Peter N Poon JD MA CIPP G Office of Research Oversight 2012 Update Initially presented June 2011 at ORD Local Accountability Meeting Background of Findings Findings from the last 12 ORO Research Information Protection Program RIPP Reports ID: 293505
Download Presentation The PPT/PDF document "ORO Findings on Privacy, Confidentiality..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
ORO Findings on Privacy, Confidentiality, and Information Security
Peter N. Poon, JD, MA, CIPP/GOffice of Research Oversight
2012 Update
Initially presented June 2011 at ORD Local Accountability MeetingSlide2
Background of Findings
Findings from the last 12 ORO Research Information Protection Program (RIPP) ReportsSite visits from July 2010 to March 2011Research programs of varying sizes and complexity These are sample findings
April 2011 to April 2012Slide3
Of the following situations, which did the ORO RIPP team make the most noncompliance findings regarding?
Use of non-VA, non-encrypted thumb drivesPosting passwords on or near computerFailure to log-off or enable password protected screen saver when leaving work areaVASI not stored in locked file or cabinet when not in useSlide4
4. VASI was not stored in locked file or cabinet when not in use:
Herding Cats
10 Findings Non-VA, non-encrypted thumb drives: 2 Posting passwords: 0
No log-off or screen saver:
6
7 Findings
6
0
2Slide5
Complete the following sentence with the
best answer:Storage media such as CDs and DVDs…Must be locked in secure storage if they contain VASI
Must never contain VASIMust be encrypted if they contain VASIMust never leave the VA if they contain VASISlide6
3. Must be encrypted if they contain VASI:
5 Findings
Where Are My Keys??3 FindingsSlide7
VASI residing on non-VA owned equipment (OE) requires the approval of a supervisor AND:
Approval by the facility ISOWaiver by the VISN ISOWaiver by the VA CIO (Assistant Secretary IT) or designee (ADAS OCS)
Approval by ORDSlide8
Elephant in the Room
3. Waiver by VA CIO (Assistant Secretary IT) or designee (ADAS OCS)
:5 FindingsExceptions: MOU/ISA for system interconnections
Contract with a vendor, with security controls
6 FindingsSlide9
800 Pound Gorilla
Folders on the [VA facility] server that contained study specific information, including PHI, were not configured to permit only the appropriate staff access to the folder contents.
7 FindingsSlide10
Non-VA IT equipment (e.g., owned by the Academic Affiliate or Nonprofit Corporation) at a VA location:
Must never be used for VA researchMust be donated to VA if used for VA researchMust meet all VA standards if used for VA researchMust be accounted for in a VA property accountability system if used for VA researchSlide11
4. Must be accounted for in a VA property accountability system :
8 Findings
No Gatecrashers9 FindingsSlide12
HIPAA Authorizations must state that
treatment, payment, enrollment, or eligibility for benefits cannot be conditioned on the individual:Signing the authorization
Participating in the researchNot withdrawing from the researchNot revoking the authorizationSlide13
1. Cannot be conditioned on individual signing (“completing”) the authorization:
8 Findings
Starting at Square One6 FindingsSlide14
Using identifiable information to
recruit subjects for VA research requires the IRB to approve both a waiver of HIPAA authorization and a waiver of informed consentTrueFalseSlide15
TRUE
House Rules
5 Findings6 FindingsSlide16
Which of the following is a HIPAA identifier?:
Subject X’s date of birthSubject Y’s date of medical treatmentSubject Z’s date of research interventionAll of the aboveSlide17
4. All of the above:
6 Findings
VHA Handbook 1605.1, Appendix B §2.b(3):All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death.
A Rose is a Rose is a Rose
5 FindingsSlide18
What’s wrong with the following Privacy Policy statement?:
“The facility may use or disclose PHI for research without written authorization from the individual for reviews preparatory to research, provided that the information is being sought solely for purposes preparatory to research or research itself.”
You need an authorization to use/disclose PHI for preparatory to researchYou need an authorization to use/disclose PHI for research itselfYou need a waiver of authorization for preparatory to researchNothing is wrongSlide19
2.
You need an authorization to use/disclose PHI for research itself:
9 FindingsHiding in Plain Sight“The facility may use or disclose PHI for research without written authorization from the individual for reviews preparatory to research, provided that the information is being sought solely for purposes preparatory to research or research itself.”“The facility may use or disclose PHI for research without written authorization
from the individual for reviews preparatory to research, provided that the information is being sought solely
for
purposes preparatory to research or
research itself.”
12 FindingsSlide20
How many times did the ORO RIPP team find that the ISO or PO did not conduct a thorough review of the protocols?:
0479Slide21
4. 9 Findings
Drill, Baby, Drill
2 FindingsSlide22
The PO and ISO did not provide summary reports on each study to the IRB prior to, or at, the convened IRB meeting at which the study is to be reviewed.
Cart Before the Horse
5 FindingsSlide23
At the current time, local research records may be destroyed….
Never5 years after the studyWhenever the data is not needed anymoreAccording to FDA or sponsor guidelines, whichever is longerSlide24
1. Never:
7 Findings
The Venus FlytrapFor waivers of HIPAA authorizations, the IRB must document that the use/disclosure of PHI involves no more than minimal risk to the individual’s privacy based on … “an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise mandated by applicable VA or other Federal requirements.”
VHA Handbook 1200.05
§37.b(3)(a)
2
For
waivers of HIPAA authorizations
, the IRB must document that the use/disclosure of PHI involves no more than minimal risk to the individual’s privacy based on …
“an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research,
unless
there is a health or research justification for retaining the identifiers or
such retention is otherwise mandated by applicable VA or other Federal requirements
.”
VHA Handbook 1200.05
§37.b(3)(a)
2
6 FindingsSlide25
Fantasy Finding
If I had a dollar for every time HIPAA is misspelled….Slide26
Health
Insurance Portability and Accountability Act
= HIPAASlide27
HIPPA