1. VA Research Data Security and Privacy Veterans Health Administration Office of Research and Development

2. Module 1: Sensitive VA Research Information

3. Page 3 What is VA Research and Sensitive VA Research Data? VA research is any research that has been approved (or requires approval) by a VA Research and Development (R&D) Committee. Generally this includes any research conducted with VA resources, including funds, staff time, equipment, or space. VA research data consist of information that has been collected for, used in or derived from the conduct of VA research. VA sensitive information is defined in VA Directive 6504 as all Department data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. This term includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, or records about individuals requiring protection under various confidentiality provisions such as the Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It also includes information that can be withheld under the Freedom of Information Act (FOIA).

4. Page 4 VA Protected Information (VAPI) is VA sensitive information, Privacy Act Information, Protected Health Information (PHI), or other VA information that has not been deliberately classified as public information for public distribution. Sensitive VA research data consist of information that has been collected for, used in or derived from the conduct of VA research that fits the definition of VA sensitive information. Always err on the side of caution. Unless you are certain that specific research data are NOT sensitive, you should treat them as if they ARE. Note: Although results of sensitive VA research are considered “sensitive” data, once they have been summarized and submitted for publication or published in compliance with all applicable requirements, the summarized data are not considered “sensitive.”

5. Page 5 Why Is It Important To Protect VA Research Data? The VA is committed to protecting information about our veterans and employees. When individuals who have served our country volunteer to participate in VA research, they entrust us to keep their personal and health information safe. Inadvertent loss of private information, including real or scrambled Social Security Numbers (SSNs), violates veterans’ and employees’ privacy and exposes them to the possibility of identity theft with its attendant economic, legal and social consequences. These can include substantial risks to their financial security, employability, insurability or reputation, and can have other serious implications.

6. Page 6 Approximately one in 10 laptop computers is stolen (Gartner Group, 2002). Hospitals and universities are particularly common targets for theft of laptops and other portable media because thieves know these facilities have so much computer equipment. Several recent sentinel events in the VA, as well as in the academic and private sectors, have demonstrated that, to honor the sacred trust our veterans and employees have in us, we must be vigilant and take strict precautions to keep their research data secure and confidential.

7. Page 7 How Can You Protect VA Research Data? We all need to remember it is a privilege to be involved in VA research. This privilege, however, comes with many responsibilities. One of the most important is to ensure that all sensitive VA research information is secure and confidential and that the privacy of our VA research subjects is protected. Since VA research data are owned by the VA, everyone involved in VA research must meet all Federal requirements for the storage, use, security and confidentiality of the data and for the privacy of the research subjects.

8. Page 8 The purpose of this training is to heighten your awareness of the requirements and remind you of common sense precautions you can take. Some general measures include:  Treating all VA research data as if they are sensitive unless you are absolutely certain they are not sensitive  Fostering teamwork and a supportive culture where everyone helps each other remember to implement strict security controls and privacy standards  Remembering that, to keep sensitive VA research data secure and confidential, it takes all three legs of the three-legged stool: 1.Technical safeguards 2.Physical safeguards 3.Good work practices Your efforts will not only help protect veterans’ rights and welfare, but also the future of VA research.

9. Module 2: Privacy of Subjects and Confidentiality of VA Research Data

10. Page 10 Privacy Statutes Every VHA employee must comply with all applicable Federal privacy and confidentiality statutes and regulations when collecting, using, sharing or disclosing individually identifiable information, which includes sensitive VA research data. The applicable Federal statutes and regulations are:  The Freedom of Information Act (FOIA), 5 U.S.C. 552  The Privacy Act (PA) of 1974, 5 U.S.C 552a  The VA Claims Confidentiality Statute, 38 U.S.C. 5701  Confidentiality of Drug Abuse, Alcoholism & Alcohol Abuse, Infection With the Human Immunodeficiency Virus (HIV) and Sickle Cell Anemia Medical Records, 38 U.S.C. 7332  The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 45 Code of Federal Regulations Parts 160 and 164  Confidentiality of Healthcare Quality Assurance Review Records, 38 U.S.C. 5705

11. Page 11 Fortunately, you do not have to read and learn the content of these six statutes and regulations to be able to comply with the privacy requirements they set forth. VHA Handbook 1605.1, Privacy and Release of Information, establishes guidance on privacy practice and provides VHA policy for the use and disclosure of individually identifiable information, and for individuals’ rights in regard to VHA data. By following privacy policies in VHA Handbook 1605.1, you are simultaneously applying all six statutes and regulations so that the result will be the application of the most stringent provisions for all uses and/or disclosures of sensitive VA research data.

