ORO Findings on Privacy, Confidentiality, and Information Security
Peter N. Poon, JD, MA, CIPP/G
Office of Research Oversight
2012 Update
Initially presented June 2011 at ORD Local Accountability Meeting
Background of Findings
• Findings from the last 12 ORO Research Information Protection Program (RIPP) Reports
• Site visits from July 2010 to March 2011
• Research programs of varying sizes and complexity
• These are sample findings
April 2011 to April 2012
Of the following situations, which did the ORO RIPP team make the most noncompliance findings regarding?
• Use of non-VA, non-encrypted thumb drives
• Posting passwords on or near computer
• Failure to log off or enable a password-protected screen saver when leaving work area
• VASI not stored in locked file or cabinet when not in use
4. VASI was not stored in locked file or cabinet when not in use: 10 Findings
• Non-VA, non-encrypted thumb drives: 2
• Posting passwords: 0
• No log-off or screen saver: 6
Herding Cats
7 Findings
Complete the following sentence with the best answer: Storage media such as CDs and DVDs…
• Must be locked in secure storage if they contain VASI
• Must never contain VASI
• Must be encrypted if they contain VASI
• Must never leave the VA if they contain VASI
3. Must be encrypted if they contain VASI: 5 Findings
Where Are My Keys??
3 Findings
VASI residing on non-VA owned equipment (OE) requires the approval of a supervisor AND:
• Approval by the facility ISO
• Waiver by the VISN ISO
• Waiver by the VA CIO (Assistant Secretary IT) or designee (ADAS OCS)
• Approval by ORD
3. Waiver by VA CIO (Assistant Secretary IT) or designee (ADAS OCS): 5 Findings
Exceptions:
• MOU/ISA for system interconnections
• Contract with a vendor, with security controls
Elephant in the Room
6 Findings
800 Pound Gorilla
Folders on the [VA facility] server that contained study-specific information, including PHI, were not configured to permit only the appropriate staff access to the folder contents.
7 Findings
Non-VA IT equipment (e.g., owned by the Academic Affiliate or Nonprofit Corporation) at a VA location:
• Must never be used for VA research
• Must be donated to VA if used for VA research
• Must meet all VA standards if used for VA research
• Must be accounted for in a VA property accountability system if used for VA research
4. Must be accounted for in a VA property accountability system: 8 Findings
No Gatecrashers
9 Findings
HIPAA Authorizations must state that treatment, payment, enrollment, or eligibility for benefits cannot be conditioned on the individual:
• Signing the authorization
• Participating in the research
• Not withdrawing from the research
• Not revoking the authorization
1. Cannot be conditioned on individual signing (“completing”) the authorization: 8 Findings
Starting at Square One
6 Findings
Using identifiable information to recruit subjects for VA research requires the IRB to approve both a waiver of HIPAA authorization and a waiver of informed consent
• True
• False
TRUE: 5 Findings
House Rules
6 Findings
Which of the following is a HIPAA identifier?:
• Subject X’s date of birth
• Subject Y’s date of medical treatment
• Subject Z’s date of research intervention
• All of the above
4. All of the above: 6 Findings
VHA Handbook 1605.1, Appendix B §2.b(3):
All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death.
A Rose is a Rose is a Rose
5 Findings
What’s wrong with the following Privacy Policy statement?
“The facility may use or disclose PHI for research without written authorization from the individual for reviews preparatory to research, provided that the information is being sought solely for purposes preparatory to research or research itself.”
• You need an authorization to use/disclose PHI for preparatory to research
• You need an authorization to use/disclose PHI for research itself
• You need a waiver of authorization for preparatory to research
• Nothing is wrong
2. You need an authorization to use/disclose PHI for research itself: 9 Findings
Hiding in Plain Sight
“The facility may use or disclose PHI for research without written authorization from the individual for reviews preparatory to research, provided that the information is being sought solely for purposes preparatory to research or research itself.”
12 Findings
How many times did the ORO RIPP team find that the ISO or PO did not conduct a thorough review of the protocols?:
• 0
• 4
• 7
• 9
4. 9 Findings
Drill, Baby, Drill
2 Findings
The PO and ISO did not provide summary reports on each study to the IRB prior to, or at, the convened IRB meeting at which the study is to be reviewed.
Cart Before the Horse
5 Findings
At the current time, local research records may be destroyed…
• Never
• 5 years after the study
• Whenever the data is not needed anymore
• According to FDA or sponsor guidelines, whichever is longer
1. Never: 7 Findings
The Venus Flytrap
For waivers of HIPAA authorizations, the IRB must document that the use/disclosure of PHI involves no more than minimal risk to the individual’s privacy based on …
“an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise mandated by applicable VA or other Federal requirements.”
VHA Handbook 1200.05 §37.b(3)(a)2
6 Findings
Fantasy Finding
If I had a dollar for every time HIPAA is misspelled…
Health Insurance Portability and Accountability Act
= HIPAA
HIPPA