach is general (not disease specific or address sensitive issues) –Initial contact in person or by mail Minimal concerns if person has agreed to be contacted

42 42 R&D Committee Responsibilities Sufficient expertise to review science Receive & review “sufficient information” as described for IRB Review findings of the IRB If facility does not hold an FWA: –Determine if it is research –If research, determine if it is human subjects research –If any questions regarding this determination, develop procedures for consultation with human subjects experts

43 43 Responsibilities of Others Local P&P must be developed to ensure compliance with applicable VA & VHA policies Identify knowledgeable person(s) –Privacy Officer –IRB administrator –Research compliance officer –Data repository administrator Additional training of “knowledgeable persons” may be required –Role: to serve as final check for privacy & security issues

44 44 Just a Thought… “Big Brother in the form of an increasingly powerful government and in an increasingly powerful private sector will pile the records high with reasons why privacy should give way to national security, to law and order, to efficiency of operation, to scientific advancement and the like.” William O. Douglas Associate Justice U.S. Supreme Court From 1939-1975

45 45 A prudent question is one-half of wisdom. Francis Bacon

46 46 "To care for him who shall have borne the battle and for his widow and his orphan.“ Abraham Lincoln’s Second Inaugural Address “…To care for him who shall have borne the battle and for his widow and his orphan." Abraham Lincoln

Download ppt "1 Research Involving Sensitive Data & Databases Brenda Cuccherini, Ph.D., MPH VA Office of Research & Development January 2007."

Similar presentations

The Role of the IRB An Institutional Review Board (IRB) is a review committee established to help protect the rights and welfare of human research subjects.

The Role of the IRB An Institutional Review Board (IRB) is a review committee established to help protect the rights and welfare of human research subjects.
SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
What is VA Research and Sensitive VA Research Data?

What is VA Research and Sensitive VA Research Data?
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *http://www.hhs.gov/ocr/combinedregtext.pdf.

HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.

1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
HIPAA, Privacy & Confidentiality Local Accountability for Research Protection in VA Facilities VA Office of Research & Development Baltimore, February.

HIPAA, Privacy & Confidentiality Local Accountability for Research Protection in VA Facilities VA Office of Research & Development Baltimore, February.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
RESEARCH COMPLIANCE Agenda 1. No Destruction of local research documents after scanning 2. Training for shipping biological samples/specimens 3. Regulatory.

RESEARCH COMPLIANCE Agenda 1. No Destruction of local research documents after scanning 2. Training for shipping biological samples/specimens 3. Regulatory.
Criteria For Approval 45 CFR 46.111 25 CFR 56.111 Minimized risks Reasonable risk/benefit ratio Equitable subject selection Informed consent process Informed.

Criteria For Approval 45 CFR CFR Minimized risks Reasonable risk/benefit ratio Equitable subject selection Informed consent process Informed.
Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.

Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Implementation of Privacy Board Reviews at PCMC Mary Thomason, Intermountain Healthcare Privacy Board Chair.

Implementation of Privacy Board Reviews at PCMC Mary Thomason, Intermountain Healthcare Privacy Board Chair.
Privacy and Information Security Essentials

Privacy and Information Security Essentials
August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.

August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.
Complying with Privacy to Enable Innovation & Research

Complying with Privacy to Enable Innovation & Research
What does this form mean? HIPAA Authorization means prior written permission for use and disclosure of protected health information (PHI) from the information’s.

What does this form mean? HIPAA Authorization means prior written permission for use and disclosure of protected health information (PHI) from the information’s.
Office of Research Oversight. Working Group Report Slide 2.

Office of Research Oversight. Working Group Report Slide 2.
Office of Research Oversight. Challenges & Opportunities Related to “Collaborative” Research with Affiliates Challenges –Federal Records Retention Requirements.

Office of Research Oversight. Challenges & Opportunities Related to “Collaborative” Research with Affiliates Challenges –Federal Records Retention Requirements.
Recently Issued OHRP Documents: Guidance on Subject Withdrawal and Draft Revised FWA Secretary’s Advisory Committee on Human Research Protections October.

Recently Issued OHRP Documents: Guidance on Subject Withdrawal and Draft Revised FWA Secretary’s Advisory Committee on Human Research Protections October.
CUMC IRB Investigator Meeting November 9, 2004 Research Use of Stored Data and Tissues.

CUMC IRB Investigator Meeting November 9, 2004 Research Use of Stored Data and Tissues.

Similar presentations

Ads by Google