12. Page 12 Authorization for Disclosure of Information VHA employees may disclose individually identifiable information from official VHA records only when:  The VHA has first obtained the prior signed, written authorization of the individual, or  Other legal authority in the above statutes and regulations permits the disclosure without written authorization (see your Privacy Officer for advice on specific cases)

13. Page 13 When a written authorization from the individual is required, the request and authorization must contain the following information:  An expiration date, event or condition  The individual to whom the requested information pertains  The permitted recipient(s) or user(s) of the information  A description of the information requested  A statement regarding revocation  A statement that VA treatment and benefits are not conditioned on the signing of the authorization  The signature of the individual whose information will be used or disclosed  The date of signature of the individual whose information will be used or disclosed

14. Page 14 Investigators and others involved in research should  Limit their request to the minimum information needed to conduct the research  Always use data in a manner that is consistent with the protocol and the signed authorization  Never re-use or share data without the appropriate approvals

15. Page 15 Waiver of HIPAA-Compliant Authorization A waiver of HIPAA-Compliant authorization may be approved by the Institutional Review Board (IRB) or Privacy Board at your facility. There are three criteria required for approving a waiver:  The use or disclosure must involve no more than minimal risk to the individuals  The research cannot practicably be conducted without the waiver  The research cannot be conducted without access to, and use of, the protected health information

16. Page 16 Data Use Agreements A Data Use Agreement (DUA) may be obtained when data will be disclosed outside of VHA for non-VA research (VHA Handbook 1605.1, “Privacy and Release of Information,” Appendix E). A data use agreement is a written contract that defines the following:  What data may be used  How data may be used  How data will be stored and secured  Who may access data  Legal authority under privacy for access to data  Disposition of data after the research has been terminated  Actions required if data are lost or stolen

17. Page 17 Certificates of Confidentiality Under Federal law, researchers must obtain an advance grant of confidentiality from the National Institutes of Health, known as a Certificate of Confidentiality, to protect data pertaining to sensitive issues such as illegal behavior, alcohol or drug use, or sexual practices or preferences. This document will provide protection against compulsory disclosure of research data (e.g., for a subpoena).

18. Page 18 De-Identification of Data De-identified data is health information that does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. VHA would consider health information no longer protected health information (PHI) if it has been appropriately de- identified in accordance with the HIPAA Privacy Rule as outlined in VHA Handbook 1605.1, Appendix B.

19. Page 19 For protected health information to be de-identified, all of the following 18 types of identifiers must be removed: 1.Names or initials 2.All geographic subdivisions smaller than a state 3.All elements of dates except the year and all ages over 89 4.Telephone numbers 5.Fax numbers 6.E-mail addresses 7.Social Security Numbers (or scrambled Social Security Numbers) 8.Medical record numbers 9.Health plan beneficiary numbers 10.Account numbers 11.Certificate or license numbers 12.Vehicle identifiers and license plate numbers 13.Device identifiers and serial numbers 14.URLs 15.IP addresses 16.Biometric identifiers, including finger and voice prints 17.Full-face photographs and any comparable images 18.Any other unique identifying number, characteristic or code, unless otherwise permitted by the Privacy Rule for re-identification

20. Page 20 HIPAA identifiers also pertain to the person’s employer, relatives, and household members. Along with removing the 18 identifiers, HIPAA also states that for the information to be considered de-identified, the entity does not have actual knowledge that the remaining information could be used alone or in combination with other information to identify and individual who is the subject of the information. According to the Common Rule, de-identification involves removal of all information that would identify the individual or would be used to readily ascertain the identity of the individual. Note: For VA research purposes, VA research data are considered to be “de-identified” only if they meet the de-identification criteria of BOTH HIPAA (i.e., removal of all 18 identifiers) AND the Common Rule.

21. Page 21 Limited Data Sets The use of limited data sets does not require HIPAA-Compliant authorization or a waiver of HIPAA-Compliant authorization, but does require a data use agreement (DUA). Their use is only allowed for research, public health, or health care operations. Your Institutional Review Board (IRB) or Privacy Officer (PO) can help you determine if use of a limited data set is appropriate for your research project.

22. Page 22 Limited data sets have the following characteristics:  They exclude certain direct identifiers that apply to The individual The individual’s relatives The individual’s employers The individual’s household members  They may contain City, state, ZIP code Elements of a date and other numbers Characteristics or codes not listed as direct identifiers Identifiable information, such as scrambled Social Security Numbers (SSNs) Note: The use of limited data sets may constitute human subjects research and, therefore, it may require IRB approval.

23. Page 23 Coded Data Coding consists of labeling information with a code that  Does not include any patient identifiers (see HIPAA identifiers noted previously)  Is not derived from or related to the 18 HIPAA identifiers  Cannot be translated so as to identify the individual. Thus, initials, Social Security Numbers (SSNs) and so on may not be used as codes, even in partial or scrambled form. Codes provide a link by which identities can be accessed through a key held separated from the research and the researchers. For example, the code might be a barcode or a combination of random numbers and letters. If sensitive VA research data are coded, the key to linking the code with these identifiers must be stored within the VA, but it should not be stored with the coded data. Note: If the investigator has access to the code, the coded information is not considered “de-identified.”

