							Research Involving Sensitive
    Data & Databases
     Brenda Cuccherini, Ph.D., MPH
  VA Office of Research & Development
               January 2007


                                        1
            Is This True?


"The more the data banks record about each
  one of us, the less we exist"

                                      Marshall McLuhan
                        Canadian philosopher & educator




                                                      2
       Topics To Be Covered
• Sensitive data
• Database handbook
  – Definitions
  – Data Uses
  – Preparatory to research
  – One time use
  – Data Repositories
    • Long term storage
    • Re-use of data
  – Responsibilities
                              3
  Definition: VA Sensitive Data
           & Information

All Department data which requires
protection due to the risk of harm that
could result from inadvertent or deliberate
disclosure, alteration, or destruction of the
information.
                                VA Handbook 6504
                                     June 7, 2006

                                                4
   Examples of Sensitive Data
• Data when improperly used or disclosed
  could adversely affect the ability of an
  agency to accomplish its mission
• Proprietary information
• Records about individuals requiring
  protection under Privacy Act, HIPAA, or
  other statutes
• Information that can be withheld under
  FOIA
                                             5
     Applicability to Research
• VHA researchers develop, collect, use, share,
  &/or store all categories of sensitive data
• Researchers primarily think about protecting
  subjects’ and patient data and not other data
• Misuse or disclosure of other data may have a
  major impact on:
  – VHA and individual facilities
  – VHA’s ability to care for veterans & conduct research


                                                            6
     Protecting Sensitive Data

•   Careful thought
•   Situational awareness
•   “Universal Precautions”
•   Guidance
•   Policy


                                 7
 Draft policy: Use of Data & Data
     Repositories in Research
(Draft Policy but Good Guidance)




                                    8
A policy is a temporary creed liable to be
changed, but while it holds good it has got
to be pursued with apostolic zeal.

                             Mohandas Gandhi



                                               9
 Scope of Database Handbook
• Applies to all research activities involving the
  use of data and data repositories that are
  conducted in VA approved research, within VHA,
  and/or by VA investigators while on duty.
• VA investigators may be
  – Compensated
  – WOC
  – IPA
• Contractors: similar requirements will be in
  contract/SOW

                                                 10
    Terms Defined for This Discussion
•   Coded data
•   DUA or Data Transfer Agreement
•   Existing data
•   De-identified data




                                     11
    Definition: Coded Data

Information for which the source person
can be identified through intermediate
links (“coded”) used alone or in
combination with other information.




                                          12
   Coded Data & Human Subjects
            Research
• Human subjects research: When individually
  identifiable information (III) is used
   – Individually identifiable information (38 CFR
     16.102(f)): When the investigator can link data to
     specific persons directly or through codes.
• Common Rule definition differs from HIPAA
  definition of Individually Identifiable Health
  Information (IIHI)
   – Example: III=any information including religious
     beliefs; IIHI = physical health, mental health, or
     condition of the individual

                                                          13
     Coded Data: Is It Non-human
        Subjects Research?
• Data not collected specifically for current
  research
• Code not based on the 18 HIPAA identifiers,
  e.g., last 4 digits of SSN, scrambled SSN, initials
• Investigator cannot readily ascertain identity of
  individual
   – Key to code is destroyed or the investigator cannot
     get access to the key
   – Investigator cannot otherwise ascertain the identity of
     the individuals
                                                           14
   Definition: Data Use Agreement
   (Data Transfer Agreement (DTA))
• A written agreement that defines:
   –   What data may be used
   –   How data may be used
   –   How it will be stored and secured
   –   Who may access it
   –   To whom it may be disclosed
   –   Disposition of data after termination of research
   –   Required actions if lost or stolen
• Requirement for DUA
   – HIPAA: when data disclosed outside the covered entity
   – Privacy Handbook (VHA 1605.1): disclosure outside of VHA
• Requirement for DUA or DTA
   – Database HB: any use of data by others


                                                               15
   Definition: Existing Data


Data that have already been collected
when the research proposal is submitted
to a VA reviewing committee




