Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Security and Research 101 Completing Required Forms Kimberly Summers, PharmD Assistant Chief for Clinical Research South Texas Veterans Health Care.

Published byAndrea Goodwin Modified over 8 years ago

Similar presentations

Presentation on theme: "Data Security and Research 101 Completing Required Forms Kimberly Summers, PharmD Assistant Chief for Clinical Research South Texas Veterans Health Care."— Presentation transcript:

1 Data Security and Research 101 Completing Required Forms Kimberly Summers, PharmD Assistant Chief for Clinical Research South Texas Veterans Health Care System Research and Development Service (210) 617-5300 x 15969 KimberlyK.Summers@va.gov

2 Goal of VA Privacy and Information Security Protecting the privacy of our veterans Assuring the confidentiality of research subjects’ data Ensuring research will continue within the VA Ensuring the stackholder's and public’s confidence in the integrity of the data

3 Concerns Regarding VA Research And Cyber-Security Large data sets with PHI & identifiers –VA leads the world in electronic records –VA also receives Medicare Data –Genomic medicine raises new concerns VA investigators have many collaborators Abundance of devices Recent negative publicity regarding loss of VA- sensitive information

4 VHA Privacy Program Consists of 6 statues that govern collection, maintenance, and release of information –Provision of the Freedom of Information Act, Privacy Act, Title 38 United States Code (U.S.C.) (U.S.C. Sections 5701, 5705, 7332), and Standard of Privacy of Individually-Identifiable Health Information, 45 Code of Federal Regulations (CFR) Parts 160 and 164, hence Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule VHA Handbook 1605.1addresses most requirements –Investigators must have the authority to collect, use, or disclose private information

5 Investigator’s Certification: Storage and Security of VA Research Information February 2007 –Deputy Under Secretary for Health Operations and Management and Chief Research and Development Officer established a process by which PIs be certified as meeting the security requirements for VA research information All active protocols had to be certified by ACOS/Research, Information Security Officer (ISO), Privacy Officer, and Director as compliant The STVHCS research program (all protocols) was in jeopardy of being shut down if the entire program didn’t meet the standards

6 Annual Certification By April 15 of each year –PI must confirm all active research protocols continue to meet the VA data security standards and requirements Process for annual recertification in development Annual security training –Cyber Security, Privacy, and Data Security –Annual certifications are forwarded to the STVHCS Medical Center Director and VISN Director

7 Collection, Storage, and Use of VA- Sensitive Research Data All protocols submitted for IRB and R&D approval must: –Contain specific information on all sites where data will be used or stored –How data will be transmitted or transported –Who will have access to the data –How data will be secured Information contained in the Data Security Checklist

8 Completed by R&D office based on information provided by investigator during the pre-review process Returned to PI for signature Reviewed and signed off on by the ACOS/Research and ISO Forwarded to Hospital Director for certification

9 Information Requested From PI

10 Background and Definitions Required to Complete VA Research Data Security Checklist

11 VA-Sensitive Research Data Individually-identifiable research data collected on a veteran subject through a STVHCS approved protocol Individually-identifiable research data collected on a veteran or non-veteran within the STVHCS Individually-identifiable research data collected as part of a VA-funded study

12 Not VA-Sensitive Data Non-identifiable data Data collected on non-veterans outside of the VA on a non-VA funded project

13 HIPAA and Research Controls use of protected health information (PHI) –Within the covered entity (STVHCS) –Disclosures outside the covered entity –Allows only the “Minimum Necessary” information Use of PHI requires an authorization or waiver of authorization: –Informed consent / HIPAA authorization from patient –IRB waiver of authorization for exempt research 18 defined “HIPAA identifiers”

14 HIPAA Identifiers 1. Names 2. ALL geographic subdivisions smaller than the state 3. All elements of dates smaller than a year and all ages over 89 4. Phone numbers 5. Fax numbers 6. E-mail addresses 7. Social Security numbers (SSN) 8. Medical record number 9. Health plan beneficiary numbers 10. Any other account numbers 11. Certificate/license numbers 12. Vehicle identifiers and license plate numbers 13. Device identifiers and serial numbers 14. WEB URL's 15. Internet IP address numbers 16. Biometric identifiers (fingerprint, voice prints, retina scan, etc) 17. Full face photographs or comparable images 18. Any other unique number, characteristic or code