24. Page 24 Common Sense Ways to Protect Subjects’ Privacy and the Confidentiality of Their Information When research subjects (or potential subjects) provide information about themselves, they do so with an assumption of trust. Your common sense will help you will come up with many ways to help protect their privacy and the confidentiality of their information. For instance,  Do not walk away from a computer without logging off  Do not print private data and leave it on the printer  Access information systems only through approved hardware, software, solutions and connections  Take appropriate steps to protect information, network access, passwords and information (not just electronic versions, but also hard copies, audio- and videotapes)  Control access to patient files or data that you have saved on a disk – or, better yet, do not use a disk, but backup your data on a VA server, instead (see Module 4)  Do not access information you don’t really need  Avoid using automatic password-saving features  Do not talk about a subject’s information in a public place

25. Module 3: VA Research Projects

26. Page 26 Preparatory to Research Data use preparatory to research does not require a written authorization or a waiver of HIPAA-Compliant authorization. Within VHA, “preparatory to research” refers to activities that are necessary for the development of a specific protocol. Protected health information (PHI) from data repositories or medical records may be reviewed during this process, but only aggregate data may be recorded and used in the protocol. “Preparatory to research” does not involve the identification of potential subjects or the recording of data for the purpose of recruiting these subjects or to link to other data. For example, accessing VA medical records to count how many patients had a specific complication of diabetes prior to developing a retrospective study of these patients is an activity “preparatory to research,” but recording their names and contact information is not.

27. Page 27 The “preparatory to research” activity ends once the protocol has been approved by the IRB and the R&D Committee. The PI must document in his/her “preparatory to research” files that  Access was limited to protocol preparation  No protected health information (PHI) was removed  Access was necessary to prepare for the research Note: VHA protected health information may never be disclosed for non-VA “preparatory to research” activities.

28. Page 28 Pilot Studies Pilot studies are early studies designed to test an idea or treatment. The information gathered in pilot studies usually is used to help design a larger study. Pilot projects must be reviewed and approved by the IRB and R&D Committee and must meet all applicable research requirements. Even if they are performed in preparation for a research grant application, pilot studies are not considered to be “preparatory to research,” but full-fledged research projects.

29. Page 29 Research Protocol During the early stages of planning a research project, an investigator should think about how sensitive research data will be stored and accessed, as well as how to protect subjects’ privacy. When the principal investigator (PI) submits a research study that involves the collection, use and/or storage of sensitive information (e.g., subject identifiers or protected health information (PHI)) to an IRB and a R&D Committee, his/her submission for approval must contain specific information on  All sites where the data will be used or stored  Specifically who will have access to the data  How the data will be transmitted or transported  How the data will be secured  If copies of the data will be placed on laptops or portable media, a discussion of the security measures  If the data will be re-used for subsequent or future research protocols, provisions for future use in the informed consent form, and HIPAA-Compliant authorization  If relevant, provisions to ensure sponsor data storage guidelines are met and do not conflict with VA policies

30. Page 30 Note: The principal investigator (PI) must certify that all VA sensitive information associated with each specific study is being used, stored and secured in accordance with applicable VA and VHA policies and guidance. The following forms must be stored with the research protocol files:  Data Security Checklist for Principal Investigators  Principal Investigator’s Certification: Storage and Security of VA Research Information

31. Page 31 IRB Approval Prior to accessing or collecting ANY data involving human subjects (other than “preparatory to research” as previously discussed), the PI must obtain written approval from the IRB. As part of its review, the IRB will determine  If the protocol is exempt from IRB review. If it is not, then  If written informed consent can be waived or altered. If not, then  If the written consent form contains appropriate information and is consistent with the protocol The IRB or a Privacy Board also will determine if the criteria for granting a waiver of authorization are met. If they are, the IRB or Privacy Board will document its specific findings regarding the criteria and the approval of the waiver of authorization as required by HIPAA.

32. Page 32 Exemption from IRB approval may be granted under the following conditions:  Research involves the use of educational tests (cognitive, diagnostic, aptitude, achievement), survey procedures, interview procedures, or the observation of public behavior unless The information is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects, and Any disclosure of the subjects’ responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects’ financial standing, employability, or reputation  Research involves the analysis of existing data or documents if these sources are publicly available, or if the information is recorded so that subjects cannot be identified, either directly or through identifiers linked to the subjects Note: The IRB must determine whether or not a protocol is exempt from IRB review. This determination cannot be made by the investigator. Note: Even if a protocol is exempt from IRB review it may still require the IRB to grant a waiver of HIPAA-Compliant authorization.

