HQ Expectations of DOE Site IRBs Reporting Unanticipated Problems and Review/Approval of Projects that Use Personally Identifiable Information Libby White.

Slides:



Advertisements
Similar presentations
The Role of the IRB An Institutional Review Board (IRB) is a review committee established to help protect the rights and welfare of human research subjects.
Advertisements

Data Security Protocol
Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
VOTER REGISTRATION AND IDENTIFICATION
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
June 04, 2013 Robin Thomas, NC III, Presenter. PRIVACY BREACHES A privacy breach is an unauthorized disclosure of PHI/PCI violating either Federal or.
HIPAA Regulations What do you need to know?.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.
UTHSC IRB Donna Hollaway, RN, CCRC 11/30/2011 Authority to Audit 45 CFR (e) An IRB shall conduct continuing review of research covered by this.
CREATED BY: HMIS Security Awareness Approved 1/10/2012 Revised 1/29/2013 Revised 3/15/2013.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
FERPA 2008 New regulations enact updates from over a decade of interpretations.
Integrated Online Research Compliance System (iORC)
VA OI&T Field Security Service Seal of the U.S. Department of Veterans Affairs Office of Information and Technology Office of Information Security.
New Data Regulation Law 201 CMR TJX Video.
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
Federalwide Assurance Presentation for IRB Members.
CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.
U.S. Department of Justice Drug Enforcement Administration Office of Diversion Control Electronic Prescriptions for Controlled Substances June 1, 2010.
Section Seven: Information Systems Security Note: All classified markings contained within this presentation are for training purposes only.
HIPAA PRIVACY AND SECURITY AWARENESS.
Confidentiality, Consents and Disclosure Recent Legal Changes and Current Issues Presented by Pam Beach, Attorney at Law.
Privacy and Security of Protected Health Information NorthPoint Health & Wellness Center 2011.
MATTHEW MATKOVICH MINE EQUIPMENT COMPLIANCE SPECIALIST QUALITY ASSURANCE & MATERIALS TESTING DIVISION MSHA – APPROVAL & CERTIFICATION CENTER 30CFR, PART.
 Understanding the IRB Process University of Tennessee Health Science Center Institutional Review Board.
PRIVACY AND INFORMATION SECURITY ESSENTIALS Information Security Policy Essentials Melissa Short, IT Specialist Office of Cyber Security- Policy.
Ames Laboratory Privacy and Personally Identifiable Information (PII) Training Welcome to the Ames Laboratory’s training on Personally Identifiable Information.
1 Defense Health Agency Privacy and Civil Liberties Office HIPAA Privacy Board Overview August 6, 2015.
Dealing with Business Associates Business Associates Business Associates are persons or organizations that on behalf of a covered entity: –Perform any.
Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Arkansas State Law Which Governs Sensitive Information…… Part 3B
April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.
1 NTTC/NTC ERO Training 2011 Tax Year 2007 ERO TRAINING ELECTRONIC RETURN ORIGINATOR (ERO) (Transmitter in Tax-Wise)
Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013.
A Road Map to Research at Jefferson: HIPAA Privacy and Security Rules for Researchers Presented By: Privacy Officer/Office of Legal Counsel October 2015.
Information Security IBK3IBV01 College 2 Paul J. Cornelisse.
Managing a “Data Spill”
Office of Research Oversight What’s New in VHA Handbook Dated November 15, 2011 December 1, 2011.
Final HIPAA Rule Special Training What you need to know to remain compliant with the new regulations.
Retha E. Karnes, J.D., General Counsel Tel:
Board of Directors – March 24, 2016 Denise Mannon, AHFI, CHPC Corporate Compliance Officer.
Protection of Minors Program Coordinators Information Session November 2015 Carolyn Brownawell Melisa Giraldo Dietrich Warner.
HIPAA: So You Think You’re Compliant September 1, 2011 Carolyn Heyman-Layne, J.D.
POLICIES & PROCEDURES FOR HANDLING CONFIDENTIAL INFORMATION NOVEMBER 5 TH 2015.
Properly Safeguarding Personally Identifiable Information (PII) Ticket Program Manager (TPM) Social Security’s Ticket to Work Program.
Nassau Association of School Technologists
Protecting PHI & PII 12/30/2017 6:45 AM
IRB reporting updates.
Amendments A how-to Prepared by: Christine Melton-Lopez, IRB Associate.
Providing Access to Your Data: Handling sensitive data
Obligations of Educational Agencies: Parents’ Bill of Rights
Privacy & Access to Information
Confidential Records and Protected Disclosures
Red Flags Rule An Introduction County College of Morris
HIPAA Overview.
The Health Insurance Portability and Accountability Act
Good Spirit School Division
Research Compliance: The Research/Privacy Nexus
HHS Reporting Requirements and Adverse Events
HQ Expectations of DOE Site IRBs
Student Data Privacy: National Trends and Wyoming’s Role
Policy on Prompt Reporting
Presentation transcript:

