200 likes | 352 Views
Privacy Issues In Research. Stephania H. Putt, RHIA Department of Veterans Affairs VHA Privacy Officer. Federal Info & Privacy Laws. Title 38, United States Code (USC), Section 5701 Freedom of Information Act, Title 5 USC 552 Privacy Act of 1974, Title 5 USC 552a Title 38 USC Section 7332
E N D
Privacy Issues In Research Stephania H. Putt, RHIA Department of Veterans Affairs VHA Privacy Officer
Federal Info & Privacy Laws • Title 38, United States Code (USC), Section 5701 • Freedom of Information Act, Title 5 USC 552 • Privacy Act of 1974, Title 5 USC 552a • Title 38 USC Section 7332 • Standards on Privacy of Individually Identifiable Health Information, 45 CFR Part 164 • Title 38, Code of Federal Regulations, Sections 1.460 - 1.582
Title 38 USC 5701 • Applies to VA only • Predates FOIA and Privacy Act • Affords special protections to veteran’s names and addresses • Is still in effect even after veteran’s death
Freedom of Information Act (FOIA) • Federal records available to any person upon request unless authorized withholding under the law. • Pertains to all federal agency records: • agency rules, policy memorandum, directives, manuals, opinions • electronic mail messages • telephone directory, employee salaries • various records
FOIA within VA • Requests must be in writing and signed, as well as, contain a reasonable description of records sought. • Timeframes for responding to requesters with decision is 10 days. • Fees are to be charged for copying, search time, and direct employee cost. • Costs calculated according to 38 CFR §1.555). • Requester notified when charges exceed $25.00 • VA has no obligation to “create” information to meet a request.
Privacy Act (PA) • Pertains to any group of VA records (patient or employee) contained in a system of records. • Prohibits disclosure of any record contained in a system of records unless specifically authorized by the Act (5 U.S.C. §552a(b)) • Provides rights to the individuals to whom the records pertain
Privacy Act Definitions • System of Records – a group of any records under the control of any agency from which information about an individual is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. • Disclosure - whenever VA (employees) communicates, by any means, to anyone in or outside of VA who is not aware of the information.
PA Disclosure of Information • Disclosure prohibited without specific written consent from the individual or Privacy Act authority, 5 USC §552a: • (b)(1) – employee of agency in order to perform duties • (b)(3) – published routine use • (b)(5) – statistical research • (b)(8) – health or safety of an individual • (b)(11) – court order
7332-Protected Information • 38 USC Section 7332-Protected information is any information relating to the condition of: • HIV or • Sickle Cell Anemia; • Or the condition and/or treatment of: • Drug abuse or • Alcoholism or alcohol abuse.
7332-Protected Information • Protected information may only be disclosed to a third party with the special written consent of the patient except where expressly authorized by 38 USC 7332. • VA can disclose this information to: • VA employees on a need to know basis - more restrictive than Privacy Act need to know. • Contractors who need the information in order to perform or fulfill the duties of the contract. • Researchers who provide assurances that the information will not be identified in any report.
HIPAA Privacy Rule • Notice of Privacy Practices • Authority to use and/or disclose information for treatment, payment or health care ops • Other authority to disclose information for purposes such as: • Law Enforcement • Public Health Reporting • Research with IRB Waiver • Authorization for other uses and/or disclosures of information not otherwise allowed
HIPAA Privacy Rule • Administrative Requirements • Privacy official • Privacy Policies • Training • Accounting of Disclosures • Individuals’ Right to: • Access their information • Request an Amendment • Receive Confidential Communications • Request Restrictions on the use or disclosure of their information
Relationship b/w Laws • All applicable privacy laws and regulations must be applied when: • Using or Disclosing information, and • Process Requests from individuals exercising their privacy rights. • When conflicts arise between the laws: • The more stringent law applies for disclosures, • The one that affords the greatest rights to the individual applies for privacy rights. • See VHA Handbook 1605.1
Use of Information • Employees must have authority to use information other than just a “need to know” to perform duties. • Authority to USE data for Research: • PA (b)(1) Provision • HIPAA Privacy Rule – Authorization as part of Informed Consent or IRB Approval of Waiver of Authorization • 38 USC 7332 – Employee official duties
Disclosure of Information • VHA must have authority in order to disclose information outside VA under all applicable laws. • Authority to disclose for Research: • FOIA – Written request with no exemptions • PA – Routine Use in system of records • HIPAA Privacy Rule – Authorization as part of Informed Consent or IRB Approval of Waiver of Authorization • 38 USC 7332 – Authorization as part of Informed Consent or assurance of no identified data in report
Disclosure from VHA • Requests for patient specific information must be in writing; and • Contain the written authorization of the patient or legal guardian/representative; or • Legal authority to disclose must be present. • VA can charge most third parties for search fees, copying fees, and abstracts • Accounting of disclosures must be maintained.
Accounting of Disclosures • VHA is required to keep an accurate accounting of disclosures for research. • The accounting must include: • Date, nature, and purpose of the disclosure; and • Name and address of the person or agency to whom the disclosure is made.
Accounting of Disclosures • Retain accounting for 6 years or life of the record, whichever is longer. • An accounting is NOT required for use of information for research.
Privacy Review • Review of Research Documentation to ensure all privacy requirements are met. • Verification of PI • Research Protocol • IRB Approval of Study • IRB Approval of Waiver of Authorization • Review of Informed Consent, if applicable
For Additional Information • VHA Privacy Office web site at: http://vaww.vhaco.va.gov/privacy • Contact: • Stephania H. Putt, VHA Privacy Officer, (727) 320-1839 • Clay Johnson, VHA FOIA Officer, (202) 273-6266