33. Page 33 Waiver of written documentation of informed consent may be granted by the IRB if it finds either  That the only record linking the subject and the research would be the informed consent document and the principal risk to the subject would be potential harm resulting from a breach of confidentiality, or  That the research presents no more than minimal risk of harm to subjects and involves no procedures for which written informed consent is normally required outside of the research context In these situations, consent must still be obtained, but the requirement for a signed consent document is waived. The IRB may require that a written statement about the research be given to the subject. If it does, the IRB should review and approve this statement.

34. Page 34 “Short form” signed documentation of informed consent may be permitted by the IRB for some kinds of projects. The subject is given an oral presentation that includes all the elements of consent. The following are required when a “short form” signed consent document is used:  A witness to the oral presentation  IRB approval of the written summary of what is to be presented orally  Only the short form be signed by the subject or the legal representative of the subject  The witness to sign both the short form and the summary  The person actually obtaining consent to sign the summary  A copy of the summary and the short form to be given to the subject or the legal representative of the subject

35. Page 35 Waiver of one, several, or all of the elements of informed consent may be approved by the IRB where it finds  The research involves no more than minimal risk to the subjects  The waiver or alteration will not adversely affect the rights and welfare of the subjects  The research could not practicably be carried out without the waiver or alteration and  Whenever appropriate, the subjects will be provided with additional pertinent information after participation

36. Page 36 Approval from Other Entities In addition to approval from the IRB, the investigator must have written approval from the local VA Research and Development (R&D) Committee before starting a VA research project. Depending on the nature of the project, other approvals also may be required before it can be implemented. Some examples include approvals by  Institutional Animal Care and Use Committees (IACUC) for research involving animals  The VA Office of Research and Development (ORD) for international research or research involving children or prisoners  The appropriate union for research involving union employees  The Office of Management and Budget (OMB) for survey research  A database manager when data are being accessed through a database  A Privacy Officer (PO) when privacy regulations apply (if the IRB does not serve this function)  VA Operations and Management (10N) when employees are to be surveyed

37. Page 37 Re-Use of Data VA research data may be used only in accordance with the provisions in the approved protocol and informed consent. If an investigator wants to use VA research data for another purpose, he/she must submit a new proposal to the IRB, Research and Development (R&D) Committee and any other relevant entities. Data may not be re-used until the investigator has obtained all the appropriate approvals for their re-use.

38. Page 38 Using Data from Deceased Individuals Whenever data are retained for any period of time some participants may die. The Common Rule does not cover deceased subjects, but HIPAA and other Federal privacy statutes do. Consent of next-of-kin or other legally authorized representatives may be required for release, use or disclosure of the data about deceased individuals.

39. Page 39 Data Repositories and Procedures A data repository must be created if data are to be retained, re-used or shared for future studies. Creation of a data repository requires development of policies and procedures that must be approved by the Institutional Review Board (IRB) and Research and Development (R&D) Committee at the institution where the repository resides. Your facility’s Privacy Officer can assist in ensuring you do not have any Privacy Act system of records issues. For VA research data, the data repository must be located at a VA facility on a VA server, unless all appropriate permissions are obtained to house it elsewhere (see Module 5). To access data from a repository, an investigator must have a specific protocol that has been approved by his/her local IRB and R&D Committee. The protocol must contain the specific data elements requested, including sufficient justification for any request for identifiable information. The repository and the investigator must sign a Data Transfer Agreement (DTA) that details the authorized uses of the data and stipulates that the data may not be re-disclosed.

40. Module 4: Storage and Security of VA Research Data

41. Page 41 Requirements Everyone involved in VA research must be in compliance with all applicable Federal laws, regulations, policies and guidance related to privacy of research subjects, and confidentiality, storage and security of research data. Specific requirements are found in VA Directive 6504, “Restrictions, Transportation and Use of, and Access to, VA Data Outside of VA Facilities;” VA IT Directive 06-02, “Safeguarding Confidential and Privacy Act-Protected Data at Alternative Work Locations;” VA IT Directive 06-06, “Safeguarding Removable Media;” and VA Memorandum, February 6, 2007, “Certification by Principal Investigators: Security Requirements for VA Research Information.” Note: Your Information Security Officer (ISO) can help you understand, and advise you on how to implement, these requirements. To keep sensitive VA research data secure and confidential, investigators and everyone else involved in research must pay strict attention to all three legs of the three-legged stool: 1.Technical safeguards 2.Physical safeguards 3.Good work practices

42. Page 42 Restricted Access Access to sensitive VA research data should be restricted to those  Individuals named in the research protocol, on the research informed consent and the HIPAA-Compliant authorization form  Individuals who are responsible for oversight of the research program  VA investigators who require access “preparatory to research” if their activity meets the requirements for “preparatory to research” set forth in VHA policy

43. Page 43 Technical Safeguards The appropriate use of technical safeguards is extremely important to protect against unauthorized access, disclosure or loss of VA research data.

