Presentation is loading. Please wait.

Presentation is loading. Please wait.

ORO Findings on Privacy, Confidentiality, and Information Security Peter N. Poon, JD, MA, CIPP/G Office of Research Oversight Initially presented June.

Published byBarnaby Horton Modified over 9 years ago

Similar presentations

Presentation on theme: "ORO Findings on Privacy, Confidentiality, and Information Security Peter N. Poon, JD, MA, CIPP/G Office of Research Oversight Initially presented June."— Presentation transcript:

1 ORO Findings on Privacy, Confidentiality, and Information Security Peter N. Poon, JD, MA, CIPP/G Office of Research Oversight Initially presented June 2011 at ORD Local Accountability Meeting

2 Background of Findings Findings from the last 12 ORO Research Information Protection Program (RIPP) Reports Site visits from July 2010 to March 2011 Research programs of varying sizes and complexity These are sample findings April 2011 to April 2012

3 Of the following situations, which did the ORO RIPP team make the most noncompliance findings regarding? Use of non-VA, non-encrypted thumb drives Posting passwords on or near computer Failure to log-off or enable password protected screen saver when leaving work area VASI not stored in locked file or cabinet when not in use

4 4. VASI was not stored in locked file or cabinet when not in use: Herding Cats 10 Findings Non-VA, non-encrypted thumb drives: 2 Posting passwords: 0 No log-off or screen saver: 6 7 Findings 6 0 2

5 Complete the following sentence with the best answer: Storage media such as CDs and DVDs… Must be locked in secure storage if they contain VASI Must never contain VASI Must be encrypted if they contain VASI Must never leave the VA if they contain VASI

6 3. Must be encrypted if they contain VASI:5 Findings Where Are My Keys?? 3 Findings

7 VASI residing on non-VA owned equipment (OE) requires the approval of a supervisor AND: Approval by the facility ISO Waiver by the VISN ISO Waiver by the VA CIO (Assistant Secretary IT) or designee (ADAS OCS) Approval by ORD

8 Elephant in the Room 3. Waiver by VA CIO (Assistant Secretary IT) or designee (ADAS OCS) : 5 Findings Exceptions: MOU/ISA for system interconnections Contract with a vendor, with security controls 6 Findings

9 800 Pound Gorilla Folders on the [VA facility] server that contained study specific information, including PHI, were not configured to permit only the appropriate staff access to the folder contents. 7 Findings

10 Non-VA IT equipment (e.g., owned by the Academic Affiliate or Nonprofit Corporation) at a VA location: Must never be used for VA research Must be donated to VA if used for VA research Must meet all VA standards if used for VA research Must be accounted for in a VA property accountability system if used for VA research

11 4. Must be accounted for in a VA property accountability system : 8 Findings No Gatecrashers 9 Findings

12 HIPAA Authorizations must state that treatment, payment, enrollment, or eligibility for benefits cannot be conditioned on the individual: Signing the authorization Participating in the research Not withdrawing from the research Not revoking the authorization

13 1. Cannot be conditioned on individual signing (“completing”) the authorization: 8 Findings Starting at Square One 6 Findings

14 Using identifiable information to recruit subjects for VA research requires the IRB to approve both a waiver of HIPAA authorization and a waiver of informed consent True False

15 TRUE House Rules 5 Findings 6 Findings

16 Which of the following is a HIPAA identifier?: Subject X’s date of birth Subject Y’s date of medical treatment Subject Z’s date of research intervention All of the above

17 4. All of the above:6 Findings VHA Handbook 1605.1, Appendix B §2.b(3): All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death. A Rose is a Rose is a Rose 5 Findings

18 What’s wrong with the following Privacy Policy statement?: “The facility may use or disclose PHI for research without written authorization from the individual for reviews preparatory to research, provided that the information is being sought solely for purposes preparatory to research or research itself.” You need an authorization to use/disclose PHI for preparatory to research You need an authorization to use/disclose PHI for research itself You need a waiver of authorization for preparatory to research Nothing is wrong

19 2. You need an authorization to use/disclose PHI for research itself: 9 Findings Hiding in Plain Sight “The facility may use or disclose PHI for research without written authorization from the individual for reviews preparatory to research, provided that the information is being sought solely for purposes preparatory to research or research itself.” 12 Findings

