ORO Findings on Privacy, Confidentiality, and Information Security

Peter N. Poon, JD, MA, CIPP/G
Office of Research Oversight

Initially presented June 2011 at ORD Local Accountability Meeting

Background of Findings

• Findings from the last 12 ORO Research Information Protection Program (RIPP) Reports
• Site visits from July 2010 to March 2012
  April 2011 to April 2011
• Research programs of varying sizes and complexity
• These are sample findings

For which of the following situations did the ORO RIPP team make the most noncompliance findings?

• Use of non-VA, non-encrypted thumb drives
• Posting passwords on or near the computer
• Failure to log off or enable a password-protected screen saver when leaving the work area
• VASI not stored in a locked file or cabinet when not in use

Herding Cats

4. VASI was not stored in locked file or cabinet when not in use: 10 Findings / 7 Findings
   • Non-VA, non-encrypted thumb drives: 2 / 6
   • Posting passwords: 0 / 0
   • No log-off or screen saver: 6 / 2

Complete the following sentence with the best answer:
Storage media such as CDs and DVDs…

• Must be locked in secure storage if they contain VASI
• Must never contain VASI
• Must be encrypted if they contain VASI
• Must never leave the VA if they contain VASI

Where Are My Keys??

3. Must be encrypted if they contain VASI: 5 Findings / 3 Findings

VASI residing on non-VA owned equipment (OE) requires the approval of a supervisor AND:

• Approval by the facility ISO
• Waiver by the VISN ISO
• Waiver by the VA CIO (Assistant Secretary IT) or designee (ADAS OCS)
• Approval by ORD

Elephant in the Room

3. Waiver by VA CIO (Assistant Secretary IT) or designee (ADAS OCS): 5 Findings / 6 Findings
   Exceptions:
   • MOU/ISA for system interconnections
   • Contract with a vendor, with security controls

800 Pound Gorilla

Folders on the [VA facility] server that contained study-specific information, including PHI, were not configured to permit only the appropriate staff access to the folder contents: 7 Findings

Non-VA IT equipment (e.g., owned by the Academic Affiliate or Nonprofit Corporation) at a VA location:

• Must never be used for VA research
• Must be donated to VA if used for VA research
• Must meet all VA standards if used for VA research
• Must be accounted for in a VA property accountability system if used for VA research

No Gatecrashers

4. Must be accounted for in a VA property accountability system: 8 Findings / 9 Findings

HIPAA Authorizations must state that treatment, payment, enrollment, or eligibility for benefits cannot be conditioned on the individual:

• Signing the authorization
• Participating in the research
• Not withdrawing from the research
• Not revoking the authorization

Starting at Square One

1. Cannot be conditioned on individual signing (“completing”) the authorization: 8 Findings / 6 Findings

Using identifiable information to recruit subjects for VA research requires the IRB to approve both a waiver of HIPAA authorization and a waiver of informed consent.

• True
• False

House Rules

TRUE: 5 Findings / 6 Findings

Which of the following is a HIPAA identifier?

• Subject X’s date of birth
• Subject Y’s date of medical treatment
• Subject Z’s date of research intervention
• All of the above

A Rose is a Rose is a Rose

4. All of the above: 6 Findings / 5 Findings

VHA Handbook 1605.1, Appendix B §2.b(3):

  All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death.

What’s wrong with the following Privacy Policy statement?

“The facility may use or disclose PHI for research without written authorization from the individual for reviews preparatory to research, provided that the information is being sought solely for purposes preparatory to research or research itself.”

• You need an authorization to use/disclose PHI for reviews preparatory to research
• You need an authorization to use/disclose PHI for research itself
• You need a waiver of authorization for reviews preparatory to research
• Nothing is wrong

Hiding in Plain Sight

2. You need an authorization to use/disclose PHI for research itself: 9 Findings / 12 Findings

How many times did the ORO RIPP team find that the ISO or PO did not conduct a thorough review of the protocols?

• 0
• 4
• 7
• 9

Drill, Baby, Drill

4. 9 Findings / 2 Findings

Cart Before the Horse

The PO and ISO did not provide summary reports on each study to the IRB prior to, or at, the convened IRB meeting at which the study is to be reviewed: 5 Findings

At the current time, local research records may be destroyed…

• Never
• 5 years after the study
• Whenever the data is not needed anymore
• According to FDA or sponsor guidelines, whichever is longer

The Venus Flytrap

1. Never: 7 Findings / 6 Findings

For waivers of HIPAA authorizations, the IRB must document that the use/disclosure of PHI involves no more than minimal risk to the individual’s privacy based on …

“an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise mandated by applicable VA or other Federal requirements.”

VHA Handbook 1200.05 §37.b(3)(a)2

Fantasy Finding

If I had a dollar for every time HIPAA is misspelled…

Health Insurance Portability and Accountability Act = HIPAA


Document info: posted 10/29/2012; 27 pages; language: English