ORO Findings on Privacy, Confidentiality, and Information Security (PowerPoint presentation)

Uploaded by luanne-stotts, 2016-04-26

Presentation Transcript

Slide1

ORO Findings on Privacy, Confidentiality, and Information Security

Peter N. Poon, JD, MA, CIPP/G
Office of Research Oversight

2012 Update

Initially presented June 2011 at ORD Local Accountability Meeting

Slide2

Background of Findings

Findings from the last 12 ORO Research Information Protection Program (RIPP) Reports
Site visits from July 2010 to March 2011
Research programs of varying sizes and complexity
These are sample findings

2012 update: site visits from April 2011 to April 2012

Slide3

Of the following situations, which did the ORO RIPP team make the most noncompliance findings regarding?

1. Use of non-VA, non-encrypted thumb drives
2. Posting passwords on or near computer
3. Failure to log off or enable password-protected screen saver when leaving work area
4. VASI not stored in locked file or cabinet when not in use

Slide4

4. VASI was not stored in locked file or cabinet when not in use: 10 Findings

Herding Cats

Findings by situation (counts as listed on the slide: initial June 2011 / 2012 update):
VASI not stored in locked file or cabinet when not in use: 10 Findings / 7 Findings
Non-VA, non-encrypted thumb drives: 2 / 6
Posting passwords: 0 / 0
No log-off or screen saver: 6 / 2

Slide5

Complete the following sentence with the best answer: Storage media such as CDs and DVDs…

1. Must be locked in secure storage if they contain VASI
2. Must never contain VASI
3. Must be encrypted if they contain VASI
4. Must never leave the VA if they contain VASI

Slide6

3. Must be encrypted if they contain VASI: 5 Findings

Where Are My Keys??

3 Findings

Slide7

VASI residing on non-VA owned equipment (OE) requires the approval of a supervisor AND:

1. Approval by the facility ISO
2. Waiver by the VISN ISO
3. Waiver by the VA CIO (Assistant Secretary IT) or designee (ADAS OCS)
4. Approval by ORD

Slide8

Elephant in the Room

3. Waiver by VA CIO (Assistant Secretary IT) or designee (ADAS OCS): 5 Findings

Exceptions:
MOU/ISA for system interconnections
Contract with a vendor, with security controls

6 Findings

Slide9

800 Pound Gorilla

Folders on the [VA facility] server that contained study-specific information, including PHI, were not configured to permit only the appropriate staff access to the folder contents.

7 Findings
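An added audit script, not part of the ORO presentation, showing the kind of check a facility ISO could run on a Windows file server to catch the folder-permission finding above before a site visit does: it walks a research share and reports every Allow ACE that names a broad principal (Everyone, Authenticated Users, BUILTIN\Users, or a domain's Domain Users group) instead of a study-specific group. The share path \\fileserver\research and the list of broad principals are assumptions; extend the list with any facility-wide groups in use at the site. The output still needs a human reviewer, since no script can know which staff are "appropriate" for a given study.

```powershell
<#
Added example, not code from the ORO presentation.
Reports NTFS Allow ACEs on a research share that name broad principals instead
of a study-specific group. Assumptions: the share root below is hypothetical,
and the broad-principal list is a starting point to extend with local groups.
#>
param(
    [string]$Root = '\\fileserver\research',   # hypothetical share root
    [string[]]$BroadPrincipals = @(
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'BUILTIN\Users'
    ),
    # Matches "DOMAIN\Domain Users" for any domain name.
    [string]$DomainUsersPattern = '\\Domain Users$'
)

function Test-BroadAllowAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    # Deny ACEs do not widen access; only Allow entries are of interest.
    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) {
        return $false
    }
    $id = $Ace.IdentityReference.Value
    return ($BroadPrincipals -contains $id) -or ($id -match $DomainUsersPattern)
}

# Audit the share root itself plus every subfolder; folders whose ACL cannot be
# read are skipped with a warning rather than silently passing.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$results = foreach ($folder in $folders) {
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL on $($folder.FullName): $($_.Exception.Message)"
        continue
    }
    foreach ($ace in $acl.Access) {
        if (Test-BroadAllowAce -Ace $ace) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights.ToString()
                # Inherited = True means the fix belongs on a parent folder or the share root.
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($results) {
    $results | Sort-Object Folder, Principal | Format-Table -AutoSize
    Write-Output "$(@($results).Count) broad Allow ACE(s) found under $Root"
} else {
    Write-Output "No broad Allow ACEs found under $Root"
}
```

Run it under an account that can read ACLs across the whole share, and treat an Inherited = True row as a sign that the over-broad entry sits higher in the tree. Get-Acl reports only NTFS permissions; the SMB share permissions (Get-SmbShareAccess on the file server) are a separate layer and should be checked with the same list of broad principals.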

Slide10

Non-VA IT equipment (e.g., owned by the Academic Affiliate or Nonprofit Corporation) at a VA location:

1. Must never be used for VA research
2. Must be donated to VA if used for VA research
3. Must meet all VA standards if used for VA research
4. Must be accounted for in a VA property accountability system if used for VA research

Slide11

4. Must be accounted for in a VA property accountability system: 8 Findings

No Gatecrashers

9 Findings

Slide12

HIPAA Authorizations must state that treatment, payment, enrollment, or eligibility for benefits cannot be conditioned on the individual:

1. Signing the authorization
2. Participating in the research
3. Not withdrawing from the research
4. Not revoking the authorization

Slide13

1. Cannot be conditioned on individual signing (“completing”) the authorization: 8 Findings

Starting at Square One

6 Findings

Slide14

Using identifiable information to recruit subjects for VA research requires the IRB to approve both a waiver of HIPAA authorization and a waiver of informed consent.

True
False

Slide15

TRUE

House Rules

5 Findings

6 Findings

Slide16

Which of the following is a HIPAA identifier?

1. Subject X’s date of birth
2. Subject Y’s date of medical treatment
3. Subject Z’s date of research intervention
4. All of the above

Slide17

4. All of the above: 6 Findings

VHA Handbook 1605.1, Appendix B §2.b(3): All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death.

A Rose is a Rose is a Rose

5 Findings

Slide18

What’s wrong with the following Privacy Policy statement?

“The facility may use or disclose PHI for research without written authorization from the individual for reviews preparatory to research, provided that the information is being sought solely for purposes preparatory to research or research itself.”

1. You need an authorization to use/disclose PHI for preparatory to research
2. You need an authorization to use/disclose PHI for research itself
3. You need a waiver of authorization for preparatory to research
4. Nothing is wrong

Slide19

2. You need an authorization to use/disclose PHI for research itself: 9 Findings

Hiding in Plain Sight

“The facility may use or disclose PHI for research without written authorization from the individual for reviews preparatory to research, provided that the information is being sought solely for purposes preparatory to research or research itself.”

The problem is the final phrase, “or research itself”: the preparatory-to-research exception does not extend to the research itself.

12 Findings

Slide20

How many times did the ORO RIPP team find that the ISO or PO did not conduct a thorough review of the protocols?

1. 0
2. 4
3. 7
4. 9

Slide21

4. 9 Findings

Drill, Baby, Drill

2 Findings

Slide22

The PO and ISO did not provide summary reports on each study to the IRB prior to, or at, the convened IRB meeting at which the study is to be reviewed.

Cart Before the Horse

5 Findings

Slide23

At the current time, local research records may be destroyed…

1. Never
2. 5 years after the study
3. Whenever the data is not needed anymore
4. According to FDA or sponsor guidelines, whichever is longer

Slide24

1. Never: 7 Findings

The Venus Flytrap

For waivers of HIPAA authorizations, the IRB must document that the use/disclosure of PHI involves no more than minimal risk to the individual’s privacy based on … “an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise mandated by applicable VA or other Federal requirements.”

VHA Handbook 1200.05 §37.b(3)(a)2

The trap: the waiver criterion asks for a plan to destroy identifiers at the earliest opportunity, while local research records currently may never be destroyed; the clause covering retention mandated by VA requirements is what reconciles the two, and the waiver documentation must reflect it.

6 Findings

Slide25

Fantasy Finding

If I had a dollar for every time HIPAA is misspelled….

Slide26

Health Insurance Portability and Accountability Act = HIPAA

Slide27

HIPPA