44. Page 44 Password Protection Passwords are important tools for protecting VA information systems. They ensure that VA researchers have access to the information they need. Here are some important password-related requirements for VA employees:  Passwords must meet VA password requirements  “Blank” and default user names and passwords cannot be used  User credentials, including passwords, must be protected appropriately because they are considered VA sensitive information  Passwords should never be shared with anyone else  Passwords must be stored in a safe and secure place that no one else knows about  Password-protected screensavers must be configured to activate after 15 minutes of inactivity  The “save password” feature cannot be used on VA equipment or programs that provide access to the operating system or VA network services  Passwords or other authentication information cannot be stored on remote systems unless those systems have been encrypted according to VA requirements

45. Page 45 Protection from Viruses and Other Malicious Codes It is important to protect VA research data from computer viruses and other malicious codes. Here are some key points to remember:  Always use VA-approved antivirus software on all VA-owned AND non-VA computers that contain sensitive VA research data Local ISOs will provide the software for VA-owned equipment  Immediately stop using any computer or software you suspect is infected Immediately isolate the computer from any VA network connections Do not reboot the system since many viruses are triggered to propagate upon system reboot If it appears that a negative activity is occurring, the system must be shut off and left off until a clean Antivirus boot media is used to clean the system Employees not authorized to attempt recovery and restoration must not remove the suspected software themselves, but must contact a qualified IT Specialist Only VA-approved software and tools may be used to attempt recovery from infection with a virus or other malicious code  If a non-VA technician is called to work on non-VA owned equipment, use caution to protect the VA information, including any information that facilitates access to VA private networks  If a hard drive or other storage medium that contains VA research data becomes infected, never surrender or swap it with an outside party

46. Page 46 Encryption Additional security controls, such as encryption, are required to guard sensitive research data stored on computers used outside VA facilities or when transmitting sensitive data via remote access. You must use encryption for the following:  When you use either VA-owned or non-VA equipment in a mobile environment outside the VA (e.g., a laptop)  When you use a personal computer (PC) at an alternative work site  When you access a VA network from a remote location Note: All encryption modules used to protect sensitive VA research data must meet National Institute of Standards and Technology (NIST) standards and be Federal Information Processing Standards (FIPS) 140-2 certified.

47. Page 47 Physical Safeguards Physical security measures are just as important as technical safeguards for protecting VA research data. The following rules for physical security of data apply to all VA employees, and they apply whether the data are stored on VA- owned or non-VA equipment, inside or outside of VA facilities:  Do not take equipment, information, or software containing sensitive VA research data to non-VA sites without the express authorization of your supervisor, Associate Chief of Staff for Research and Development (ACOS/R&D), Privacy Officer (PO) AND your Information Security Officer (ISO)  See that equipment is housed and protected to reduce the risks from environmental threats and hazards, and protected against opportunities for unauthorized access, use, loss, removal or theft  Secure portable computers that have sensitive VA research data on their storage devices or have software that provides access to VA networks under lock and key when you or another responsible employee is not in the immediate vicinity

48. Page 48 Note: Thumb drives are of particular concern since they are small, can store considerable data and are easy to misplace or lose.  Use physical locks to secure portable computers to immovable objects when you must leave computers in areas where individuals other than authorized employees have access  When in an uncontrolled environment, follow “clear desk” practices for media to reduce the risk of unauthorized access to, loss of, and/or damage to the sensitive research information Note: This means that you cannot leave storage media or hard copies containing sensitive VA research data unsecured.

49. Page 49  Guard against disclosing VA research data to unauthorized personnel through eavesdropping, overhearing, or unauthorized personnel actually “seeing” the data on a computer screen  When traveling, keep portable computers and storage devices with you at all times and do not check them as baggage  Protect data and system backups with the same or equally effective physical security as you provide the source computer, its media and the information contained on them  Store backups where they are physically secure yet accessible within a reasonable time frame Note: Do not store original sensitive VA research data on laptops or portable media. Note: If you store data on a VA server, you do not need to back them up to portable media since VA servers are routinely backed up.

50. Page 50 File Sharing Note: You must not create a shared file or a drive containing sensitive VA research data on a device that you use for remote computing. You can share files of sensitive VA research data only through authorized VA servers.

51. Page 51 Data Retention and Destruction You must retain VA research data in accordance with VA, VHA, local and IRB policies, protocol sponsor guidelines, or Privacy Act system of records notice, whichever is most restrictive. During the period that data are retained after a protocol closes, you must provide the same security and privacy measures as when the protocol was active, including all physical and technical safeguards. Note: VHA research data belong to the VA. If an investigator leaves a facility or the VA system, all data must be kept and stored within the VA so as to be easily accessible to facility officials. Investigators cannot take copies with them. Once the required retention period has lapsed, the data may be destroyed using a method that will render them unreadable, undecipherable and irretrievable. Note: This pertains to both VA and non-VA owned computer equipment and storage devices. Investigators should consult their local ISOs for local policies and procedures for media destruction and for computer and portable device sanitation. Note: Pushing the delete button is not sufficient to permanently delete data.

