1 Research Privacy
Stephania Griffin, JD, RHIA, CIPP/G
Pat Christensen, MS, RHIA, CIPP/G, CHPS, CHPC

Thank you Joe! Today I am going to talk about privacy issues and requirements within research.

2-5 Objectives
Define privacy requirements for research
Define terms used to describe VHA privacy information
Determine requirements for use of photographs/audio-recordings/surveys
Identify when a combined research authorization is required

Describe the privacy requirements for research and their applicability to various situations including data collection, de-identification and records retention. Define the terms for personally identifiable information, protected health information, non-identifiable information and VA sensitive information. Determine what requirements must be met for audio-recording of interviews or surveys. Appropriately identify when a Combined Research Authorization including conditioned and unconditioned aspects of the research study is required.

6 Poll Question
The study protocol involves a simple survey of VA staff, with no health information. Is a HIPAA authorization or waiver required?
Yes
No

Before we get started with the presentation I'd like to ask a poll question. The study protocol involves a simple survey of VA staff, with no health information. Is a HIPAA authorization or waiver required? To answer this question, use the blue polling icon above my head. We'll move on and come back to your results in just a moment.

7 Privacy Laws and Requirements for VA Research
We are going to start with an overview of the privacy laws and regulations applicable to research.

8 Federal Information and Privacy Laws
Title 38, United States Code (USC), Section 5701
Title 38 USC Section 7332
Privacy Act of 1974, Title 5 USC 552a
HIPAA Privacy Rule, 45 CFR Parts 160 and 164

There are four main federal privacy laws and regulations VA researchers must follow. We will go over each in detail in just a minute. Whenever a conflict arises between these laws, the most stringent law applies. Because outside or non-federal researchers do not have to comply with the Privacy Act or 7332, many VA researchers are only concerned with the HIPAA Privacy Rule. However, the Privacy Act and 7332 are often the more stringent laws and their requirements must be followed beyond what HIPAA requires.

9 Protected Information and Authority: 38 U.S.C. 5701 and 7332
Statute: 38 U.S.C. 5701
Protected information: Veteran names and addresses, and those of their beneficiaries
Authority: need-to-know; survives death; not applicable to employees

Statute: 38 U.S.C. 7332
Protected information: HIV, sickle cell anemia, alcohol abuse/alcoholism, drug abuse
Authority: subject authorization, or disclosure to non-VA requires assurance

5701: Provides for the confidentiality of all VA patient and claimant names and home addresses (present and former armed forces personnel) and of their dependents, and permits disclosure of the information only when specifically authorized by the statute. Workforce names or any other names are not considered protected information under this statute. 5701 still applies even after the Veteran is deceased. 7332: Provides for the confidentiality of certain patient medical record information related to the diagnosis of sickle cell anemia and HIV (including HIV testing), and the referral and/or treatment of drug abuse, alcoholism or alcohol abuse, even when the patient refuses treatment. 7332 also still applies after the Veteran is deceased.

10 Protected Information and Authority: Privacy Act and HIPAA
Statute: Privacy Act of 1974
Protected information: all agency information retrieved by a unique identifier
Authority: as needed in performance of official job duty

Statute: HIPAA
Protected information: protected health information held by a covered entity
Authority: subject authorization, or IRB waiver; survives death

PA: Provides for the confidentiality of personal information about an individual that is retrieved by the individual's name or other unique identifier (e.g., SSN). Such information is contained in a system of records (SOR) and must be protected. Prohibits disclosure of any record contained in a SOR unless specifically authorized under a routine use or authorization. Provides rights to the individuals to whom the personal information pertains. The Privacy Act no longer applies after the individual dies. The HIPAA Privacy Rule establishes a set of basic national standards for the protection of health information maintained by health care providers, health care clearinghouses and health plans, which are known as covered entities. It addresses the use and disclosure of individuals' health information and provides individuals with privacy rights regarding their health information. HIPAA continues to apply for 50 years after the death of the individual. The HIPAA Privacy Rule is what requires the Research HIPAA Authorization or IRB-approved waiver of HIPAA Authorization prior to the use or disclosure of health information for a research study.

11 Issues Related to 38 USC 7332
HIPAA Authorization: explicitly list 7332-protected information
HIPAA Waiver: assurance in writing (e.g., in protocol); no identifying subject in any report; no further disclosure of any direct or indirect identifiers

Research HIPAA Authorization must explicitly list 7332-protected information if it is to be used, collected or disclosed. If there is no Research HIPAA Authorization, the VA Researcher may still disclose 7332-protected information outside of VA if there is assurance in writing from the VA Researcher that the purpose of the data is to conduct scientific research and that no personnel involved in the study may identify, directly or indirectly, any individual patient or subject in any report of such research or otherwise disclose patient or subject identities in any manner. This written assurance may be documented in the research protocol. VHA must have legal authority under all of the federal laws and regulations we just discussed in order to use or disclose VHA individually identifiable information for VA research.

12 Poll Results
The study protocol involves a simple survey of VA staff, with no health information. Is a HIPAA authorization or waiver required?
Yes
No

Now let's pause for a moment and take a look at your poll results. The correct answer is No.

14 Use of Research Data
Viewing
Collecting
Accessing

Before we discuss the terms used to describe VHA data, I want to define use and disclosure within VHA. Use is defined as the sharing, employment, application, utilization, examination or analysis of information within VHA. It includes viewing, collecting or accessing the data. VA Researchers must collect and use health information only as legally permissible: a signed, written Research HIPAA Authorization from the study subject; an IRB-approved Waiver of HIPAA Authorization; a Data Use Agreement for a Limited Data Set for Research; or the information is de-identified. We will be talking about these requirements in more detail later in the presentation.

15 Disclosure of Research Data
Privacy Act (PA) definition: information from a system of records communicated by any means to any person
VA definition: information released outside VA

Privacy Act definition: Disclosure is the release of information contained in a system of records to any person, or other agency, by any means of communication including verbal. This definition encompasses use. You may ask: what is a system of records? A system of records is a collection of records containing personal information on an individual that is retrieved by the individual's name or other unique identifier. There is a specific system of records covering research which is titled "Veteran, Patient, Employee, and Volunteer Research and Development Project Records-VA" 34VA12. VA definition: The release, transfer, provision of access to or divulging in any other manner of information outside VA. This definition aligns with the HIPAA Privacy Rule definition of disclosure. VA Researchers must have legal authority under all applicable federal privacy laws and regulations before disclosing VHA data or information. How does one determine the applicable legal authority? You first have to understand what type of information you are dealing with, which leads us to our next topic.

16 Multiple Terms to Describe VHA Data or Information
There are multiple terms that are used to describe or categorize VHA data or information. Each type of information has different privacy legal requirements. We will discuss several of these terms and show how they relate and interact with each other.

17 Sensitive Personal Information (SPI)
Any information maintained by VA about an individual
Education
Financial transactions
Medical history
Criminal or employment history
Distinguish the individual's identity

First we have sensitive personal information, which is one of the broadest types of information. This term was established by Congress in a VA-specific statute around security. Sensitive Personal Information means, with respect to an individual, any information about the individual maintained by VA, including the following: (i) education, financial transactions, medical history, and criminal or employment history; and (ii) information that can be used to distinguish or trace the individual's identity, including name, social security number, date and place of birth, mother's maiden name, or biometric records. SPI is a subset of VA Sensitive Information/Data, which is even broader.

18 Personally Identifiable Information (PII)
Information used to distinguish or trace an individual's identity, or
Combined with other personal or identifying information
Information does not have to be retrieved by any specific individual or unique identifier to be personally identifiable information.

The term personally identifiable information was established by the Office of Management and Budget (OMB) and is used by all federal agencies. Personally identifiable information is any information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, OR when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth or mother's maiden name. Information does not have to be retrieved by any specific individual or unique identifier (i.e., covered by the Privacy Act) to be personally identifiable information. The term "Personally Identifiable Information" is used synonymously and interchangeably with "Sensitive Personal Information (SPI)".

19 Individually Identifiable Information (III)
Any information
Pertaining to an individual
Retrieved by the individual's name or other unique identifier
Usually covered by a Privacy Act system of records

The term individually identifiable information (III) was established by VHA and has been adopted by VA in policy. Individually Identifiable Information is any information pertaining to an individual that is retrieved by the individual's name or other unique identifier. III includes individually identifiable health information. Individually Identifiable Information is a subset of Personally Identifiable Information and is protected by the Privacy Act.

20 Health Information
Any health information, oral or recorded
Created by a provider, health plan and certain other specified entities
Relates to: past, present or future physical or mental health or condition of the individual; provision of health care; or payment for health care of the individual

VHA deals with a lot of health information. Health Information is any information, including genetic information, whether oral or recorded in any form or medium, created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or payment for the provision of health care to an individual. This encompasses information pertaining to examination, medical history, diagnosis, and findings or treatment, including laboratory examinations, X-rays, microscopic slides, photographs, prescriptions, etc. You will note that this definition does not require the individual to be identified. That is covered in our next term, individually identifiable health information.

21 Individually Identifiable Health Information
Health information, including demographic information
Relates to past, present or future
Identifies or reasonably could identify an individual

Individually identifiable health information, or IIHI, is a subset of Health Information. IIHI is health information, including demographic information collected from an individual, that: (1) is created or received by a health care provider, health plan, or health care clearinghouse (e.g., a HIPAA-covered entity, such as VHA); (2) relates to the past, present, or future physical or mental condition of an individual, or provision of or payment for health care to an individual; and (3) identifies the individual, or where a reasonable basis exists to believe the information can be used to identify the individual. VHA uses the term IIHI as a means of indicating that the Privacy Act, 38 USC 5701 and 7332 apply in addition to the HIPAA Privacy Rule. As a matter of policy, all Veteran information maintained by VHA is individually identifiable health information even if it is just demographic information or identity traits.

22 Protected Health Information
Individually Identifiable Health Information transmitted or maintained in any form or medium by a covered entity, such as VHA.
PHI excludes employment records but includes occupational health records.

Protected Health Information, or PHI, is Individually Identifiable Health Information transmitted or maintained in any form by a covered entity, such as VHA. PHI excludes employment records but includes occupational health records. VHA uses the term protected health information to define information that is covered by HIPAA but, unlike individually identifiable health information, it may or may not also be covered by the Privacy Act or the Title 38 confidentiality statutes 5701 and 7332. When health information is ONLY protected by HIPAA, VHA policy will use the term PHI as opposed to IIHI. In many ways, PHI is a very bad descriptor of information. We will discuss why in a few minutes.

23 De-identified Information
Health information cannot be used to identify the individual
All 18 HIPAA patient identifiers have been removed

De-identified information is health information that is presumed not to identify an individual and with respect to which there is no reasonable basis to believe that the information could be used to identify an individual because the 18 Patient Identifiers described in the HIPAA Privacy Rule have been removed. De-identified information is no longer covered by the Privacy Act, 38 U.S.C. §§ 5701, 7332, or the HIPAA Privacy Rule.

24 What are Patient Identifiers?
Any of the 18 HIPAA data elements attributed to an individual

So, what are patient identifiers? Patient identifiers are the 18 data elements attributed to an individual under the HIPAA Privacy Rule that must be removed from health information for it to be de-identified and no longer covered by HIPAA.

25 18 HIPAA Identifiers
1. Name
2. Address
3. Dates
4. Telephone numbers
5. Fax numbers
6. Email address
7. SSN
8. MR numbers
9. Health plan numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers
13. Device identifiers and serial numbers
14. URLs
15. IP address numbers
16. Biometric identifiers
17. Photo ID images
18. Other identifier

These are the 18 HIPAA Identifiers or Patient Identifiers. You may want to keep this slide on hand for future use, so we have provided this slide as a handout; click the green download icon above my head. Two patient identifiers that are important to understand are address and dates. The address data elements to be removed are all geographic subdivisions smaller than a State, except for the first three digits of a zip code. For dates, all elements of dates directly related to an individual, except for the year, must be removed. This includes DOB, DOD, admission/discharge dates and so forth.

26 What are Unique Identifiers?
An individual's name, address, SSN or some other identifying number, symbol, or code assigned only to that individual

We also have unique identifiers, which are the individual's name, address, SSN or other identifying number. If these identifiers are removed, then the information is no longer Individually Identifiable Information and is no longer covered by the Privacy Act, 38 U.S.C. § 5701, or 38 U.S.C. § 7332. However, if the information was originally IIHI, then it would still be covered by the HIPAA Privacy Rule unless all 18 Patient Identifiers listed in the de-identification standard have been removed. So if information with all of the unique identifiers removed is no longer individually identifiable information, what is it?

27 Non-identifiable Information
Removal of all "unique" identifiers
Still PHI unless de-identified

That would be non-identifiable information. Non-identifiable Information is information from which all Unique Identifiers have been removed so that the information is no longer protected under the Privacy Act, 38 U.S.C. § 5701, or 38 U.S.C. § 7332. However, as stated before, Non-identifiable Information has not necessarily been de-identified and may still be covered by the HIPAA Privacy Rule unless all 18 Patient Identifiers listed in the de-identification standards are removed.

28 Limited Data Set (LDS)
A Limited Data Set is PHI from which unique identifiers (name, SSN, etc.) and certain patient identifiers have been removed
The two patient identifiers that can be used are:
Dates
Postal address information that is limited to town or city, State or zip code

The last type of information we are going to discuss is a limited data set. A Limited Data Set is protected health information from which all unique identifiers and 16 patient identifiers of the individuals and their relatives, household members, and employers have been removed. The two patient identifiers that can be included in the data are dates and limited address information such as city, state and zip code.

29 Limited Data Set (LDS)
LDS is not De-identified Information
It is covered by the HIPAA Privacy Rule
May be used and disclosed only for research, health care operations, and public health reporting pursuant to a Data Use Agreement

LDS is not de-identified information and it is covered under the HIPAA Privacy Rule. A LDS may only be used and disclosed for research, health care operations and public health reporting and requires a Data Use Agreement. There are Data Use Agreement templates for LDS available on the VA Intranet and the URL has been provided with the presentation materials.

30 SPI/PII Data Relationships
Diagram labels: III, IIHI, PHI*, LDS

Let's take a minute to discuss the relationships between different types of information. Sensitive Personal Information and Personally Identifiable Information are synonymous and encompass Individually Identifiable Information, Individually Identifiable Health Information and Protected Health Information. Individually Identifiable Information encompasses Individually Identifiable Health Information. It may or may not be Protected Health Information. Individually Identifiable Health Information is maintained by VHA and is protected by the HIPAA Privacy Rule, as well as the Privacy Act and the Title 38 confidentiality statutes 5701 and 7332. IIHI will always be Protected Health Information, or PHI. PHI includes Limited Data Sets and Non-identifiable information. Also, PHI may encompass any of these data types, except when de-identified. This is why PHI is a bad descriptor of information when trying to understand which laws apply to the information based on the information type. For example, PHI may be III and as a result the Privacy Act, 38 USC 5701 and the HIPAA Privacy Rule apply. However, PHI may be a LDS and only the HIPAA Privacy Rule applies to it. At this point, Pat Christensen will speak to you about some data distinctions and specific privacy requirements for research.

31 Data Distinctions
Individually Identifiable Information
Scrambled SSN
De-identified Information
Coded Data

If the information terms provided by Stephania are not confusing enough for you, let me confuse you further by providing some additional terms commonly used within research. Once more we will go over Individually Identifiable Information with further distinctions, and in addition discuss Scrambled SSN, De-identified Information and Coded Data. But before we go further, let's have a poll question.

32 Poll Question
An investigator is releasing information that contains surgical dates, dx(es), device numbers, along with randomly assigned study codes (A001, A002, ...) to a study sponsor. Is this information considered:
A. PHI
B. De-identified
C. Limited Data Set
D. A and C

For this poll question, an investigator is releasing information that contains surgical dates, which include the month, day and year of the procedure, the Veterans' diagnoses, implantable device numbers, along with randomly assigned study codes (A001, A002, etc.). This information will be given by the investigator to the non-VA study sponsor. Is this information considered PHI, De-identified, a Limited Data Set, or A and C? To answer this question, please use the blue polling icon above my head. We'll move on and come back to your results in just a moment.

33 Individually Identifiable Information
PHI is III when it includes the unique IDs

Stephania already discussed individually identifiable information as any information pertaining to an individual and PHI as any individually identifiable health information transmitted or maintained in any form by a HIPAA covered entity. III is covered by all our federal privacy regulations within VHA, whereas PHI is covered under the HIPAA Privacy Rule. An example of III that is not PHI is a provider's credentialing and privileging records. C&P records are filed and retrieved by the provider's unique identification, making them III. The C&P file may include health information, but it is not PHI as the health information was given to the employer as part of the provider's employment records. Employment records, as Stephania noted earlier, are not covered by HIPAA and as such are not PHI under this statute. Thus, this information is still protected by the Privacy Act, the more stringent statute, but not HIPAA. An example of PHI that is not III is a limited data set, where certain direct patient identifiers have been removed from the Veteran's health information, such as name and SSN, but dates remain. Thus, we have the reverse. The information is covered by the HIPAA Privacy Rule, as a limited data set, but not covered by the Privacy Act, as the unique identifiers have been removed.

34 What is a Scrambled SSN?
A unique identifier created by an algorithm using the SSN
Not considered a re-identification code as it is derived from the SSN
Any data containing a scrambled SSN is NOT de-identified

So what is a scrambled SSN? Scrambled SSNs are a frequent occurrence when data is being pulled from a VA repository such as the Corporate Data Warehouse. A scrambled SSN is a unique identifier created by using an algorithm that converts the SSN to a new number. A scrambled SSN is not considered a re-identification code for de-identified data as it is derived directly from the SSN. Research must protect and secure scrambled SSNs just as you would the full SSN. Any data containing a scrambled SSN is NOT considered de-identified.

35 De-identified Information - HIPAA
Health information that does not identify an individual
No reasonable basis to believe that the information can be used to identify the individual

When principal investigators use the term "de-identified" within their protocol, it can be confusing for the reviewers when in actuality the PI is just deleting the name, SSN, or other unique identifier prior to disclosure to a non-VA entity or even to members of their own research team. De-identified information under HIPAA is health information from which all 18 HIPAA identifiers have been removed, or for which there is no reasonable expectation that the information could be used to identify an individual. The next slide will provide you with HIPAA statutory guidance on de-identification. Remember: health information within a limited data set is not de-identified data and, as Stephania stated earlier, de-identified information is not protected by any federal privacy law or regulation. This information could be disclosed upon any written request from the general public.

36 De-identification Methods: Expert Determination and Safe Harbor
In this slide, you will see the two methods used by a HIPAA covered entity to de-identify data. The first method is by utilizing an expert to make this determination for you. An Expert Determination is where a person with appropriate knowledge of and experience with acceptable statistical and scientific principles and methods for rendering information not individually identifiable is used. This person, such as a facility biostatistician, can make the determination that the risk of sharing this information, whether used alone or in combination with other data, is very small. This person must document the scientific method used and their results to justify their determination. The second method is the Safe Harbor method, where VHA removes all 18 HIPAA identifiers from the data set and there is no actual knowledge that the residual information can be used to re-identify any study participants. CAUTIONARY NOTE: Everyone should be cognizant when disclosing a de-identified data set. It has come to our attention that data is being disclosed in what VHA feels is de-identified form, but the non-VA entity is obtaining other data sets and, when merged, the information is now identifiable.

37 Coded vs. De-Identification of Data
Coded Data means a random or arbitrary alphanumeric code or symbol
De-identified means there is no reasonable basis to believe that the information can be used to identify an individual
Coded data is NOT generally de-identified

Next we move on to coded vs. de-identification of data. Many studies use codes assigned to either a subject or tissue sample. Coded Data means that collected samples or data are unidentified for research purposes by use of a random or arbitrary alphanumeric code or symbol, but the samples may still be linked to their sources through use of a key to the code available to an investigator or those collaborating with the research study. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual, as we just went over. Coded data is not considered de-identified unless there is a written agreement preventing the research team from accessing, or attempting to ascertain, the identities of the source persons.

38 Contractors
Requires a contract
A DUA if required by ORD
An authorization or waiver to disclose information unless de-identified

This slide on contractors discusses protocols that utilize contract staff who perform a specified research activity, such as transcription service, on behalf of the principal investigator and his or her research team. A contract or other written agreement such as an MOU is always required. An actual data use agreement is only required when:
Information is transferred from a VA data repository to an investigator, as stipulated within the VHA Handbook, or
A limited data set is disclosed to an outside entity per the HIPAA Privacy Rule.
The contract or DUA governs the sharing and use of data between the PI and the contractor:
Legal authority to disclose
Defines ownership
Establishes criteria for using, disclosing, storing, processing, and disposing of data
Transfers liability for protection of the data to the contractor
This use and disclosure of subject information to a contractor must be outlined within the HIPAA authorization or the HIPAA waiver. In addition, I want to point out that a principal investigator cannot enter into a Business Associate Agreement (BAA); only the Medical Center Director or VHA Program Office can enter into these agreements. However, a PI can enter into a DUA. I personally still see BAAs noted within protocols without clarity as to who is signing the BAA.

39 Poll Results
An investigator is releasing information that contains surgical dates, dx(es), device numbers, along with randomly assigned study codes (A001, A002, ...) to a study sponsor. Is this information considered:
A. PHI
B. De-identified
C. Limited Data Set
D. A and C

Now let's pause for a moment and take a look at your poll results. The answer is A. We can all agree that the study code is not a direct identifier, as it is a random code that is not derived from any subject information. The surgical dates (month, day, year) along with the medical implant or device number are two direct identifiers as defined by the HIPAA Privacy Rule that must be protected when releasing to a non-VA entity, such as a study sponsor, so this information is PHI and is not de-identified due to these two direct HIPAA identifiers. Also, it is not considered a limited data set, as one of the direct identifiers is the study device number. Remember, a limited data set allows for the use of dates and limited address information only. To consider this data set a LDS, the device number would have to be removed. As this information is PHI, it will require a HIPAA authorization or waiver.
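The reasoning in this poll answer, and in the earlier slides on unique identifiers, non-identifiable information, limited data sets and scrambled SSNs, follows a fixed decision order: no HIPAA identifiers at all means de-identified; a unique identifier present means III, so the Privacy Act and Title 38 apply on top of HIPAA; only dates and limited geography present means a limited data set under a DUA; anything else is still PHI. The script below is an added Python example written for this page, not code from the presenters or from VHA, that encodes that decision order and runs it over the poll's data set and a few constructed column lists. Assumptions are labelled in the comments: each column must be tagged by a person with which of the 18 identifiers it is, the choice of which numbered elements count as "unique identifiers" is mine, a random study code is treated as a non-identifier as the poll answer states, and the Expert Determination route is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The 18 HIPAA Safe Harbor identifiers, numbered as on the slide.
HIPAA_IDENTIFIERS = {
    1: "Name", 2: "Address (geography smaller than a state)", 3: "Dates (other than year)",
    4: "Telephone numbers", 5: "Fax numbers", 6: "Email address", 7: "SSN",
    8: "Medical record numbers", 9: "Health plan numbers", 10: "Account numbers",
    11: "Certificate/license numbers", 12: "Vehicle identifiers",
    13: "Device identifiers and serial numbers", 14: "URLs", 15: "IP addresses",
    16: "Biometric identifiers", 17: "Full-face photos", 18: "Other unique identifier",
}

# "Unique identifiers": name, address, SSN, or another identifying number assigned only
# to that individual. Assumption: record, plan, account and "other" numbers count as such.
UNIQUE_IDENTIFIERS = {1, 2, 7, 8, 9, 10, 18}

# 38 U.S.C. 5701 protects names and addresses specifically.
SECTION_5701_IDENTIFIERS = {1, 2}


@dataclass(frozen=True)
class Field:
    """One column of a data set, tagged (by a human reviewer) with the identifier it carries."""
    name: str
    hipaa_id: Optional[int] = None    # which of the 18 identifiers, or None if not one
    derived_from_ssn: bool = False    # scrambled SSN: handled exactly like the SSN itself
    limited_geography: bool = False   # city/state/zip only, the form an LDS may keep
    section_7332: bool = False        # HIV, sickle cell, alcohol or drug abuse content


@dataclass(frozen=True)
class Classification:
    category: str
    laws: Tuple[str, ...]
    authority: str


def identifier_of(field: Field) -> Optional[int]:
    """HIPAA identifier number a field carries; a scrambled SSN is still the SSN."""
    return 7 if field.derived_from_ssn else field.hipaa_id


def is_unique_identifier(field: Field) -> bool:
    """True if the field lets the record be retrieved by the individual (Privacy Act III)."""
    ident = identifier_of(field)
    if ident == 2 and field.limited_geography:
        return False  # city/state/zip alone is not a unique identifier
    return ident in UNIQUE_IDENTIFIERS


def is_lds_permitted(field: Field) -> bool:
    """True if an LDS may retain the field: non-identifiers, dates, limited geography."""
    ident = identifier_of(field)
    return ident is None or ident == 3 or (ident == 2 and field.limited_geography)


def classify(fields: List[Field]) -> Classification:
    present = {identifier_of(f) for f in fields if identifier_of(f) is not None}
    if not present:  # Safe Harbor: all 18 removed
        return Classification("De-identified (Safe Harbor)", (),
                              "None: no longer covered by the Privacy Act, 5701, 7332 or HIPAA")
    unique = {identifier_of(f) for f in fields if is_unique_identifier(f)}
    if unique:  # III: Privacy Act and Title 38 apply in addition to HIPAA
        laws = ["HIPAA Privacy Rule", "Privacy Act of 1974"]
        if unique & SECTION_5701_IDENTIFIERS:
            laws.append("38 U.S.C. 5701")
        if any(f.section_7332 for f in fields):
            laws.append("38 U.S.C. 7332")
        authority = "Research HIPAA authorization or IRB waiver"
        if "38 U.S.C. 7332" in laws:
            authority += "; 7332-protected items listed explicitly in the authorization"
        return Classification("PHI (individually identifiable information)", tuple(laws), authority)
    if all(is_lds_permitted(f) for f in fields):  # only dates and limited geography remain
        return Classification("Limited Data Set", ("HIPAA Privacy Rule",),
                              "Data Use Agreement (research, operations or public health only)")
    return Classification("PHI (non-identifiable information)", ("HIPAA Privacy Rule",),
                          "Research HIPAA authorization or IRB waiver")


# Constructed sample column lists (names only, no real data).
POLL_RELEASE = [Field("surgical_date", 3), Field("diagnosis"), Field("device_serial", 13),
                Field("study_code")]              # random study code: not an identifier
LDS_EXTRACT = [Field("admission_date", 3), Field("city", 2, limited_geography=True),
               Field("diagnosis")]
DEIDENTIFIED = [Field("birth_year"), Field("zip_first_three"), Field("diagnosis")]
SCRAMBLED = [Field("scrambled_ssn", derived_from_ssn=True), Field("diagnosis")]
CPRS_EXTRACT = [Field("name", 1), Field("ssn", 7), Field("hiv_test_result", section_7332=True)]


if __name__ == "__main__":
    for label, ds in [("poll", POLL_RELEASE), ("lds", LDS_EXTRACT), ("deid", DEIDENTIFIED),
                      ("scrambled", SCRAMBLED), ("cprs", CPRS_EXTRACT)]:
        c = classify(ds)
        print(f"{label:10} {c.category}: {', '.join(c.laws) or 'no federal privacy law'}; {c.authority}")
```

The poll data set lands in "PHI (non-identifiable information)" because the device serial number is one of the 18 identifiers but not a unique identifier, which is exactly why it needs an authorization or waiver yet does not trigger the Privacy Act. The scrambled-SSN set lands in III even though no field is tagged as the raw SSN, reflecting slide 34's rule that a number derived from the SSN is still the SSN. The classifier only reports what the tags say: a reviewer who tags a column wrongly, or who forgets that a sponsor may merge the release with other data, gets the cautionary-note outcome from slide 36.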

41 Photos, Audio-Recordings, and Surveys
Next I would like to go into further discussion concerning photographs, audio-recordings and surveys that are utilized within a research protocol and what to watch out for.

42 Requirements for Photos and Audio Recordings for Research Subjects
The Joint Commission requires informed consent
Informed consent required if other than for purposes of treatment

The Joint Commission requires (RI ) that the hospital honors the patient's right to give or withhold informed consent to produce or use recordings, films or other images of the patient for purposes other than his or her care. When hospitals make and use recordings, films, or other images of patients for internal use other than the identification, diagnosis, or treatment of the patient, the hospital must obtain and document informed consent prior to producing the recordings, films, or other images.

43 Requirements for Photos & Audio Recordings for Research Subjects
Informed consent cannot be waived
Use VAF if documentation of consent is waived
Obtain verbal consent if not in person
Also applies to employees
Since The Joint Commission requires documentation of informed consent, the IRB cannot waive this consent to take a picture or audio-recording when it is not for treatment. Currently, VHA Handbook , Requirements for the Protection of Human Subjects in Research, does not address this subject. Until it does, this unofficial guidance has been provided:
The informed consent and/or informational letter must include information about the use and disclosure of photos or audio-recordings.
If documentation of informed consent has been waived, the PI must still submit VA Form , Consent for Use of Picture and/or Voice, or a similar document to be signed by the subject; this includes studies involving Veterans and/or VA employees.
If consent is verbal because the participant is not in person, the consent must be captured within the audio-recording itself.

44 Requirements for Photos & Audio Recordings for Research Subjects
If disclosed outside VA, the photo or audio-recording must be noted within the HIPAA authorization
Destruction of photos and/or voice recordings is still not approved for research
A point to remember: if you are disclosing a photo or recording to an outside, non-VA entity, the disclosure must be noted within the HIPAA authorization, and photos or audio-recordings cannot be destroyed until the Records Control Schedule is approved for research records. There is no RCS approval to destroy research audio-recordings even when the recording has been transcribed into a text document. Both the audio-recording and the transcript must be maintained.

45 Surveys
HIPAA authorization or waiver still required
In-person or telephonic
Collection of individually identifiable health information
For surveys, the requirement for an authorization or waiver is the same when collecting individually identifiable health information, even though the PHI may not exist until after the survey is completed. An example is a survey-only study in which no CPRS or other previously maintained agency information is used by the investigator, only the information the subject provides in answer to the survey questions. Surveys can be conducted in person, by telephone or, the latest trend, with web-based technology, and they can include Veterans, VA healthcare providers or non-Veterans such as family members or caretakers.

46 Conditioned vs. Unconditioned Research
Let's now go into the latest impact on research involving conditioned vs. unconditioned research activities.

47 Conditioned vs. Unconditioned
New HIPAA Omnibus Final Rule requirements for research - Effective
Requires the participant to agree to each research activity
Main research study
Creation or maintenance of a research database or repository
The new Omnibus requirements took effect requiring all research studies approved after that date to comply. What this rule requires is that a research subject explicitly agree to each portion of the research, whether those research activities are part of the main study or are optional. As a friendly reminder, if you haven't already: any protocol that is still actively recruiting subjects after the 9/23 effective date and that has both conditioned and unconditioned research activities must comply with the new requirements. Either the Principal Investigator uses two separate HIPAA authorizations, or the PI can use the new HIPAA authorization template, VA Form , provided to the field last week.

48 Conditioned vs. Unconditioned
A compound authorization must:
Combine 2 or more different research components in one authorization
Differentiate between the conditioned and unconditioned components
Provide the individual with an opportunity to opt in to the unconditioned components
The HIPAA Privacy Rule allows an authorization for the use or disclosure of PHI for a research study to be combined with another authorization for the creation or maintenance of a research database or repository, or for optional analysis of study data. This is what we term a compound authorization. Any compound authorization created for research must clearly differentiate between the conditioned and unconditioned components and provide the individual with an opportunity to opt in to the research activities described in the unconditioned authorization. Examples:
Conditioned study: a study such as the Million Veteran Program, which collects information on the subject's medical history, diet, occupational exposures and environmental exposures and also requires the subject to allow biological samples and the subject's data to be used in future research projects. All requirements must be met for the subject to be enrolled.
Unconditioned study: a study of a new therapy (investigational drug) for congestive heart failure would also like the subject to allow reuse of their biological samples and data for future use. If the subject does not agree, the subject can still participate in the main study that is testing the investigational drug, but the PI cannot store the data and biological samples for future use.

49 Conditioned vs. Unconditioned
Use separate authorizations
One for the main activities of the study, and
A separate authorization for the tissue banking or data repository for future use
Future use requires new IRB approval, even for use of contact information
Our office recommends that a Principal Investigator use two separate authorizations, one to cover the main study and a separate authorization for the unconditioned components, unless the PI uses the new VAF research HIPAA authorization, which includes a supplemental agreement for any unconditioned components. The VAF was developed for research use by the VHA Privacy Officer and the Office of Research and Development with input from the Office of Research Oversight. If a PI chooses to use a compound authorization, a separate signature for the unconditioned component(s) is required, or at minimum a check-off box for the subject to complete and initial. The PI or the individual obtaining the HIPAA authorization cannot check this box. The informed consent must be written so that the subject is "opting in" to this research activity, not "opting out". If separate authorizations are used, each must contain all the elements of a valid authorization under the HIPAA regulations. Another friendly reminder: an individual's contact information (name and phone number) placed within a repository for future use is still PHI. Use of this contact information for recruitment must be covered under the new study's HIPAA waiver before it is used.

50 Role of a Privacy Officer
Ensures compliance prior to use and disclosure of information to the PI
Cannot approve or disapprove a study
Works with the IRB or PI by providing an interim and a final review
So what is the role of the Privacy Officer within research? The Privacy Officer's role is simply to ensure that the proposed research complies with all the requirements for privacy and confidentiality for any submitted convened, expedited or exempt study. The Privacy Officer cannot approve or disapprove a study, or prevent or delay IRB approval of the study. The PI and members of the research team cannot begin to use individually identifiable information before legal authority exists; doing so would be a privacy breach reportable to the IRB and to your Privacy Officer. We also ask all Privacy Officers to prepare not only an interim review, as determined by your IRB, but a final review after the IRB has approved the study. The reason for the final review is that a modification to the study may occur after the initial review that affects the HIPAA authorization or waiver, placing the study at risk of a privacy breach.

51 Role of IRB in Privacy
Approves waiver of HIPAA authorization
Documents its approval based on criteria
Documentation must be signed by the chair or another member
The role of the Institutional Review Board (or R&D Committee) is to approve, and appropriately document, its determination that the HIPAA waiver criteria were met under convened or expedited review procedures when the PI is not going to obtain a HIPAA authorization from study subjects. IRB documentation is noted on an approved, locally developed IRB waiver form and in the IRB minutes; the document must be signed by the IRB chair or IRB designee, and the waiver must show the IRB approval date.

52 HIPAA Waiver Approval Criteria
Minimal risk to the individual's privacy
Plan to protect identifiers
Plan to destroy identifiers
No re-use or disclosure unless permitted
In a HIPAA waiver the PI must describe why the collection of the individuals' PHI poses no more than minimal risk of disclosure to others. The plan must adequately describe how the PI will protect all 18 HIPAA identifiers, not just the unique identifiers. Is the information secured in a locked location or locked cabinet? Is electronic information placed on a SharePoint drive behind the VA firewall? Is access to the information limited to certain members of the research team? Who has access to the key code, if one is used? Next, how will the PI destroy the research data once the National Archivist has approved a Records Control Schedule (RCS 10-1)? The protocol should outline destruction of any paper or electronic copies. Finally, the research team will not re-use the information for another purpose and will not disclose it to others unless legal authority exists.

53 HIPAA Waiver Approval Criteria
Research requires a waiver
Research requires access to and use of PHI
Once minimal risk has been determined, the IRB must determine that the research could not practicably be conducted without the waiver, and that the research could not practicably be conducted without access to and use of the PHI.

54 HIPAA Waiver Approval Criteria
Obtain the HIPAA waiver prior to use or collection of PHI
Amending a HIPAA waiver
The PI must obtain a HIPAA waiver, as approved by the IRB, before any use or collection of PHI. This does not include activities preparatory to research. The waiver must cover all uses that occur before a signed HIPAA authorization is obtained from the research subject, or it must cover the research study in its entirety. A previously approved HIPAA waiver may be updated as the study changes, but it is important to note that while the original waiver can be amended to reflect new information, the PI must NEVER remove the original information on the waiver.

55 Aware of privacy terms and statutes
Data distinctions
Use vs. disclosure of information
In summary, I hope this presentation has reinforced information concerning the privacy terms and legal authority within research. It is your responsibility as a PI to outline what uses and disclosures occur within your research protocol and to make sure those uses and disclosures are covered either by a HIPAA waiver, in whole or in part, or by a HIPAA authorization. Avoid using the term "de-identified" when you are actually only talking about removing the unique identifiers, name and SSN, so it is clear what information is being provided to others. DO NOT make the mistake of thinking that asking health questions of a subject in person or via a secured web link does not require a HIPAA waiver; this is still a use that requires a HIPAA waiver or authorization. Lastly, know your Privacy Officer and ask for their input when creating your protocol.

56 Ask the Presenter If you haven't submitted your questions yet, there is still time to do so by clicking on the orange "Ask The Presenter" icon. We're going to show a brief announcement and be right back to answer your questions.

