2012 VA Human Research Protection Program
Patricia L. Christensen, MS, RHIA, CIPP/G, CHPS, CHPC
VHA Privacy Office
Common Privacy Findings in Research
San Francisco, CA
June 26-27, 2012
VHA Office of Informatics and Analytics
Privacy Officer (PO) Issues
- Consistency among protocol, Informed Consent Form and HIPAA authorization
- De-identified Information & HIPAA Identifiers
- When a Data Use Agreement is Required
- Notice of Privacy Practices to Non-Veterans
- Requirements for Pictures & Audio-Recordings
- Email Communication with Subjects
- Retention and Storage of Research Data
- Accounting of Disclosure
- Re-Use of Data
- Miscellaneous Information
Consistency between Informed Consent and HIPAA authorization
- Information being collected
- Who is using the data
- Who will be receiving data outside VA
- Clarity as to non-VA entities receiving protected health information (PHI), limited data sets (LDS) or just aggregate information
- Retention/disposal of information
Good News: An official VHA research HIPAA Authorization form is forthcoming
De-identified Information
- A covered entity (VHA) can find that health information is not individually identifiable in two ways:
HIPAA Privacy Rule De-identification Methods
- Safe Harbor, § 164.514(b)(2)
  - Removal of 18 types of identifiers
  - No actual knowledge residual information can identify individual
- Expert Determination, § 164.514(b)(1)
  - Apply statistical or scientific principles
  - Very small risk that anticipated recipient could identify individual
HIPAA Identifiers
The 18 types of identifiers of the individual or of relatives, employers, or household members of the individual that must be removed are:
(1) Names
(2) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geo codes, except for the initial three digits of a zip code, according to the current publicly available data from the Bureau of the Census
HIPAA Identifiers
(3) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(4) Telephone numbers
(5) Fax numbers
(6) E-mail addresses
(7) SSN numbers
(8) MR numbers
(9) Health Plan Beneficiary
HIPAA Identifiers
(10) Account numbers.
(11) Certificate and/or license numbers.
(12) Vehicle identifiers and serial numbers, including license plate numbers.
(13) Device identifiers and serial numbers.
(14) Web Universal Resource Locators (URLs).
(15) Internet Protocol (IP) address numbers.
(16) Biometric identifiers, including finger and voice prints.
(17) Full-face photographic images and any comparable images.
(18) Any other unique identifying number, characteristic, or code, except as permitted by §164.514(c)
De-identified Information - Challenges
- PI may erroneously refer to information within protocol as being de-identified (deletion of patient name, SSN, address, DOB) when the protocol actually contains other HIPAA identifiers, such as dates, study ID number, or study code, which makes this identifiable
- Problem areas when de-identifying data
  - Age 89 years and older unless placed into one single category of 90 or above
  - Dates must list year only, exclude month/day
  - Geographic data
    o Same initial three digits of ZIP codes may be included except when population is <20,000, then use 000
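Added example, not part of the original presentation: a Python illustration of the three problem areas above (ages over 89, year-only dates, three-digit ZIP codes), with a check showing that a record stays identifiable while a study ID remains. The field names and the low-population ZIP list are assumptions made for illustration.

```python
from datetime import date

# Constructed placeholder: the real list of ZIP3 areas with fewer than 20,000
# people comes from Census data and is not given on this page.
LOW_POPULATION_ZIP3 = {"036", "059"}
# Hypothetical field names standing in for a study's own data dictionary.
DIRECT_IDENTIFIERS = {"name", "ssn", "address", "phone", "email"}
RESIDUAL_CODES = {"study_id", "study_code"}  # fall under identifier (18)

def generalize(record):
    """Drop direct identifiers; generalize age, dates and ZIP. Codes are left."""
    age = record.get("age")
    over_89 = isinstance(age, int) and age > 89
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "age":
            out["age"] = "90+" if over_89 else value
        elif isinstance(value, date):
            # Year only; a birth year that reveals an age over 89 is dropped.
            if not (field == "birth_date" and over_89):
                out[field.replace("_date", "_year")] = value.year
        elif field == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in LOW_POPULATION_ZIP3 else zip3
        else:
            out[field] = value
    return out


def residual_identifiers(record):
    """List fields that still keep a record from being de-identified."""
    return sorted(
        field for field, value in record.items()
        if field in DIRECT_IDENTIFIERS | RESIDUAL_CODES
        or isinstance(value, date)  # full date, not year only
        or (field == "age" and isinstance(value, int) and value > 89)
        or (field == "zip" and len(str(value)) > 3))


# Constructed sample record, not real patient data.
SAMPLE = {"name": "Constructed Patient", "ssn": "000-00-0000",
          "study_id": "S-0042", "age": 93, "birth_date": date(1919, 3, 2),
          "admission_date": date(2012, 5, 14), "zip": "03601", "dx": "I10"}

if __name__ == "__main__":
    print(generalize(SAMPLE))
    print("still identifying:", residual_identifiers(generalize(SAMPLE)))
```

After generalization the only field still flagged is the study ID, which is the case the slide warns a PI may overlook.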
Limited Data Sets (LDS)
- LDS refers to PHI that excludes 16 of the above direct identifiers but the research data still may include two of the HIPAA identifiers:
  - Dates:
    o Date of visit/encounter
    o Date of birth or death
    o Admission or discharge date
  - Certain geographic information
    o City
    o State
    o Zip code
Limited Data Sets (LDS)
- The HIPAA Privacy Rule permits VHA as a covered entity to use and disclose a LDS for research activities without obtaining an authorization or documentation of a waiver of HIPAA authorization
- LDS can be used or disclosed by VHA for research purposes to
  - VA research staff
  - Another covered entity
  - A non-VA researcher who is not a covered entity
NOTE: A Data Use Agreement with VHA is required to disclose a LDS to anyone (including other VA staff)
Limited Data Sets (LDS)
- Recipients of LDS
  - Cannot use or disclose the information other than permitted by the agreement or otherwise required by law
  - Must use appropriate safeguards to protect the LDS
  - Must require the recipient to report any violations of the agreement to VHA
  - Must hold any agent of the recipient (including subcontractors) to the same agreement conditions
  - Must not identify the information or contact the individual
Data Use Agreement (DUA)
- VA researchers are required to enter into a DUA if they are obtaining information from a data repository
  Reference: VHA Handbook 1200.12
- A data repository is a database or a collection of databases that have been created or organized to facilitate the conduct of multiple research protocols, including future protocols not yet envisioned
Data Use Agreement (DUA)
- If VHA retains ownership of the data, a DUA can legally bind the recipient to specific uses or place limitations on the use of the data
  - A Contractor, or Non-VA collaborator
Data Use Agreement (DUA)
- A DUA establishes who will have access to and control of the information at both origination and recipient locations as to
  - Use
  - Disclosure
  - Storage
  - Processing
  - Making copies
  - Transfer of Data
  - Disposition of Data
Examples of Repositories
- VISN data warehouses
- National Database Systems (NDS)
- Veterans Affairs/Department of Defense Identity Repository (VADIR)
- Corporate Data Warehouse
- Pharmacy Benefits Management
- VistA/CPRS
- Center for Medicare and Medicaid (CMS) data
- Specific research repository
When a Data Use Agreement is Required
- A DUA is required when data is transferred for research from
  - One VA facility (not engaged) to another VA facility (engaged)
  - A VA repository (VISN warehouse, national database, or a research data repository) to a VA investigator for a VA-approved research project
- To a non-VA person or entity who is serving as a contractor or collaborator on the PI’s VA-approved protocol
- Preparatory to research for review by PI or staff when data is obtained from a repository
When a Data Use Agreement is not Required
- A DUA is not required when data is transferred for research when
  - Disclosed to a research sponsor
  - One VA facility/VA investigator transfers data to another VA facility/VA Investigator when transfer is required to conduct a protocol, the transfer is described within the protocol, the protocol is approved by each site’s IRB, and the protocol is then active at each site
    o all parties are “engaged” in the research project
    o e.g., Multiple sites in a VA-approved clinical trial transferring data to a Cooperative Studies Program (CSP) coordinating center
NOPP (IB 10-163) to Non-Veterans
- Provide non-Veterans enrolled in VA studies that collect PHI with a copy of IB 10-163, Notice of Privacy Practices (NOPP) at the time of non-Veteran’s first research visit
- Non-Veteran must acknowledge receipt of the NOPP on VAF 10-0483
Requirements for Pictures, Video- & Audio-Recordings for Research Subjects
- Informed Consent to take a picture, video- or audio-recording cannot be waived, but documentation of informed consent can be waived by the IRB
- For patient subjects (Veteran or non-Veteran):
  - Utilize VAF 10-3203 (in addition to informed consent form)
Disposition Requirements for Pictures, Video- & Audio-Recordings for Research Subjects
- There is no NARA disposition for research pictures, video- & audio-recordings
  - If a digital transcription service is used, the contract with the service may need to specify that the voice recordings cannot be destroyed
  - If tapes are used, the PI must maintain these tapes and not re-record over a tape when recording another subject
  - A research agreement may be required if service is provided by a non-VA entity
Retention and Storage of Research Data
- All research records must be retained because research records have no schedule for destruction
  NOTE: Records include crosswalks and lists of identifiers for recruitment
- What can be destroyed
  - Personal papers
  - Copies of research documents, but not originals
Accounting of Disclosure
- VHA, and its employees, are responsible for maintaining an accounting of all disclosures of protected health information made by VHA employees.
- The accounting of disclosure is required by both the Privacy Act of 1974 and HIPAA’s Privacy Rule
- Accounting is not required if the information disclosed is de-identified or a limited data set
- Accounting is required with or without patient authorization
Accounting of Disclosures
- Although not a requirement for your facility RCO, this is a call for assistance in reminding PIs that if they disclose PHI to a sponsor, study monitor, academic affiliate or another non-VA entity who is not a research team member, an accounting of disclosure is required
- Direct PI to the Privacy Officer for assistance on how to maintain an accounting of disclosures.
Re-use of Data
If the expiration date on the HIPAA authorization passes, the PI can no longer use any of the information previously collected unless the PI obtains a waiver of HIPAA authorization from the IRB
Re-use of data has to be consistent with the original informed consent and HIPAA authorization
Miscellaneous Information
- No Business Associate Agreement (BAA) is required for an entity involved in VA research as a contractor or who has a Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) to be involved in the research
- Even though a researcher is orally (either through telephone calls or on-line surveys) collecting IIHI, a HIPAA authorization or a waiver would be required
Miscellaneous Information
- Signature on the HIPAA authorization cannot be waived (e.g., a legally authorized representative must sign for comatose subjects)
- Privacy breaches must be reported to the supervisor, Privacy Officer, and Information Security Officer within one hour. Examples include
  - No HIPAA authorization
  - No subject signature on HIPAA authorization
  - Sending unencrypted PHI by email
  - Disclosure to non-VA entity not listed on HIPAA authorization
Miscellaneous Information
- When emails are used for VA research
  - Only work email addresses should be used
    o Home emails should not be listed due to privacy and security concerns
  - Encrypt any emails that contain IIHI
Contact Information/Questions?
Pat Christensen
VHA Privacy Office
VHA Privacy [email protected]