Privacy and Information Security Essentials


Privacy and Information Security Essentials Stephania Griffin, Andrea Wilson and Charlie Stroup VHA Information Access and Privacy Office

Federal Information & Privacy Laws: Title 38, United States Code (USC), Section 5701; Privacy Act of 1974, Title 5 USC 552a; Title 38 USC Section 7332; HIPAA Privacy Rule, 45 CFR Parts 160 and 164.

Relationship between Laws All applicable privacy laws and regulations must be applied when using or disclosing information for research. When conflicts arise between the laws, the more stringent law applies to uses and disclosures; often that is the Privacy Act or 38 USC 7332. VHA Handbook 1605.1 provides privacy policy for VHA that encompasses the requirements of all of the Federal privacy laws and regulations.

Data Distinctions: Individually Identifiable Information (Scrambled SSN); Protected Health Information (Scrambled SSN); De-identified Information; Coded Data; Limited Data Set.

Individually Identifiable Information Any information that pertains to an individual and would identify that individual. Includes protected health information (PHI). Retrieved by the individual's name or another unique identifier, such as SSN.

Scrambled SSN What is a Scrambled SSN? A unique identifier created by an algorithm from the SSN. It is not considered a re-identification code, because it is derived from the SSN. Any data containing a scrambled SSN is NOT de-identified.

De-Identified Information - HIPAA Health information that does not identify an individual, and for which there is no reasonable basis to believe that the information can be used to identify the individual, based on one of the following: 1. A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that the risk that the information could be used, alone or in combination with other data, to identify the person is very small. This person must document the method and results to justify the determination.

De-Identified Information 2. All of the following 18 data elements have been removed: (1) Names; (2) Geographic subdivisions smaller than a State, including street address, city, county, etc.; (3) All elements of dates directly related to an individual, including birth date, admission date, date of death, etc.; (4) Telephone numbers; (5) Fax numbers; (6) Electronic mail addresses; (7) SSN; (8) Medical Record Number.

De-Identified Information (continued): (9) Health Plan Beneficiary Number; (10) Account Numbers; (11) Certificate or License numbers; (12) Vehicle identifiers; (13) Device identifiers; (14) Web Universal Resource Locators (URLs); (15) Internet Protocol (IP) address numbers; (16) Biometrics; (17) Full face images; (18) Any other unique identifying number, characteristic, or code.

Coded vs. De-Identification of Data Coded Data means that collected samples or data are unidentified for research purposes by use of a random or arbitrary alphanumeric code or symbol, but the samples may still be linked to their sources through a key to the code that is available to an investigator or collaborator. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. Both require deletion of direct identifiers. Coded data is most often used with specimen collection and genetic research. Coded data is NOT de-identified.

HIPAA Authorization The term "HIPAA authorization" means prior written permission from the study subject to use and/or disclose the study subject's PHI as required by law. The written authorization must include all content elements and be signed and dated as required by VHA policy prior to any use or disclosure of information. A Research HIPAA Authorization form must comply with these requirements.

HIPAA Authorization Authorizes The Research HIPAA Authorization Form only authorizes the PI to use the data expressly listed and to disclose the data to the listed entities for the purposes specifically stated in the form/document. If you created your own Research HIPAA Authorization Form, you cannot put the VAF 10-5345 number on it. If the study subject’s data is to be used for an additional purpose or additional data is to be collected/used, a new Authorization must be obtained prior to that use of the data. This is why Research HIPAA Authorizations are written in as broad terms as permitted by law.

Use of Research Data Use is defined as the sharing, utilization, examination or analysis of information within VHA. Use includes viewing or accessing the data. VA Researchers must collect, use and access health information only as legally permissible, under one of the following: a signed, written Research HIPAA Authorization from the study subject; an IRB-approved Waiver of HIPAA Authorization; a Data Use Agreement for a Limited Data Set for Research; or De-identified Information.

Disclosure of Research Data Privacy Act Definition: Disclosure is the release of information contained in a system of records, by any means of communication, to any person or to another agency. This definition encompasses use. VA Definition: The release, transfer, provision of access to, or divulging in any other manner of information outside VA. This tracks the HIPAA Privacy Rule definition of disclosure.

Disclosure of Research Data VA Researchers must have legal authority under all applicable Federal laws and regulations to disclose individually identifiable information and PHI. A signed, written Research HIPAA Authorization from the study subject usually provides sufficient legal authority for disclosure under all Federal laws and regulations. If there is no signed, written Research HIPAA Authorization from the study subject, consult your Privacy Officer.

Ownership of Research Data VA research is the property of the VA, not the Researcher. If a VA researcher would like to request a copy of the research study, they must make this request through their Privacy Officer who will ensure that this is legally permissible.

Limited Data Set Protected health information from which certain specified direct identifiers of the individual and of their relatives, household members and employers have been removed. Basically, a limited data set has all of the direct patient identifiers removed, like de-identified information, but it may contain dates, city and full 5- or 9-digit zip codes. A limited data set requires a Data Use Agreement (DUA) as the authority for its use or disclosure.

Data Use Agreements A DUA is an agreement that: governs the sharing of data between an Information Custodian and a Requestor; establishes the specific terms for VA and non-VA user uses; provides a means to transfer liability for the protection of the information to an outside party; may serve as a means to establish criteria for using, disclosing, storing, processing, and disposing of data; must be implemented in accordance with policies established by Information Access and Privacy (IAP) and, if required, by the Information Custodian (IC); and satisfies HIPAA requirements when providing information within a limited data set (LDS).

When Do You Need a Data Use Agreement A DUA is required in the following instances: 1) by Federal laws or regulations when sharing Limited Data Sets (LDS) as defined by the HIPAA Privacy Rule (45 C.F.R. 164.514(e)), or 2) when VHA data is requested by entities outside of VA unless there is another binding written agreement.

What are the current expectations for the old DUA until the new one comes out? VHA program offices and facilities should continue to use their current DUA templates. Established VHA policy or program guidelines that address the application of data use agreements (DUA) should be followed.

Issues Related to 38 USC 7332 A Research HIPAA Authorization must explicitly list 7332-protected information if it is to be used or disclosed. If there is no Research HIPAA Authorization, the VA Researcher may still use 7332-protected information if there is assurance in writing from the VA Researcher that the purpose of the data is to conduct scientific research and that no personnel involved in the study may identify, directly or indirectly, any individual patient or subject in any report of such research or otherwise disclose patient or subject identities in any manner. This written assurance may be documented in the research protocol.

Disclosure related to 38 USC 7332 If no Research HIPAA Authorization: The Under Secretary for Health or designee determines that the requester of the patient identifying information: (1) Is qualified to conduct the research. (2) Has an approved research protocol under which the information will be maintained in accordance with the security requirements of Sec. 1.466; and will not be redisclosed except back to VA. (3) Has furnished a written statement that the research protocol has been reviewed by an IRB who found that the rights of patients would be adequately protected and that the potential benefits of the research outweigh any potential risks to patient confidentiality posed by the disclosure of records.

VA Form 10-3203 If the protocol requires a voice, video or photograph to be taken of a subject who is an inpatient or outpatient that is not for treatment purposes, then VAF 10-3203 must be filled out and signed by the subject, or his legal representative. For employee and other non-patient subjects, the information may be contained in the Informed Consent and separately obtaining VAF 10-3203 is not required. This is a Joint Commission requirement of the facility that is in addition to the HIPAA Authorization or Informed Consent.

Research Agreement Requirements A Research Agreement is required when a non-VA entity (such as a contractor) is performing a service on behalf of the VA Researcher and PHI is required by the non-VA entity (contractor). For example: a contractor performing phone interviews of study subjects and collecting the data for the VA Researcher; or a list of names provided to a contractor to call potential research subjects.

Incompetent Subjects Incompetent subjects can participate in research studies and the Next-of-Kin can sign the Informed Consent. BUT… The Next-of-Kin cannot sign the HIPAA Authorization unless that person is the legal guardian of the patient or has power of attorney. The HIPAA Authorization must be signed by the patient or a person with legal authority to act on behalf of the patient.

Case Study 1: The only difference between a Limited Data Set and De-identified information is that a limited data set requires a Data Use Agreement for research? True / False

Answer to Question 1 B. False There are actually several differences between a limited data set (LDS) and de-identified information: de-identified information must have all 18 elements removed, while an LDS contains and permits the use of dates, city and zip codes. An LDS requires a DUA for research and public health reporting.

Case Study 2: What if you start to add a random but unique study subject code to the other data contained in a limited data set for research? Is it still considered a limited data set? True / False

Case 2 Answer B. False When you start adding unique identifiers (even those created just for the study) to the limited data set, it is no longer a limited data set. It is instead individually identifiable information, for which you will need a HIPAA Authorization or a waiver of HIPAA Authorization.
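The data distinctions on the De-Identified Information, Scrambled SSN, Coded vs. De-Identification and Limited Data Set slides, and the logic behind the answers to Case Studies 1 and 2, can be reduced to a column-level check. The following is an added example written for this page, not code from the presentation or from VHA: it tags each column of a research extract with the Safe Harbor identifier category it falls under (the 18 categories listed on the slides, with geographic subdivisions split into street, city and zip so the limited-data-set carve-out can be expressed), treats a scrambled SSN or a study code as an "other unique identifying code" as the slides state, and reports which distinction applies and which authority is therefore needed. The tag names, the `classify` and `columns_to_remove_for_lds` functions and the sample extracts are constructed for the example.

```python
"""Classify a research extract under the HIPAA data distinctions on the slides.

Added example, not from the presentation. Encodes the 18 Safe Harbor identifier
categories (45 CFR 164.514(b)(2)) listed on the slides, the limited-data-set
carve-out (dates, city, 5- or 9-digit zip) and the slides' rule that a scrambled
SSN or a study code is still a unique identifier. Tags and sample data are constructed.
"""
from enum import Enum


class Category(Enum):
    DE_IDENTIFIED = "de-identified (Safe Harbor): no authorization needed"
    LIMITED_DATA_SET = "limited data set: Data Use Agreement required"
    IDENTIFIABLE = "individually identifiable: HIPAA Authorization or IRB waiver required"


# Tags for the 18 Safe Harbor identifier categories on the slides. Geographic
# subdivisions are split three ways (street/city/zip) so the limited-data-set
# carve-out can be expressed; every other tag maps one-to-one to a category.
IDENTIFIER_TAGS = frozenset({
    "name", "geo_street", "geo_city", "geo_zip", "date", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account", "license", "vehicle_id", "device_id",
    "url", "ip", "biometric", "face_image", "other_unique_code",
})

# Identifiers a limited data set may retain (per the slides: dates, city, zip).
LDS_PERMITTED = frozenset({"date", "geo_city", "geo_zip"})

# Values derived from or standing in for an identifier still identify the record:
# a scrambled SSN is derived from the SSN; a study code is a key back to the subject.
DERIVED_IDENTIFIERS = {
    "scrambled_ssn": "other_unique_code",
    "study_code": "other_unique_code",
}


def normalize(tag: str) -> str:
    """Map a derived-identifier tag onto the Safe Harbor category it falls under."""
    return DERIVED_IDENTIFIERS.get(tag, tag)


def identifiers_present(columns: dict[str, str]) -> dict[str, str]:
    """Return {column: identifier tag} for every column that is an identifier."""
    return {col: normalize(tag) for col, tag in columns.items()
            if normalize(tag) in IDENTIFIER_TAGS}


def classify(columns: dict[str, str]) -> Category:
    """Decide which data distinction applies to an extract.

    `columns` maps column name -> tag; a tag outside IDENTIFIER_TAGS
    (e.g. "clinical") is treated as non-identifying.
    """
    present = set(identifiers_present(columns).values())
    if not present:
        return Category.DE_IDENTIFIED
    if present <= LDS_PERMITTED:
        return Category.LIMITED_DATA_SET
    return Category.IDENTIFIABLE


def columns_to_remove_for_lds(columns: dict[str, str]) -> list[str]:
    """Columns that must be stripped before the extract can qualify as a limited data set."""
    return sorted(col for col, tag in identifiers_present(columns).items()
                  if tag not in LDS_PERMITTED)


# Constructed sample extracts (column name -> tag), mirroring the case studies.
LDS_EXTRACT = {"admit_date": "date", "city": "geo_city", "zip9": "geo_zip",
               "diagnosis_code": "clinical", "lab_result": "clinical"}
DEIDENTIFIED_EXTRACT = {"diagnosis_code": "clinical", "lab_result": "clinical"}
# Case 2: the same limited data set with a random-but-unique study code added.
LDS_WITH_STUDY_CODE = {**LDS_EXTRACT, "subject_code": "study_code"}
# A scrambled SSN is derived from the SSN, so this extract is not de-identified.
SCRAMBLED_SSN_EXTRACT = {"scrambled_ssn": "scrambled_ssn", "diagnosis_code": "clinical"}
# A chart extract that still carries direct identifiers.
IDENTIFIED_EXTRACT = {**LDS_EXTRACT, "patient_name": "name", "ssn": "ssn", "street": "geo_street"}


if __name__ == "__main__":
    samples = [("LDS extract", LDS_EXTRACT), ("de-identified", DEIDENTIFIED_EXTRACT),
               ("LDS + study code", LDS_WITH_STUDY_CODE),
               ("scrambled SSN", SCRAMBLED_SSN_EXTRACT), ("identified", IDENTIFIED_EXTRACT)]
    for label, data in samples:
        print(f"{label:18} -> {classify(data).value}")
        strip = columns_to_remove_for_lds(data)
        if strip:
            print(f"{'':18}    remove before it can be an LDS: {strip}")
```

Running the script walks the five constructed extracts: the dates/city/zip extract is a limited data set, the purely clinical extract is de-identified, and adding a study code, a scrambled SSN or a name pushes the extract back to individually identifiable. The tagging is the part that needs judgment in practice; the decision rule itself is mechanical once every column has been tagged honestly.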

Case Study 3 A researcher wants to do a study and will need to take pictures of the subjects. This is not for treatment, and the subjects are all inpatients. However, a waiver of authorization has not been granted by the IRB, so authorizations will be needed. Blood tests will be performed. Some of the study group have been declared legally incompetent. The Next of Kin has signed all forms. Are you ready to move forward with your research study?

Case 3 Question Yes - Why? No - Why?

Answer to Case 3 Answer is No The Next of Kin can sign the Informed Consent. They cannot sign VAF 10-3203 or VAF 10-5345; they do not have authority to sign either form, as they are not the Veteran's legal representative (i.e., legal guardian or power of attorney). If such a person does sign the authorization form, it will be invalid; therefore the subject has not given you authority to use their information.