Presentation is loading. Please wait.

Presentation is loading. Please wait.

2012 VA Human Research Protection Program Patricia L. Christensen, MS, RHIA, CIPP/G, CHPS, CHPC VHA Privacy Office Common Privacy Findings in Research.

Published byFelix Holland Modified over 9 years ago

Similar presentations

Presentation on theme: "2012 VA Human Research Protection Program Patricia L. Christensen, MS, RHIA, CIPP/G, CHPS, CHPC VHA Privacy Office Common Privacy Findings in Research."— Presentation transcript:

1 2012 VA Human Research Protection Program Patricia L. Christensen, MS, RHIA, CIPP/G, CHPS, CHPC VHA Privacy Office Common Privacy Findings in Research San Francisco, CA June 26-27, 2012

2 VHA Office of Informatics and Analytics Privacy Officer (PO)Issues  Consistency among protocol, Informed Consent Form and HIPAA authorization  De-identified Information & HIPAA Identifiers  When a Data Use Agreement is Required  Notice of Privacy Practices to Non-Veterans  Requirements for Pictures & Audio-Recordings  Email Communication with Subjects  Retention and Storage of Research Data  Accounting of Disclosure  Re-Use of Data  Miscellaneous Information 2

3 VHA Office of Informatics and Analytics Consistency between Informed Consent and HIPAA authorization  Information being collected  Who is using the data  Who will be receiving data outside VA  Clarity as to non-VA entities receiving protected health information (PHI), limited data sets (LDS) or just aggregate information  Retention/disposal of information Good News: An official VHA research HIPAA Authorization form is forthcoming

4 VHA Office of Informatics and Analytics De-identified Information  A covered entity (VHA) can find that health information is not individually identifiable in two ways:

5 VHA Office of Informatics and Analytics HIPAA Identifiers The 18 types of identifiers of the individual or of relatives, employers, or household members of the individual that must be removed are: (1) Names (2) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geo codes, except for the initial three digits of a zip code, according to the current publicly available data from the Bureau of the Census

6 VHA Office of Informatics and Analytics HIPAA Identifiers (3) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older; (4) Telephone numbers (8) MR numbers (5) Fax numbers. (9) Health Plan (6) E-mail addresses Beneficiary (7) SSN numbers

7 VHA Office of Informatics and Analytics HIPAA Identifiers (10) Account numbers. (11) Certificate and/or license numbers. (12) Vehicle identifiers and serial numbers, including license plate numbers. (13) Device identifiers and serial numbers. (14) Web Universal Resource Locators (URLs). (15) Internet Protocol (IP) address numbers. (16) Biometric identifiers, including finger and voice prints. (17) Full-face photographic images and any comparable images. (18) Any other unique identifying number, characteristic, or code, except as permitted by § 164.514(c)

8 VHA Office of Informatics and Analytics De-identified Information - Challenges  PI may erroneously refer to information within protocol as being de-identified (deletion of patient name, SSN, address, DOB) when the protocol actually contains other HIPAA identifiers, such as dates, study ID number, or study code which makes this identifiable  Problem areas when de-identifying data  Age 89 years and older unless placed into one single category of 90 or above  Dates must list year only, exclude month/day  Geographic data o Same initial three digits of ZIP codes may be included except when population is <20,000 then use 000

9 VHA Office of Informatics and Analytics Limited Data Sets (LDS)  LDS refers to PHI that excludes 16 of the above direct identifiers but the research data still may include two of the HIPAA identifiers:  Dates: o Date of visit/encounter o Date of birth or death o Admission or discharge date  Certain geographic information o City o State o Zip code

10 VHA Office of Informatics and Analytics Limited Data Sets (LDS)  The HIPAA Privacy Rule permits VHA as a covered entity to use and disclose a LDS for research activities without obtaining an authorization or documentation of a waiver of HIPAA authorization  LDS can be used or disclosed by VHA for research purposes to  VA research staff  Another covered entity  A non-VA researcher who is not a covered entity NOTE:  A Data Use Agreement with VHA is required to disclose a LDS to anyone (including other VA staff)

