VA Research Data Security and Privacy

presented by Ellen GrafRCO, Cincinnati VAMC

What is VA Research and Sensitive VA Research Data?

• VA research is any research that has been approved (or requires approval) by a VA Research and Development (R&D) Committee. Generally this includes any research conducted with VA resources, including funds, staff time, equipment, or space.

• VA research data consist of information that has been collected for, used in or derived from the conduct of VA research.

• VA sensitive information is defined in VA Directive 6504 as all Department data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information.

• This term includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, or records about individuals requiring protection under various confidentiality provisions such as the Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It also includes information that can be withheld under the Freedom of Information Act (FOIA).

VA Protected Information (VAPI) is VA sensitive information, Privacy Act Information, Protected Health Information (PHI), or other VA information that has not been deliberately classified as public information for public distribution.

Sensitive VA research data consist of information that has been collected for, used in or derived from the conduct of VA research that fits the definition of VA sensitive information.

Always err on the side of caution. Unless you are certain that specific research data are NOT sensitive, you should treat them as if they ARE.

Note: Although results of sensitive VA research are considered “sensitive” data, once they have been summarized and submitted for publication or published in compliance with all applicable requirements, the summarized data are not considered “sensitive.”

As a member of the Research Community it is quite simply our

DUTY to protect the sensitive research data of the Veterans who have served and protected our country and who now

volunteer as Research Subjects!

WHY ARE WE AT RISK?

• Approximately one in 10 laptop computers is stolen (Gartner Group, 2001)…

• Hospitals and universities are particularly common targets for theft of laptops and other portable media , thus...

• We need to be vigilant in the storage, use, security and confidentiality of data and for the privacy of the research subjects

The loss of data:

• Violates veterans’ and employees privacy.

• Exposes them to the possibility of identity theft.

• Possibly resulting in risk to their financial security, employability, insurability and reputation.

• Instills a lack of trust in the VA system.

Consider this when dealing with Sensitive Data

• Lead by example!

• Treat all research data as sensitive unless you are absolutely sure they are not!

• Foster camaraderie in this quest!

• Utilize technical safeguards, physical safeguards and good work practices!

VHA Handbook 1605.1

• Utilizing VHA Handbook 1605.1 will lead to compliance with the privacy requirements set forth in all six Federal privacy & confidentiality statures and regulations regarding the – COLLECTION– USING– SHARNG– or DISCLOSING of individually identifiable

information

Data Collection & Use

• Collect the minimum information needed to conduct the research.

• Use data as outlined by the protocol and signed authorization.

• Never re-use or share data without the appropriate approvals

Sharing or Disclosing Information

• Disclosure of individually identifiable information from official VHA records is acceptable only when:

• The VHA has first obtained the signed, written (HIPAA) authorization of the individual, or

• Waiver of HIPAA authorization is approved by the Privacy Board.

HIPAA Authorization must contain the following information:

• Expiration date, event or condition

• Individual to whom the requested info pertains

• Description of the information requested

• Statement regarding revocation

• Statement that VA treatment & benefits are not effected by the authorization

• The signature of the individual whose info will be used or disclosed.

• Date of the signature

Waiver of HIPAA Authorization

• Must be approved by the facility IRB or Privacy Board.

• Approval is based on 3 criteria:– The use or disclosure must involve no more

that minimal risk to the individual– The research cannot practicably be

conducted without the waiver– The research cannot be performed without

access to, and use of, the protected health information

Data Use Agreements(DUA)

• A written DUA may be obtained when data will be disclosed outside of the VHA for non-VA research.

• The DUA must include the following:– What and how data may be used – How data will be stored & secured– Who may access data & by what legal authority– Disposition of data after the termination of research– Actions required if data are lost or stolen

Certificates of Confidentiality

Under Federal law, researchers must obtainan advance grant of confidentiality from the NIH, known as a Certificate of Confidentiality, to protect data pertaining tosensitive issues such as illegal behavior, alcohol or drug use, or sexual practices or preferences.

What About De-identified Data?

• Is your data truly de-identified, thus containing none of the 18 types of identifiers as outlined by VHA Handbook 1605.1, Appendix B?

• Does your data involve the removal of all information that would identify the individual or would be used to readily ascertain the identity of the individual?

Can you actually recite the 18 types of identifiers that MUST be removed to assure that the data is…

DE-IDENTIFIED?

Names or initialsAll geographic subdivisions smaller than a stateAll elements of dates except the year and all ages over 89Telephone numbersFax numbersE-mail addressesSocial Security Numbers (or scrambled Social Security

Numbers)Medical record numbersHealth plan beneficiary numbersAccount numbersCertificate or license numbersVehicle identifiers and license plate numbersDevice identifiers and serial numbersURLsIP addressesBiometric identifiers, including finger and voice printsFull-face photographs and any comparable imagesAny other unique identifying number, characteristic or code,

unless otherwise permitted by the Privacy Rule for re-identification

*HIPAA identifiers also pertain to the person’s employer, relatives, and household members.

Limited Data Sets

• Exclude certain direct identifiers that apply to:– The individual– The individual’s relatives– The individual’s employers– The individual’s household members

• They may contain:– City, state, ZIP– Elements of a date and other numbers– Characteristics or codes not used as direct identifiers– Identifiable information, such as scrambled SS#s.

Coded Data

• Coding consists of labeling info with a code that :– Does not include any patient identifiers– Is not derived from or related to the 18 HIPAA

identifiers– Cannot be translated so as to identify the

individualIf data are coded, the key to linking the code with these identifiersmust be stored within the VA, but it should not be stored with the coded data.

Lets Just Be Sensible!

• Log off from your computer when you are not physically using it.

• Do not leave printed private data on the printer.• Pick up your Fax's in a timely fashion.• Use only approved hardware, software, solutions

and connections.• Control access to data.• Avoid using automatic password-saving

features.• Do not talk about private information in a public

place.

Steps We Have Taken to Assure Compliance with Regulations

• Additional Medical Center Memorandums to include– Loaning of Research IT Equipment– Research Management of Laptops– Security of PHI/sensitive info held by

Researchers

Additional Steps…

• Addition of the Privacy Officer to the R&D Committee.

• Questions regarding data security and privacy asked at the pre-consenting interview held with the PI and coordinator.

• More stringent exiting procedures.• Annual PI Certification and Data Security

Checklist.• Annual certification of compliance by MCD.

What we are currently working on

• PKI compliance.• Quarterly walk-thru inspections of work areas

within Research.• Reviewing and updating SOPs (as needed) to

include appropriate language regarding data security and privacy.

• Creating a database that provides information regarding data security and privacy by protocol.

• Adding the Privacy Officer and the Information Security Officer to our semi-annual all research staff meetings.

Final Words of Wisdom

• Err on the side of caution!• Keep regulations at hand, it is extremely difficult to

remember everything!• Work closely with your Privacy Officer & the Information

Security Officer!• Ask for assistance from VACO!• Steadily work to improve and modify as necessary in a

timely fashion!• Be positive and optimistic…nothing hinders the process

more than pessimism!• Keep your Medical Center Director up to date with any

new information or process. • Be an example!

IT IS A PRIVLEDGE TO NOW SERVE THEM!