Post on 04-Jan-2016

VA Research Data Security and Privacy

Veterans Health Administration

Office of Research and Development

Module 1:

Sensitive VA Research Information

What is VA Research and Sensitive VA Research Data?

VA research is any research that has been approved (or requires approval) by a VA Research and Development (R&D) Committee. Generally this includes any research conducted with VA resources, including funds, staff time, equipment, or space.

VA research data consist of information that has been collected for, used in or derived from the conduct of VA research.

VA sensitive information is defined in VA Directive 6504 as all Department data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information.

This term includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, or records about individuals requiring protection under various confidentiality provisions such as the Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It also includes information that can be withheld under the Freedom of Information Act (FOIA).

VA Protected Information (VAPI) is VA sensitive information, Privacy Act Information, Protected Health Information (PHI), or other VA information that has not been deliberately classified as public information for public distribution.

Sensitive VA research data consist of information that has been collected for, used in or derived from the conduct of VA research that fits the definition of VA sensitive information.

Always err on the side of caution. Unless you are certain that specific research data are NOT sensitive, you should treat them as if they ARE.

Note: Although results of sensitive VA research are considered “sensitive” data, once they have been summarized and submitted for publication or published in compliance with all applicable requirements, the summarized data are not considered “sensitive.”

Why Is It Important To Protect VA Research Data?

The VA is committed to protecting information about our veterans and employees. When individuals who have served our country volunteer to participate in VA research, they entrust us to keep their personal and health information safe.

Inadvertent loss of private information, including real or scrambled Social Security Numbers (SSNs), violates veterans’ and employees’ privacy and exposes them to the possibility of identity theft with its attendant economic, legal and social consequences. These can include substantial risks to their financial security, employability, insurability or reputation, and can have other serious implications.

Approximately one in 10 laptop computers is stolen (Gartner Group, 2002). Hospitals and universities are particularly common targets for theft of laptops and other portable media because thieves know these facilities have so much computer equipment.

Several recent sentinel events in the VA, as well as in the academic and private sectors, have demonstrated that, to honor the sacred trust our veterans and employees have in us, we must be vigilant and take strict precautions to keep their research data secure and confidential.

How Can You Protect VA Research Data?

We all need to remember it is a privilege to be involved in VA research. This privilege, however, comes with many responsibilities. One of the most important is to ensure that all sensitive VA research information is secure and confidential and that the privacy of our VA research subjects is protected.

Since VA research data are owned by the VA, everyone involved in VA research must meet all Federal requirements for the storage, use, security and confidentiality of the data and for the privacy of the research subjects.

The purpose of this training is to heighten your awareness of the requirements and remind you of common sense precautions you can take. Some general measures include:

Treating all VA research data as if they are sensitive unless you are absolutely certain they are not sensitive

Fostering teamwork and a supportive culture where everyone helps each other remember to implement strict security controls and privacy standards

Remembering that, to keep sensitive VA research data secure and confidential, it takes all three legs of the three-legged stool:

1. Technical safeguards

2. Physical safeguards

3. Good work practices

Your efforts will not only help protect veterans’ rights and welfare, but also the future of VA research.

Module 2:

Privacy of Subjects and Confidentiality of VA Research Data

Privacy Statutes

Every VHA employee must comply with all applicable Federal privacy and confidentiality statutes and regulations when collecting, using, sharing or disclosing individually identifiable information, which includes sensitive VA research data.

The applicable Federal statutes and regulations are:

The Freedom of Information Act (FOIA), 5 U.S.C. 552

The Privacy Act (PA) of 1974, 5 U.S.C. 552a

The VA Claims Confidentiality Statute, 38 U.S.C. 5701

Confidentiality of Drug Abuse, Alcoholism & Alcohol Abuse, Infection With the Human Immunodeficiency Virus (HIV) and Sickle Cell Anemia Medical Records, 38 U.S.C. 7332

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 45 Code of Federal Regulations Parts 160 and 164

Confidentiality of Healthcare Quality Assurance Review Records, 38 U.S.C. 5705

Fortunately, you do not have to read and learn the content of these six statutes and regulations to be able to comply with the privacy requirements they set forth. VHA Handbook 1605.1, Privacy and Release of Information, establishes guidance on privacy practice and provides VHA policy for the use and disclosure of individually identifiable information, and for individuals’ rights in regard to VHA data.

By following privacy policies in VHA Handbook 1605.1, you are simultaneously applying all six statutes and regulations so that the result will be the application of the most stringent provisions for all uses and/or disclosures of sensitive VA research data.

Authorization for Disclosure of Information

VHA employees may disclose individually identifiable information from official VHA records only when:

The VHA has first obtained the prior signed, written authorization of the individual, or

Other legal authority in the above statutes and regulations permits the disclosure without written authorization (see your Privacy Officer for advice on specific cases)

When a written authorization from the individual is required, the request and authorization must contain the following information:

An expiration date, event or condition

The individual to whom the requested information pertains

The permitted recipient(s) or user(s) of the information

A description of the information requested

A statement regarding revocation

A statement that VA treatment and benefits are not conditioned on the signing of the authorization

The signature of the individual whose information will be used or disclosed

The date of signature of the individual whose information will be used or disclosed

Investigators and others involved in research should

Limit their request to the minimum information needed to conduct the research

Always use data in a manner that is consistent with the protocol and the signed authorization

Never re-use or share data without the appropriate approvals

Waiver of HIPAA-Compliant Authorization

A waiver of HIPAA-Compliant authorization may be approved by the Institutional Review Board (IRB) or Privacy Board at your facility. There are three criteria required for approving a waiver:

The use or disclosure must involve no more than minimal risk to the individuals

The research cannot practicably be conducted without the waiver

The research cannot be conducted without access to, and use of, the protected health information

Data Use Agreements

A Data Use Agreement (DUA) may be obtained when data will be disclosed outside of VHA for non-VA research (VHA Handbook 1605.1, “Privacy and Release of Information,” Appendix E).

A data use agreement is a written contract that defines the following:

What data may be used

How data may be used

How data will be stored and secured

Who may access data

Legal authority under privacy for access to data

Disposition of data after the research has been terminated

Actions required if data are lost or stolen

Certificates of Confidentiality

Under Federal law, researchers must obtain an advance grant of confidentiality from the National Institutes of Health, known as a Certificate of Confidentiality, to protect data pertaining to sensitive issues such as illegal behavior, alcohol or drug use, or sexual practices or preferences.

This document will provide protection against compulsory disclosure of research data (e.g., for a subpoena).

De-Identification of Data

De-identified data is health information that does not identify an individual and for which there is no reasonable basis to believe that the information can be used to identify an individual.

VHA would consider health information no longer protected health information (PHI) if it has been appropriately de-identified in accordance with the HIPAA Privacy Rule as outlined in VHA Handbook 1605.1, Appendix B.

For protected health information to be de-identified, all of the following 18 types of identifiers must be removed:

1. Names or initials

2. All geographic subdivisions smaller than a state

3. All elements of dates except the year and all ages over 89

4. Telephone numbers

5. Fax numbers

6. E-mail addresses

7. Social Security Numbers (or scrambled Social Security Numbers)

8. Medical record numbers

9. Health plan beneficiary numbers

10. Account numbers

11. Certificate or license numbers

12. Vehicle identifiers and license plate numbers

13. Device identifiers and serial numbers

14. URLs

15. IP addresses

16. Biometric identifiers, including finger and voice prints

17. Full-face photographs and any comparable images

18. Any other unique identifying number, characteristic or code, unless otherwise permitted by the Privacy Rule for re-identification

HIPAA identifiers also pertain to the person’s employer, relatives, and household members. Along with removing the 18 identifiers, HIPAA also states that for the information to be considered de-identified, the entity must not have actual knowledge that the remaining information could be used alone or in combination with other information to identify an individual who is the subject of the information.

According to the Common Rule, de-identification involves removal of all information that would identify the individual or would be used to readily ascertain the identity of the individual.

Note: For VA research purposes, VA research data are considered to be “de-identified” only if they meet the de-identification criteria of BOTH HIPAA (i.e., removal of all 18 identifiers) AND the Common Rule.
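The mechanical part of the identifier list above can be enforced in code. The following is an added example, not part of the original training: it keeps only allow-listed fields, reduces dates to the year, buckets ages over 89, and scans free text for identifier patterns. The field names, the sample record and the "90+" bucket are assumptions; a clean result does not establish that the Common Rule criterion is met.

```python
import re

# Constructed field names (assumptions, not a VA schema): adapt to your data dictionary.
PASS_THROUGH = {"state", "sex", "diagnosis_code", "hba1c"}  # carry no identifier
DATE_FIELDS = {"admission_date", "discharge_date"}          # ISO dates: keep year only
FREE_TEXT = {"note"}                                        # kept only if the scan is clean

# Patterns for identifiers that tend to survive inside free text.
RESIDUAL = {
    "ssn": re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b"),
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.I),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def scan_text(text):
    """Return the sorted kinds of identifier patterns found in a string.

    Regexes cannot recognise names or rare characteristics, so a clean scan
    is a minimum check and free text still needs human review.
    """
    return sorted(kind for kind, rx in RESIDUAL.items() if rx.search(text))


def deidentify(record):
    """Return (clean_record, dropped_fields).

    Fails closed: any field that is not explicitly allow-listed is dropped,
    which also covers "any other unique identifying number" (item 18).
    """
    clean, dropped = {}, []
    for field, value in record.items():
        if field in PASS_THROUGH:
            clean[field] = value
        elif field in DATE_FIELDS:
            # Item 3: remove all elements of a date except the year.
            clean[field.replace("_date", "_year")] = int(str(value)[:4])
        elif field == "age":
            # Item 3: ages over 89 may not be kept; "90+" bucket is an assumption.
            clean["age"] = "90+" if int(value) > 89 else int(value)
        elif field in FREE_TEXT and not scan_text(str(value)):
            clean[field] = value
        else:
            dropped.append(field)
    return clean, sorted(dropped)


# Constructed sample record; birth_date is dropped because it is not allow-listed.
SAMPLE = {
    "name": "Pat Example", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "zip": "00000", "state": "TX", "sex": "F", "age": 93,
    "birth_date": "1931-02-03", "admission_date": "2024-05-17",
    "diagnosis_code": "E11.9", "hba1c": 7.2,
    "note": "Call daughter at (555) 010-0199 before discharge.",
}

if __name__ == "__main__":
    clean, dropped = deidentify(SAMPLE)
    print("kept:", clean)
    print("dropped:", dropped)
```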

Limited Data Sets

The use of limited data sets does not require HIPAA-Compliant authorization or a waiver of HIPAA-Compliant authorization, but does require a data use agreement (DUA). Their use is only allowed for research, public health, or health care operations. Your Institutional Review Board (IRB) or Privacy Officer (PO) can help you determine if use of a limited data set is appropriate for your research project.

Limited data sets have the following characteristics:

They exclude certain direct identifiers that apply to

• The individual

• The individual’s relatives

• The individual’s employers

• The individual’s household members

They may contain

• City, state, ZIP code

• Elements of a date and other numbers

• Characteristics or codes not listed as direct identifiers

• Identifiable information, such as scrambled Social Security Numbers (SSNs)

Note: The use of limited data sets may constitute human subjects research and, therefore, it may require IRB approval.

Coded Data

Coding consists of labeling information with a code that

Does not include any patient identifiers (see HIPAA identifiers noted previously)

Is not derived from or related to the 18 HIPAA identifiers

Cannot be translated so as to identify the individual. Thus, initials, Social Security Numbers (SSNs) and so on may not be used as codes, even in partial or scrambled form.

Codes provide a link by which identities can be accessed through a key held separate from the research and the researchers. For example, the code might be a barcode or a combination of random numbers and letters.

If sensitive VA research data are coded, the key to linking the code with these identifiers must be stored within the VA, but it should not be stored with the coded data.

Note: If the investigator has access to the code, the coded information is not considered “de-identified.”
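One way to generate codes that satisfy the rules above, as an added example that is not part of the original training: codes come from a cryptographic random source, any code that happens to contain a fragment of the subject's identifiers is rejected, and the linking key is returned as a separate structure so it can be stored apart from the coded data. The field names, sample subjects and the four-character fragment heuristic are assumptions.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


def new_code(length=10):
    """Random code from a CSPRNG, so it cannot be derived from any identifier."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _norm(value):
    """Upper-case and strip punctuation so '123-45-6789' compares as '123456789'."""
    return "".join(ch for ch in str(value).upper() if ch.isalnum())


def leaks_identifier(code, identifiers, min_len=4):
    """Heuristic check that a code is not built from identifier fragments.

    Flags any run of min_len characters of an identifier, forwards or reversed
    (a simple form of scrambling), and short identifiers such as initials when
    the code starts or ends with them. Also useful for auditing legacy codes.
    """
    code_n = _norm(code)
    for ident in identifiers:
        ident_n = _norm(ident)
        if not ident_n:
            continue
        if len(ident_n) < min_len:
            if code_n.startswith(ident_n) or code_n.endswith(ident_n):
                return True
            continue
        for candidate in (ident_n, ident_n[::-1]):
            for i in range(len(candidate) - min_len + 1):
                if candidate[i:i + min_len] in code_n:
                    return True
    return False


def assign_codes(subjects, identifier_fields):
    """Split subjects into (coded_rows, linking_key).

    coded_rows hold the code plus non-identifying fields only. linking_key maps
    code -> identifiers and must be stored separately from coded_rows.
    """
    coded_rows, linking_key = [], {}
    for subject in subjects:
        idents = [subject[f] for f in identifier_fields]
        code = new_code()
        # Regenerate on collision or on an accidental identifier fragment.
        while code in linking_key or leaks_identifier(code, idents):
            code = new_code()
        linking_key[code] = {f: subject[f] for f in identifier_fields}
        row = {k: v for k, v in subject.items() if k not in identifier_fields}
        coded_rows.append({"code": code, **row})
    return coded_rows, linking_key


# Constructed sample subjects.
SUBJECTS = [
    {"name": "Pat Example", "initials": "PE", "ssn": "123-45-6789", "hba1c": 7.2},
    {"name": "Sam Sample", "initials": "SS", "ssn": "987-65-4321", "hba1c": 6.4},
]
ID_FIELDS = ["name", "initials", "ssn"]

if __name__ == "__main__":
    rows, key = assign_codes(SUBJECTS, ID_FIELDS)
    print("coded data (research copy):", rows)
    print("linking key entries (store separately):", len(key))
```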

Common Sense Ways to Protect Subjects’ Privacy and the Confidentiality of Their Information

When research subjects (or potential subjects) provide information about themselves, they do so with an assumption of trust. Your common sense will help you come up with many ways to help protect their privacy and the confidentiality of their information.

For instance,

Do not walk away from a computer without logging off

Do not print private data and leave it on the printer

Access information systems only through approved hardware, software, solutions and connections

Take appropriate steps to protect information, network access, passwords and information (not just electronic versions, but also hard copies, audio- and videotapes)

Control access to patient files or data that you have saved on a disk – or, better yet, do not use a disk, but back up your data on a VA server, instead (see Module 4)

Do not access information you don’t really need

Avoid using automatic password-saving features

Do not talk about a subject’s information in a public place

Module 3:

VA Research Projects

Preparatory to Research

Data use preparatory to research does not require a written authorization or a waiver of HIPAA-Compliant authorization. Within VHA, “preparatory to research” refers to activities that are necessary for the development of a specific protocol. Protected health information (PHI) from data repositories or medical records may be reviewed during this process, but only aggregate data may be recorded and used in the protocol.

“Preparatory to research” does not involve the identification of potential subjects or the recording of data for the purpose of recruiting these subjects or to link to other data.

For example, accessing VA medical records to count how many patients had a specific complication of diabetes prior to developing a retrospective study of these patients is an activity “preparatory to research,” but recording their names and contact information is not.

The “preparatory to research” activity ends once the protocol has been approved by the IRB and the R&D Committee.

The PI must document in his/her “preparatory to research” files that

Access was limited to protocol preparation

No protected health information (PHI) was removed

Access was necessary to prepare for the research

Note: VHA protected health information may never be disclosed for non-VA “preparatory to research” activities.

Pilot Studies

Pilot studies are early studies designed to test an idea or treatment. The information gathered in pilot studies usually is used to help design a larger study. Pilot projects must be reviewed and approved by the IRB and R&D Committee and must meet all applicable research requirements.

Even if they are performed in preparation for a research grant application, pilot studies are not considered to be “preparatory to research,” but full-fledged research projects.

Research Protocol

During the early stages of planning a research project, an investigator should think about how sensitive research data will be stored and accessed, as well as how to protect subjects’ privacy. When the principal investigator (PI) submits a research study that involves the collection, use and/or storage of sensitive information (e.g., subject identifiers or protected health information (PHI)) to an IRB and a R&D Committee, his/her submission for approval must contain specific information on

All sites where the data will be used or stored

Specifically who will have access to the data

How the data will be transmitted or transported

How the data will be secured

If copies of the data will be placed on laptops or portable media, a discussion of the security measures

If the data will be re-used for subsequent or future research protocols, provisions for future use in the informed consent form, and HIPAA-Compliant authorization

If relevant, provisions to ensure sponsor data storage guidelines are met and do not conflict with VA policies

Note: The principal investigator (PI) must certify that all VA sensitive information associated with each specific study is being used, stored and secured in accordance with applicable VA and VHA policies and guidance.

The following forms must be stored with the research protocol files:

Data Security Checklist for Principal Investigators

Principal Investigator’s Certification: Storage and Security of VA Research Information

IRB Approval

Prior to accessing or collecting ANY data involving human subjects (other than “preparatory to research” as previously discussed), the PI must obtain written approval from the IRB. As part of its review, the IRB will determine

If the protocol is exempt from IRB review. If it is not, then

If written informed consent can be waived or altered. If not, then

If the written consent form contains appropriate information and is consistent with the protocol

The IRB or a Privacy Board also will determine if the criteria for granting a waiver of authorization are met. If they are, the IRB or Privacy Board will document its specific findings regarding the criteria and the approval of the waiver of authorization as required by HIPAA.

Exemption from IRB approval may be granted under the following conditions:

Research involves the use of educational tests (cognitive, diagnostic, aptitude, achievement), survey procedures, interview procedures, or the observation of public behavior unless

• The information is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects, and

• Any disclosure of the subjects’ responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects’ financial standing, employability, or reputation

Research involves the analysis of existing data or documents if these sources are publicly available, or if the information is recorded so that subjects cannot be identified, either directly or through identifiers linked to the subjects

Note: The IRB must determine whether or not a protocol is exempt from IRB review. This determination cannot be made by the investigator.

Note: Even if a protocol is exempt from IRB review it may still require the IRB to grant a waiver of HIPAA-Compliant authorization.

Waiver of written documentation of informed consent may be granted by the IRB if it finds either

That the only record linking the subject and the research would be the informed consent document and the principal risk to the subject would be potential harm resulting from a breach of confidentiality, or

That the research presents no more than minimal risk of harm to subjects and involves no procedures for which written informed consent is normally required outside of the research context

In these situations, consent must still be obtained, but the requirement for a signed consent document is waived. The IRB may require that a written statement about the research be given to the subject. If it does, the IRB should review and approve this statement.

“Short form” signed documentation of informed consent may be permitted by the IRB for some kinds of projects. The subject is given an oral presentation that includes all the elements of consent. The following are required when a “short form” signed consent document is used:

A witness to the oral presentation

IRB approval of the written summary of what is to be presented orally

Only the short form to be signed by the subject or the legal representative of the subject

The witness to sign both the short form and the summary

The person actually obtaining consent to sign the summary

A copy of the summary and the short form to be given to the subject or the legal representative of the subject

Waiver of one, several, or all of the elements of informed consent may be approved by the IRB where it finds

The research involves no more than minimal risk to the subjects

The waiver or alteration will not adversely affect the rights and welfare of the subjects

The research could not practicably be carried out without the waiver or alteration and

Whenever appropriate, the subjects will be provided with additional pertinent information after participation

Approval from Other Entities

In addition to approval from the IRB, the investigator must have written approval from the local VA Research and Development (R&D) Committee before starting a VA research project. Depending on the nature of the project, other approvals also may be required before it can be implemented. Some examples include approvals by

Institutional Animal Care and Use Committees (IACUC) for research involving animals

The VA Office of Research and Development (ORD) for international research or research involving children or prisoners

The appropriate union for research involving union employees

The Office of Management and Budget (OMB) for survey research

A database manager when data are being accessed through a database

A Privacy Officer (PO) when privacy regulations apply (if the IRB does not serve this function)

VA Operations and Management (10N) when employees are to be surveyed

Re-Use of Data

VA research data may be used only in accordance with the provisions in the approved protocol and informed consent. If an investigator wants to use VA research data for another purpose, he/she must submit a new proposal to the IRB, Research and Development (R&D) Committee and any other relevant entities. Data may not be re-used until the investigator has obtained all the appropriate approvals for their re-use.

Using Data from Deceased Individuals

Whenever data are retained for any period of time some participants may die. The Common Rule does not cover deceased subjects, but HIPAA and other Federal privacy statutes do. Consent of next-of-kin or other legally authorized representatives may be required for release, use or disclosure of the data about deceased individuals.

Data Repositories and Procedures

A data repository must be created if data are to be retained, re-used or shared for future studies. Creation of a data repository requires development of policies and procedures that must be approved by the Institutional Review Board (IRB) and Research and Development (R&D) Committee at the institution where the repository resides. Your facility’s Privacy Officer can assist in ensuring you do not have any Privacy Act system of records issues.

For VA research data, the data repository must be located at a VA facility on a VA server, unless all appropriate permissions are obtained to house it elsewhere (see Module 5).

To access data from a repository, an investigator must have a specific protocol that has been approved by his/her local IRB and R&D Committee. The protocol must contain the specific data elements requested, including sufficient justification for any request for identifiable information.

The repository and the investigator must sign a Data Transfer Agreement (DTA) that details the authorized uses of the data and stipulates that the data may not be re-disclosed.

Module 4:

Storage and Security of VA Research Data

Requirements

Everyone involved in VA research must be in compliance with all applicable Federal laws, regulations, policies and guidance related to privacy of research subjects, and confidentiality, storage and security of research data.

Specific requirements are found in VA Directive 6504, “Restrictions, Transportation and Use of, and Access to, VA Data Outside of VA Facilities;” VA IT Directive 06-02, “Safeguarding Confidential and Privacy Act-Protected Data at Alternative Work Locations;” VA IT Directive 06-06, “Safeguarding Removable Media;” and VA Memorandum, February 6, 2007, “Certification by Principal Investigators: Security Requirements for VA Research Information.”

Note: Your Information Security Officer (ISO) can help you understand, and advise you on how to implement, these requirements.

To keep sensitive VA research data secure and confidential, investigators and everyone else involved in research must pay strict attention to all three legs of the three-legged stool:

1. Technical safeguards

2. Physical safeguards

3. Good work practices

Restricted Access

Access to sensitive VA research data should be restricted to those

Individuals named in the research protocol, on the research informed consent and the HIPAA-Compliant authorization form

Individuals who are responsible for oversight of the research program

VA investigators who require access “preparatory to research” if their activity meets the requirements for “preparatory to research” set forth in VHA policy

Technical Safeguards

The appropriate use of technical safeguards is extremely important to protect against unauthorized access, disclosure or loss of VA research data.

Password Protection

Passwords are important tools for protecting VA information systems. They ensure that VA researchers have access to the information they need. Here are some important password-related requirements for VA employees:

Passwords must meet VA password requirements

“Blank” and default user names and passwords cannot be used

User credentials, including passwords, must be protected appropriately because they are considered VA sensitive information

Passwords should never be shared with anyone else

Passwords must be stored in a safe and secure place that no one else knows about

Password-protected screensavers must be configured to activate after 15 minutes of inactivity

The “save password” feature cannot be used on VA equipment or programs that provide access to the operating system or VA network services

Passwords or other authentication information cannot be stored on remote systems unless those systems have been encrypted according to VA requirements

Protection from Viruses and Other Malicious Codes

It is important to protect VA research data from computer viruses and other malicious codes. Here are some key points to remember:

Always use VA-approved antivirus software on all VA-owned AND non-VA computers that contain sensitive VA research data

• Local ISOs will provide the software for VA-owned equipment

Immediately stop using any computer or software you suspect is infected

• Immediately isolate the computer from any VA network connections

• Do not reboot the system since many viruses are triggered to propagate upon system reboot

• If it appears that a negative activity is occurring, the system must be shut off and left off until a clean Antivirus boot media is used to clean the system

• Employees not authorized to attempt recovery and restoration must not remove the suspected software themselves, but must contact a qualified IT Specialist

• Only VA-approved software and tools may be used to attempt recovery from infection with a virus or other malicious code

If a non-VA technician is called to work on non-VA owned equipment, use caution to protect the VA information, including any information that facilitates access to VA private networks

If a hard drive or other storage medium that contains VA research data becomes infected, never surrender or swap it with an outside party

Encryption

Additional security controls, such as encryption, are required to guard sensitive research data stored on computers used outside VA facilities or when transmitting sensitive data via remote access. You must use encryption for the following:

When you use either VA-owned or non-VA equipment in a mobile environment outside the VA (e.g., a laptop)

When you use a personal computer (PC) at an alternative work site

When you access a VA network from a remote location

Note: All encryption modules used to protect sensitive VA research data must meet National Institute of Standards and Technology (NIST) standards and be Federal Information Processing Standards (FIPS) 140-2 certified.

Physical Safeguards

Physical security measures are just as important as technical safeguards for protecting VA research data. The following rules for physical security of data apply to all VA employees, and they apply whether the data are stored on VA-owned or non-VA equipment, inside or outside of VA facilities:

Do not take equipment, information, or software containing sensitive VA research data to non-VA sites without the express authorization of your supervisor, Associate Chief of Staff for Research and Development (ACOS/R&D), Privacy Officer (PO) AND your Information Security Officer (ISO)

See that equipment is housed and protected to reduce the risks from environmental threats and hazards, and protected against opportunities for unauthorized access, use, loss, removal or theft

Secure portable computers that have sensitive VA research data on their storage devices or have software that provides access to VA networks under lock and key when you or another responsible employee is not in the immediate vicinity

Note: Thumb drives are of particular concern since they are small, can store considerable data and are easy to misplace or lose.

Use physical locks to secure portable computers to immovable objects when you must leave computers in areas where individuals other than authorized employees have access

When in an uncontrolled environment, follow “clear desk” practices for media to reduce the risk of unauthorized access to, loss of, and/or damage to the sensitive research information

Note: This means that you cannot leave storage media or hard copies containing sensitive VA research data unsecured.

Guard against disclosing VA research data to unauthorized personnel through eavesdropping, overhearing, or unauthorized personnel actually “seeing” the data on a computer screen

When traveling, keep portable computers and storage devices with you at all times and do not check them as baggage

Protect data and system backups with the same or equally effective physical security as you provide the source computer, its media and the information contained on them

Store backups where they are physically secure yet accessible within a reasonable time frame

Note: Do not store original sensitive VA research data on laptops or portable media.

Note: If you store data on a VA server, you do not need to back them up to portable media since VA servers are routinely backed up.

Page 50

File Sharing

Note: You must not create a shared file or a drive containing sensitive VA research data on a device that you use for remote computing. You can share files of sensitive VA research data only through authorized VA servers.

Page 51

Data Retention and Destruction

You must retain VA research data in accordance with VA, VHA, local and IRB policies, protocol sponsor guidelines, or Privacy Act system of records notice, whichever is most restrictive. During the period that data are retained after a protocol closes, you must provide the same security and privacy measures as when the protocol was active, including all physical and technical safeguards.

Note: VHA research data belong to the VA. If an investigator leaves a facility or the VA system, all data must be kept and stored within the VA so as to be easily accessible to facility officials. Investigators cannot take copies with them.

Once the required retention period has lapsed, the data may be destroyed using a method that will render them unreadable, undecipherable and irretrievable.

Note: This pertains to both VA and non-VA owned computer equipment and storage devices.

Investigators should consult their local ISOs for local policies and procedures for media destruction and for computer and portable device sanitization.

Note: Pushing the delete button is not sufficient to permanently delete data.

Page 52

Just as for electronic media, you are responsible for ensuring that hard-copy documents or physical media, such as audio and videotapes, that contain sensitive VA research data are protected from improper disclosure, including inadvertent disclosure. When you no longer need them, you must also destroy hard copies and other physical media by a method rendering them unreadable, undecipherable and irretrievable.

If you have any questions about the best method of disposal, consult your local ISO or Privacy Officer.

Page 53

Backups

You must back up essential data and software at regular intervals and treat backups and archives according to their VA security classification.

You also must securely store any backups containing sensitive VA research data. You may back up data on a separate storage medium such as a network drive, CD, or DVD.

Note: As mentioned above, a VA server is the best place to create a backup because VA information technology (IT) staff ensure the safety of the network and that it is routinely backed up.

Page 54

Loss or Theft

The loss or theft of sensitive VA research data or portable media such as laptops is covered in VA Directive 6504. In addition, local VA facilities should have their own local policies and procedures. Your research office will help you locate those documents.

At a minimum, the following should occur as soon as it is discovered that there has been a loss:

Report the loss or theft to security/police officers immediately

• If you are in a VA facility, notify the VA police

• If you are on travel or at another institution, notify the security/police officers at the institution such as hotel security, university security, etc. as well as the police in the jurisdiction where the event occurred

• Obtain the case number and the name and badge number of the investigating officer(s). If possible, obtain a copy of the case report

Immediately call or email the following regarding the incident

• Your supervisor

• Your local Information Security Officer (ISO)

• Your VA facility’s Privacy Officer (PO)

• Your VA facility’s Security Officer

Your facility’s procedure may include notifying others such as the Chief of Staff or the Medical Center Director. You must determine the name of your facility’s PO and ISO so that you will have their names and contact information available.

The ISO will promptly determine whether the incident warrants further reporting and actions.

Page 55

Best Practices to Help Ensure the Security and Confidentiality of Stored VA Research Data and the Privacy of Research Subjects

While the following measures are not included in official requirements, these common sense steps can help ensure the security and confidentiality of sensitive VA research data, and the privacy of VA research subjects:

Whenever possible, you should store VA research data on network drives with restricted access, not on your desktop computer

Keep data in one file location for ease in making backups (or, better yet, simply back up all your VA research data in one location on a VA server)

Label backup media with the file names and include the date the backup was created

Set your backup schedules to match the importance of the data (e.g., data containing protected health information or irreplaceable data should be backed up more often)

Storage media wear out, especially magnetic media; so change storage media as they age and as better storage technology becomes available

Module 5:

Safeguarding VA Research Data Outside the VA

Page 57

Approvals

According to VA Directive 6504, “VA employees are permitted to transport, transmit, access and use VA data outside VA facilities only when such activities have been specifically approved by the employee’s supervisor and where appropriate security measures are taken to ensure that VA information and services are not compromised.”

To store, transport, transmit, access and use sensitive VA research data outside the VA, the principal investigator (PI) must obtain permission from ALL of the following:

1. His/her supervisor

2. The Associate Chief of Staff for Research and Development (ACOS/R&D)

3. The Information Security Officer (ISO), and

4. The Privacy Officer (PO) when appropriate

Note: This includes storage on non-VA computer systems or servers, desktop computers located outside the VA, laptops or other portable media.

Note: Research subjects’ or veterans’ names, addresses and Social Security numbers (real or scrambled) may be stored only within the VA and on VA servers. If the data are coded, the key linking the code with these identifiers must also be stored within the VA, but not with the coded data.

Page 58

Remote Access

Laptops and handheld computers, such as personal digital assistants (PDAs), owned by the VA are called Government Furnished Equipment (VAGFE). These electronic devices may be used to access the VA Intranet remotely. Only VA-approved remote access solutions may be used, and all remote connections to VA networks must be through VA-authorized configurations and access points.

Requirements for remote access include the following:

You can only access, use or send sensitive VA research information from a VA-owned laptop, handheld computer or storage device

You cannot share sensitive VA research data with anyone else

You must not share your username, password or instructions on how to access the VA network with anyone else

You may not use non-VA owned equipment to access the VA Intranet remotely or to process sensitive VA research data except when approved as above

Note: Only VA personnel may access VA-owned equipment that is used to process sensitive VA research information or access VA processing services.

Page 59

Access to the VA Intranet using non-VA owned equipment will be provided via approved VA Virtual Private Network (VPN) access protocols, which will offer access to a limited set of VA applications and services. Only remote access users with VA government furnished equipment (VAGFE), with all required security software installed and updated, will be permitted to connect to the VPN in such a way that grants full VA access.

If non-VA owned equipment is connected to a home or small office network with other workstations, all interconnected workstations must have virus protection. The anti-virus software must contain a real-time scanning feature, which must be enabled. You must update your antivirus software and check for viruses before using any diskette or file of uncertain or unauthorized origin.

In addition, if you use a computer to connect to the Internet outside the regular work site, whether VA government furnished equipment (VAGFE) or non-VA equipment, you must ensure that the computer is protected by a firewall. If you use VA government furnished equipment (VAGFE), to be granted access, you must use the current Host-based Intrusion Prevention System (HIPS) software, including all critical updates and patches.

Page 60

When accessing the VA Intranet remotely

You cannot configure VPN client software to support split or dual tunneling, allowing a connection to the VA while simultaneously connected to another public network such as the Internet

You must terminate inactive sessions by logging off when you are finished or when you leave your workstation unattended

You must not turn off the device or monitor without first logging off

You must see that your password-protected screensaver is configured to activate after 15 minutes of inactivity

You are not authorized to use VA remote access services to engage in any activity that is illegal or violates VA policies

Page 61

Remote access accounts are “as needed” accounts. Therefore

You must report unused accounts so they can be disabled and removed

Supervisors must ensure that remote access privileges are terminated as soon as they are no longer needed, when the account owner transfers out of the supervisor’s office or leaves the VA, or when an authorized official determines that remote access privileges should be revoked

If users have not logged into the VPN within 30 days, their account will be disabled

Users must contact their local ISO to have their accounts enabled
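The account rules above can be turned into a periodic review an ISO or supervisor runs over the remote access account list. The following is an added example, not VA tooling or code from the original presentation; the record layout, reason codes and sample accounts are hypothetical, and it assumes that an account never used ages from its creation date and that a login exactly 30 days ago still counts as "within 30 days".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Rule from the slide: no VPN login within 30 days -> account is disabled.
INACTIVITY_LIMIT = timedelta(days=30)


@dataclass
class RemoteAccount:
    """One remote access account (hypothetical record layout)."""
    user: str
    created: date
    last_vpn_login: Optional[date]    # None means the account was never used
    still_needed: bool                # supervisor's answer at review time
    owner_status: str                 # "active", "transferred" or "separated"
    revoked_by_official: bool = False


def disable_reasons(acct: RemoteAccount, today: date) -> List[str]:
    """Return every rule that says this account should be disabled."""
    reasons = []
    # Assumption: a never-used account ages from its creation date.
    last_seen = acct.last_vpn_login or acct.created
    if today - last_seen > INACTIVITY_LIMIT:
        reasons.append("inactive_over_30_days")
    if not acct.still_needed:
        reasons.append("no_longer_needed")
    if acct.owner_status != "active":
        reasons.append("owner_transferred_or_left")
    if acct.revoked_by_official:
        reasons.append("revoked_by_official")
    return reasons


def accounts_to_disable(accounts, today) -> Dict[str, List[str]]:
    """Map user -> reasons, listing only accounts with at least one reason."""
    flagged = {}
    for acct in accounts:
        reasons = disable_reasons(acct, today)
        if reasons:
            flagged[acct.user] = reasons
    return flagged


# Constructed sample data, not real accounts.
REVIEW_DATE = date(2024, 3, 31)
SAMPLE_ACCOUNTS = [
    RemoteAccount("avery", date(2023, 9, 1), date(2024, 3, 20), True, "active"),
    RemoteAccount("blake", date(2023, 9, 1), date(2024, 2, 15), True, "active"),
    RemoteAccount("casey", date(2023, 9, 1), date(2024, 3, 30), True, "transferred"),
    RemoteAccount("devon", date(2024, 1, 10), None, False, "active"),
    # Exactly 30 days since login: still "within 30 days", so not flagged.
    RemoteAccount("ellis", date(2023, 9, 1), date(2024, 3, 1), True, "active"),
]

if __name__ == "__main__":
    for user, reasons in accounts_to_disable(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(f"{user}: {', '.join(reasons)}")
```

Reporting every matching reason, rather than stopping at the first, lets the reviewer see when an account is both idle and no longer needed, which is the case that should be removed rather than merely disabled.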

Page 62

Data Storage and Security Outside the VA

In addition to the technical and physical safeguards and the remote access requirements covered previously, there are other requirements for storing sensitive VA research data outside the VA.

Note: “Outside the VA” means storage or use on any non-VA computer system, server, desktop computer, laptop or any other portable storage medium (e.g., CD, floppy disk, or thumb drive).

Note: Sensitive VA research information may not reside on non-VA systems or devices unless specifically designated and approved in advance and only where the non-VA systems or devices conform to, or exceed, applicable VA requirements.

Page 63

Non-VA System Requirements

When sensitive VA research data are stored on non-VA systems, the system must meet all requirements set forth in Federal Information Security Act (FISMA), including the required certification and accreditation of the system. In addition, all hardware/software encryption must be FIPS 140-2 certified.

Note: If the system is not FIPS 140-2 certified, the data are considered unprotected.

If FIPS 140-2 certification is going to be a requirement for your protocol, you will need to contact your local ISO for further information on how to obtain verification of this requirement.

Note: ISOs are not responsible for approving removal of specific data from the VA, but they are responsible for ensuring all VA security requirements are followed.

Note: All sensitive VA research data residing on non-VA laptops and other portable media must be encrypted and password protected in accordance with VA-approved requirements with only authorized individuals having access to the data.

Module 6:

Roles and Responsibilities for VA Research Data Security and Confidentiality, and for Privacy of VA Research Subjects

Page 65

The Importance of Teamwork

As has been described in previous modules, every VA facility that performs research must maintain and implement policies and procedures to ensure appropriate storage, security and confidentiality of sensitive VA research data, and privacy of VA research subjects.

Although individuals and offices have their own roles and responsibilities, teamwork among the different disciplines is critical to ensuring that policies and procedures are implemented efficiently and effectively. It is important for all stakeholders to become familiar with each others’ expertise and responsibilities, and work closely to provide seamless protection for sensitive VA research data.

Page 66

Local VA Institutional Responsibilities

Medical Center Directors have ultimate responsibility for ensuring the security and confidentiality of sensitive VA research data in their facilities. On an annual basis, the Medical Center Directors must certify to their VISN Directors that all principal investigators (PIs) have met the certification requirements related to storage and security of sensitive VA research data.

Research Offices and Research and Development (R&D) Committees must assure the security and confidentiality of sensitive VA research data, and the privacy of VA research subjects, by verifying principal investigators’ (PI) certification checklists (see below). They also have responsibility for ensuring that all investigators and everyone else involved in research are appropriately trained, credentialed and have research privileges and/or scopes of practice consistent with education, training and expertise. The R&D Committee is responsible for reviewing and evaluating all its subcommittees’ decisions, including IRB approval or exemption, before approving a research protocol.

Page 67

Institutional Review Boards (IRBs) are subcommittees of VA R&D Committees. IRBs are responsible for protecting the rights and welfare of subjects. An IRB will not approve a protocol unless its data management plan includes certification from the investigator that the use, storage and security of all research information collected for, derived from, or used during the conduct of the research is in compliance with all relevant requirements.

The kinds of questions you may need to discuss with your IRB include:

Is this project exempt from IRB review?

Does this project require informed consent? If so, is written informed consent needed?

Does this project require a HIPAA-Compliant authorization?

Page 68

Principal Investigator Responsibilities

The principal investigator’s (PI) responsibilities include:

Obtaining and documenting appropriate informed consent from study subjects

Obtaining written approval from the Institutional Review Board (IRB), Research and Development Committee (R&D), and arranging for approvals from any other applicable entity(s) (e.g., union, Office of Management and Budget, etc.) before starting the research project

Submitting a plan for maintaining privacy of research subjects and confidentiality of sensitive VA research data that includes:

• Storage provisions

• Security measures

• Transportation or transmission methods

• Provisions for controlling access to the data

• Encryption methods

• Plans for how long identifiable information or linkages will be kept

• Provisions for disposition of the data at the end of the study

Page 69

Ensuring that the data are collected in compliance with relevant requirements at all study sites in multi-center studies

Certifying each protocol

• For all new research protocols, the principal investigator (PI) must certify that the use, storage and security of all information collected for, derived from, or used during the conduct of the research will be in compliance with all VA and VHA requirements. This will require that the PI complete two forms, the “Data Security Checklist” and the “Principal Investigator’s Certification: Storage & Security of VA Research” for each new protocol, submit them to the IRB and R&D Committee and retain a copy of each of these forms with the protocol files

• For currently active protocols, the PI is required to provide the same information at the time of continuing review

• For Just-In-Time review, the PI must submit the “Principal Investigator’s Certification: Storage & Security of VA Research” form to the Office of Research and Development (ORD) during the Just-In-Time process for the proposal to be considered for VA research funding

• The PI must complete this certification process annually

Page 70

Note: If, at any point in a study, the PI determines that the security or confidentiality of data being maintained on non-VA systems or otherwise outside the VA on portable equipment does not meet VA requirements, the PI is responsible for immediately ensuring that the data are returned to reside within the VA firewall.

Page 71

Information Security Officer Responsibilities

Information Security Officers (ISOs) are knowledgeable about how to keep VA research data secure. They will answer your questions and advise you how to set up your security measures. If you have questions about the security of your research information, you should feel free to contact your ISO.

Specifically, ISOs are responsible for

Reviewing and, when appropriate, approving PIs’ requests for storing VA research data outside the VA (Note: approval must also be obtained from the Privacy Officer, Associate Chief of Staff for Research and Development (ACOS/R&D) and investigator’s supervisor)

Providing help for local Research Offices and investigators in completing the certification checklist requirements

Coordinating requests for remote access within their region and facility(s)

Reviewing all policies and procedures pertaining to transportation, transmission, remote access and use of VA IT equipment

Ensuring that remote access accounts are immediately disabled for all persons no longer requiring remote access

Page 72

The types of issues you may need to discuss with your ISO include

How to set up and configure, or how to close, a remote access account

How to encrypt

When a wireless network can be used

How hardware and data can be protected from viruses

What to do if you suspect you have been attacked by a virus

What to do if you see someone using VA computers for theft or fraud

What to do if you lose data (e.g., a laptop, hard drive, portable media)

Page 73

VHA Privacy Office Responsibilities

The VHA Privacy Office is the authoritative source for privacy within VHA and is responsible for developing and implementing a VHA Privacy Program; developing, issuing, reviewing and coordinating privacy policy for VHA in conjunction with policy efforts by VA; coordinating requirements and monitoring compliance with all Federal privacy law, regulations and guidance within VHA; and issuing direction on VHA privacy policies, practices and activities to the field.

Page 74

Privacy Officer Responsibilities

The facility Privacy Officers are knowledgeable about how sensitive VA research data may be used and disclosed in accordance with Federal statutes and regulations and VHA policy. They will answer your questions and help you comply with privacy requirements. It is a good idea to enlist their aid early in the design of a research project to avoid delays in the approval process.

Specifically, Privacy Officers are responsible for:

Ensuring the facility’s overall compliance with privacy policies and requirements

Ensuring the facility has a process to review all IRB-approved VA research for compliance with privacy requirements prior to the data’s being provided to the PI

Reporting incidents regarding protected health information (PHI) to the Privacy Violation Tracking System and participating in the investigation of such incidents

Ensuring all employees are trained on privacy annually

Page 75

Office of Research Oversight (ORO) Responsibilities

The Office of Research Oversight (ORO) serves as the primary VHA office in advising the Under Secretary for Health on all matters of compliance and assurance regarding human subjects protections, animal welfare, research safety and research misconduct. ORO conducts its oversight through routine and for-cause reviews. At the request of the Under Secretary, ORO reviews facility compliance with information security requirements for research when staff conducts on-site reviews. The checklist ORO uses to guide its reviews of information security can be found on the ORO website at http://vaww1.va.gov/oro/. You may want to access this document to help conduct your own assessment of your facility's fulfillment of requirements.

Submit questions to [email protected] through your local research office.

Page 77

Certificates

A web form to generate a certificate will appear at the end of this Live Meeting presentation.

Please enter your First Name and Last Name. Click Submit. Scroll to the bottom of the document and click Print.

Here is the web address in the event you cannot access or print your certificate from the web form:

http://vaww.vistau.med.va.gov/vistau/securityprivacy/certs/traincertform.cfm?sessionid=2