Developing Solutions - Specific ISO & Privacy Officer Responsibilities for Review of Human Research Projects K. Lynn Cates, M.D. Assistant Chief Research.


1 Developing Solutions - Specific ISO & Privacy Officer Responsibilities for Review of Human Research Projects K. Lynn Cates, M.D. Assistant Chief Research & Development Officer Director, PRIDE June 1, 2011

2 Human Research Protection Program (HRPP)*
Every office, committee, & individual who is involved in human research
• Institutional Official (IO) – Medical Center Director
• Research Team – Investigator & Research Staff
• Research Office – ACOS & AO
• IRB – Staff & Members
• Research & Development (R&D) Committee
• Research Compliance Officer
• Research Pharmacy
• Privacy Officer
• Information Security Officer
*VHA Handbook 1200.05, 3ee

3 VHA Handbook 1200.05 – “Requirements for the Protection of Human Subjects in Research”
• Responsible Program Office – ORD
• ORO, OI&T, & the VHA Privacy Office collaborated & concurred on relevant content
• Establishes procedures for the protection of human subjects in VA Research
• Defines the procedures for implementing the Common Rule in VA Research

4 Common Rule “Protection of Human Subjects”
• VA is one of 17 Federal departments & agencies that have agreed to follow the Common Rule
• 38 Code of Federal Regulations (CFR) Part 16
• 38 CFR 16.111 (also known as the “111 Criteria”) – Criteria for IRB approval of research include provisions such as
  – Risks to subjects are minimized
  – Risks are reasonable in relation to anticipated benefits
  – Informed consent will be sought & documented
  – When appropriate, there are adequate provisions to protect the privacy of subjects & to maintain the confidentiality of data (16.111(a)(7))

5 Privacy Officer & ISO Role in HRPP*
• Must be appointed as a non-voting member of either
  – The IRB, or
  – The R&D Committee
• Must be involved in the review of human subjects research to address & mitigate potential concerns regarding privacy & confidentiality, & information security, respectively
*VHA Handbook 1200.05, 12m

6 VHA Handbook 1200.05, Paragraph 38: Privacy Officer & ISO Responsibilities
• Privacy Officer
  – Ensuring proposed research complies with requirements for privacy & confidentiality
• Information Security Officer
  – Ensuring proposed research complies with requirements for information security

7 VHA Handbook 1200.05, Paragraph 38: Privacy Officer & ISO Responsibilities
• Cannot approve or disapprove a study
• Do not have the authority to prevent or delay IRB approval of a study

8 VHA Handbook 1200.05, Paragraph 38: Privacy Officer & ISO Responsibilities
• Reviewing the proposed protocol & other relevant materials submitted with the IRB application
• Informing the IRB of their findings
• Identifying deficiencies in the proposed research
• Making recommendations to the Principal Investigator (PI) of options to correct the deficiencies
• Following up with the PI, in a timely manner, to ensure the proposed research is in compliance before the study is initiated

9 Amendments & Continuing Review
Privacy Officers & ISOs do not have to review all amendments & continuing reviews, but they do have to serve in an advisory role to the IRB which may include assisting the IRB in the review of amendments & continuing reviews when the IRB has concerns about privacy, confidentiality, &/or information security issues.
See VHA Handbook 1200.05, 12m(2): “Regardless of whether they are appointed to be ex officio [i.e., non-voting] members of the IRB or R&D Committee, the facility Privacy Officer & ISO must be involved in the review of human subjects research to address & mitigate potential concerns regarding privacy & confidentiality, & information security, respectively.”

10 Checklist for Reviewing Privacy, Confidentiality and Information Security in Research: Purpose, Development and Implementation
Alan Papier
VA Local Accountability for Research Meeting
June 1, 2001

11 Purpose:
• Develop a standard checklist to be used when reviewing research studies
• Make it easier for Principal Investigators (PI) to provide complete documentation on their data protection plans
• Make it easier for Privacy Officers (POs) and Information Security Officers (ISOs) to comprehensively review research studies for adherence to policy
The Information Protection in Research Work Group created a checklist to ensure the security, privacy and confidentiality of sensitive information in research studies

12 Representatives VA-wide provided input to the development of the research checklist
• Field Security Service
• Information Access and Privacy Service
• Office of Cyber Security
• VA Privacy Service
• Research Integrity and Assurance
• Office of Special Advisor on Policy and Emerging Issues
• Health Data and Informatics
• Office of Information and Technology (OIT) Office of Oversight and Compliance
• VA Office of General Counsel

13 During development of the research checklist, 12 facilities were invited to field test the first draft
• Portland, Region 1
• Puget Sound, Region 1
• Tucson, Region 1
• Milwaukee, Region 2
• Saint Louis, Region 2
• Birmingham, Region 3
• Cleveland, Region 3
• Richmond, Region 3
• Baltimore, Region 4
• Lyons, Region 4
• Pittsburgh, Region 4
• Providence, Region 4