15 HIPAA Identifiers Continued Any other unique number, characteristic or code –Scrambled SSN –Initials –Last four digits of SSN –Employee numbers –Etc. HIPPA also states that the entity does not have actual knowledge that the remaining information could be used alone or in combination with other information to identify an individual who is the subject of the information

16

17 HIPAA and The Common Rule Two different regulations VA requires de-identification by both Common Rule states the identity of the subject can not be readily ascertained by information remaining after removal of all 18 HIPAA identifiers –After stripping all 18 identifiers the remaining information may still be identifiable (e.g. through statistical analysis)

18 Keys To Coding Systems If non-identifiable information is linked to identifiable information with the use of log (e.g. coding system) –Logs are identifiable and VA-sensitive research data –Applies to data and specimen logs

19

20 If There Is No Collection of Identifiable Information Should be consistent with informed consent document and HIPAA authorization Should be consistent with protocol Provide IRB approval letter for exempt research or page(s) of protocol which clearly states no identifiable information will be collected

21 Disclosure of VA- Sensitive Research Data

22 Disclosure of Research Data Release, transfer, or provision of access to, or divulging in any other manner information outside the VA VHA Handbook 1605.1 STVHCS is required to maintain an accounting of all disclosures of individually-identifiable information including those for state reporting and research Disclosure of de-identified data, or a limited data set, does not require an accounting

23 Limited Data Set Data set that contains PHI that excludes 16 categories of direct identifiers May contain identifiable information –Scrambled SSN –City, State, ZIP code –Elements of date and other numbers –Characteristics or codes not listed as direct identifiers

24 Limited Data Sets: Direct Identifiers 1. Names 2. Postal address other than town, city, state, and ZIP code 3. All elements of dates smaller than a year and all ages over 89 4. Phone numbers 5. Fax numbers 6. E-mail addresses 7. Social Security numbers (SSN) 8. Medical record number 9. Health plan beneficiary numbers 10. Any other account numbers 11. Certificate/license numbers 12. Vehicle identifiers and license plate numbers 13. Device identifiers and serial numbers 14. WEB URL's 15. Internet IP address numbers 16. Biometric identifiers (fingerprint, voice prints, retina scan, etc) 17. Full face photographs or comparable images 18. Any other unique number, characteristic or code

25 Accounting of Disclosures For VA-Sensitive Research Excluding Limited Data Sets The accounting must include: –Date, nature, and purpose of the disclosure; and –Name and address of the person or agency to whom the disclosure is made Web-based database available –A paper format of the web-based database will be used as a contingency if needed

26

27

28 Privacy Office Review STVHCS Privacy Officer or designee –Provide consultation as needed in the pre- review process –Attends the R&D Committee meetings –Performs a final privacy approval prior to activation of any research protocol Signature required for R&D approval –Monitors the disclosures of private information at least quarterly

29 STVHCS Privacy Office Contacts Vickie Macdonald, RHIT –(210) 617-5661 –Vickie.Macdonald@va.govVickie.Macdonald@va.gov Mary Wohl –(210) 617-5300 ext 15602 –Mary.Wohl@va.govMary.Wohl@va.gov

30 Storage of VA Research Data

31 Storage of VA-Sensitive Paper Research Data Lower risk of loss or compromise Physical security controls –Within the VA system Locked room, locked cabinet Access limited to research staff –At the UTHSCSA Physical security arrangements must be inspected and approved by ACOS/Research and ISO

32 Storage of VA-Sensitive Electronic Research Data Risk of loss or compromise is high Must be stored within the VA system (e.g. behind the VA firewall) –VA research server recommended Accessed directly through the VA network from a VA computer or Through VPN from a non-VA computer –Encrypted VA computer in VA office Rare instances Explain requirement for storage outside the server

