VA Research Data Security and Privacy
Veterans Health Administration Office of Research and Development
Module 1: Sensitive VA Research Information
What is VA Research and Sensitive VA Research Data? • VA research is any research that has been approved (or requires approval) by a VA Research and Development (R&D) Committee. Generally, this includes any research conducted with VA resources, including funds, staff time, equipment, or space. • VA research data consist of information that has been collected for, used in or derived from the conduct of VA research. • VA sensitive information is defined in VA Directive 6504 as all Department data, on any storage media or in any form or format, that require protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. • This term includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under confidentiality provisions such as the Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It also includes information that can be withheld under the Freedom of Information Act (FOIA).
VA Protected Information (VAPI) is VA sensitive information, Privacy Act information, Protected Health Information (PHI), or other VA information that has not been deliberately classified as public information for public distribution. • Sensitive VA research data consist of information that has been collected for, used in or derived from the conduct of VA research and that fits the definition of VA sensitive information. • Always err on the side of caution. Unless you are certain that specific research data are NOT sensitive, you should treat them as if they ARE. • Note: Although results of sensitive VA research are considered “sensitive” data, once they have been summarized and submitted for publication or published in compliance with all applicable requirements, the summarized data are not considered “sensitive.”
Why Is It Important To Protect VA Research Data? • The VA is committed to protecting information about our veterans and employees. When individuals who have served our country volunteer to participate in VA research, they entrust us to keep their personal and health information safe. • Inadvertent loss of private information, including real or scrambled Social Security Numbers (SSNs), violates veterans’ and employees’ privacy and exposes them to the possibility of identity theft with its attendant economic, legal and social consequences. These can include substantial risks to their financial security, employability, insurability or reputation, and can have other serious implications.
Approximately one in 10 laptop computers is stolen (Gartner Group, 2002). Hospitals and universities are particularly common targets for theft of laptops and other portable media because thieves know these facilities have so much computer equipment. • Several recent sentinel events in the VA, as well as in the academic and private sectors, have demonstrated that, to honor the sacred trust our veterans and employees have in us, we must be vigilant and take strict precautions to keep their research data secure and confidential.
How Can You Protect VA Research Data? • We all need to remember it is a privilege to be involved in VA research. This privilege, however, comes with many responsibilities. One of the most important is to ensure that all sensitive VA research information is secure and confidential and that the privacy of our VA research subjects is protected. • Since VA research data are owned by the VA, everyone involved in VA research must meet all Federal requirements for the storage, use, security and confidentiality of the data and for the privacy of the research subjects.
The purpose of this training is to heighten your awareness of the requirements and remind you of common sense precautions you can take. Some general measures include: • Treating all VA research data as if they are sensitive unless you are absolutely certain they are not sensitive • Fostering teamwork and a supportive culture where everyone helps each other remember to implement strict security controls and privacy standards • Remembering that, to keep sensitive VA research data secure and confidential, it takes all three legs of the three-legged stool: • Technical safeguards • Physical safeguards • Good work practices • Your efforts will not only help protect veterans’ rights and welfare, but also the future of VA research.
Module 2: Privacy of Subjects and Confidentiality of VA Research Data
Privacy Statutes • Every VHA employee must comply with all applicable Federal privacy and confidentiality statutes and regulations when collecting, using, sharing or disclosing individually identifiable information, which includes sensitive VA research data. • The applicable Federal statutes and regulations are: • The Freedom of Information Act (FOIA), 5 U.S.C. 552 • The Privacy Act (PA) of 1974, 5 U.S.C. 552a • The VA Claims Confidentiality Statute, 38 U.S.C. 5701 • Confidentiality of Drug Abuse, Alcoholism and Alcohol Abuse, Infection With the Human Immunodeficiency Virus (HIV) and Sickle Cell Anemia Medical Records, 38 U.S.C. 7332 • The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 45 Code of Federal Regulations Parts 160 and 164 • Confidentiality of Healthcare Quality Assurance Review Records, 38 U.S.C. 5705
Fortunately, you do not have to read and learn the content of these six statutes and regulations to be able to comply with the privacy requirements they set forth. VHA Handbook 1605.1, Privacy and Release of Information, establishes guidance on privacy practice and provides VHA policy for the use and disclosure of individually identifiable information, and for individuals’ rights in regard to VHA data. • By following privacy policies in VHA Handbook 1605.1, you are simultaneously applying all six statutes and regulations so that the result will be the application of the most stringent provisions for all uses and/or disclosures of sensitive VA research data.
Authorization for Disclosure of Information • VHA employees may disclose individually identifiable information from official VHA records only when: • The VHA has first obtained the prior signed, written authorization of the individual, or • Other legal authority in the above statutes and regulations permits the disclosure without written authorization (see your Privacy Officer for advice on specific cases)
When a written authorization from the individual is required, the request and authorization must contain the following information: • An expiration date, event or condition • The individual to whom the requested information pertains • The permitted recipient(s) or user(s) of the information • A description of the information requested • A statement regarding revocation • A statement that VA treatment and benefits are not conditioned on the signing of the authorization • The signature of the individual whose information will be used or disclosed • The date of signature of the individual whose information will be used or disclosed
Investigators and others involved in research should • Limit their request to the minimum information needed to conduct the research • Always use data in a manner that is consistent with the protocol and the signed authorization • Never re-use or share data without the appropriate approvals
Waiver of HIPAA-Compliant Authorization • A waiver of HIPAA-compliant authorization may be approved by the Institutional Review Board (IRB) or Privacy Board at your facility. All three of the following criteria are required for approving a waiver: • The use or disclosure must involve no more than minimal risk to the privacy of the individuals • The research cannot practicably be conducted without the waiver • The research cannot practicably be conducted without access to, and use of, the protected health information
Data Use Agreements • A Data Use Agreement (DUA) may be obtained when data will be disclosed outside of VHA for non-VA research (VHA Handbook 1605.1, “Privacy and Release of Information,” Appendix E). • A data use agreement is a written contract that defines the following: • What data may be used • How data may be used • How data will be stored and secured • Who may access data • Legal authority under privacy for access to data • Disposition of data after the research has been terminated • Actions required if data are lost or stolen
Certificates of Confidentiality • Under Federal law, researchers may obtain an advance grant of confidentiality from the National Institutes of Health, known as a Certificate of Confidentiality, to protect data pertaining to sensitive issues such as illegal behavior, alcohol or drug use, or sexual practices or preferences. • This document provides protection against compulsory disclosure of identifiable research data (e.g., in response to a subpoena). It does not relieve you of any of the VA storage and security requirements described in this training.
De-Identification of Data • De-identified data is health information that does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. • VHA would consider health information no longer protected health information (PHI) if it has been appropriately de-identified in accordance with the HIPAA Privacy Rule as outlined in VHA Handbook 1605.1, Appendix B.
For protected health information to be de-identified under the HIPAA “Safe Harbor” method, all of the following 18 types of identifiers must be removed: • Names or initials • All geographic subdivisions smaller than a state • All elements of dates (except the year) directly related to an individual, such as birth date, admission date, discharge date and date of death, and all ages over 89 (ages over 89 may be aggregated into a single category of “90 or older”) • Telephone numbers • Fax numbers • E-mail addresses • Social Security Numbers (or scrambled Social Security Numbers) • Medical record numbers • Health plan beneficiary numbers • Account numbers • Certificate or license numbers • Vehicle identifiers and license plate numbers • Device identifiers and serial numbers • URLs • IP addresses • Biometric identifiers, including finger and voice prints • Full-face photographs and any comparable images • Any other unique identifying number, characteristic or code, unless otherwise permitted by the Privacy Rule for re-identification
HIPAA identifiers also pertain to the person’s employer, relatives, and household members. Along with removing the 18 identifiers, HIPAA also requires, for the information to be considered de-identified, that the entity have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify an individual who is the subject of the information. Removing the listed fields is therefore necessary but not sufficient: someone must still look at what remains (rare diagnoses, free text, small cell counts) and judge whether it still points to a person. • According to the Common Rule, de-identification involves removal of all information that would identify the individual or could be used to readily ascertain the identity of the individual. • Note: For VA research purposes, VA research data are considered to be “de-identified” only if they meet the de-identification criteria of BOTH HIPAA (i.e., removal of all 18 identifiers) AND the Common Rule.
Limited Data Sets • The use of limited data sets does not require HIPAA-Compliant authorization or a waiver of HIPAA-Compliant authorization, but does require a data use agreement (DUA). Their use is only allowed for research, public health, or health care operations. Your Institutional Review Board (IRB) or Privacy Officer (PO) can help you determine if use of a limited data set is appropriate for your research project.
Limited data sets have the following characteristics: • They exclude certain direct identifiers that apply to • The individual • The individual’s relatives • The individual’s employers • The individual’s household members • They may contain • City, state, ZIP code • Elements of a date and other numbers • Characteristics or codes not listed as direct identifiers • Identifiable information, such as scrambled Social Security Numbers (SSNs) • Note: The use of limited data sets may constitute human subjects research and, therefore, it may require IRB approval.
Coded Data • Coding consists of labeling information with a code that • Does not include any patient identifiers (see the HIPAA identifiers noted previously) • Is not derived from or related to the 18 HIPAA identifiers • Cannot be translated so as to identify the individual. Thus, initials, Social Security Numbers (SSNs) and so on may not be used as codes, even in partial or scrambled form. • Codes provide a link by which identities can be accessed through a key held separately from the research and the researchers. For example, the code might be a barcode or a combination of random numbers and letters. • If sensitive VA research data are coded, the key linking the code with these identifiers must be stored within the VA, but it must not be stored with the coded data. • Note: If the investigator has access to the code key, the coded information is not considered “de-identified.”
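The following is an added example, not part of the VA training material, showing the two operations described in the de-identification and coded-data sections: a mechanical HIPAA Safe Harbor pass that drops the listed identifier types (keeping only the year of dates and collapsing ages over 89 into “90+”), and assignment of a random subject code whose re-identification key is filed in a separate store. The field names, the sample record and the in-memory key store are assumptions made for this illustration; in practice the key store would be a separate, access-controlled table on a VA system, never alongside the coded data set.

```python
"""Added example: Safe Harbor de-identification plus separate-key coding.

Not VA code. Field names, the sample record and the key-store layout are
assumptions for this illustration.
"""
import re
import secrets

# Direct identifier categories that Safe Harbor (45 CFR 164.514(b)(2))
# requires removed outright. Field names are assumed; map your own schema.
DIRECT_IDENTIFIERS = frozenset({
    "name", "initials", "street", "city", "county", "zip",
    "phone", "fax", "email", "ssn", "scrambled_ssn", "mrn",
    "health_plan_id", "account", "license", "plate", "device_serial",
    "url", "ip", "fingerprint", "photo",
})
# Dates tied to the individual keep only the year (ISO YYYY-MM-DD input assumed).
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date", "death_date"})


def safe_harbor(record: dict) -> dict:
    """Return a copy of record with the Safe Harbor identifier types removed.

    Mechanical removal is necessary but not sufficient: the 18th category
    ("any other unique identifying number, characteristic or code") and the
    "no actual knowledge" test still need a human look at what remains, and
    VA policy additionally requires the Common Rule test.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                          # drop outright
        if field in DATE_FIELDS:
            out[field] = str(value)[:4]       # keep the year only
        elif field == "age":
            # HIPAA permits ages over 89 to be aggregated into "90 or older".
            out[field] = "90+" if int(value) > 89 else int(value)
        else:
            out[field] = value                # e.g. state, diagnosis, lab values
    return out


def _digit_fragments(*values: str) -> set:
    """Every substring of 4+ digits found inside the given identifier values."""
    frags = set()
    for v in values:
        for run in re.findall(r"\d{4,}", v):
            for n in range(4, len(run) + 1):
                for i in range(len(run) - n + 1):
                    frags.add(run[i:i + n])
    return frags


def code_is_derived_from_identifiers(code: str, record: dict) -> bool:
    """True if a proposed code embeds the subject's initials or a 4+ digit
    fragment of the SSN, MRN or date of birth. VA policy forbids codes derived
    from identifiers even in partial or scrambled form, so such codes are rejected.
    """
    initials = "".join(p[0] for p in record.get("name", "").split()).upper()
    if initials and initials in code.upper():
        return True
    frags = _digit_fragments(record.get("ssn", ""), record.get("mrn", ""),
                             str(record.get("dob", "")))
    return any(f in code for f in frags)


def assign_code(record: dict, key_store: dict, nbytes: int = 8) -> str:
    """Allocate a random code for record and file the re-identification key.

    key_store stands in for the key table that must be kept within the VA,
    stored apart from the coded data. Anyone holding it can re-identify, so
    data coded this way are not "de-identified" for whoever can read it.
    """
    while True:
        code = secrets.token_hex(nbytes)      # random; derived from nothing
        if code in key_store or code_is_derived_from_identifiers(code, record):
            continue                          # collision or forbidden overlap: redraw
        key_store[code] = {f: record[f] for f in DIRECT_IDENTIFIERS if f in record}
        return code


def code_record(record: dict, key_store: dict) -> dict:
    """Produce the coded, Safe-Harbor-scrubbed record that the study team sees."""
    code = assign_code(record, key_store)
    coded = safe_harbor(record)
    coded["subject_code"] = code
    return coded


# Constructed sample record; every value is fictional.
SAMPLE = {
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0042817",
    "dob": "1931-04-12", "age": 93, "zip": "20420", "city": "Washington",
    "state": "DC", "admit_date": "2024-02-14", "diagnosis": "E11.9",
    "email": "jane.doe@example.net",
}

if __name__ == "__main__":
    keys = {}
    print(code_record(SAMPLE, keys))      # what the researchers get
    print("key table (kept separately):", keys)
```

Running the script prints a record containing only state, diagnosis, the year of each date, “90+” for the age, and a 16-character random subject code; the key table maps that code back to the dropped identifiers. The rejection check is deliberately conservative (it also refuses codes that merely happen to contain a 4-digit run from an identifier), since redrawing a random code is free while a code that leaks part of an SSN is a policy violation.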
Common Sense Ways to Protect Subjects’ Privacy and the Confidentiality of Their Information • When research subjects (or potential subjects) provide information about themselves, they do so with an assumption of trust. Your common sense will help you come up with many ways to protect their privacy and the confidentiality of their information. • For instance, • Do not walk away from a computer without logging off • Do not print private data and leave it on the printer • Access information systems only through approved hardware, software, solutions and connections • Take appropriate steps to protect information, network access and passwords (not just electronic versions of the information, but also hard copies, audio- and videotapes) • Control access to patient files or data that you have saved on a disk – or, better yet, do not use a disk, but back up your data on a VA server instead (see Module 4) • Do not access information you don’t really need • Avoid using automatic password-saving features • Do not talk about a subject’s information in a public place
Preparatory to Research • Data use preparatory to research does not require a written authorization or a waiver of HIPAA-Compliant authorization. Within VHA, “preparatory to research” refers to activities that are necessary for the development of a specific protocol. Protected health information (PHI) from data repositories or medical records may be reviewed during this process, but only aggregate data may be recorded and used in the protocol. • “Preparatory to research” does not involve the identification of potential subjects or the recording of data for the purpose of recruiting these subjects or to link to other data. • For example, accessing VA medical records to count how many patients had a specific complication of diabetes prior to developing a retrospective study of these patients is an activity “preparatory to research,” but recording their names and contact information is not.
The “preparatory to research” activity ends once the protocol has been approved by the IRB and the R&D Committee. • The PI must document in his/her “preparatory to research” files that • Access was limited to protocol preparation • No protected health information (PHI) was removed • Access was necessary to prepare for the research • Note: VHA protected health information may never be disclosed for non-VA “preparatory to research” activities.
Pilot Studies • Pilot studies are early studies designed to test an idea or treatment. The information gathered in pilot studies usually is used to help design a larger study. Pilot projects must be reviewed and approved by the IRB and R&D Committee and must meet all applicable research requirements. • Even if they are performed in preparation for a research grant application, pilot studies are not considered to be “preparatory to research,” but full-fledged research projects.
Research Protocol • During the early stages of planning a research project, an investigator should think about how sensitive research data will be stored and accessed, as well as how to protect subjects’ privacy. When the principal investigator (PI) submits a research study that involves the collection, use and/or storage of sensitive information (e.g., subject identifiers or protected health information (PHI)) to an IRB and an R&D Committee, his/her submission for approval must contain specific information on • All sites where the data will be used or stored • Specifically who will have access to the data • How the data will be transmitted or transported • How the data will be secured • If copies of the data will be placed on laptops or portable media, a discussion of the security measures • If the data will be re-used for subsequent or future research protocols, provisions for future use in the informed consent form and the HIPAA-compliant authorization • If relevant, provisions to ensure sponsor data storage guidelines are met and do not conflict with VA policies
Note: The principal investigator (PI) must certify that all VA sensitive information associated with each specific study is being used, stored and secured in accordance with applicable VA and VHA policies and guidance. • The following forms must be stored with the research protocol files: • Data Security Checklist for Principal Investigators • Principal Investigator’s Certification: Storage and Security of VA Research Information
IRB Approval • Prior to accessing or collecting ANY data involving human subjects (other than “preparatory to research” as previously discussed), the PI must obtain written approval from the IRB. As part of its review, the IRB will determine • If the protocol is exempt from IRB review. If it is not, then • If written informed consent can be waived or altered. If not, then • If the written consent form contains appropriate information and is consistent with the protocol • The IRB or a Privacy Board also will determine if the criteria for granting a waiver of authorization are met. If they are, the IRB or Privacy Board will document its specific findings regarding the criteria and the approval of the waiver of authorization as required by HIPAA.
Exemption from IRB approval may be granted under the following conditions: • Research involves the use of educational tests (cognitive, diagnostic, aptitude, achievement), survey procedures, interview procedures, or the observation of public behavior unless • The information is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects, and • Any disclosure of the subjects’ responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects’ financial standing, employability, or reputation • Research involves the analysis of existing data or documents if these sources are publicly available, or if the information is recorded so that subjects cannot be identified, either directly or through identifiers linked to the subjects • Note: The IRB must determine whether or not a protocol is exempt from IRB review. This determination cannot be made by the investigator. • Note: Even if a protocol is exempt from IRB review it may still require the IRB to grant a waiver of HIPAA-Compliant authorization.
Waiver of written documentation of informed consent may be granted by the IRB if it finds either • That the only record linking the subject and the research would be the informed consent document and the principal risk to the subject would be potential harm resulting from a breach of confidentiality, or • That the research presents no more than minimal risk of harm to subjects and involves no procedures for which written informed consent is normally required outside of the research context • In these situations, consent must still be obtained, but the requirement for a signed consent document is waived. The IRB may require that a written statement about the research be given to the subject. If it does, the IRB should review and approve this statement.
“Short form” signed documentation of informed consent may be permitted by the IRB for some kinds of projects. The subject is given an oral presentation that includes all the elements of consent. The following are required when a “short form” signed consent document is used: • A witness to the oral presentation • IRB approval of the written summary of what is to be presented orally • Only the short form is signed by the subject or the legal representative of the subject • The witness signs both the short form and the summary • The person actually obtaining consent signs the summary • A copy of the summary and of the short form is given to the subject or the legal representative of the subject
Waiver of one, several, or all of the elements of informed consent may be approved by the IRB where it finds • The research involves no more than minimal risk to the subjects • The waiver or alteration will not adversely affect the rights and welfare of the subjects • The research could not practicably be carried out without the waiver or alteration and • Whenever appropriate, the subjects will be provided with additional pertinent information after participation
Approval from Other Entities • In addition to approval from the IRB, the investigator must have written approval from the local VA Research and Development (R&D) Committee before starting a VA research project. Depending on the nature of the project, other approvals also may be required before it can be implemented. Some examples include approvals by • Institutional Animal Care and Use Committees (IACUC) for research involving animals • The VA Office of Research and Development (ORD) for international research or research involving children or prisoners • The appropriate union for research involving union employees • The Office of Management and Budget (OMB) for survey research • A database manager when data are being accessed through a database • A Privacy Officer (PO) when privacy regulations apply (if the IRB does not serve this function) • VA Operations and Management (10N) when employees are to be surveyed
Re-Use of Data • VA research data may be used only in accordance with the provisions in the approved protocol and informed consent. If an investigator wants to use VA research data for another purpose, he/she must submit a new proposal to the IRB, Research and Development (R&D) Committee and any other relevant entities. Data may not be re-used until the investigator has obtained all the appropriate approvals for their re-use.
Using Data from Deceased Individuals • Whenever data are retained for any period of time some participants may die. The Common Rule does not cover deceased subjects, but HIPAA and other Federal privacy statutes do. Consent of next-of-kin or other legally authorized representatives may be required for release, use or disclosure of the data about deceased individuals.
Data Repositories and Procedures • A data repository must be created if data are to be retained, re-used or shared for future studies. Creation of a data repository requires development of policies and procedures that must be approved by the Institutional Review Board (IRB) and Research and Development (R&D) Committee at the institution where the repository resides. Your facility’s Privacy Officer can assist in ensuring you do not have any Privacy Act system of records issues. • For VA research data, the data repository must be located at a VA facility on a VA server, unless all appropriate permissions are obtained to house it elsewhere (see Module 5). • To access data from a repository, an investigator must have a specific protocol that has been approved by his/her local IRB and R&D Committee. The protocol must contain the specific data elements requested, including sufficient justification for any request for identifiable information. • The repository and the investigator must sign a Data Transfer Agreement (DTA) that details the authorized uses of the data and stipulates that the data may not be re-disclosed.
Requirements • Everyone involved in VA research must be in compliance with all applicable Federal laws, regulations, policies and guidance related to privacy of research subjects, and confidentiality, storage and security of research data. • Specific requirements are found in VA Directive 6504, “Restrictions, Transportation and Use of, and Access to, VA Data Outside of VA Facilities;” VA IT Directive 06-02, “Safeguarding Confidential and Privacy Act-Protected Data at Alternative Work Locations;” VA IT Directive 06-06, “Safeguarding Removable Media;” and VA Memorandum, February 6, 2007, “Certification by Principal Investigators: Security Requirements for VA Research Information.” • Note: Your Information Security Officer (ISO) can help you understand, and advise you on how to implement, these requirements. • To keep sensitive VA research data secure and confidential, investigators and everyone else involved in research must pay strict attention to all three legs of the three-legged stool: • Technical safeguards • Physical safeguards • Good work practices
Restricted Access • Access to sensitive VA research data should be restricted to those • Individuals named in the research protocol, on the research informed consent and the HIPAA-Compliant authorization form • Individuals who are responsible for oversight of the research program • VA investigators who require access “preparatory to research” if their activity meets the requirements for “preparatory to research” set forth in VHA policy
Technical Safeguards • The appropriate use of technical safeguards is extremely important to protect against unauthorized access, disclosure or loss of VA research data.
Password Protection • Passwords are important tools for protecting VA information systems: they help ensure that only authorized VA researchers have access to the information they need. Here are some important password-related requirements for VA employees: • Passwords must meet VA password requirements • “Blank” and default user names and passwords cannot be used • User credentials, including passwords, must be protected appropriately because they are considered VA sensitive information • Passwords should never be shared with anyone else • Passwords must be stored in a safe and secure place that no one else knows about • Password-protected screensavers must be configured to activate after 15 minutes of inactivity • The “save password” feature cannot be used on VA equipment or in programs that provide access to the operating system or VA network services • Passwords or other authentication information cannot be stored on remote systems unless those systems have been encrypted according to VA requirements
Protection from Viruses and Other Malicious Code • It is important to protect VA research data from computer viruses and other malicious code. Here are some key points to remember: • Always use VA-approved antivirus software on all VA-owned AND non-VA computers that contain sensitive VA research data • Local ISOs will provide the software for VA-owned equipment • Immediately stop using any computer or software you suspect is infected • Immediately isolate the computer from any VA network connections (unplug the network cable or disable the wireless adapter) • Do not reboot the system, since many viruses are triggered to propagate upon system reboot • If malicious activity appears to be under way, the system must be shut off and left off until it has been cleaned by booting from clean antivirus boot media • Employees not authorized to attempt recovery and restoration must not remove the suspected software themselves, but must contact a qualified IT Specialist • Only VA-approved software and tools may be used to attempt recovery from infection with a virus or other malicious code • If a non-VA technician is called to work on non-VA-owned equipment, use caution to protect the VA information, including any information that facilitates access to VA private networks • If a hard drive or other storage medium that contains VA research data becomes infected, never surrender it to, or swap it with, an outside party
Encryption • Additional security controls, such as encryption, are required to guard sensitive research data stored on computers used outside VA facilities or when transmitting sensitive data via remote access. You must use encryption in the following situations: • When you use either VA-owned or non-VA equipment in a mobile environment outside the VA (e.g., a laptop) • When you use a personal computer (PC) at an alternative work site • When you access a VA network from a remote location • Note: All encryption modules used to protect sensitive VA research data must meet National Institute of Standards and Technology (NIST) standards and be validated under Federal Information Processing Standard (FIPS) 140-2; that is, the module must hold a certificate from the NIST Cryptographic Module Validation Program, not merely claim to use a FIPS-approved algorithm. Your ISO can confirm whether a given product or configuration qualifies.
Physical Safeguards • Physical security measures are just as important as technical safeguards for protecting VA research data. The following rules for physical security of data apply to all VA employees, and they apply whether the data are stored on VA-owned or non-VA equipment, inside or outside of VA facilities: • Do not take equipment, information, or software containing sensitive VA research data to non-VA sites without the express authorization of your supervisor, Associate Chief of Staff for Research and Development (ACOS/R&D), Privacy Officer (PO) AND your Information Security Officer (ISO) • See that equipment is housed and protected to reduce the risks from environmental threats and hazards, and protected against opportunities for unauthorized access, use, loss, removal or theft • Secure portable computers that have sensitive VA research data on their storage devices or have software that provides access to VA networks under lock and key when you or another responsible employee is not in the immediate vicinity
Note: Thumb drives are of particular concern since they are small, can store considerable data and are easy to misplace or lose. • Use physical locks to secure portable computers to immovable objects when you must leave computers in areas where individuals other than authorized employees have access • When in an uncontrolled environment, follow “clear desk” practices for media to reduce the risk of unauthorized access to, loss of, and/or damage to the sensitive research information • Note: This means that you cannot leave storage media or hard copies containing sensitive VA research data unsecured.
Guard against disclosing VA research data to unauthorized personnel through eavesdropping, overhearing, or unauthorized personnel actually “seeing” the data on a computer screen • When traveling, keep portable computers and storage devices with you at all times and do not check them as baggage • Protect data and system backups with the same or equally effective physical security as you provide the source computer, its media and the information contained on them • Store backups where they are physically secure yet accessible within a reasonable time frame • Note: Do not store original sensitive VA research data on laptops or portable media. • Note: If you store data on a VA server, you do not need to back them up to portable media since VA servers are routinely backed up.
File Sharing • Note: You must not create a shared file or a drive containing sensitive VA research data on a device that you use for remote computing. You can share files of sensitive VA research data only through authorized VA servers.