HQ Expectations of DOE Site IRBs Reporting Unanticipated Problems and Review/Approval of Projects that Use Personally Identifiable Information Libby White May 7, 2009 Office of Science

HQ Expectations of DOE Site IRBs Unanticipated Problems 45 CFR 46 calls for prompt reporting to the IRB(s), appropriate institutional and agency officials, and OHRP. OHRP guidance recommends that the PI report an unanticipated problem to the IRB(s) within 2 weeks and that the PI/the PI’s organization report the unanticipated problem to OHRP within 6 weeks (or within 1 month of notifying the IRB(s). DOE Order 443.1A also requires prompt reporting to the DOE HSR Program Manager, SC-23 (and the DOE HSR Program Manager, NA-1 for NA sites), and coordination with and approval from the HSR Program Manager(s) in determining plans to correct the unanticipated problem. While DOE Order 443.1A does not define “prompt,” we request that you notify the HSR Program Manager(s) within 48 hours of learning of any unanticipated problem that does not involve PII. Office of Science

HQ Expectations of DOE Site IRBs Unanticipated Problems (continued) If potential loss or compromise of PII is involved, report the incident immediately (as soon as you learn of the incident): –Through your Departmental Element; –To the DOE-Cyber Incident Response Capability (DOE-CIRC) at or ; and –To the DOE HSR Program Manager(s). Office of Science

PII – Related Expectations of DOE Site IRBs Operating Policies and Procedures: –Examine and expand as necessary to address unanticipated problems. –Ensure that they include a requirement for immediate notification of appropriate parties when there is potential loss or compromise of PII. –Outline the range of the IRB’s possible actions in response to reports of unanticipated problems. IRB-approved Protocols: –Examine and verify that protocol(s) have clear and detailed plan(s) for protecting PII in accordance with Federal/DOE requirements, including safe storage of PII (file cabinets, computers), encryption of data to be transferred, and immediate notification of incident(s) involving potential compromise or loss of PII data. Notify me (and, for NNSA sites, also John Ordaz) when the above actions have been completed. This should be a high priority for the IRBs, and should be completed as soon as possible and no later than June 30, New protocols : –Verify that there are clear and detailed plan(s) for protecting PII in accordance with Federal and DOE requirements Office of Science

Checklist for IRBs to Use in Verifying that HS Research Protocols are In Compliance with DOE Requirements In accordance with the Privacy Act, the DOE has established requirements for the protection of Personally Identifiable Information (PII) with the: –DOE Privacy Program (DOE Order 206.1); –DOE Manual (M) for Identifying and Protecting Official Use Only Information (DOE M ); and –DOE Cyber Security Incident Management Manual (DOE M ). Research Protocols Must Include Description of Processes for: –Keeping PII confidential; –Releasing PII only under a procedure approved by the responsible IRB(s) and DOE, where required; –Using PII only for purposes of the DOE-approved research and/or EEOICPA; Office of Science

Checklist for IRBs to Use in Verifying that HS Research Protocols are In Compliance with DOE Requirements (continued) –Handling and marking documents containing PII as “containing PII” or “containing PHI”; –Establishing reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of PII; –Making no further use or disclosure of the PII except when approved by the responsible IRB(s) and DOE, where applicable, and then only: In an emergency affecting the health or safety of any individual; For use in another research project under these same conditions and with DOE written authorization; For disclosure to a person authorized by the DOE program office for the purpose of an audit related to the project; or When required by law. Office of Science

Checklist for IRBs to Use in Verifying that HS Research Protocols are In Compliance with DOE Requirements (continued) –Protecting PII data stored on removable media (CD, DVD, USB Flash Drives, etc.) using encryption products that are Federal Information Processing Standards (FIPS) certified; –Using FIPS certified encryption that meet the current DOE password requirements cited in DOE Guide ; –Shipping removable media containing PII, as required, by express overnight service with signature and tracking capability, and shipping hard copy documents double wrapped via express overnight service; –Encrypting data files containing PII that are being sent by with FIPS certified encryption products; –Sending passwords that are used to encrypt data files containing PII separately from the encrypted data file, i.e. separate , telephone call, separate letter; Office of Science

Checklist for IRBs to Use in Verifying that HS Research Protocols are In Compliance with DOE Requirements (continued) –Using FIPS certified encryption methods for websites established for the submission of information that includes PII; –Using two-factor authentication for logon access control for remote access to systems and databases that contain PII. (Two-factor authentication is contained in the National Institute of Standards and Technology (NIST) Special Publication Version found at: –In addition to other reporting requirements, reporting the loss or suspected loss of PII immediately upon discovery to: 1) the DOE Project Officer; and 2) the applicable IRBs. Office of Science

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.