52. Page 52 Just as for electronic media, you are responsible for ensuring that hard- copy documents or physical media, such as audio and videotapes, that contain sensitive VA research data are protected from improper disclosure, including inadvertent disclosure. When you no longer need them, you must also destroy hard copies and other physical media by a method rendering them unreadable, undecipherable and irretrievable. If you have any questions about the best method of disposal, consult your local ISO or Privacy Officer.

53. Page 53 Backups You must backup essential data and software at regular intervals and treat backups and archives according to their VA security classification. You also must securely store any backups containing sensitive VA research data. You may backup data on a separate storage medium such as a network drive, CD, or DVD. Note: As mentioned above, a VA server is the best place to create a backup because VA information technology (IT) staff ensure the safety of the network and that it is routinely backed up.

54. Page 54 Loss or Theft The loss or theft of sensitive VA research data or portable media such as laptops is covered in VA Directive 6504. In addition, local VA facilities should have their own local policies and procedures. Your research office will help you locate those documents. At a minimum, the following should occur as soon as it is discovered that there has been a loss:  Report the loss or theft to security/police officers immediately If you are in a VA facility, notify the VA police If you are on travel or at another institution, notify the security/police officers at the institution such as hotel security, university security, etc. as well as the police in the jurisdiction where the event occurred Obtain the case number and the name and badge number of the investigating officer(s). If possible, obtain a copy of the case report  Immediately call or email the following regarding the incident Your supervisor Your local Information Security Officer (ISO) Your VA facility’s Privacy Officer (PO) Your VA facility’s Security Officer  Your facility’s procedure may include notifying others such as the Chief of Staff or the Medical Center Director. You must determine the name of your facility’s PO and ISO so that you will have their names and contact information available. The ISO will promptly determine whether the incident warrants further reporting and actions.

55. Page 55 Best Practices to Help Ensure the Security and Confidentiality of Stored VA Research Data and the Privacy of Research Subjects While the following measures are not included in official requirements, these common sense steps can help ensure the security and confidentiality of sensitive VA research data, and the privacy of VA research subjects:  Whenever possible, you should store VA research data on network drives with restricted access, not on your desktop computer  Keep data in one file location for ease in making backups (or, better yet, simply backup all your VA research data in one location on a VA server)  Label backup media with the file names and include the date the backup was created  Set your backup schedules to match the importance of the data (e.g., data containing protected health information or irreplaceable data should be backed up more often)  Storage media wear out, especially magnetic media; so change storage media as they age and as better storage technology becomes available

56. Module 5: Safeguarding VA Research Data Outside the VA

57. Page 57 Approvals According to VA Directive 6504, “VA employees are permitted to transport, transmit, access and use VA data outside VA facilities only when such activities have been specifically approved by the employee’s supervisor and where appropriate security measures are taken to ensure that VA information and services are not compromised.“ To store, transport, transmit, access and use sensitive VA research data outside the VA, the principal investigator (PI) must obtain permission from ALL of the following: 1.His/her supervisor 2.The Associate Chief of Staff for Research and Development (ACOS/R&D) 3.The Information Security Officer (ISO), and 4.The Privacy Officer (PO) when appropriate Note: This includes storage on non-VA computer systems or servers, desk top computers located outside the VA, laptops or other portable media. Note: Research subjects’ or veterans’ names, addresses and Social Security numbers (real or scrambled) may be stored only within the VA and on VA servers. If the data are coded, the key linking the code with these identifiers must also be stored within the VA, but not with the coded data.

58. Page 58 Remote Access Laptops and handheld computers, such as personal digital assistants (PDAs), owned by the VA are called Government Furnished Equipment (VAGFE). These electronic devices may be used to access the VA Intranet remotely. Only VA-approved remote access solutions may be used, and all remote connections to VA networks must be through VA-authorized configurations and access points. Requirements for remote access include the following:  You can only access, use or send sensitive VA research information from a VA- owned laptop, handheld computer or storage device  You cannot share sensitive VA research data with anyone else  You must not share your username, password or instructions on how to access the VA network with anyone else  You may not use non-VA owned equipment to access the VA Intranet remotely or to process sensitive VA research data except when approved as above Note: Only VA personnel may access VA-owned equipment that is used to process sensitive VA research information or access VA processing services.

59. Page 59 Access to the VA Intranet using non-VA owned equipment will be provided via approved VA Virtual Private Network (VPN) access protocols, which will offer access to a limited set of VA applications and services. Only remote access users with VA government furnished equipment (VAGFE), with all required security software is installed and updated, will be permitted to connect to the VPN in such a way that grants full VA access. If non-VA owned equipment is connected to a home or small office network with other workstations, all interconnected workstations must have virus protection. The anti-virus software must contain a real-time scanning feature, which must be enabled. You must update their antivirus software and check for viruses before using any diskette or file of uncertain or unauthorized origin. In addition, if you use a computer to connect to the Internet outside the regular work site, whether VA government furnished equipment (VAGFE) or non-VA equipment, you must insure that the computer is protected by a firewall. If you use VA government furnished equipment (VAFGE), to be granted access, you must use the current Host-based Intrusion Prevention System (HIPS) software, including all critical updates and patches.

