Data Repositories – Anticipated Policy VHA Handbook 1200.12

34 Slides1.17 MB

Data Repositories - Anticipated Policy VHA Handbook 1200.12 Research Accountability Meeting Human Subject Protection Laboratory Animal Welfare OR O Research Laboratory Safety/Security Research Misconduct Dr. Joan P. Porter Office of Research Oversight

DRAFT VHA Handbook 1200.12 “Use of Data and Data Repositories in VHA Research”

What will this new handbook cover? The Handbook is intended to define VHA policy on research use of data and data repositories. It addresses both the use of clinical and administrative data repositories for research as well as development and use of data repositories solely for research purposes. Examples: Austin and NSQIP are not research data bases, per se, but contain information that provides powerful research resources. HSR&D databases in Centers of Excellence are research data bases, for example. Some investigators have established large research databases.

What is a Research Data Repository? This term means: 1. a data repository created in advance from data assembled to conduct future research protocols (a bank or sorts), e.g. the Maveric database, or 2. data gathered in the course of conducting a research protocol that is maintained after completion of the research protocol and turned into a bank for future use. A research data repository is developed by researchers and used by researchers. The “protocol” may be for an individual research project or a “protocol” for creating and maintaining a repository for research.

Scope of Draft Database Handbook Applies to all VA-approved research activities involving the use of data and data repositories – Conducted in VA or space VA leases for its use – By VA investigators while on duty – Utilizing VA resources VA investigators – – – Compensated WOC IPA Contractors: similar requirements will be in contract/SOW

Non-VA Investigators Remember: you can give data to nonVA investigators only under limited circumstances (Remember — Joe Francis’ and Stephania Putt’s remarks [see VHA Handbook 1605.1])

Sources of Data Internal sources – – – – – Austin Automation Service PBM VistAWeb Other administrative and clinical databases (e.g., NSQIP) Research databases External sources Research subjects

Some Key Definitions: Human Subject — – A living individual about whom an investigator conduction research 1) obtains data through intervention or interaction with the individual, or 2) obtains identifiable private information. Individually-Identified Information — – When the investigator can link data to a specific person directly or through codes (38 CFR 16.102 – Common Rule); use of anyone of the 18 HIPAA identifiers (e.g. last 4 digits of SSN, scrambled SSN, initials, date of birth, date of admission . . . )

De-identified Data — must meet both the following definitions: HIPAA definition of de-identified – Removal of all 18 identifiers that could be used to identity the individual, individual’s relatives, employers, or household members Common Rule “definition” – Removal of all information that could identify the individual or could be used to readily ascertain the identity of the individual (Remember HIPAA is only about health data, the Common Rule applies any identifiable data.)

Definition: Coded Data Information for which the source person can be identified through intermediate links (“coded”) used alone or in combination with other information

VHA Draft Handbook also addresses the Use of Data Preparatory to Research

Preparatory to Research Access only to prepare protocol prior to submission to IRB and R&D Committee Can record aggregate data for background, to justify the research, or show adequate number of subjects available, etc. Cannot: – Record identifiers – Use information reviewed for recruitment or to conduct pilot studies continued . . .

Preparatory to Research (continued from previous page) PI must make representation per HIPAA – Access only to prepare protocol – No PHI removed from covered entity – Access is necessary for research Documentation of representation placed in PI’s files

Key Points for Use of Data for Research Purposes Minimum necessary data Approved use (IRBs and R&D Committees) Required approvals: The Principal Investigator and each co-investigators (regardless of site) must obtain approvals of: – – – IRB(s) – unless not human subjects or unless exempt R&D Committee(s) Others – union; Privacy Offices, ISOs, administrator of database

Responsibilities of VA Facilities Releasing Identifiable or De-identified Information from Their Records to Other VA Sites for Research Purposes A DUA/DTA must be implemented between the releasing facility and the receiving VA facility and investigator.

Data Use Agreement/ Data Transfer Agreement (DUA/DTA) A written agreement that defines: – What data may be used – How it will be used, stored, and secured – Who may access it – To whom it may be disclosed – Disposition of data after termination of research – Required actions if lost or stolen – IRB and R&D Committee approvals from each site – Documentation of the IRB’s waiver of informed consent and waiver of HIPAA authorization (if no consent or HIPAA authorization is to be obtained)

Who Signs the DUA/DTA? Receiving principal investigator ACOS/R of receiving institution ACOS/R of releasing institution (if a research database) Database owner ISO and Privacy Officer of releasing facility at discretion of releasing facility

Responsibilities of the Non-Research Data Repositories (Like NSQIP) Must develop policies and procedures to respond to requests for data: – Method of obtaining complete documentation from the investigator(s) – Address submission of all publications from use of data – Address Privacy Officer and ISO written approval of release of data – Address reports of serious adverse events and unanticipated problems – Release of any data beyond minimal necessary for the protocol – Devise policies and procedures for data preparatory to research

Special Responsibilities for Administration of Research Data Repositories The repository must have an administrative structure and include a VA investigator responsible for all activities of the repository. Oversight responsibilities of administrator of a research data repository – Develop policies and procedures for releasing data when all necessary information received – Review access requests – Maintain privacy and security continued . . .

