Definitions by chenshu


Tissue Banks & Data
October 2007
Helpful Definitions
Definition: VA Sensitive Data & Information

All Department data on any storage media, or
any form, or format which requires protection
due to the risk of harm that could result from
inadvertent or deliberate disclosure,
alteration, or destruction of the information.
                                 VA Handbook 6500
                                     Sept. 18, 2007
        Definition: Sensitive Personal
               Information (SPI)
• Any information about the individual maintained by an agency,
    –   Education
    –   Financial transactions
    –   Medical history
    –   Criminal or employment history

• AND can be used to distinguish or trace the individual’s identity
    –   Name
    –   SSN
    –   DOB
    –   Mother’s maiden name
    –   Biometric records
                                                 VA Handbook 6500
                                                 Sept. 18, 2007
    Definition: VA Data or VA

Information owned or in the possession of
VA or any entity acting for or on the behalf
of VA

                               VA Handbook 6500
                                   Sept. 18, 2007
    De-identified data is health or other information
    about an individual that:

•   Does not contain any of the 18 HIPAA identifiers
•   Is de-identified according to the Common Rule

    Coded information is not considered de-
    identified if the tissue bank or data
    coordinating center has access to the
HIPAA “Identifiers”: Remove All 18 to De-identify for HIPAA
(1) Names
(2) All geographic subdivisions smaller than a state, except
    for the initial three digits of the zip code if the
    geographic unit formed by combining all zip codes with
    the same three initial digits contains more than
    20,000 people
(3) All elements of dates except year and all ages over 89
(4) Telephone numbers
(5) Fax numbers
(6) E-mail addresses
(7) Social security numbers
(8) Medical record numbers
(9)    Health plan beneficiary numbers
(10)   Account numbers
(11)   Certificate or license numbers
(12)   Vehicle identifiers and license plate numbers
(13)   Device identifiers and serial numbers
(14)   URLs
(15)   IP addresses
(16)   Biometric identifiers
(17)   Full-face photographs and any comparable
(18) Any other unique identifying number, characteristic
     or code, unless otherwise permitted by the Privacy
     Rule for re-identification
        •   Scrambled SSNs
        •   Initials
        •   Last four digits of SSN
        •   Employee numbers
        •   Etc.

(“19”) A caveat: HIPAA also states that the entity does not have actual
       knowledge that the [remaining] information could be used alone
       or in combination with other information to identify an individual
       who is the subject of the information

        •   Even if you strip all 18 identifiers, the data still may not be de-identified
Tissue Banking
         Banked Specimens
• Specimens may not be banked at a non-
  academic, for-profit institution.
• Specimens must be labeled with a code
  that does not contain any of the 18 HIPAA
• The key to the code must be maintained at
  the VA unless there is a compelling reason
        On-Site Tissue Banks

• A tissue bank established at a VA site by a
  VA-paid investigator does not require ORD

• The ACOS/R or research office should
  maintain records of all tissue banks within
  the facility.
  On-Site Tissue Banks (cont’d)
• If a VA site does not have the resources to
  bank specimens may be banked
  – At any VA site with an established tissue bank
  – At the Massachusetts Veterans Epidemiology
    Research and Information Center (MAVERIC)
    core laboratory at the Boston VA.
     • Cooperative Studies Program (CSP) Genetic
       Tissue Core Laboratory
• Either option is considered on-site banking
        Off-Site Tissue Banks
• A waiver from ORD
• Off-site tissue banks are approved on a per
  protocol basis only
• Exception: National Cancer Institute (NCI)-
  sponsored cooperative tissue banks listed on
  the next slide
  – Letter of understanding with the NCI
  – These banks are designated as VA-approved if they
    are used for one of their protocols.
  – Example: SWOG-supported tissue bank can be used
    for SWOG protocols without ORD approval.
                 NCI Tissue Banks
• Clinical Trials Cooperative Groups Tissue Resources,
  which include
    –   American College of Surgeons Oncology Group (ACOSOG)
    –   Cancer and Leukemia Group B (CALGB)
    –   Eastern Cooperative Oncology Group (ECOG)
    –   Gynecologic Oncology Group (GOG)
    –   North Central Cancer Treatment Group (NCCTG)
    –   National Surgical Adjuvant Breast and Bowel Project (NSABP)
    –   Radiation Therapy Oncology Group (RTOG)
    –   Southwest Oncology Group (SWOG)
•   Cooperative Breast Cancer Tissue Resource
•   Cooperative Human Tissue Network
•   Gynecologic Oncology Group Tissue Network
•   Cancer Prevention Network
 Data Related to Banked Specimens