60. Page 60 When accessing the VA Intranet remotely  You cannot configure VPN client software to support split or dual tunneling, allowing a connection to the VA while simultaneously connected to another public network such as the Internet  You must terminate inactive sessions by logging off when you are finished or when you leave your workstation unattended  You must not turn off the device or monitor without first logging off  You must see that your password-protected screensaver is configured to activate after 15 minutes of inactivity  You are not authorized to use VA remote access services to engage in any activity that is illegal or violates VA policies

61. Page 61 Remote access accounts are “as needed” accounts. Therefore  You must report unused accounts so they can be disabled and removed  Supervisors must ensure that remote access privileges are terminated as soon as they are no longer needed, when the account owner transfers out of the supervisor’s office or leaves the VA, or when an authorized official determines that remote access privileges should be revoked  If users have not logged into the VPN within 30 days, their account will be disabled  Users must contact their local ISO to have their accounts enabled

62. Page 62 Data Storage and Security Outside the VA In addition to the technical and physical safeguards and the remote access requirements covered previously, there are other requirements for storing sensitive VA research data outside the VA. Note: “Outside the VA” means storage or use on any non-VA computer system, server, desk top computer, laptop or any other portable storage medium (e.g., CD, floppy disk, or thumb drive). Note: Sensitive VA research information may not reside on non-VA systems or devices unless specifically designated and approved in advance and only where the non-VA systems or devices conform to, or exceed, applicable VA requirements.

63. Page 63 Non-VA System Requirements When sensitive VA research data are stored on non-VA systems, the system must meet all requirements set forth in Federal Information Security Act (FISMA), including the required certification and accreditation of the system. In addition, all hardware/software encryption must be FIPS 140-2 certified. Note: If the system is not FIPS 140-2 certified, the data are considered unprotected. If FIPS 140-2 certification is going to be a requirement for your protocol, you will need to contact your local ISO for further information on how to obtain verification of this requirement. Note: ISOs are not responsible for approving removal of specific data from the VA, but they are responsible for ensuring all VA security requirements are followed. Note: All sensitive VA research data residing on non-VA laptops and other portable media must be encrypted and password protected in accordance with VA-approved requirements with only authorized individuals having access to the data.

64. Module 6: Roles and Responsibilities for VA Research Data Security and Confidentiality, and for Privacy of VA Research Subjects

65. Page 65 The Importance of Teamwork As has been described in previous modules, every VA facility that performs research must maintain and implement policies and procedures to ensure appropriate storage, security and confidentiality of sensitive VA research data, and privacy of VA research subjects. Although individuals and offices have their own roles and responsibilities, teamwork among the different disciplines is critical to ensuring that policies and procedures are implemented efficiently and effectively. It is important for all stakeholders to become familiar with each others’ expertise and responsibilities, and work closely to provide seamless protection for sensitive VA research data.

66. Page 66 Local VA Institutional Responsibilities Medical Center Directors have ultimate responsibility for ensuring the security and confidentiality of sensitive VA research data in their facilities. On an annual basis, the Medical Center Directors must certify to their VISN Directors that all principal investigators (PIs) have met the certification requirements related to storage and security of sensitive VA research data. Research Offices and Research and Development (R&D) Committees must assure the security and confidentiality of sensitive VA research data, and the privacy of VA research subjects, by verifying principal investigators’ (PI) certification checklists (see below). They also have responsibility for ensuring that all investigators and everyone else involved in research is appropriately trained, credentialed and has research privileges and/or scopes of practice consistent with education, training and expertise. The R&D Committee is responsible for reviewing and evaluating all its subcommittees’ decisions, including IRB approval or exemption, before approving a research protocol.

67. Page 67 Institutional Review Boards (IRBs) are subcommittees of VA R&D Committees. IRBs are responsible for protecting the rights and welfare of subjects. An IRB will not approve a protocol unless its data management plan includes certification from the investigator that the use, storage and security of all research information collected for, derived from, or used during the conduct of the research is in compliance with all relevant requirements. The kinds of questions you may need to discuss with your IRB include:  Is this project exempt from IRB review?  Does this project require informed consent? If so, is written informed consent needed?  Does this project require a HIPAA-Compliant authorization?

