HIPAA, Privacy, & Cybersecurity
Brenda Cuccherini, Ph.D., MPH, VA Office of Research & Development, January 2007

Page 1

HIPAA, Privacy, & Cybersecurity

Brenda Cuccherini, Ph.D., MPH

VA Office of Research & Development

January 2007

Page 2

A New Mind Set

“Old habit of mind is one of the toughest things to get away from in the world. It transmits itself like physical form and features…”

Mark Twain

A Connecticut Yankee in King Arthur’s Court

Page 3

VHA & Privacy

• VHA privacy program is “complex”

• VHA must comply with 6 statutes that govern collection, maintenance & release of information

Page 4

Privacy Related Statutes

• HIPAA

• Privacy Act of 1974

• FOIA

• VA Claims Confidentiality

• Confidentiality of Drug Abuse, Alcoholism & Alcohol Abuse, HIV, and Sickle Cell Anemia Medical Records

• Confidentiality of Healthcare Quality Assurance Review Records

Page 5

HIPAA Title II: The Privacy Rule (45 CFR 160 and 164)

Page 6

HIPAA Topics To Be Covered

• HIPAA & the Common Rule

• HIPAA Identifiers

• Limited Data Sets

• Business Associate Agreements

• De-identification

• Waiver of Authorization

• VA & HHS Differences

Page 7

HIPAA & the Privacy Rule

• Title I: Health Care Access, Portability, & Renewability

• Title II: Preventing Healthcare Fraud & Abuse; Administrative Simplification; Medical Liability & Reform
– Privacy Rule
– Transactions
– Security
– Enforcement

Page 8

HIPAA & The Common Rule

• Two different but not contradictory sets of regulations

• Many terms are similar but not identical

• The IRB must make 2 separate determinations when reviewing & approving applicable research

Page 9

HIPAA “Identifiers”: Remove to De-identify for HIPAA

(1) Names
(2) All geographic subdivisions smaller than a state, except for the initial three digits of the zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people
(3) All elements of dates except year, and all ages over 89
(4) Telephone numbers
(5) Fax numbers
(6) E-mail addresses
(7) Social security numbers
(8) Medical record numbers

Page 10

HIPAA “Identifiers” (Cont.)

(9) Health plan beneficiary numbers
(10) Account numbers
(11) Certificate or license numbers
(12) Vehicle identifiers and license plate numbers
(13) Device identifiers and serial numbers
(14) URLs
(15) IP addresses
(16) Biometric identifiers
(17) Full-face photographs and any comparable images

Page 11

HIPAA Identifiers (Cont.)

(18) Any other unique identifying number, characteristic or code, unless otherwise permitted by the Privacy Rule for re-identification
– Scrambled SSNs
– Initials
– Last four digits of SSN
– Employee numbers
– Etc.

(“19”) A caveat: HIPAA also requires that the entity does not have actual knowledge that the [remaining] information could be used alone or in combination with other information to identify an individual who is the subject of the information

• Even if you strip all 18 identifiers, the data still may not be de-identified

Page 12

Applicability of Identifiers

• HIPAA identifiers apply to:
– The individual
– The individual’s relatives
– The individual’s employers
– The individual’s household members

Page 13

What’s De-identified?

• If someone tells you data is de-identified, ask them how they define it!

• Definition of “de-identified”:
– All HIPAA identifiers must be removed, plus “the entity must have no knowledge…” [the caveat from the last slide], and
– It meets the Common Rule definition of de-identified

Page 14

Limited Data Sets

• Does not require a HIPAA authorization or waiver of authorization

• Only allowed for research, public health, or health care operations

• Requires a DUA

• May contain identifiable information such as scrambled SSNs, & are still PHI

• May still be human subjects research

Page 15

Limited Data Set (Cont.)

• Excludes certain direct identifiers

• Excluded identifiers apply to:
– The individual
– The individual’s relatives
– The individual’s employers
– The individual’s household members

• May contain:
– City, state, ZIP code
– Elements of a date & other numbers
– Characteristics or codes not listed as direct identifiers

Page 16

Limited Data Sets: Direct Identifiers

(1) Names
(2) Postal address other than town, city, state, and ZIP code
(3) Telephone numbers
(4) Fax numbers
(5) SSNs
(6) Medical record numbers
(7) Health plan beneficiary numbers
(8) Account numbers

Page 17

Limited Data Set: Direct Identifiers (Cont.)

(9) Certificate/license numbers
(10) Vehicle identifiers and serial numbers, including license plate numbers
(11) Device identifiers & serial numbers
(12) Web universal resource locators (URLs)
(13) Internet protocol (IP) addresses
(14) Biometric identifiers, including fingerprints & voice prints
(15) Full-face photographic images and any comparable images
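As an added worked example (not part of the presentation, and not VA or VHA code), the Python below applies the two identifier lists above to a record: the Safe Harbor list from slides 9-11, with the ZIP, date and over-89 age generalizations the slides describe, and the limited data set direct-identifier list from slides 16-17, which keeps city, ZIP, dates and codes. It also scans free-text fields for identifier-like tokens, which is the practical form of the slide 11 caveat that a record can still be identifiable after the structured identifiers are gone. The field names, the sample record and the restricted three-digit ZIP prefix set are constructed assumptions; the real restricted prefixes come from Census population data. One detail goes beyond the slide wording: the Rule (45 CFR 164.514(b)(2)(i)(C)) also removes date elements, including the year, that would reveal an age over 89, so the birth year is dropped for such records.

```python
import re
from datetime import date

# Direct identifiers dropped under both Safe Harbor and the limited data set
# rules. The field names are this example's assumed record layout.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Kept in a limited data set but dropped under Safe Harbor: geography below
# state level, unique study codes (identifier 18) and the individual's
# employer (the identifiers apply to employers and relatives too, slide 12).
SAFE_HARBOR_ONLY_DROP = {"city", "study_code", "employer"}

# CONSTRUCTED placeholder for the 3-digit ZIP prefixes whose combined
# population is 20,000 or fewer; a real deployment loads this from Census data.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}

# Identifier-like tokens that survive inside free text. Any hit means the
# record is not de-identified even though the structured fields were handled.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\d{3}[-.\s])?\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def safe_harbor_zip(zip_code):
    """First three ZIP digits, or 000 when that prefix covers <= 20,000 people."""
    digits = re.sub(r"\D", "", str(zip_code))[:3]
    return "000" if len(digits) < 3 or digits in RESTRICTED_ZIP3 else digits

def safe_harbor_age(age):
    """Ages over 89 collapse into a single 90+ category."""
    return "90+" if int(age) > 89 else int(age)

def safe_harbor_date(iso_date):
    """Every date element except the year is removed."""
    return date.fromisoformat(iso_date).year

def find_residual_identifiers(text):
    """Names the identifier categories still present in a free-text field."""
    return sorted(k for k, p in RESIDUAL_PATTERNS.items() if p.search(text))

def redact_text(text):
    for label, pattern in RESIDUAL_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text

def deidentify(record, mode="safe_harbor"):
    """Return a new record with identifiers removed or generalized.

    mode="safe_harbor": remove the 18 identifier categories and generalize
    ZIP, dates and ages. mode="limited_data_set": remove only the direct
    identifiers; the output is still PHI and needs a DUA (slide 14).
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if mode == "safe_harbor":
            if field in SAFE_HARBOR_ONLY_DROP:
                continue
            if field == "zip":
                out[field] = safe_harbor_zip(value)
                continue
            if field == "age":
                out[field] = safe_harbor_age(value)
                continue
            if field == "dob" or field.endswith("_date"):
                out[field] = safe_harbor_date(value)
                continue
        # Free text can carry identifiers the structured fields do not.
        out[field] = redact_text(value) if isinstance(value, str) else value
    # 45 CFR 164.514(b)(2)(i)(C) also strips date elements, year included,
    # that would reveal an age over 89, so the birth year goes as well.
    if mode == "safe_harbor" and out.get("age") == "90+":
        out.pop("dob", None)
    return out


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Pat Example", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "street_address": "1 Example St", "city": "Springfield", "state": "VT",
    "zip": "05901", "dob": "1915-03-04", "admit_date": "2006-11-20",
    "age": 91, "employer": "Example Corp", "study_code": "S-42",
    "diagnosis": "I10",
    "notes": "Follow-up call to 555-0100 and pat@example.org scheduled.",
}

if __name__ == "__main__":
    print("Safe Harbor:", deidentify(SAMPLE_RECORD))
    print("Limited data set:", deidentify(SAMPLE_RECORD, "limited_data_set"))
```

Running the block on the sample record shows the contrast the slides draw: the Safe Harbor output keeps only state, a generalized ZIP of 000 (the constructed restricted prefix), the admission year, the 90+ age band and the diagnosis, with the phone number and e-mail address redacted out of the notes; the limited data set output keeps city, full ZIP, full dates, exact age and the study code, which is why it remains PHI and needs a DUA.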

Page 18

Business Associate Agreements

• Business Associate: An individual or entity who, on behalf of VHA, performs or assists in performing functions or activities involving the use or disclosure of PHI, or

• Activities must be related to treatment, payment, or health care operations

Page 19

Business Associate Agreements

• BAAs are not required for research or research sponsors
– Research is not a function or activity regulated by HIPAA (treatment, payment, or health care operations)

Page 20

Waiver of Authorization

• IRB or Privacy Board (PB) may approve:
– Full waiver of authorization
– Partial waiver of authorization
– Alteration of the disclosure

• IRB or Privacy Board:
– Must make specific determinations prior to approving a waiver
– Must document specific findings

Page 21

Required Determinations: 3 Criteria

1. The use or disclosure of PHI involves no more than a minimal risk to the individual, based on at least the presence of the following elements:

– An adequate plan to protect the identifiers from improper use & disclosure

– An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining them or the retention is required by law; and

– Adequate written assurance that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by this subpart

Page 22

Required Determinations: 3 Criteria (Cont.)

2. The research could not practicably be conducted without the waiver

3. The research could not practicably be conducted without access to and use of the protected health information

Page 23

Required Documentation

• Name of IRB or PB & date approved

• Statement: IRB or PB determined that the alteration or waiver of authorization, in whole or in part, satisfies the 3 criteria in the Rule AND include the criteria

• A brief description of the PHI for which use or access has been determined to be necessary

• A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, and

• Signature of the chair or other member, as designated by the chair, of the IRB or PB, as applicable.

Page 24

Investigator’s Responsibility

• Include all necessary information in the submission to the IRB or PB

• Request use of the minimum necessary information to conduct the research

• Use of data consistent with the protocol

• No re-use or sharing of data without approvals

Page 25

Differences: VHA vs. HHS

• Preparatory To Research

• Authorization Elements

• Accounting for Disclosures

• Data Use Agreements

Page 26

Preparatory to Research

• VHA Handbook 1605.1 states that contacting research subjects or conducting pilot studies are not “Preparatory to Research” activities

• HHS states that the “Preparatory to Research” provisions allow an investigator to use PHI to contact prospective research subjects

Page 27

HIPAA Authorization

• VHA requirements differ from HHS’s:
– A description of the information to be used or disclosed AND must specifically identify HIV, sickle cell anemia, and drug and/or alcohol abuse treatment information

Page 28

Accounting for disclosure

• Not so much a “difference” but a clarification

• VHA research is conducted inside a single covered entity; MOST research does not involve “disclosure,” only “use” of PHI

Page 29

Data Use Agreements

• VHA and HHS require a DUA for use of limited data sets only

• ORD policy will additionally require a DUA (Data Transfer Agreement) any time you transfer data within VHA for research purposes

Page 30

Privacy Act of 1974

Page 31

An American has no sense of privacy.

He does not know what it means.

There is no such thing in the country.

George Bernard Shaw

Page 32

Privacy Act of 1974

• Purpose: To balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy

• Background: Watergate era; Congress concerned with:
– Curbing illegal surveillance & investigations
– Potential abuses presented by government’s increasing use of computers to store & retrieve personal data

Page 33

Privacy Act Objectives

• Restrict disclosure of personally identifiable records by agencies

• Grant individuals:
– Increased rights of access to agency records
– The right to seek amendment of agency records

• Establish a code of fair information practices for agencies

Page 34

A Privacy Act Requirement

• Agencies that maintain a system of records “shall promulgate rules, in accordance with notice and comment rulemaking”

• Systems of Records (SOR): “A group of records under agency control from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”

Page 35

System of Records Content

• Category of individuals covered by the system

• Categories of records in the system

• Purpose of the records

• Routine uses of records

• Storage (storage medium)

• Retrievability (name, numbers or identifier)

Page 36

SORs and Research

• 34VA12 -- Veteran, Patient, Employee, and Volunteer Research and Development Project Records

• 121VA19 -- National Patient Databases - VA

Page 37

SOR’s Impact on Research

• All release/disclosure of information must be consistent with the SOR and its routine uses

• Investigators cannot release information to non-VA investigators or institutions unless:
– Written permission/authorization from the individual, or
– Permission of the USH

• Release of information is through the Privacy Office

Page 38

Privacy Issues Resources

• VHA Privacy Officer: Stephania Putt

• Local privacy officer

• VHA privacy program:
– http://vaww.vhaco.va.gov/privacy/
– Links to all Federal statutes, regulations, & policies including security policies
– Privacy Fact Sheets

Page 39

Cybersecurity

Page 40

To err is human – and to blame it on a computer is even more so.

Robert Orben

Magician and Comedy Writer

Page 41

A Changing Climate

• Security must be addressed in:
– Protocol, appendices, or other document
– Facility SOPs

• New policies (VA & VHA) and requirements

• Sensitive data must be controlled at all times

Page 42

It is VA policy that:

• VA information may not reside on non-VA systems or devices unless specifically authorized by VA guidance/policy
– Federal Information Security Management Act of 2002 (FISMA): Federal security requirements apply when contractors or “other organizations on behalf of an agency” possess or use Federal information

• You must obtain authorization to remove confidential & Privacy Act protected information
– Approved protocol
– Consult with supervisors/obtain permission
– “Consult with supervisor and ISO to ensure that the data is properly encrypted and password protected in accordance with VA policy” (Secretary’s memo, June 6, 2006)

Page 43

VA Policy on Protection of Data

• Data & system backups or copies:
– Same confidentiality classification as the originals
– Laptops & portable media must NOT contain the only copy of the data

• VAPI stored on computers or other storage media outside VA facilities must be encrypted per VA-approved protection mechanisms

• Password or other authentication information:
– Do not store on remote systems unless encrypted

• Data cannot be transmitted by remote access without VA-approved protection mechanisms

Page 44

VA policy on Government Laptops or Other Equipment

• Updated property pass

• Updated virus protection

• “House & protect” it from:
– Environmental threats & hazards
– Unauthorized access, use, or removal

• Laptops, external hard drives, or other storage devices must be under lock & key when not in your immediate vicinity if they:
– Contain sensitive/protected information (VAPI), or
– Contain software to access VA private networks

Page 45

What You Must Do

• Prior to receiving a laptop or “sensitive” data:
– Know the policies on protecting or responding to lost/stolen laptops or data

• Always be on guard:
– Use common sense about where you leave it and who can access it

• Once a laptop or data is discovered to be missing:
– Report it to the police
– Obtain a copy of the police report (name of officer, case number, etc.)
– Try to “inventory” what is on the laptop or in the missing data
– Make required notifications

Page 46

Reporting of Security Incidents

• OMB requires reporting of an incident within 1 hour of discovery to US-CERT
– US-CERT: the US Computer Emergency Readiness Team is the operational arm of the National Cyber Security Division (NCSD), Department of Homeland Security (DHS).

• Suspected and confirmed breaches must be reported

Page 47

How to Report Security Incidents

• Immediately report to:
– Supervisor
– ISO
– Privacy Officer
– Others (your facility may require reporting to other facility administrators)

• ISO will report it to the VA Security Operations Center (VA-SOC)

• Privacy Officer will enter it into the Privacy Violations Tracking System (PVTS)

• VA-SOC will notify US-CERT & key VHA/VA officials

Page 48

Investigator’s Responsibilities

• Protocols contain sufficient information on security issues:
– Who uses the information
– How it will be stored and secured
– Who has copies, and where
– Will it remain within VA; if not, will all data be returned to VA, and if not, why
– Disposition of the data after the protocol is completed

• Allowing access only to authorized individuals

Page 49

Investigator’s Responsibilities (Cont.)

• Safeguarding laptops, portable drives, flash drives, and other media

• Ensuring all contracts, DUAs, and BAAs contain required language

• Encrypting/password protecting all sensitive data

Page 50

Policy Documents

• VA Directive 6504
– Waiver of requirements granted only by the VA Chief Information Officer in CO
– Waiver request only from an Administration Head, Assistant Secretary, or other key official

• Majority of IT & security documents being redrafted on a very fast track

Page 51

Finding Policies

• www.va.gov/vhapublications
– Link on left banner to VA publications

• www.va.gov/research

• Call or e-mail:
– Brenda Cuccherini, Ph.D. at (202) 254-0277 or
– [email protected]

Page 52

A single question can be more influential than a thousand statements.

Bo Bennett

Businessman

Page 53