va research data security and privacy presented by ellen graf rco, cincinnati vamc
TRANSCRIPT
![Page 1: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/1.jpg)
VA Research Data Security and Privacy
presented by Ellen GrafRCO, Cincinnati VAMC
![Page 2: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/2.jpg)
What is VA Research and Sensitive VA Research Data?
• VA research is any research that has been approved (or requires approval) by a VA Research and Development (R&D) Committee. Generally this includes any research conducted with VA resources, including funds, staff time, equipment, or space.
• VA research data consist of information that has been collected for, used in or derived from the conduct of VA research.
• VA sensitive information is defined in VA Directive 6504 as all Department data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information.
• This term includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, or records about individuals requiring protection under various confidentiality provisions such as the Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It also includes information that can be withheld under the Freedom of Information Act (FOIA).
![Page 3: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/3.jpg)
VA Protected Information (VAPI) is VA sensitive information, Privacy Act Information, Protected Health Information (PHI), or other VA information that has not been deliberately classified as public information for public distribution.
Sensitive VA research data consist of information that has been collected for, used in or derived from the conduct of VA research that fits the definition of VA sensitive information.
Always err on the side of caution. Unless you are certain that specific research data are NOT sensitive, you should treat them as if they ARE.
Note: Although results of sensitive VA research are considered “sensitive” data, once they have been summarized and submitted for publication or published in compliance with all applicable requirements, the summarized data are not considered “sensitive.”
![Page 4: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/4.jpg)
As a member of the Research Community it is quite simply our
DUTY to protect the sensitive research data of the Veterans who have served and protected our country and who now
volunteer as Research Subjects!
![Page 5: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/5.jpg)
WHY ARE WE AT RISK?
• Approximately one in 10 laptop computers is stolen (Gartner Group, 2001)…
• Hospitals and universities are particularly common targets for theft of laptops and other portable media , thus...
• We need to be vigilant in the storage, use, security and confidentiality of data and for the privacy of the research subjects
![Page 6: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/6.jpg)
![Page 7: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/7.jpg)
![Page 8: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/8.jpg)
The loss of data:
• Violates veterans’ and employees privacy.
• Exposes them to the possibility of identity theft.
• Possibly resulting in risk to their financial security, employability, insurability and reputation.
• Instills a lack of trust in the VA system.
![Page 9: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/9.jpg)
Consider this when dealing with Sensitive Data
• Lead by example!
• Treat all research data as sensitive unless you are absolutely sure they are not!
• Foster camaraderie in this quest!
• Utilize technical safeguards, physical safeguards and good work practices!
![Page 10: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/10.jpg)
VHA Handbook 1605.1
• Utilizing VHA Handbook 1605.1 will lead to compliance with the privacy requirements set forth in all six Federal privacy & confidentiality statures and regulations regarding the – COLLECTION– USING– SHARNG– or DISCLOSING of individually identifiable
information
![Page 11: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/11.jpg)
Data Collection & Use
• Collect the minimum information needed to conduct the research.
• Use data as outlined by the protocol and signed authorization.
• Never re-use or share data without the appropriate approvals
![Page 12: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/12.jpg)
Sharing or Disclosing Information
• Disclosure of individually identifiable information from official VHA records is acceptable only when:
• The VHA has first obtained the signed, written (HIPAA) authorization of the individual, or
• Waiver of HIPAA authorization is approved by the Privacy Board.
![Page 13: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/13.jpg)
HIPAA Authorization must contain the following information:
• Expiration date, event or condition
• Individual to whom the requested info pertains
• Description of the information requested
• Statement regarding revocation
• Statement that VA treatment & benefits are not effected by the authorization
• The signature of the individual whose info will be used or disclosed.
• Date of the signature
![Page 14: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/14.jpg)
Waiver of HIPAA Authorization
• Must be approved by the facility IRB or Privacy Board.
• Approval is based on 3 criteria:– The use or disclosure must involve no more
that minimal risk to the individual– The research cannot practicably be
conducted without the waiver– The research cannot be performed without
access to, and use of, the protected health information
![Page 15: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/15.jpg)
Data Use Agreements(DUA)
• A written DUA may be obtained when data will be disclosed outside of the VHA for non-VA research.