68. Page 68 Principal Investigator Responsibilities The principal investigator’s (PI) responsibilities include:  Obtaining and documenting appropriate informed consent from study subjects  Obtaining written approval from the Institutional Review Board (IRB), Research and Development Committee (R&D), and arranging for approvals from any other applicable entity(s) (e.g., union, Office of Management and Budget, etc.) before starting the research project  Submitting a plan for maintaining privacy of research subjects and confidentiality of sensitive VA research data that includes: Storage provisions Security measures Transportation or transmission methods Provisions for controlling access to the data Encryptions methods Plans for how long identifiable information or linkages will be kept Provisions for disposition of the data at the end of the study

69. Page 69  Ensuring that the data are collected in compliance with relevant requirements at all study sites in multi-center studies  Certifying each protocol For all new research protocols, the principal investigator (PI) must certify that the use, storage and security of all information collected for, derived from, or used during the conduct of the research will be in compliance with all VA and VHA requirements. This will require that the PI complete two forms, the “Data Security Checklist” and the “Principal Investigator’s Certification: Storage & Security of VA Research” for each new protocol, submit them to the IRB and R&D Committee and retain a copy of each of these forms with the protocol files For currently active protocols, the PI is required to provide the same information at the time of continuing review For Just-In-Time review, the PI must submit the “Principal Investigator’s Certification: Storage & Security of VA Research” form to the Office of Research and Development (ORD) during the Just-In-Time process for the proposal to be considered for VA research funding The PI must complete this certification process annually

70. Page 70 Note: If, at any point in a study, the PI determines that the security or confidentiality of data being maintained on non-VA systems or otherwise outside the VA on portable equipment does not meet VA requirements, the PI is responsible for immediately ensuring that the data are returned to reside within the VA firewall.

71. Page 71 Information Security Officer Responsibilities Information Security Officers (ISOs) are knowledgeable about how to keep VA research data secure. They will answer your questions and advise you how to set up your security measures. If you have questions about the security of your research information, you should feel free to contact your ISO. Specifically, ISOs are responsible for  Reviewing and, when appropriate, approving PIs’ requests for storing VA research data outside the VA (Note: approval must also be obtained from the Privacy Officer, Associate Chief of Staff for Research and Development (ACOS/R&D) and investigator’s supervisor)  Providing help for local Research Offices and investigators in completing the certification checklist requirements  Coordinating requests for remote access within their region and facility(s)  Reviewing all policies and procedures pertaining to transportation, transmission, remote access and use of VA IT equipment  Ensuring that remote access accounts are immediately disabled for all persons no longer requiring remote access

72. Page 72 The types of issues you may need to discuss with your ISO include  How to set up and configure, or how to close, a remote access account  How to encrypt  When a wireless network can be used  How hardware and data can be protected from viruses  What to do if you suspect you have been attacked by a virus  What to do if you see someone using VA computers for theft or fraud  What to do if you lose data (e.g., a laptop, hard drive, portable media)

73. Page 73 VHA Privacy Office Responsibilities The VHA Privacy Office is the authoritative source for privacy within VHA and is responsible for developing and implementing a VHA Privacy Program; developing, issuing, reviewing and coordinating privacy policy for VHA in conjunction with policy efforts by VA; coordinating requirements and monitoring compliance with all Federal privacy law, regulations and guidance within VHA; and issuing direction on VHA privacy policies, practices and activities to the field.

74. Page 74 Privacy Officer Responsibilities The facility Privacy Officers are knowledgeable about how sensitive VA research data may be used and disclosed in accordance with Federal statutes and regulations and VHA policy. They will answer your questions and help you comply with privacy requirements. It is a good idea to enlist their aid early in the design of a research project to avoid delays in the approval process. Specifically, Privacy Officers are responsible for:  Ensuring the facility’s overall compliance with privacy policies and requirements  Ensuring the facility has a process to review all IRB-approved VA research for compliance with privacy requirements prior to the data’s being provided to the PI  Reporting incidents regarding protected health information (PHI) to the Privacy Violation Tracking System and participating in the investigation of such incidents  Ensuring all employees are trained on privacy annually

75. Page 75 Office of Research Oversight (ORO) Responsibilities The Office of Research Oversight (ORO) serves as the primary VHA office in advising the Under Secretary for Health on all matters of compliance and assurance regarding human subjects protections, animal welfare, research safety and research misconduct. ORO conducts its oversight through routine and for-cause reviews. At the request of the Under Secretary, ORO reviews facility compliance with information security requirements for research when staff conducts on- site reviews. The checklist ORO uses to guide its reviews of information security can be found on the ORO website at http://vaww1.va.gov/oro/. You may want to access this document to help conduct your own assessment of your facility's fulfillment of requirements.http://vaww1.va.gov/oro/

76. Submit questions to ResearchData@va.gov through your local research office. ResearchData@va.gov

77. Page 77 Certificates A web form to generate a certificate will appear at the end of this Live Meeting presentation. Please enter your First Name and Last Name. Click Submit. Scroll to the bottom of the document and click Print. Here is the web address in the event you cannot access or print your certificate from the web form: http://vaww.vistau.med.va.gov/vistau/securityprivacy/certs/traincertform.cfm?sessionid=2