
Page 1

HCCA Research Compliance Conference June 5‐8, 2016

A Call for Action: Examining Why IRB Review so Frequently Fails to Protect the Privacy of Human Subject Data and How IRBs and Researchers Can Build Meaningful Privacy and Security Controls into Human Subject Research

DAVID BEHINFAR, JD, LLM, CHC, CHRC, CCEP, HCISPP, CIPP/US HIPAA Privacy Officer, University of Wisconsin-Madison

KATHERINE GEORGER, JD, CHC, CIPP/US Privacy Officer & Director of Regulatory Affairs, WPS Health Insurance

DISCLAIMER

This presentation, like other research compliance education materials, is designed to provide general information on pertinent legal and regulatory topics. The statements made as part of the presentation are provided for educational purposes only. They do not constitute legal advice, nor do they necessarily reflect the views of anyone other than the speakers, including our employers. Although we are attorneys, this presentation is not intended to create an attorney-client relationship with you. If you have specific questions as to the application of law to your activities, you should seek the advice of your legal counsel.

OUTLINE

• Privacy Foundations in Research
• Understanding Healthcare Privacy Breaches & Harm
• OCR’s Recent Enforcement Action Validating that Research Institutions Must Protect Subject Privacy
• Inherent Problems in AMCs preventing Privacy and Security Reviews by the IRB
• Conducting a HIPAA Risk Analysis
• Risk Analysis Modified to Apply to Research: Performing a Privacy & Security Risk Analysis in the context of a Research Protocol Review

Page 2

PRIVACY FOUNDATIONS IN RESEARCH

AN EXAMINATION OF THE FOUNDING PRINCIPLES/LAWS GOVERNING HUMAN SUBJECT RESEARCH AND THE ANALYSIS OF SUBJECT RIGHTS TO PRIVACY EMBEDDED WITHIN

THINK OF THE US CONSTITUTION

Drafted in the late 1700s . . . but still applies today in 2016. How can this be possible? We take the principles expressed in the Constitution and update them for today’s social, economic and technological environment.

WE NEED TO FOLLOW THE SAME EXERCISE IN RESEARCH

Founding Principles in Research consist of:
• Belmont Report
• Common Rule
• Nuremberg Code
• Declaration of Helsinki

All of these were written and developed BEFORE:
• Modern computers, laptops, smartphones, tablets
• The Internet
• Electronic medical records

Page 3

BELMONT REPORT (1979)

1. Respect for persons:
• Protect the autonomy of all persons
• Treat all individuals with dignity and respect
• Provide human subjects with informed consent
• Researchers must be truthful and conduct no deception

2. Beneficence: “Do no harm”
• Maximize benefits to the project, while minimizing risks to human subjects

3. Justice:
• Administer fair, reasonable, non-exploitive procedures
• Equal distribution of costs and benefits to potential participants

[Diagram: Respect for Persons, Beneficence and Justice surrounding Human Subjects]

COMMON RULE (1991)

45 CFR §46.111(a) Criteria for IRB approval of research.

(1) Risks to subjects are minimized: (i) By using procedures which are consistent with sound research design and which do not unnecessarily expose subjects to risk, and (ii) whenever appropriate, by using procedures already being performed on the subjects for diagnostic or treatment purposes.

(2) Risks to subjects are reasonable in relation to anticipated benefits, if any, to subjects, and the importance of the knowledge that may reasonably be expected to result…

(3) Selection of subjects is equitable. In making this assessment the IRB should take into account the purposes of the research and the setting in which the research will be conducted and should be particularly cognizant of the special problems of research involving vulnerable populations, such as children, prisoners, pregnant women, mentally disabled persons, or economically or educationally disadvantaged persons.

(4) Informed consent will be sought from each prospective subject or the subject's legally authorized representative, in accordance with, and to the extent required by §46.116.

(5) Informed consent will be appropriately documented, in accordance with, and to the extent required by 45 CFR §46.117.

(6) When appropriate, the research plan makes adequate provision for monitoring the data collected to ensure the safety of subjects.

(7) When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.

(b) When some or all of the subjects are likely to be vulnerable to coercion or undue influence, such as children, prisoners, pregnant women, mentally disabled persons, or economically or educationally disadvantaged persons, additional safeguards have been included in the study to protect the rights and welfare of these subjects.

NUREMBERG CODE (1947)

Human beings must be given the following:

Voluntary, informed consent from research participants

No coercion to participate in research

Only properly trained scientists should carry out research

Any risks must be outweighed by the humanitarian benefits of the research

Research should be designed to minimize risk and suffering

Participants can end the experiment at any time; researchers must stop the research if it becomes apparent that the outcomes are clearly harmful

Page 4

DECLARATION OF HELSINKI (1964)

8. While the primary purpose of medical research is to generate new knowledge, this goal can never take precedence over the rights and interests of individual research subjects.

9. It is the duty of physicians who are involved in medical research to protect the life, health, dignity, integrity, right to self-determination, privacy, and confidentiality of personal information of research subjects. The responsibility for the protection of research subjects must always rest with the physician or other health care professionals and never with the research subjects, even though they have given consent.

16. In medical practice and in medical research, most interventions involve risks and burdens. Medical research involving human subjects may only be conducted if the importance of the objective outweighs the risks and burdens to the research subjects.

24. Every precaution must be taken to protect the privacy of research subjects and the confidentiality of their personal information.

MODERN INTERPRETATION OF ESTABLISHED RESEARCH PRINCIPLES

COMMON THEME
• Minimizing harm and risks
• Respect for subject autonomy and independence
• Treating individuals with dignity and respect

Apply these principles to the digital age of the 21st century, where sensitive medical information is in electronic format.

CONCLUSION
The privacy rights of subjects were already well established in existing research principles even before HIPAA.

PRIVACY IS NOT JUST ABOUT HIPAA, IT’S ALSO ABOUT THE IRB

The Privacy rights of a human research subject are not the sole concern of the HIPAA Privacy Officer

Modern Human Subject Research is founded on common principles, including a fundamental basis for protecting the privacy rights of subjects

The IRB must take primary responsibility for ensuring that a subject’s privacy rights are adequately protected

Page 5

HIPAA PRIVACY RULE & RESEARCH

Risks of a data breach in clinical settings are analogous to risks of a data breach within research settings:

• Human subjects research is concerned with confidentiality risks associated with the research: the right to be free from unauthorized release of information that the individual has disclosed in a relationship of trust, with the expectation that it will not be disclosed to others without permission.

• The HIPAA Privacy Rule is broadly concerned with the risk to the subject's privacy associated with the use and disclosure of the subject's PHI. Underlying both is an understanding between participant and investigator (as set forth in the consent and authorization documents) as to how participant information will be handled, managed and disclosed to others as part of the research.

• Respect for persons—researchers actively protect privacy (HIPAA authorizations or waivers of authorization) and use appropriate privacy and security measures (data security safeguards) to avoid breaching participant confidentiality.

• Beneficence—use of private information justified by benefit of research and minimizing harm from research, including intrusion into privacy and breaches of confidentiality

• Justice—balance description of risks of breach of confidentiality with the measures you will take to prevent breach

UNDERSTANDING HEALTHCARE PRIVACY BREACHES & HARM

TO APPRECIATE THE IMPORTANCE OF PROTECTING THE PRIVACY RIGHTS OF HUMAN SUBJECTS IT IS CRITICAL THAT RESEARCHERS AND THE IRB UNDERSTAND THE POTENTIAL HARM SUBJECTS MAY FACE IN THE EVENT OF A BREACH

APPRECIATING HARM RESULTING FROM PRIVACY BREACHES

Year over year = increasing frequency of medical record thefts and identity theft

Value of medical records:
• Stolen patient health records can earn as much as $363 per record (Ponemon Institute)
• Records that include a Medicare number, name, birth date, social security numbers, policy numbers and billing numbers can sell for close to $500 a record

Intended use by criminals: open multiple credit lines; create fake IDs; purchase medical equipment or pharmaceuticals that can be resold at a profit; and defraud insurance companies.

Page 6

IDENTITY THEFT CAN GO UNDETECTED FOR MANY YEARS

Unlike credit card fraud, which usually manifests within days and can be shut down quickly, identity theft can go undetected for months or even years, especially if children are involved.

“Security consultant Frank Abagnale, who inspired the movie Catch Me If You Can, said an identity thief would rather have the Social Security number of an elementary school student with no money than a middle-aged person worth millions.

"They will always take the child over the adult," Abagnale told NBC News. "And the younger the child is the better, because they have longer to use that identity before someone finds out."

All too often, this fraud is not detected until the child reaches legal age and applies for a student loan or tries to get a credit card. By that time, their credit history is ruined and it could take years to undo the damage.”

http://www.nbcnews.com/business/personal-finance/millions-children-exposed-id-theft-through-anthem-breach-n308116

INDUSTRY RESEARCH INDICATES INCREASING INSTANCES OF MEDICAL IDENTITY THEFT

Incidents of medical identity theft in 2014 saw almost 500,000 people fall victim to sham companies committing insurance fraud, or impostors seeking free medical care, according to a 2015 report released by the Ponemon Institute. http://medidfraud.org/2014-fifth-annual-study-on-medical-identity-theft/


“Dude! I can’t believe I failed that drug test . . . someone must have stolen my identity and taken that drug test pretending to be me!”

According to the report, resolving incidents of identity theft cost victims an average of $13,500 in expenses, such as paying medical bills racked up in their name or legal fees. In 19 percent of cases reviewed by the researchers, the victims said erroneous information added to their medical records by an impostor, like a positive drug test, cost them career opportunities. http://medidfraud.org/2014-fifth-annual-study-on-medical-identity-theft

Page 7

EXPERIAN DATA BREACH REPORTS SUGGEST HEALTHCARE BREACHES WILL CONTINUE TO RISE

Experian singles out healthcare as one industry ripe for more havoc with its data, noting that the "expanding number of access points" to protected health information via electronic health records – coupled with the increasing popularity of wearable wellness technology – makes healthcare a "vulnerable and attractive target for cybercriminals."

Indeed, say Experian officials, "several factors suggest the healthcare industry will continue to be plagued with data breach headlines."

http://www.experian.com/assets/data-breach/white-papers/2015-industry-forecast-experian.pdf

THE THREAT IS REAL AND CRIMINALS ARE ACTIVELY SEEKING MEDICAL RECORDS

“The healthcare industry is being hunted and hacked by the elite financial criminal syndicates that had been targeting large financial institutions until they realized health-care databases are more valuable,” said Tom Kellermann, chief cybersecurity officer at Trend Micro Inc. http://www.bloomberg.com/news/articles/2015-05-07/rising-cyber-attacks-costing-health-system-6-billion-annually

Medical records, which often contain Social Security numbers, insurance IDs, addresses and medical details, sell for as much as 20 times the price of a stolen credit-card number, according to Dell SecureWorks, a unit of Dell Inc.

http://www.experian.com/assets/data-breach/white-papers/2015-industry-forecast-experian.pdf

HOW DOES THE STOLEN DATA GET EXCHANGED?

Data is resold on private forums that specialize in selling stolen credit cards or Social Security numbers, or on the dark web, where users’ identities are hidden and transactions are done anonymously in Bitcoins, said Patrick Peterson, chief executive officer of data security firm Agari Data Inc. http://www.bloomberg.com/news/articles/2015-05-07/rising-cyber-attacks-costing-health-system-6-billion-annually

Page 8

KEEP IN MIND THOUGH, CRIMINAL ATTACKS AREN’T THE ONLY CAUSE OF HARM

Subjects can be harmed by any loss of data (lost laptop, paper, smartphone) that results in a breach. Harm occurs when a subject does not know if or when the information may be used by whoever might find it – this can last a lifetime.

Existing laws do not sufficiently compensate for the potential of future harm (1 year of credit monitoring does not erase electronic data – once it is out there, it is out there for good). So the harm is persistent.

Mental anguish is generally not compensated in the event of a breach with no evidence of misuse, so affected individuals often fail to reach closure when receiving breach notices.

OCR ENFORCEMENT ACTION VALIDATES THAT RESEARCH INSTITUTIONS MUST PROTECT SUBJECT PRIVACY

OCR’S RECENT ENFORCEMENT ACTION AGAINST A RESEARCH INSTITUTION

On March 17, 2016, the Feinstein Institute for Medical Research (a biomedical research institute) agreed to pay $3.9 million to settle potential violations and to enter into a corrective action plan.

On September 2, 2012, an unencrypted laptop computer containing the data of approximately 13,000 patients and research participants was stolen from an employee’s car.

The ePHI stored on the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.

Page 9

OCR’S SPECIFIC FINDINGS AGAINST THE RESEARCH INSTITUTION:

• Security management process insufficient (limited in scope, incomplete, was ill equipped to address risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the entity).

• Lack of policies and procedures for authorizing access to ePHI by its workforce members.

• Failed to implement safeguards to restrict access to unauthorized users.

• Lacked policies & procedures to govern receipt and removal of laptops that contained ePHI into and out of its facilities.

IMPORTANT IMPLICATIONS OF OCR’S RECENT SETTLEMENT WITH A RESEARCH INSTITUTION:

OCR Director Jocelyn Samuels offered this cautionary warning: “Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities…For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.” (OCR Press Release, March 17, 2016)

http://www.hhs.gov/about/news/2016/03/17/improper-disclosure-research-participants-protected-health-information-results-in-hipaa-settlement.html

INHERENT PROBLEMS IN ACADEMIC MEDICAL CENTERS

Page 10

ROADBLOCKS IN AMCS THAT DERAIL DATA PROTECTION EFFORTS IN RESEARCH

A. An IRB at an academic medical center is dependent on a robust information privacy program at the University/Hospital/School of Medicine

B. Lack of resources (budget/funding issues at most higher education institutions)

C. Institutional politics that foster protectionism for the IRB

D. Lack of information privacy and security expertise at the IRB. How many IRBs allow/invite information privacy and/or security personnel a seat at the table?

FIRST STEP: CONDUCTING A HIPAA RISK ANALYSIS

CONSIDER WHETHER A HIPAA RISK ANALYSIS MIGHT OFFER SOME INSIGHT INTO HOW PRIVACY AND SECURITY CONTROLS MIGHT BE EVALUATED IN HUMAN SUBJECT RESEARCH

HIPAA RISK ANALYSIS AND ITS RELEVANCE IN RESEARCH

Can a HIPAA Risk Analysis, as it is discussed in the HIPAA Security Rule in the context of its application to the Covered Entity as a whole, offer any insight into how an IRB might review information privacy and security controls in the context of reviewing an IRB application for human subjects research?

Page 11

WELL, LET’S FIRST START OFF WITH ANSWERING THIS QUESTION: WHAT IS A HIPAA RISK ANALYSIS?

In a risk analysis the organization will conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.

OCR ENFORCEMENT - FOCUS ON RISK ANALYSIS

Feinstein Institute for Medical Research (stolen unencrypted laptop, 13,000 subjects): failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. $3.9 million (3-17-16)

North Memorial Healthcare (unencrypted laptops stolen from vendor): failed to institute an organization-wide risk analysis to address risks and vulnerabilities to its patient information. $1.55 million (3-16-16)

Lahey Medical Center has received OCR fines for widespread HIPAA violations (stolen laptop with 599 patients’ information, on a stand with a portable CT scanner). Failure to conduct a thorough risk analysis. $850,000 (11/25/2015)

UW Medicine: failure to implement policies to prevent, detect, contain, and correct security violations. An employee downloaded an email containing malware, affecting 90,000 individuals/patients who had their ePHI accessed. Underscores the need for an organization-wide risk analysis. $750,000 (12/14/2015)

Triple S Management Corporation (insurance company, multiple violations): failure to conduct an accurate and thorough risk analysis is cited by OCR as a reason for the fine. $3.5 million (11/30/2015)

Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the HIPAA Security Rule.

The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard.

http://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html

A Risk Analysis is a legal requirement for covered entities

Page 12

ELEMENTS OF A RISK ANALYSIS

There are numerous methods of performing risk analysis and there is no single method or “best practice”.

• Scope of the Analysis: includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits.
• Identify and Document Potential Threats: organizations must identify and document reasonably anticipated threats to e-PHI.
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine the Potential Impact of Threat Occurrence
• Determine the Level of Risk

The Key is Documenting the Risk Analysis

CONTEXT FOR CONSIDERING A RISK ANALYSIS: UNDERSTANDING THE DATA LIFE CYCLE FOR EPHI

[Cycle diagram] Collection or creation of ePHI → Storing ePHI → Using / analyzing ePHI → Releasing / transmitting ePHI → Archiving ePHI → Destroying ePHI

HIPAA RISK ANALYSIS

The results of the Risk Analysis drive the HIPAA Privacy and Security Program. The outcome of the risk analysis process will drive the institution’s information privacy and security compliance framework, including:

• Identify what data to back up and how. (45 C.F.R. § 164.308(a)(7)(ii)(A).)
• Decide whether and how to use encryption. (45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).)
• Determine the appropriate manner for protecting health information transmissions. (45 C.F.R. § 164.312(e)(1).)

Page 13

HIPAA RISK ANALYSIS – THE FINAL STAGE

Finalize Documentation of Analysis and Issue Final Report (often performed by an outside third party)

Build a workplan to address the organization’s decisions to eliminate, reduce/mitigate, accept and/or transfer risk (may be a multi-year plan; 3 - 5 years is common)

SO WHY NOT JUST PERFORM A RISK ANALYSIS FOR RESEARCH IN THE SAME MANNER IT IS PERFORMED ELSEWHERE THROUGHOUT THE COVERED ENTITY?

PROBLEM: You can’t exactly perform a single risk analysis in research. It’s not like an electronic medical record system where you can analyze the privacy and security controls of the system. Research is protocol specific, and the systems, devices, modes of transmission, authorized users and nature and extent of PHI are dynamic and ever changing and are specific to each research proposal. IRB applications for human subjects research often create a unique set of circumstances that are very different from one research protocol to another.

THE SOLUTION!

Create an ongoing risk analysis process for human subjects research involving PHI.

Page 14

SOME ADJUSTMENTS WILL NEED TO OCCUR TO PERMIT YOU TO CONDUCT A RISK ASSESSMENT IN A RESEARCH CONTEXT

Institution: Conduct one single comprehensive risk analysis
Research: Build a process for continuous and ongoing analyses

Institution: Massive, intense project
Research: Lean and efficient

Institution: Develop guidance on controls for implementation in one or more systems
Research: Develop ongoing guidance produced in a repeatable process, and assign roles for participation in the process

Institution: Determine level of risk and develop a risk-based response for each identified finding
Research: Design a process to analyze risk in research on a case-by-case basis for each IRB research submission

Institution: Incorporate into a workplan for the covered entity – may be a 3-5 year workplan
Research: Create a final summary document – recommendations, implementation requirements and residual risks

RISK ANALYSIS: MODIFIED TO APPLY TO RESEARCH PERFORMING A RISK ANALYSIS IN THE CONTEXT OF A RESEARCH IRB APPLICATION REVIEW

JOINT SECURITY & PRIVACY REVIEW (JSPR)

1. What is JSPR? It is a process designed to provide a joint information privacy and security review of a proposed activity – in a contemporaneous review with the IRB review process.

2. What is the role of JSPR? To assess the risks associated with the proposed project and document the review and provide guidance on appropriate information privacy and security controls.

3. How does JSPR integrate with IRB review? It is meant to support the IRB review and allow an expert opinion and recommendation for the IRB to include as part of its review through a formal process. It is meant to occur simultaneously with the IRB review.

4. Who participates in JSPR? ONLY privacy and security professionals – and others on an as-needed basis.

5. What are the resources needed to implement JSPR? One privacy expert and one information security expert, and maybe a website tab and some forms. Plus time . . . (there are always exceptions – additional people may be brought in as needed).

6. What is the documentation produced by JSPR? A final written report.

Page 15

JSPR GOALS

Will not delay the IRB review process

Efficient – not a lot of time commitment from the requesting parties involved

Timely – IRB review should not have to wait on JSPR review

Repeatable – it is a defined process

Documentation – compliance with HIPAA

Defined scope – some things will not be reviewed

Risk-based approach

JOINT SECURITY & PRIVACY REVIEW (JSPR)

[Process flow diagram; the recoverable content follows.]

Customer (Faculty, Depts, Researcher, Schools): submits requests for BAAs, DUAs, QA/QI and research projects involving collection, use, storage, release or disposal of PHI.

Initial Intake: intake form; request info, docs, diagrams; provide examples.

Risk Threshold: determination required for which BAAs, DUAs, projects, research etc. receive which level of review.

Below Threshold: statement to customer; best practices; business owner decision; knowledge base articles?

Above Threshold (Independent Review): IS Review and Privacy Review.

Periodic Discovery Meetings: monthly, with IS and Privacy; include vendor, Legal and others as needed. Outcomes: no additional info required; request additional info; not enough information, send back to customer.

Final Statement: implementation requirements; implementation recommendations; residual risks; incorporate provisions into the agreement with the vendor (BAA?).

Signoffs / Approvals / Notice to Stakeholder (Dean, Dept Chair).

Follow-up Audits.

Objectives:
• Formalized, consistent, defined process
• Streamlined, time-bound
• Common intake for customers
• Simplify for customer
• Resources & risk drive what level of review occurs
• Residual risk acceptance (customer)

THE JSPR INTAKE FORM

Preferably online – web-based link, fillable PDF (not paper)

Advertised on Privacy, Security and IRB websites – and IRB staff are all trained on the process (and support it)

Requires the following data from the requesting party:
• Their contact and department information
• Purpose of the request (research, medical care, QA/QI, BAA, fundraising, operations, etc.)
• Their IT support contact
• Whether data is being received from or transmitted to a third party
• Identifiers involved & types of medical information
• A data flow diagram
• Population of individuals for whom data will be used & number of individuals
• Identification of any vendors & services

Page 16

SAMPLE DATA FLOW DIAGRAMS

[Slide images not reproduced in the transcript.]

THE INTAKE FORM

Page 17

THE RISK THRESHOLD

WHAT IS THE RISK THRESHOLD?

It is not possible or advisable to review all IRB applications for human subject research for privacy and security controls. So, it is important to only review those that present the highest level of risk. Research above the threshold triggers the review process.

Most Sensitive / Highest Risk

• SS#s, Mental Health, STDs, HIV, financial data, rare diseases (Ebola, Zika, etc.), cancer related diseases, sensitive diseases (like Hep C), alcohol and drug treatment, AND the number of subjects is 499+

Less Sensitive / Low Risk

• Limited data set, common diseases and treatments, limited identifiers

Page 18

RISK THRESHOLD EVALUATION

Everything ABOVE the Risk Threshold will be reviewed through the JSPR process

Everything BELOW will be directed to “other” resources. Like a website with guidance, tips and pointers for researchers and references to privacy and security policies for any number of topics including:

• Transmitting ePHI

• Setting up a database that will contain ePHI

• Encryption of portable electronic devices

• Communicating with subjects via email and text
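As an added illustration (not part of the presentation or the presenters' actual process), the following routine applies the risk threshold described above to the answers on an intake request and routes it either to JSPR review, to the self-service guidance topics, or back to the requester when the form is incomplete. The field names, keyword sets and the mapping from intake answers to guidance topics are assumptions built from the categories the slides list.

```python
"""Risk-threshold triage for a JSPR intake request.

Added example, not part of the presentation. The field names, the keyword
sets and the mapping from intake answers to guidance topics are assumptions
built from the categories the slides list, not the presenters' actual form.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Data categories the slides place in the "most sensitive / highest risk" tier
# (assumed keyword spellings; a real intake form would use a controlled vocabulary).
SENSITIVE_IDENTIFIERS = {"ssn", "financial data"}
SENSITIVE_CONDITIONS = {
    "mental health", "std", "hiv", "rare disease", "cancer",
    "hepatitis c", "alcohol treatment", "drug treatment",
}
# "... AND the number of subjects is 499+"
SUBJECT_COUNT_THRESHOLD = 499


@dataclass
class IntakeRequest:
    """The subset of the intake form fields that the threshold decision uses."""
    requester: str
    purpose: str                          # research, QA/QI, BAA, operations, ...
    identifiers: set[str]                 # e.g. {"name", "dob", "ssn"}
    medical_info: set[str]                # e.g. {"cancer", "lab results"}
    subject_count: Optional[int]          # None = not stated on the form
    third_party_transfer: bool = False    # data received from or sent to a third party
    portable_devices: bool = False        # laptops, phones, USB media in the data flow
    email_or_text_with_subjects: bool = False
    new_database: bool = False


@dataclass
class TriageResult:
    route: str            # "JSPR review", "self-service guidance" or "send back to requester"
    above_threshold: bool
    sensitive_hits: list[str] = field(default_factory=list)
    guidance_topics: list[str] = field(default_factory=list)
    reasons: list[str] = field(default_factory=list)


def sensitive_categories(req: IntakeRequest) -> list[str]:
    """Highest-risk data categories declared on the form, identifiers first."""
    hits = sorted(i for i in req.identifiers if i in SENSITIVE_IDENTIFIERS)
    hits += sorted(m for m in req.medical_info if m in SENSITIVE_CONDITIONS)
    return hits


def guidance_topics(req: IntakeRequest) -> list[str]:
    """Map intake answers to the self-service guidance topics the slides list."""
    topics = []
    if req.third_party_transfer:
        topics.append("Transmitting ePHI")
    if req.new_database:
        topics.append("Setting up a database that will contain ePHI")
    if req.portable_devices:
        topics.append("Encryption of portable electronic devices")
    if req.email_or_text_with_subjects:
        topics.append("Communicating with subjects via email and text")
    return topics


def triage(req: IntakeRequest) -> TriageResult:
    """Apply the slides' threshold: highest-risk data AND 499+ subjects."""
    # Flowchart branch "not enough information / send back to customer":
    # the threshold cannot be applied without a subject count and a
    # description of the data involved.
    missing = []
    if req.subject_count is None:
        missing.append("number of subjects")
    if not req.identifiers and not req.medical_info:
        missing.append("identifiers and types of medical information")
    if missing:
        return TriageResult("send back to requester", False,
                            reasons=["intake form incomplete: " + "; ".join(missing)])

    hits = sensitive_categories(req)
    if hits and req.subject_count >= SUBJECT_COUNT_THRESHOLD:
        return TriageResult("JSPR review", True, hits,
                            reasons=[f"highest-risk data ({', '.join(hits)}) "
                                     f"and {req.subject_count} subjects"])

    # Below the threshold: point the requester at guidance instead of reviewing.
    if hits:
        reason = (f"highest-risk data present but {req.subject_count} subjects "
                  f"is below {SUBJECT_COUNT_THRESHOLD}")
    else:
        reason = "no highest-risk data categories declared"
    return TriageResult("self-service guidance", False, hits,
                        guidance_topics(req), [reason])
```

The `reasons` list is what a reviewer would record in the file so the threshold decision is auditable later, which the final-report slides call for.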

DISCOVERY MEETINGS

DISCOVERY MEETING

After you perform the Risk Threshold Analysis and determine that you will be reviewing the proposal, here’s what should happen:

A meeting should be scheduled (note: you can also have these scheduled at set times each month; for example, 2 times a month for 2 hours – and requesting parties can sign up for a 30 minute time slot).

The meeting should include:
• Business owner (the PI)
• Their technical support from their department / personnel responsible for technical support / implementation
• Technical representatives from the vendor (if any)
• Any necessary research staff / IRB reviewer (optional)
• Privacy and security office representatives

What should be discussed: implementation specifics; data flow diagram; proposed privacy and security controls.

Page 19

WAYS TO DERAIL JSPR

Be very cautious about including parties other than privacy and security in the JSPR process as standing members. While it is good to be collaborative, the inclusion of nursing, finance, risk, legal, other administration and management personnel can create inefficiencies that can delay the review and output of opinion letters. Remember, the focus is on privacy and security controls. Efficiency is a key goal.

Keep the review focused. Do not go beyond what is necessary, and recognize that it is OK to simply document that certain aspects of the proposal were not reviewed.

Call out UNACCEPTABLE risks – but try and focus on improving the privacy and security posture without creating too many barriers or requirements that will turn away your customers (the researchers and the IRB staff)

THE FINAL PIECE OF THE PUZZLE

The Final Report
• Summary of proposal (include supporting documentation, like the data flow diagram)
• What was reviewed and what was not
• Summary of threats and vulnerabilities
• Classification of the risks
• Three part summary to include: 1) Implementation Requirements; 2) Recommendations; 3) Residual Risks
• Sign-offs by: preferred: Dean, Director, Department Chair, as well as the PI; or just the PI if that process does not fit your institution
• Submission to the IRB
• Auditable in the future to verify and validate compliance

QUESTIONS??

DAVID BEHINFAR [email protected]

KATHERINE GEORGER [email protected]