Oversight Responsibilities of Administrator of a Research Data Repository continued from previous page – The research repository that is large and frequently used should have an advisory committee(s) to provide scientific and ethical advice (e.g., experts in epidemiology, statistics, ethics, law, subject matter may help in policy development and review of requests). – Must have stable administrative oversight – Must have an IRB-of-record to oversee the “repository protocol” for managing the research repository – Must have R&D Committee approval – Must be physically located with space owned or leased by VA in a secure space continued . . .

Oversight Responsibilities of Administrator of a Research Data Repository continued from previous page – Good record keeping! Sources of data Retention requirements Terms and conditions of use Consent of subjects’ whose data are in repository Release of data – when, what, to whom, how? New use of data requests Communications IRB and R&D committee repository deliberations Minutes And so on . . . – Standard Operating Procedures to cover all of these areas

Research Data Repository SOPs Administrative structure Conflict of Interest Adding data to repository Accessing data Record keeping requirements Privacy and confidentiality Storage and security Termination of repository

Oversight of a Repository Annual reporting to the IRB (repository treated as a research protocol) and R&D Committee Report information – Source of data being added – Type of data released to others including the protocol for reuse that contains information on: Confidentiality Storage and security of data Disposition of data at end of study – Any unanticipated problems regarding risk to subjects, institutions, etc. – Any incidents of inadvertent disclosure, loss, or theft of data

Responsibilities of the Investigators The Investigator must provide: – IRB’s approval if human subjects research – R&D Committee’s approval – HIPAA authorizations or waiver or authorizations if human subjects research – Research Informed Consent or waiver if human subjects research – Summary of protocol or full protocols indicating Why? What databases? What is the justification for use of identifiers (e.g., SSNs)? Where stored? Who will have access? What is the physical and esecurity? What is the disposition of data? Is training up-to-date? What are the roles of Privacy Officers and ISOs in the review? How will reuse of data be handled? What are the amendment approval requirements? What are the adverse events and unanticipated problems reporting requirements? continued . . .

Investigator’s Responsibilities (continued from previous page) Protocol contains all required information Ensure data storage and security meets all VA requirements Data use consistent with protocol No re-disclosure of data When leaving VA data and all copies left at VA

Database Research protocols — PIs must take care in their preparation. Protocols must contain information on: – Source of data & type of data (identified, de-identified) – Consent under which it was/will be collected – How the data will be used – Planned use of & justification for use of real SSNs – Justification for waiver of authorization and/or consent

Research Consent — PIs must take care in preparation of informed consent documents and HIPAA authorizations. If data were/are to be collected directly from subjects: – Consent clearly states: Use of data If reuse is allowed Who will have access to data (VA investigators, non-VA investigators, drug companies, etc. Where it will be stored (VA, non-VA) How it will be secured Disposition of data after study Certificate of Confidentiality – HIPAA authorization meets all requirements in VHA Handbook 1605.1 (more than HIPAA)

This need not be a rough road.

IRB and R&D Committee Must carefully review discussion of: – – – – Privacy Flow of data Security Plans for re-use or placement in repository

Approvals for Individual Studies Using Data From a Repository Who is responsible? – The investigator’s facility’s IRB and R&D Committee Who is NOT responsible? – The IRB and R&D Committee for the facility that houses the repository – The IRB and R&D Committee for the facility from which the data came

Your questions will probably be just the tip of the iceberg.

Questions? Issues?

For Additional Information Contact Dr. Brenda Cuccherini Special Advisor for Policy and Emerging Issues [email protected] 810 Vermont Avenue, NW, Suite 574 (10R) Washington, DC 20420 Phone: (202) 254-0277 Fax: (202) 254-0460

Dr. Joan P. Porter Deputy Chief Officer Office of Research Oversight http://www.1.va.gov/oro 810 Vermont Avenue, NW, Suite 574 (10R) Washington, DC 20420 Phone: (202) 565-7191 Fax: (202) 565-9194

Back to top button