• The DUA must include the following:– What and how data may be used – How data will be stored & secured– Who may access data & by what legal authority– Disposition of data after the termination of research– Actions required if data are lost or stolen
![Page 16: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/16.jpg)
Certificates of Confidentiality
Under Federal law, researchers must obtainan advance grant of confidentiality from the NIH, known as a Certificate of Confidentiality, to protect data pertaining tosensitive issues such as illegal behavior, alcohol or drug use, or sexual practices or preferences.
![Page 17: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/17.jpg)
What About De-identified Data?
• Is your data truly de-identified, thus containing none of the 18 types of identifiers as outlined by VHA Handbook 1605.1, Appendix B?
• Does your data involve the removal of all information that would identify the individual or would be used to readily ascertain the identity of the individual?
![Page 18: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/18.jpg)
Can you actually recite the 18 types of identifiers that MUST be removed to assure that the data is…
DE-IDENTIFIED?
![Page 19: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/19.jpg)
Names or initialsAll geographic subdivisions smaller than a stateAll elements of dates except the year and all ages over 89Telephone numbersFax numbersE-mail addressesSocial Security Numbers (or scrambled Social Security
Numbers)Medical record numbersHealth plan beneficiary numbersAccount numbersCertificate or license numbersVehicle identifiers and license plate numbersDevice identifiers and serial numbersURLsIP addressesBiometric identifiers, including finger and voice printsFull-face photographs and any comparable imagesAny other unique identifying number, characteristic or code,
unless otherwise permitted by the Privacy Rule for re-identification
*HIPAA identifiers also pertain to the person’s employer, relatives, and household members.
![Page 20: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/20.jpg)
Limited Data Sets
• Exclude certain direct identifiers that apply to:– The individual– The individual’s relatives– The individual’s employers– The individual’s household members
• They may contain:– City, state, ZIP– Elements of a date and other numbers– Characteristics or codes not used as direct identifiers– Identifiable information, such as scrambled SS#s.
![Page 21: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/21.jpg)
Coded Data
• Coding consists of labeling info with a code that :– Does not include any patient identifiers– Is not derived from or related to the 18 HIPAA
identifiers– Cannot be translated so as to identify the
individualIf data are coded, the key to linking the code with these identifiersmust be stored within the VA, but it should not be stored with the coded data.
![Page 22: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/22.jpg)
Lets Just Be Sensible!
• Log off from your computer when you are not physically using it.
• Do not leave printed private data on the printer.• Pick up your Fax's in a timely fashion.• Use only approved hardware, software, solutions
and connections.• Control access to data.• Avoid using automatic password-saving
features.• Do not talk about private information in a public
place.
![Page 23: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/23.jpg)
Steps We Have Taken to Assure Compliance with Regulations
• Additional Medical Center Memorandums to include– Loaning of Research IT Equipment– Research Management of Laptops– Security of PHI/sensitive info held by
Researchers
![Page 24: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/24.jpg)
Additional Steps…
• Addition of the Privacy Officer to the R&D Committee.
• Questions regarding data security and privacy asked at the pre-consenting interview held with the PI and coordinator.
• More stringent exiting procedures.• Annual PI Certification and Data Security
Checklist.• Annual certification of compliance by MCD.
![Page 25: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/25.jpg)
What we are currently working on
• PKI compliance.• Quarterly walk-thru inspections of work areas
within Research.• Reviewing and updating SOPs (as needed) to
include appropriate language regarding data security and privacy.
• Creating a database that provides information regarding data security and privacy by protocol.
• Adding the Privacy Officer and the Information Security Officer to our semi-annual all research staff meetings.
![Page 26: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/26.jpg)
Final Words of Wisdom
• Err on the side of caution!• Keep regulations at hand, it is extremely difficult to
remember everything!• Work closely with your Privacy Officer & the Information
Security Officer!• Ask for assistance from VACO!• Steadily work to improve and modify as necessary in a
timely fashion!• Be positive and optimistic…nothing hinders the process
more than pessimism!• Keep your Medical Center Director up to date with any
new information or process. • Be an example!
![Page 27: VA Research Data Security and Privacy presented by Ellen Graf RCO, Cincinnati VAMC](https://reader035.vdocuments.mx/reader035/viewer/2022062312/5517605b5503460e6e8b49e1/html5/thumbnails/27.jpg)
IT IS A PRIVLEDGE TO NOW SERVE THEM!