                                          16
   Definition: De-identified Data
De-identified data must meet both the following
definitions:

• HIPAA definition of de-identified
  – Removal of all 18 identifiers that could be used to
    identify the individual, individual’s relatives,
    employers, or household members
• Common Rule “definition” of de-identified
  – Removal of all information that would identify the
    individual or would be used to readily ascertain the
    identity of the individual
                                                           17
DATA AND ITS USES




                    18
           Sources of Data
• Internal sources
  – Austin Automation Service
  – PBM
  – VistAWeb
  – BIRLS
  – Other administrative and clinical databases
  – Research databases
• External sources
• Research subjects
                                                  19
             Uses of Data

• Preparatory to research
• Within a research protocol
  – Without reuse or storage
  – With plans for storage and reuse
• Populate a research data repository



                                        20
     Preparatory to Research
• Access only to prepare protocol prior to
  submission to IRB & R&D committee
• Can record aggregate data for
  background, justify the research, or show
  adequate number of subjects available, etc.
• Cannot:
  – Record identifiers
  – Use information reviewed for recruitment or to
    conduct pilot studies

                                                 21
Preparatory to Research (cont.)

• PI must make representation per HIPAA
  – Access only to prepare protocol
  – No PHI removed from covered entity
  – Access necessary for research
• Documentation of representation placed in
  PI’s files


                                          22
    Use of Data For Research
• Protocol approved by:
  – IRB (if human subjects) & R&D Committee
  – Database administrator or “owner”
• Review by Privacy Officer or other expert
  – To ensure all Privacy Act, HIPAA and security issues
    are addressed
• Use must be consistent with the protocol
• Data cannot be re-used or stored beyond the
  retention period, if not covered in protocol
• Consent and HIPAA Authorization Issues
  addressed, e.g., obtained or waived

                                                       23
RESEARCH DATA REPOSITORIES




                             24
           Data Repository
• Data repository = storage & reuse
• Location:
  – At VA on VA servers
  – Permission required to house elsewhere
• Data sources: any
  – Research or non-research
  – VA or non-VA


                                             25
Creation of Research Repositories
• Structure
  – Administrator or administrative board
  – Advisory committees (science, ethics)
  – Policies & procedures
  – IRB of record for oversight
• Content
  – Identified or de-identified data
• Location: within VA on VA servers unless
  waiver obtained
                                             26
           Repository SOPs
•   Administrative structure
•   Conflict of Interest
•   Adding data to repository
•   Accessing data
•   Record keeping requirements
•   Privacy & confidentiality
•   Storage & security
•   Termination of repository
                                  27
Accessing Data from Repository
• Access by VA investigators
• Specific protocol that has IRB, R&D
  approval
• Protocol must contain required information
  (discussed later)
• DUA or Data Transfer Agreement



                                           28
             Record Keeping
• Sufficient Information to track & understand
  repository activity
  – How/where data obtained
  – Data requests and the associated protocols and
    approvals
  – Communications with the requester
• Administrative activities such as committee
  meeting minutes
• Communications to and from the IRB and R&D
  committee
                                                     29
     Oversight of a Repository
• Annual reporting to the IRB (repository treated
  as a research protocol) and R&D committee
• Report information
  – Source of data being added
  – Type of data released to others including the protocol
    for reuse that contains information on:
     • Confidentiality
     • Storage and security of data
     • Disposition of data at end of study
  – Any unanticipated problems regarding risk to
    subjects, institutions, etc.
  – Any incidents of inadvertent disclosure, loss, or theft
    of data
                                                              30
RESPONSIBILITIES




                   31
   Investigator Responsibilities
• Protocols must contain information on
  – Source of data & type of data (identified, de-
    identified)
  – Consent under which it was collected
  – How the data will be used
  – Planned use of & justification for use of real SSNs
  – Recruitment or re-contact of subjects
  – Storage (where, any copies, who will have access,
    plans to share data)
  – Justification for waiver of authorization or consent
  – Privacy & confidentiality related to data