33 VA Research Server For instructions on how to set up an investigator folder on the VA Research server and/or To obtain VPN access –Contact R&D office Angela Casas (210) 617-5300 x15523 Angela.Casas@va.gov –Contact Information Security Officer (ISO) Gerald Steward (210) 617-5300 x14734 Gerald.Steward@va.gov

34 Transfer / Transmission of Research Data

35 Sharing Research Data: Often Appropriate and Necessary With collaborators With those who have specialized expertise With data coordinating centers for Multi-site studies With outside sponsors of research

36 Transfer or Transmission of Research Data Outside the VA Transfer to entity other than the sponsor or its designated data center –Requires prior written approval from ACOS/Research Privacy Officer Information Security Officer Applies to any VA-sensitive research data –Including limited data-sets Transfer of data should be described in the protocol and consent / HIPAA authorization Transfer or transmission requires an accounting of disclosure

37 Forms For Authorization of Transfer Data Use Agreement Data Transfer Agreement for within VHA Data Transfer Agreement for outside VHA Removable Storage Media Agreement For assistance obtaining the appropriate forms –Contact R&D office Angela Casas (210) 617-5300 x15523 Angela.Casas@va.gov Forms will be available on STVHCS Research website in future

38 Loss or Compromise of VA- Sensitive Research Data Must be reported promptly to: –Supervisor –ACOS/Research –Information Security Officer (ISO) –Privacy Officer –IRB Reported as an Unanticipated Problem Involving Risk to Subjects or Others (UPIRSO)

39 Loss of a Device Used to Transport, Access or Store VA-Sensitive Information Must be reported promptly to: –Supervisor –ISO –If within a VA facility to the VA police If traveling or at another institution report to the security/police officers of the institution and obtain: –Case number –Name and badge number of the investigation officer –Copy of the case report, if possible

40 Data Security and Research: The Stakes are High VA must assure information security & privacy protects research subjects and facilitates current and future research –May also protect the researcher Negative publicity impacts the local research program and investigators, VA research in general, and VHA health care

Download ppt "Data Security and Research 101 Completing Required Forms Kimberly Summers, PharmD Assistant Chief for Clinical Research South Texas Veterans Health Care."

Similar presentations

What is VA Research and Sensitive VA Research Data?

What is VA Research and Sensitive VA Research Data?
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *http://www.hhs.gov/ocr/combinedregtext.pdf.

HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.

HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
HIPAA, Privacy & Confidentiality Local Accountability for Research Protection in VA Facilities VA Office of Research & Development Baltimore, February.

HIPAA, Privacy & Confidentiality Local Accountability for Research Protection in VA Facilities VA Office of Research & Development Baltimore, February.
COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.

COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
National Cancer Institute Cancer Therapy Evaluation Program (CTEP) presents: How to Obtain Protected Health Information (PHI) from an Outside Healthcare.

National Cancer Institute Cancer Therapy Evaluation Program (CTEP) presents: How to Obtain Protected Health Information (PHI) from an Outside Healthcare.
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
HIPAA Requirements for Patient Oriented Research

HIPAA Requirements for Patient Oriented Research
Informed Consent.

Informed Consent.
Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.

Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.
HIPAA Training Presentation for New Employees How did we get here? HIPAA Police 1.

HIPAA Training Presentation for New Employees How did we get here? HIPAA Police 1.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Privacy and Information Security Essentials

Privacy and Information Security Essentials
What does this form mean? HIPAA Authorization means prior written permission for use and disclosure of protected health information (PHI) from the information’s.

What does this form mean? HIPAA Authorization means prior written permission for use and disclosure of protected health information (PHI) from the information’s.
Office of Research Oversight. Working Group Report Slide 2.

Office of Research Oversight. Working Group Report Slide 2.
University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.

University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.
1 HIPAA, Researchers and the IRB: Part Two Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.

1 HIPAA, Researchers and the IRB: Part Two Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.

Similar presentations

Ads by Google