• If data linked to the sample leave the VA,
  then they must be de-identified or stored in
  a database that is encrypted according to
  FIPS 140-2 standards.

• See VA Handbook 6500 “Information
  Security Program” for additional
         Non-Banked Specimens
         Stored at Non-Academic
             For-Profit Sites
• If held for greater than 90 days, then a waiver
  must be obtained from ORD.
• Only analyses/tests listed in the protocol and
  informed consent may be performed.
• The code must be maintained at the VAMC.
• All specimens and associated data must be de-
• DNA and RNA may not be analyzed
• The company must inform the PI in writing when
  samples are destroyed.
       Non-Banked Specimens
       Stored at Non-Academic
       For-Profit Sites (cont’d)
• HIPAA authorization must expire.
• Case reports may not contain initials if they
  leave VA.
• Specimens must be destroyed upon request of
  the subject.
• Before company personnel may view files at the
  VA, they must complete VA security and privacy
• Specimens must be destroyed within 1 year of
  the study completion date.
            Application Process
• The investigator must complete VA form 10-
  – This is a pdf form that can be filled in and saved using
    Acrobat Reader version 7 or higher
• The information requested on page 5 of the
  application can be scanned and attached to the
  pdf or to the e-mail.
  –   Biographical sketch of the PI
  –   Research protocol
  –   Tissue bank manual or SOPs
  –   VA consent form
   Application Process (cont’d)
• The application should be e-mailed to
  Marilyn Mason (
  The ACOS/R must be carbon copied
• The form and requested information can
  be mailed to the address given on the
   Application Process (cont’d)
• It generally takes ORD 2 weeks to
  process the application.
  – Longer if a large number of applications are
    received in a short time period
• After it is reviewed
  – PI and ACOS/R will receive a memo listing
    any issues found with the application
  – Frequently, the informed consent needs to be
             Multi-Site Trials
• If several VAMCs are planning to
  participate in the same clinical trial
  – Only one of the VA sites needs to apply for a
• A list of multi-site clinical trials in which
  more than one VAMC is participating is
  posted on the VA R&D web site.

(Depositing & Reusing of Data)
           Data Repository
• Data repository = storage & reuse
• Location:
  – At VA on VA servers
  – Permission required to house elsewhere
• Data sources: any
  – Research or non-research
  – VA or non-VA
Creation of Research Repositories
• Structure
  – Administrator or administrative board
  – Advisory committees (science, ethics)
  – Policies & procedures
  – IRB of record for oversight
• Content
  – Identified or de-identified data
• Location: within VA on VA servers unless
  waiver obtained
           Repository SOPs
•   Administrative structure
•   Conflict of Interest
•   Adding data to repository
•   Accessing data
•   Record keeping requirements
•   Privacy & confidentiality
•   Storage & security
•   Termination of repository
Accessing Data from Repository
• Access by VA investigators
• Specific protocol that has IRB, R&D
• Protocol must contain required information
  (discussed later)
• DUA or Data Transfer Agreement
             Record Keeping
• Sufficient Information to track & understand
  repository activity
  – How/where data obtained
  – Data requests and the associated protocols and
  – Communications with the requester
• Administrative activities such as committee
  meeting minutes
• Communications to and from the IRB and R&D
     Oversight of a Repository
• Annual reporting to the IRB (repository treated
  as a research protocol) and R&D committee
• Report information
  – Source of data being added
  – Type of data released to others including the protocol
    for reuse that contains information on:
     • Confidentiality
     • Storage and security of data
     • Disposition of data at end of study
  – Any unanticipated problems regarding risk to
    subjects, institutions, etc.
  – Any incidents of inadvertent disclosure, loss, or theft
    of data
Impact of New Policies on the
Investigator, the IRB, and the
       R&D Committee
              The Protocol
• Must contain specific information on:
  – Recruitment plan
  – Justification for use of identifiers
  – In depth privacy & security plan
  – Discussion of “Flow of data through its
  – Security plan
• If future use of data is planned
  Protocol: Database Research
• Protocols must contain information on
  – Source of data & type of data (identified, de-
  – Consent under which it was collected
  – How the data will be used
  – Planned use of & justification for use of real
  – Justification for waiver of authorization and/or
           Research Consents
• If data collected directly from subjects:
   – Consent clearly states:
      • Use of data
      • If reuse allowed
      • Who will have access to data (VA investigators, non-VA
        investigators, drug companies, etc.)
      • Where they will be stored (VA, non-VA)
      • How they will be secured
      • Disposition of data after study
      • Certificate of Confidentiality
   – HIPAA authorization meets all requirements in VHA
     Handbook 1605.1 (more than HIPAA)
  Investigator’s Responsibilities

