Data Security Checklist for Principal Investigators by edk10782


									                                         VA Maryland Health Care System
                                 Data Protection Checklist for Research Protocols
 DATE                   Name of Protocol                                                                      Protocol Number


 Name of PI                           PI Telephone number and Email address


                                      ISO Name, Email address and phone: Lucy M. Fleming,     lucy.fleming@va.gov,   410-605-7141
 ISO and PO Contacts:
                                      Privacy Officer Name, Email Address and phone: Janice H. Crosby,   Janice.crosby@va.gov,   410-605-7328


To check boxes electronically, double click the boxes. The dialogue box will allow you to change the value to Checked.

#       YES        NO        N/A                                                   Submission Type

1                                     This submission is for annual review, amendment or update only. There are no changes to
                                      information security or privacy. If yes, skip to the Confirmation of Principal Investigator section.

#       YES        NO        N/A                                     Information Security Requirements
2                                     Only paper documents will be maintained in conjunction with this protocol.


3                                     All electronic VA sensitive research information and all copies will be used and stored behind the
                                      VA firewall.

4                                     Only non-sensitive, non-identifiable VA data will be stored on a non-VA device.


5                                     Permission to remove the data has been obtained from 1) your immediate supervisor, 2) your
                                      ACOS/R&D, 3) the VA Information Security Officer (ISO), and 4) the Chief Information Officer
                                      (CIO).

6                                     Procedures for reporting theft or loss of sensitive data, or of media (such as a laptop) containing
                                      sensitive data, are in place and familiar to the researcher and all others who have access to use,
                                      store, or transport the data.

7                                     A VA property pass for portable government furnished equipment has been obtained.


8                                     VA furnished laptops or other portable media devices will be VA encrypted and VA password
                                      protected. NOTE: Contact the VA ISO at your facility for encryption issues.

9                                     VA sensitive data will be transmitted only as attachments to protected e-mail messages (PKI).

10                                    Electronic data sent via regular mail or delivery service will be encrypted. NOTE: It is
                                      preferable to send data by a delivery service where there is a “chain of custody.”

11                                    For VA data that will reside on a non-VA server, the server has been certified and accredited as
                                      required by Federal Information and Security Management Act (FISMA) of 2002 or a
                                      signed/approved ISA/MOU with the organization is in place or the device is encrypted. Your
                                      facility ISO may be consulted.

12                                    For VA data that will reside on a non-VA server, the data will be backed up on a regular basis.




Version 1.2 / 012609                                                                                                                        Page 1 of 3
                                                                                                             Protocol # ______________

#      YES       NO     N/A                              Information Privacy Requirements
13                            Does the study have adequate provisions to protect the privacy interest and confidentiality of
                              data?

14                            Does the signed IRB letter include the approved: consent form, HIPAA authorization, or HIPAA
                              waiver (as applicable)?

15                            Names, addresses, and social security numbers (real & scrambled) have been replaced with a
                              code. NOTE: Names, addresses, & social security numbers (real or scrambled) may only be
                              maintained on a VA server and documentation of the procedure by which the data were coded
                              must remain in the VA.

16                            Is there a plan to protect the identifiers from improper use and disclosure?


17                            Is it clearly documented that the release of data will be performed in accordance with VHA
                              regulations and policies?


18   Please     reply   →     How long will the data be kept and how will it be returned/destroyed?
                              Note: Research data documented in CPRS will be maintained at least 75 years after last activity
                              in accordance with VA policy.

19                            Does the protocol use identifiable information? If so, are there provisions to destroy the
                              identifiable data once it is no longer needed?


20                            Will protected health information be used for recruitment, i.e. will names and addresses be
                              provided prior to the participant signing the HIPAA authorization? If no, proceed to Confirmation
                              of Principal Investigator section.

21                            Is the Request for Waiver or partial waiver of HIPAA Authorization attached?

22                            Is there an IRB Approval for Waiver or partial waiver of HIPAA Authorization?

                              In accordance with 38 USC 7332 (applicable to Drug Abuse, Alcohol Abuse, HIV Infection and
                              Sickle Cell Anemia Records) the PI must provide assurance in writing that the purpose of the
                              data is to conduct scientific research and that no personnel involved in the study may identify,
                              directly or indirectly, any individual subject in any report of such research or otherwise disclose
                              patient or subject identities in any manner.

23                            Is the IRB Approval of Waiver or partial waiver of Authorization dated?

24                            Does the protocol include a statement of data use and of disclosure that identifies who will
                              have access to the data?








                               CONFIRMATION OF PRINCIPAL INVESTIGATOR

I confirm that I have reviewed the above requirements and accurately responded to each. I will refer privacy
and data security questions to the above named Privacy Officer or Information Security Officer respectively.



Principal Investigator Signature:                                                                                Date:




                           ISO ACCEPTANCE / REQUEST FOR MORE INFORMATION


   I have reviewed the research protocol and confirm that data security protections are adequate and the research is in
compliance with VA data security requirements.


     I have reviewed the research protocol and find that data security protections are not adequate and recommend the following
actions in order for the research to be in compliance with VA data security requirements.



Information Security Officer Signature:                                                                          Date:




                           PO ACCEPTANCE / REQUEST FOR MORE INFORMATION


    I have reviewed the research protocol and confirm that privacy protections are adequate and the research is in compliance with
VA privacy requirements.


     I have reviewed the research protocol and find that privacy protections are not adequate and recommend the following actions
in order for the research to be in compliance with VA privacy requirements.



Privacy Officer Signature:                                                                                        Date:



