1. Working Group on IT Security and Privacy in VA and NIH Sponsored Research Joel Kupersmith, MD Chief Research & Development Officer

2. 2 Background VA research depends on close collaboration with medical schools and their Universities Virtually all researchers have University appointments Memorandum #2, Affiliation Agreements and more recently the Blue Ribbon Panel have underscored this fundamental VA collaboration

3. 3 Background (cont ) Clinical data is essential to research Data IT systems are essential to clinical and health services research Data sharing is in turn essential to attain clinical and health services research goals Veterans’ opinions – Survey –Veterans strongly support VA research and maintenance of its privacy and security –Veterans also support sharing of data with medical schools

4. 4 Establishing the Working Group Because of the strong need for IT security and a breach of VA data, representatives of medical schools and the AAMC met with VA and VHA leadership regarding data security and research –Meeting included USH and Assistant Secretary for IT –Addressed serious problems in the affiliations Out of this meeting ultimately can the Working Group on Information and Technology Security and Privacy in VA and NIH-Sponsored Research Working Group consisted of –VA, including VHA and OIT –Medical School representatives –NIH –AAMC as conveners

5. 5 Working Group Charge “To examine and develop standard practices and processes that assure data security yet allow appropriate use of data in research”

6. 6 Initial Working Group Determination All the participating organizations uphold a strong commitment to data security and continue to seek out effective means of implementation Implementation and enforcement varies across organizations, regions and campuses There is a clear need to improve communication about security policies Security requirements should be standardized

7. 7 Working Group Principles 1.Ensure patient-centered security and privacy protection of all data 2.Maximize ability to conduct research at appropriate level of security risk 3.Foster inter- and intra-institutional collaboration 4.Make IT security and privacy requirements transparent 5.Ensure applicable, scalable and consistent security controls across organizations 6.Incorporate continuous improvement and flexibility into the security model 7.Have systems that ensure principles are implemented 8.Consider efficiency and effective use of resources

8. 8 Working Group Report Inclusions Included in the Working Group Report –Statement that policies need to be consistent across VA –Recommendations on databases attained with research subject consent –Recommendations on databases where IRBs determined that it is unreasonably difficult to obtain consent Identified and de-identified –Statement on importance of FIPS (Federal Information Processing Standards) 199

9. 9 Working Group Report Tools Pathways for disclosing data to academic affiliates for research purposes (Appendix 1) Sample provisions for Data Use Agreements (Appendix 2) Information security and privacy assessment tool for research and data sharing between VA and Academic Affiliates (Appendix 3)

10. 10 Working Group on IT Conclusion IT Working Group brought together relevant Offices of VA, Universities and NIH to develop uniform procedures to ensure security and privacy protection of all data VA has concurred on this report