• Protocol contains all required information
• Ensure data storage & security meets all
  VA requirements
• Data use consistent with protocol
• No re-disclosure of data
• When leaving VA, data and all copies left
  at VA
     IRB and R&D Committee

• Must carefully review discussion of:
  – Privacy
  – Flow of data
  – Security
  – Plans for re-use or placement in repository
Approvals for Research Using Data
       From a Repository
• Who is responsible?
  – The investigator’s facility’s IRB and R&D
• Who is NOT responsible?
  – The IRB and R&D Committee for the facility
    that houses the repository
  – The IRB and R&D Committee for the facility
    from which the data came
Lessons Learned
 What We Learned: Loss of Data

• Report it immediately!
  – OMB requires reporting within 1 hour
  – Real or suspected loss
• Do not underestimate the amount of data
  or what identifiers are included
• Inventory data on portable media
       What We Learned: Security
• Ensure physical space security
   – Review by VA police & ISO
• Ensure proper information security controls
   –   Do not remove data from VA without appropriate permissions
   –   Maintain data on VA server
   –   Limit number of copies & copies with identifiers
   –   Encryption of portable media
• Position sensitivity levels are appropriate
   – Different levels have different background checks & re-checks
   – Suitability issues arise after initial employment
        • Untoward event
        • Change in duties (greater access or administrator rights)
             What We Learned:
             Access to Data (1)
• Inappropriate access to multiple data sources
• Storing large amounts of data without IRB
  permission or not in formal repository
• Programmer level access without sufficient
• Receipt of unauthorized data files
  – Report immediately
  – Return immediately if on portable media
  – ISO to assist with deleting data if on hard drive or
              What We Learned:
              Access to Data (2)
• IRB must be aware of what data will be used
  prior to approving protocol
• Data steward: release minimum necessary data
• Access with applicable permissions to
  –   Austin Automation Center
  –   VistaWeb
  –   VISN Data Warehouses
  –   Medicare data
• Use of data consistent with protocol
            What We Learned:
            Supervisory Control
• Supervisory management
  – Direct assessment of staff at intervals
  – Be aware of active protocols, data collections,
    security, portable media
• Appropriate management structure
• MCD and ACOS responsibility & line authority
  over all research
  – Investigator initiated
  – Drug company
  – Centers and Reaps
• R&D Committee responsible for oversight of
  research programs
             What We Learned:
            Miscellaneous Issues
• E-mails
  – VA e-mail address for official VA communications
  – Cannot automatically forward from your VA e-mail
• Periodic audit for compliance
  –   Privacy & confidentiality protections
  –   Information security requirements
  –   HIPAA authorization or waiver of authorization
  –   Protocol requirements & only what the IRB approved
• Appointing of ISO & Privacy Officer to IRB or
  R&D Committee
        A Changing Climate
• Cannot remove data without permissions
• Store data on VA servers
• Must encrypt portable media containing
  VA sensitive information
• Working copies require same level of
  security as originals
  – Destroy copies when no longer needed
• Sensitive data must always be controlled
• Know all applicable policies & guidance
