2012 VA IRB Administrators Meeting
13
2012 VA IRB Administrators Meeting Stephania H. Griffin, JD, RHIA, CIPP/G VHA Privacy Officer Director, Information Access and Privacy Privacy Officer Role and Reviews Baltimore, MD August 14 – 15, 2012
description
2012 VA IRB Administrators Meeting. Stephania H. Griffin, JD, RHIA, CIPP/G VHA Privacy Officer Director, Information Access and Privacy . Privacy Officer Role and Reviews. Baltimore, MD August 14 – 15 , 2012. Overview of Discussion. Role of Facility Privacy Officer - PowerPoint PPT Presentation
Transcript of 2012 VA IRB Administrators Meeting
2012 VA IRB Administrators Meeting
Stephania H. Griffin, JD, RHIA, CIPP/GVHA Privacy OfficerDirector, Information Access and Privacy
Privacy Officer Role and Reviews
Baltimore, MDAugust 14 – 15, 2012
VHA Office of Informatics and Analytics
Overview of Discussion Role of Facility Privacy Officer Non-voting Member of IRB or R&D
Committee• Final Privacy Review For Research • Common Privacy Issues• Important Points• Resources
1
VHA Office of Informatics and Analytics
Role of Facility Privacy Officer• VHA Handbook 1200.05, Requirements for
the Protection of Human Subjects in Research, Paragraph 38, Privacy Officer and Information Security Officer (ISO) Responsibilities
• Non-voting Member of IRB or to R&D Committee
• Participate in IRB or R&D Committee meetings in order to raise privacy issues directly
• Provide summary reports prior to, or at, the convened IRB meeting at which the study is to reviewed or, in the case of expedited review, prior to, the IRB approval determination of the IRB Chair, or designee.
• Providing their final reports to the IRB staff timely.
2
VHA Office of Informatics and Analytics
Final Privacy Review of Research Required after IRB approval of research
study and/or approval of waiver of HIPAA-compliant authorization
Ensure legal authority exists prior to the use of Protected Health Information (PHI) for Research – must review: HIPAA Authorization; and/or IRB approval of waiver of HIPAA
Authorization; and Agreements, in rare instances where
contractors will have access to PHI.
3
VHA Office of Informatics and Analytics
Final Privacy Review of Research Ensure legal authority exists prior to the
disclosure of PHI to outside entities (e.g., outside study sponsor) for Research – must review: HIPAA Authorization; or IRB approval of waiver of HIPAA Authorization
Ensure process exists for the maintenance of an accounting of all disclosures resulting from the Research.
Review and approve HIPAA Authorization Meets all content requirements prescribed by
HIPAA Privacy Rule Consistency with Informed Consent
4
VHA Office of Informatics and Analytics
Common Privacy Issues Inconsistency between Informed Consent
and HIPAA Authorization De-identified Information NOT actually de-
identified (e.g., dates included with data) When a Data Use Agreement is Required Consent Requirements for Pictures &
Audio-Recordings Email Communication with Subjects Retention and Storage of Research Data Accounting of Disclosures
5
VHA Office of Informatics and Analytics
Accounting of Disclosures Accounting required even if HIPAA
Authorization obtained due to Privacy Act requirements
Standard Accounting – Retrospectively or Concurrently Created• For each disclosure
The name of the Veteran or subject The date the disclosure was made The name and, if known, address of the
person or entity receiving PHI A brief description of the PHI disclosed A brief statement of the reason for the
disclosure6
VHA Office of Informatics and Analytics
Accounting of Disclosures (cont’d) “Retrospectively Created” means that the
accounting does not have to be created at the time the disclosure is made, as long as, it can be created later upon request. All of the required information must be
maintained somewhere within the research records.
The accounting of disclosures must be maintained for 6 years or the life of the record. Currently, life of research records is
indefinite. So you must either maintain (concurrent) or
be able to create (retrospective) the accounting even after the research study has ended.
7
VHA Office of Informatics and Analytics
Important Points Privacy Officers DO NOT approve research. Privacy Officers ensure privacy
requirements are met prior to the use of VHA data for research.
The collection, extraction, and/or use of VHA data for research CANNOT start until all privacy requirements are met, as determined by the Privacy Officer. However, other research-related activities could be initiated, e.g., development of materials.
8
VHA Office of Informatics and Analytics
Important Points The IRB and R&D Committee CANNOT
override privacy requirements. Any debate between a Privacy Officer and the IRB should be elevated. You can contact the VHA Privacy Office for assistance.
A contract for survey services, mailings for recruitment, etc. as part of a research study requires an appropriate Agreement.
Do not forget about the accounting of disclosure requirement.
9
VHA Office of Informatics and Analytics
Resources Privacy Fact Sheets June 2006, Vol. 06, No. 3 - Privacy
Requirements for Use of VHA Data by VHA Researchers
June 2006, Vol. 06, No. 4 - Privacy Requirements for Disclosure for Research to Non-VA Researchers
Available at http://vaww.vhaco.va.gov/privacy/FactSheets.htm
10
VHA Office of Informatics and Analytics
Resources Procedure and Checklist for Privacy Review
of Research Documentation (aka Research Checklist) Available at http
://vaww.vhaco.va.gov/privacy/research.htm.
11
VHA Office of Informatics and Analytics
Contact Information
Stephania H. Griffin, VHA Privacy Officer, Director, Information Access and Privacy Office Phone: 704-245-2492 Email: [email protected]
12