11 VHA Office of Informatics and Analytics Limited Data Sets (LDS)  Recipients of LDS  Cannot use or disclose the information other than permitted by the agreement or otherwise required by law  Must use appropriate safeguards to protect the LDS  Must require the recipient to report any violations of the agreement to VHA  Must hold any agent of the recipient (including subcontractors) to the same agreement conditions  Must not identify the information or contact the individual

12 VHA Office of Informatics and Analytics Data Use Agreement (DUA)  VA researchers are required to enter into a DUA if they are obtaining information from a data repository  Reference: VHA Handbook 1200.12  A data repository is a database or a collection of databases that have been created or organized to facilitate the conduct of multiple research protocols, including future protocols not yet envisioned

13 VHA Office of Informatics and Analytics Data Use Agreement (DUA)  If VHA retains ownership of the data, a DUA can legally bind the recipient to specific uses or place limitations on the use of the data  A Contractor, or  Non-VA collaborator

14 VHA Office of Informatics and Analytics Data Use Agreement (DUA)  A DUA establishes who will have access to and control of the information at both origination and recipient locations as to  Use  Disclosure  Storage  Processing  Making copies  Transfer of Data  Disposition of Data

15 VHA Office of Informatics and Analytics Examples of Repositories  VISN data warehouses  National Database Systems (NDS)  Veterans Affairs/Department of Defense Identity Repository (VADIR)  Corporate Data Warehouse  Pharmacy Benefits Management  VistA/CPRS  Center for Medicare and Medicaid (CMS) data  Specific research repository

16 VHA Office of Informatics and Analytics When a Data Use Agreement is Required  A DUA is required when data is transferred for research from  One VA facility (not engaged) to another VA facility (engaged)  A VA repository (VISN warehouse, national database, or a research data repository) to a VA investigator for a VA-approved research project  To a non-VA person or entity who is serving as a contractor or collaborator on the PI’s VA-approved protocol  Preparatory to research for review by PI or staff when data is obtained from a repository

17 VHA Office of Informatics and Analytics When a Data Use Agreement is not Required  A DUA is not required when data is transferred for research when  Disclosed to a research sponsor  One VA facility/VA investigator transfers data to another VA facility/VA Investigator when transfer is  required to conduct a protocol,  the transfer is described within the protocol,  the protocol is approved by each site’s IRB, and  the protocol is then active at each site  all parties are “engaged” in the research project e.g., Multiple sites in a VA-approved clinical trial transferring data to a Cooperative Studies Program (CSP) coordinating center

18 VHA Office of Informatics and Analytics NOPP (IB 10-163) to Non-Veterans  Provide non-Veterans enrolled in VA studies that collect PHI with a copy of IB10-163, Notice of Privacy Practices (NOPP) at the time of non- Veteran’s first research visit  Non-Veteran must acknowledge receipt of the NOPP on VAF 10-0483  Bullets are square  Font is Myriad Web Pro  Each indented line is 2 pts smaller than line above  Single spacing hanging index.31

19 VHA Office of Informatics and Analytics Requirements for Pictures, Video- & Audio-Recordings for Research Subjects  Informed Consent to take a picture, video- or audio-recording cannot be waived, but documentation of informed consent can be waived by the IRB  For patient subjects (Veteran or non-Veteran):  Utilize VAF 10-3203 (in addition to informed consent form)

20 VHA Office of Informatics and Analytics Disposition Requirements for Pictures, Video- & Audio-Recordings for Research Subjects  There is no NARA disposition for research pictures, video- & audio-recordings  If use of digital transcription service, the contract with the service may need to specify that the voice recordings cannot be destroyed  If use of tapes, the PI must maintain these tapes and not re-record over the tape recording another subject  A research agreement may be required if service is provided by a non-VA entity

21 VHA Office of Informatics and Analytics Retention and Storage of Research Data  All research records must be retained because research records have no schedule for destruction  NOTE: Records include crosswalks and lists of identifiers for recruitment  What can be destroyed  Personal papers  Copies of research documents, but not originals

22 VHA Office of Informatics and Analytics Accounting of Disclosure  VHA, and its employees, are responsible for maintaining an accounting of all disclosures of protected health information made by VHA employees.  The accounting of disclosure is required by both the Privacy Act of 1974 and HIPAA’s Privacy Rule  Accounting is not required if the information disclosed is de-identified or a limited data set  Accounting is required with or without patient authorization

23 VHA Office of Informatics and Analytics Accounting of Disclosures  Although not a requirement for your facility RCO, this is a call for assistance in reminding PI’s that if they disclose PHI to a sponsor, study monitor, academic affiliate or another non-VA entity who is not a research team member an accounting of disclosure is required  Direct PI to the Privacy Officer for assistance on how to maintain an accounting of disclosures.