14 The research checklist is designed to encourage collaboration and ensure information protection

15 There are several important factors to keep in mind when implementing the research checklist
The checklist is:
• Coordinated by the Institutional Review Board (IRB) or Research and Development (R&D)
• Completed manually or electronically
• Suggested that PO and ISO sign once to indicate compliance with policy or recommend changes requiring further review and additional signatures
• Signed electronically or with a wet signature, depending on the preference of the IRB

16 Additional Factors…
• The form will work best if the PI documents are in a specific section of the application or protocol
• It is not necessary to document every item in the application or protocol
  – If it does not apply, check N/A
• Checklist should be used for initial submissions
• Checklist is not expected to be submitted for previously approved studies
• IRB can decide whether to use for continuing reviews or amendments

17 Additional Factors… (cont’d)
• Checklist provides guidance to the PI on topics to document and provides them with the policy reference if they want to look it up
• IRB may adapt the form to its needs or use it as is
• It is not intended to be an exhaustive list of requirements but rather a brief list to reference
• Each requirement is clearly titled with a subject that can be used by the PI as an outline to writing the information protection portion of the study application

18 Visit the Information Security (IS) Portal for a copy of the research checklist
https://vaww.infoprotection.va.gov/fieldsecurity/default.aspx

19 Contacts
• Information Security Issues
  – Joseph Holston
  – Lucy Fleming
• Privacy and Confidentiality Issues
  – Patricia Christensen
  – Stephania Griffin
• Research Policy
  – Brenda Cuccherini

20 Questions

21 Checklist for Reviewing Privacy, Confidentiality and Information Security in Research - Development and Purpose Alan Papier, ISO Director, Region 4

22 IS YOUR IRB/RDC USING THE CHECKLIST?
1. Yes (47%)
2. No (53%)

23 DOES YOUR IRB/RDC PLAN TO USE THE CHECKLIST?
1. Yes (76%)
2. No (24%)

24 IF YOU ARE NOT PLANNING TO USE THE CHECKLIST, WHY NOT?
1. We have another checklist that works better. (32.6%)
2. The Checklist is too complicated. (32.6%)
3. The IRB hates it. (19.6%)
4. The Privacy Officer does not want to use it. (8.7%)
5. The Information Security Officer does not want to use it. (6.5%)

25 HAS YOUR IRB ATTEMPTED TO USE THE CHECKLIST?
1. We tried it, but didn’t like it. (28.6%)
2. IRB reviewed it and rejected it without a test. (14.3%)
3. IRB rejected it without reviewing it. (10.7%)
4. IRB did not want to discuss it. We have our own IRB. (7.1%)
5. IRB did not want to discuss it. We use an affiliate IRB as the IRB of record. (39.3%)

26 IF YOU ARE USING THE CHECKLIST, HAS IT MADE THE PROCESS WORK BETTER?
1. Better (24.6%)
2. No difference (7.7%)
3. Worse (20%)
4. Need more time to evaluate (47.7%)

27 IF YOU ARE USING THE CHECKLIST, ARE YOU USING A PAPER VERSION OR ELECTRONIC VERSION?
1. Paper (50%)
2. Electronic (50%)

28 IF YOU ARE USING THE CHECKLIST, DOES YOUR REVIEW TAKE LESS TIME THAN BEFORE YOU BEGAN USING IT?
1. Significantly less time (6.8%)
2. Somewhat less time (6.8%)
3. About the same amount of time (23.7%)
4. Somewhat more time (30.5%)
5. Significantly more time (32.2%)

29 DOES THE CONTENT OF THE CHECKLIST HELP GUIDE YOU THROUGH A COMPREHENSIVE REVIEW?
1. Review is now much more comprehensive (47.7%)
2. Somewhat more comprehensive (29.2%)
3. About the same (15.4%)
4. Somewhat less comprehensive (6.2%)
5. Much less comprehensive (1.5%)

30 Privacy Officer & ISO Responsibilities: Human Research Review
• The Privacy Officer & ISO are expected to review studies against the requirements in the checklist (but not necessarily use the checklist itself)
• It is not sufficient to only review the checklist & not the protocol & related materials themselves (1200.05, 38b Note) because
  – The checklist cannot cover all contingencies
  – The PI &/or study team may not fill it out correctly

31 Privacy Officer & ISO Responsibilities: Reports
• The IRB or Research Office needs to work with their Privacy Officers & ISOs to develop Standard Operating Procedures (SOPs) defining local policy on how the Privacy Officers & ISOs should document their findings (e.g., checklist, memoranda, etc.)
  – So everyone knows what is expected
  – To facilitate auditing of files (e.g., by RCOs)
  – To facilitate site visits (e.g., by ORO, PCA, ITOC, & AAHRPP)

32 Privacy Officer & ISO Responsibilities: Documentation
• Summary reports* = interim or initial reports of their review & assessment that either
  – Identify specific questions, concerns, required changes, & suggested options for correcting deficiencies, or
• Final reports** = when all requirements have been met
• You do not have to submit a “summary report” if all the requirements have been met. A “final report” will suffice
*VHA Handbook 1200.05, 38g
**VHA Handbook 1200.05, 38h