                                                           32
    Investigator’s Responsibilities
             (Continued)
• If data collected directly from subjects:
   – Consent clearly states:
      • Use of data
      • If reuse allowed
      • Who will have access to data (VA investigators, non-VA
        investigators, drug companies, etc.)
      • Where it will be stored
      • How it will be secured
      • Disposition of data after study
      • Certificate of Confidentiality
   – HIPAA authorization meets all requirements in VHA
     Handbook 1605.1 (more than HIPAA)
                                                                 33
    Investigator’s Responsibilities
             (Continued)
• Data use consistent with protocol
• No re-disclosure of data
• Appropriate training
• When leaving VA, data and all copies left
  at VA
• All other responsibilities per VHA policy


                                              34
Identifiable Data: Special Concerns

•   SSNs – real and scrambled
•   Recruitment of subjects
•   Re-contacting subjects
•   Storage & Security
•   Privacy & Confidentiality – next session



                                               35
Approvals for Research Using Data
       From a Repository
• Who is responsible?
  – The investigator(s) facility’s IRB and R&D
    Committee
• Who is NOT responsible?
  – The IRB and R&D Committee for the facility
    that houses the repository
  – The IRB and R&D Committee for the facility
    from which the data came

                                                 36
        IRB Responsibilities
• Sufficient expertise to review the protocol
• Determining if the project is:
  – Research
  – If yes, is it human subjects research
  – If human subjects, is it exempt from IRB
    review (may still need HIPAA authorization)
• Requiring sufficient information
• All responsibilities under 38 CFR 16
                                                  37
 “Sufficient Information” for IRB
• Source of the data & purpose originally
  collected (non-research, research)
• If research: is the re-use consistent with
  the informed consent & authorization
• If collected for non-research purposes, do
  guidelines under which collected allow re-
  use for research
• Appropriate permissions are obtained to
  access the data
                                               38
 “Sufficient Information” (Cont.)
• Description of the data (de-identified,
  identified, coded)
• Justification for use of identified data
• Coded data: a description of the coding
  scheme and who controls the key
• Use of real SSNs adequately justified
• Confidentiality and privacy issues
  addressed
• Recruiting or re-contacting subjects
                                             39
 “Sufficient Information” (Cont.)
• Major issue: Will the data be safe?
  – Storage
  – Security
  – Transportation or transmission
  – Copies of data (location, media)
  – Access (VA and non-VA persons)
  – Disposition of data at end of study
    (destruction, storage, etc.)
• Risks (subjects, institution, system)
                                          40
     Recruiting from Databases:
        IRB Considerations
• Must have IRB and R&D Committee approvals
• May not represent minimal risk
• Minimal risk if
  – Investigator is subject’s health care provider (HCP)
  – Initial contact from subject’s HCP
  – Initial approach is general (not disease specific or
    address sensitive issues)
  – Initial contact in person or by mail
• Minimal concerns if person has agreed to be
  contacted

                                                           41
  R&D Committee Responsibilities
• Sufficient expertise to review science
• Receive & review “sufficient information” as
  described for IRB
• Review findings of the IRB
• If facility does not hold an FWA:
  – Determine if it is research
  – If research, determine if it is human subjects research
  – If any questions regarding this determination, develop
    procedures for consultation with human subjects
    experts

                                                          42
      Responsibilities of Others
• Local P&P must be developed to ensure
  compliance with applicable VA & VHA policies
• Identify knowledgeable person(s)
  –   Privacy Officer
  –   IRB administrator
  –   Research compliance officer
  –   Data repository administrator
• Additional training of “knowledgeable persons”
  may be required
  – Role: to serve as final check for privacy & security
    issues
                                                           43
          Just a Thought…
“Big Brother in the form of an increasingly
powerful government and in an increasingly
powerful private sector will pile the records high
with reasons why privacy should give way to
national security, to law and order, to efficiency
of operation, to scientific advancement and the
like.”

                                      William O. Douglas
                                       Associate Justice
                                     U.S. Supreme Court
                                        From 1939-1975

                                                      44
A prudent question is one-half of wisdom.

                                    Francis Bacon




                                               45
“To care for him who shall have borne the battle and for
  his widow and his orphan.”
                                           Abraham Lincoln’s
                                           Second Inaugural Address
                                                             46

						