20 How many times did the ORO RIPP team find that the ISO or PO did not conduct a thorough review of the protocols?: 0 4 7 9

21 4. 9 Findings Drill, Baby, Drill 2 Findings

22 The PO and ISO did not provide summary reports on each study to the IRB prior to, or at, the convened IRB meeting at which the study is to be reviewed. Cart Before the Horse 5 Findings

23 At the current time, local research records may be destroyed…. Never 5 years after the study Whenever the data is not needed anymore According to FDA or sponsor guidelines, whichever is longer

24 1. Never:7 Findings The Venus Flytrap For waivers of HIPAA authorizations, the IRB must document that the use/disclosure of PHI involves no more than minimal risk to the individual’s privacy based on … “an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise mandated by applicable VA or other Federal requirements.” VHA Handbook 1200.05 §37.b(3)(a)2 For waivers of HIPAA authorizations, the IRB must document that the use/disclosure of PHI involves no more than minimal risk to the individual’s privacy based on … “an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise mandated by applicable VA or other Federal requirements.” VHA Handbook 1200.05 §37.b(3)(a)2 6 Findings

25 Fantasy Finding If I had a dollar for every time HIPAA is misspelled….

26 Health Insurance Portability and Accountability Act = HIPAA

27

Download ppt "ORO Findings on Privacy, Confidentiality, and Information Security Peter N. Poon, JD, MA, CIPP/G Office of Research Oversight Initially presented June."

Similar presentations

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.

SIMPLIFYING PRIVACY: HIPAA PRIVACY STANDARDS AND RESEARCH Angela M. Vieira General Counsel Childrens Hospital and Health Center June 5, 2004.
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *http://www.hhs.gov/ocr/combinedregtext.pdf.

HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.

1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
ICF & HIPAA waivers Human Subject Protection Office UConn Health Center Monika Haugstetter, MHA, RN, MSN & HSPO/IRB Staff.

ICF & HIPAA waivers Human Subject Protection Office UConn Health Center Monika Haugstetter, MHA, RN, MSN & HSPO/IRB Staff.
COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.

COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
RESEARCH COMPLIANCE Agenda 1. No Destruction of local research documents after scanning 2. Training for shipping biological samples/specimens 3. Regulatory.

RESEARCH COMPLIANCE Agenda 1. No Destruction of local research documents after scanning 2. Training for shipping biological samples/specimens 3. Regulatory.
1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.

1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
Informed Consent.

Informed Consent.
UTHSC IRB Donna Hollaway, RN, CCRC 11/30/2011 Authority to Audit 45 CFR 46.109(e) An IRB shall conduct continuing review of research covered by this.

UTHSC IRB Donna Hollaway, RN, CCRC 11/30/2011 Authority to Audit 45 CFR (e) An IRB shall conduct continuing review of research covered by this.
Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.

Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Common Errors to avoid in IRB- 03 (VA) Applications.

Common Errors to avoid in IRB- 03 (VA) Applications.
What does this form mean? HIPAA Authorization means prior written permission for use and disclosure of protected health information (PHI) from the information’s.

What does this form mean? HIPAA Authorization means prior written permission for use and disclosure of protected health information (PHI) from the information’s.
Office of Research Oversight. Working Group Report Slide 2.

Office of Research Oversight. Working Group Report Slide 2.
University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.

University of Miami1 HIPAA Survival Skills An Introduction to HIPAA and Research University of Miami Human Subjects Research Office October 31, 2006 Evelyne.
Office of Research Oversight. Challenges & Opportunities Related to “Collaborative” Research with Affiliates Challenges –Federal Records Retention Requirements.

Office of Research Oversight. Challenges & Opportunities Related to “Collaborative” Research with Affiliates Challenges –Federal Records Retention Requirements.
HEAVEN’S HANDS COMMUNITY SERVICE H.I.P.A.A. What is HIPAA? HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed.

HEAVEN’S HANDS COMMUNITY SERVICE H.I.P.A.A. What is HIPAA? HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed.

Similar presentations

Ads by Google