33 Privacy Officer & ISO Responsibilities: What Goes Into the Reports?*
• Date of report
• Study title
• PI’s name
• If issues
  – Questions, concerns, required changes
  – Options for correcting deficiencies
• If no deficiencies
  – Statement that the study meets all requirements
  – Approval
*Models = Checklist or VA Central IRB Forms for PI Application, Privacy Officer, & ISO

34 Privacy Officer & ISO Responsibilities: When are Summary/Final Reports Due?*
• For convened IRB Review – due prior to, or at, the convened IRB meeting
• For expedited review – due prior to IRB approval by the IRB Chair or designee
• For exempt studies (i.e., exempt from IRB review) – go to the ACOS/R&D
*VHA Handbook 1200.05, 38g

35 Privacy Officer & ISO Responsibilities: When are Final Reports Due?
• Final reports must go to the IRB (VA or affiliate IRB) “in a timely manner”*
• Privacy Review
  – HIPAA Authorization: The Privacy Officer must receive a copy of the final HIPAA authorization before signing off on a final report to ensure it is a valid authorization (the final sign off can be at the IRB meeting)
  – Waiver of HIPAA Authorization: The Privacy Officer must receive documentation of IRB approval of a waiver of HIPAA authorization before signing off on a final report (can be at meeting)
*VHA Handbook 1200.05, 38h

36 Privacy Officer & ISO Responsibilities: Communication With the PI
• The Privacy Officer & ISO
  – Must feel free to engage all stakeholders
  – May work directly with the PI (&/or study team)
• The IRB &/or Research Office staff
  – Should work with the Privacy Officer & ISO to develop SOPs to address communication of privacy, confidentiality, & information security issues with the PI
  – Must submit all documented questions, concerns, &/or changes to the PI for resolution
  – Should provide the Privacy Officer &/or ISO a copy of the PI’s response, along with the next IRB agenda

37 What Happens if the PI is Unresponsive?
• If the PI does not satisfactorily address deficiencies identified by the Privacy Officer &/or ISO, & the project is not in compliance with relevant requirements
  – The Privacy Officer &/or ISO will not be able to provide final approval, &
  – The PI cannot collect or use data

38 What if the Privacy Officer & ISO are Non-Voting Members of the R&D Committee?
• They must submit their summary/final report prior to, or at, the convened IRB meeting (1200.05, 38g)
• They must be provided adequate time before the IRB meeting to perform their review (e.g., 2 weeks)

39 What if the IRB of Record is at the Affiliate?
• Nothing changes. The Privacy Officer & ISO must ensure the privacy, confidentiality, & information security plan are in accordance with all relevant requirements
• Waiver of HIPAA authorization. The affiliate IRB should approve it because the IRB has reviewed the project & is familiar with
  – Why the investigators need the waiver
  – Why the investigators cannot perform the study without a waiver

40 What is the Role of the Local Privacy Officer & ISO in a Multi-Site Project?
• VA Central IRB reviews the project
  – The Privacy Officer for the VA Central IRB reviews the project for all sites (PI site & local sites)
  – The local Privacy Officer does not have to review the project
  – The ISO for the VA Central IRB reviews the project for all sites, but
  – The ISO at local site may need to review the project if there are special local information security issues
• Other multi-site studies
  – The local Privacy Officers & ISOs review the study as it will be conducted at the local site

41 What Happens if the PI & Privacy Officer &/or ISO Disagree? Who Mediates?
• The Privacy Officer will contact the VHA Privacy Office
• The ISO will contact the Network ISO or the Senior ISO for Research
• When applicable, guidance may be sought from ORD &/or ORO
• A written response will be provided to the PI

42 Who Follows Up to Ensure the PI Makes the Required Changes?
• The IRB Administrator or Research Office staff
• They provide the PI’s response to the Privacy Officer &/or ISO

43 How Others Can Help Privacy Officers & ISOs Fulfill Their Responsibilities
• PIs
  – Must dedicate sections of the protocol or develop an additional document(s) (e.g., the checklist) to address all privacy & information security issues (1200.05, 10i&j)
• IRB Administrators &/or Research Office
  – Can work with the Privacy Officer & ISO to build into their SOPs provisions for
    • Giving Privacy Officers & ISOs sufficient time for their reviews
    • Defining how Privacy Officers & ISOs provide documentation
    • Defining the flow of communications with the PI
  – Work with PIs to get their responses

44 Others’ Roles in Helping Privacy Officers & ISOs Fulfill Their Responsibilities
• IRB
  – Reports to the Privacy Officer any unauthorized use, loss, or disclosure of individually-identifiable subject information (1200.05, 14o)
  – Reports to the ISO violations of VA information security requirements (1200.05, 14p)

45 Panel
• Stephania Griffin, RHIA – VHA Privacy Officer
• Patricia L. Christensen, MS, RHIA, CHPS, CIPP/G, CHPC – VHA Privacy Specialist, VHA Privacy Office
• Alan Papier, CISSP, ISSMP, CISM – Information Security Director, Region 4
• Lucy Fleming, RHIA, CAP – ISO, Baltimore
• Joseph Holston – Senior Research ISO, ORD
• Brenda Cuccherini, PhD, MPH – Special Advisor for Policy & Emerging Issues, ORD