24 VHA Office of Informatics and Analytics Re-use of Data  If the expiration date on the HIPAA authorization passes, the PI can no longer use any of the information previously collected unless the PI obtains a waiver of HIPAA authorization from the IRB  Re-use of data has to be consistent with the original informed consent and HIPAA authorization

25 VHA Office of Informatics and Analytics Miscellaneous Information  No Business Associate Agreement (BAA) is required for an entity involved in VA research as a contractor or who has a Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) to be involved in the research  Even though a researcher is orally (either through telephone calls or on-line surveys) collecting IIHI, a HIPAA authorization or a waiver would be required

26 VHA Office of Informatics and Analytics Miscellaneous Information  Signature on the HIPAA authorization cannot be waived (e.g., a legally authorized representative must sign for comatose subjects)  Privacy breaches must be reported to the supervisor, Privacy Officer, and Information Security Officer within one hour. Examples include  No HIPAA authorization  No subject signature on HIPAA authorization  Sending unencrypted PHI by email  Disclosure to non-VA entity not listed on HIPAA authorization

27 VHA Office of Informatics and Analytics Miscellaneous Information  When emails are used for VA research  Only work email addresses should be used o Home emails should not be listed due to privacy and security concerns  Encrypt any emails that contain IIHI

28 VHA Office of Informatics and Analytics Pat ChristensenVHA Privacy Office VHA Privacy SpecialistVHAPrivIssues@va.govVHAPrivIssues@va.gov patricia.christensen@va.gov Contact Information/Questions?

Download ppt "2012 VA Human Research Protection Program Patricia L. Christensen, MS, RHIA, CIPP/G, CHPS, CHPC VHA Privacy Office Common Privacy Findings in Research."

Similar presentations

What is VA Research and Sensitive VA Research Data?

What is VA Research and Sensitive VA Research Data?
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *http://www.hhs.gov/ocr/combinedregtext.pdf.

HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
HIPAA Privacy Rule and Research

HIPAA Privacy Rule and Research
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.

1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.

HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
HIPAA, Privacy & Confidentiality Local Accountability for Research Protection in VA Facilities VA Office of Research & Development Baltimore, February.

HIPAA, Privacy & Confidentiality Local Accountability for Research Protection in VA Facilities VA Office of Research & Development Baltimore, February.
COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.

COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
National Cancer Institute Cancer Therapy Evaluation Program (CTEP) presents: How to Obtain Protected Health Information (PHI) from an Outside Healthcare.

National Cancer Institute Cancer Therapy Evaluation Program (CTEP) presents: How to Obtain Protected Health Information (PHI) from an Outside Healthcare.
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
HIPAA Requirements for Patient Oriented Research

HIPAA Requirements for Patient Oriented Research
Informed Consent.

Informed Consent.
Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.

Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.
HIPAA Training Presentation for New Employees How did we get here? HIPAA Police 1.

HIPAA Training Presentation for New Employees How did we get here? HIPAA Police 1.
Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.

Training In HIPAA Privacy Regulations for Researchers and Research Staff Adapted from a presentation prepared by Human Subjects Division, University of.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Privacy and Information Security Essentials

Privacy and Information Security Essentials
Nora B. McCann Privacy Manager Corporate Compliance Fox Chase Cancer Center

Nora B. McCann Privacy Manager Corporate Compliance Fox Chase Cancer Center
ORO Findings on Privacy, Confidentiality, and Information Security Peter N. Poon, JD, MA, CIPP/G Office of Research Oversight Initially presented June.

ORO Findings on Privacy, Confidentiality, and Information Security Peter N. Poon, JD, MA, CIPP/G Office of Research Oversight Initially presented June.

Similar presentations

Ads by Google