HIPAA, Privacy, & Cybersecurity Brenda Cuccherini, Ph.D., MPH

HIPAA, Privacy, & Cybersecurity Brenda Cuccherini, Ph.D., MPH VA Office of Research & Development January 2007 1

A New Mind Set “Old habit of mind is one of the toughest things to get away from in the world. It transmits itself like physical form and features ” Mark Twain A Connecticut Yankee in King Author’s Court 2

VHA & Privacy VHA privacy program is “complex” VHA must comply with 6 statutes that govern collection, maintenance & release of information 3

Privacy Related Statutes HIPAA Privacy Act of 1974 FOIA VA Claims Confidentiality Confidentiality of Drug Abuse, Alcoholism & Alcohol Abuse, HIV, and Sickle Cell Anemia Medical Records Confidentiality of Healthcare Quality Assurance Review Records 4

HIPAA Title II: The Privacy Rule (45 CFR 160 and 164) 5

HIPAA Topics To Be Covered HIPAA & the Common Rule HIPAA Identifiers Limited Data Sets Business Associate Agreements De-identification Waiver of Authorization VA & HHS Differences 6

HIPAA & the Privacy Rule Title I: Health Care Access, Portability, & Renewability Title II: Preventing Healthcare Fraud & Abuse; Administrative Simplification; Medical Liability & Reform Privacy Rule, Transactions, Security & Enforcement) 7

HIPAA & The Common Rule Represents 2 different but not contradictory regulations Many terms similar but not alike IRB must make 2 separate determinations when reviewing & approving applicable research 8

HIPAA “Identifiers”: Remove to De-identify for HIPAA (1) Names (2) All geographic subdivisions smaller than a state, except for the initial three digits of the zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people (3) All elements of dates except year and all ages over 89 (4) Telephone numbers (5) Fax numbers (6) E-mail addresses (7) Social security numbers (8) Medical record numbers 9

HIPAA “Identifiers” (Cont.) (9) (10) (11) (12) (13) (14) (15) (16) (17) Health plan beneficiary numbers Account numbers Certificate or license numbers Vehicle identifiers and license plate numbers Device identifiers and serial numbers URLs IP addresses Biometric identifiers Full-face photographs and any comparable images 10

HIPAA Identifiers (Cont.) (18) Any other unique identifying number, characteristic or code, unless otherwise permitted by the Privacy Rule for re-identification Scrambled SSNs Initials Last four digits of SSN Employee numbers Etc. (“19”) A caveat: HIPAA also states that the entity does not have actual knowledge that the [remaining] information could be used alone or in combination with other information to identify an individual who is the subject of the information If you can strip all 18 identifiers, it still may not be de-identified 11

Applicability of Identifiers HIPAA identifiers apply to: – The individual – The individual’s relatives – The individual’s employers – The individual’s household members 12

What’s De-identified? If some one tells you data is de-identified, ask them how they define it! Definition of “de-identified”: – All HIPAA identifiers must be removed, plus “The entity must have no knowledge ” [the caveat from the last slide] and – It meets the Common Rule definition of de-identified 13

Limited Data Sets Does not require a HIPPA authorization or waiver of authorization Only allowed for research , public health, or health care operations Requires a DUA May contain identifiable information such as scrambled SSNs, & are still PHI May still be human subjects research 14

Limited Data Set (Cont.) Excludes certain direct identifiers Excluded identifiers apply to: – – – – The individual, The individual’s relatives The individual’s employers The individual’s household members May contain: – City, state, ZIP code, – Elements of a date & other numbers, – Characteristics or codes not listed as direct identifiers 15

Limited Data Sets: Direct Identifiers (1) Names (2) Postal address other than town, city, state, and ZIP code (3) Telephone numbers (4) Fax numbers (5) SSNs (6) Medical Record number (7) Health plan beneficiary numbers (8) Account numbers 16

Limited Data Set: Direct Identifiers (Cont.) (9) Certificate/license numbers (10) Vehicle identifiers and serial numbers including license plate numbers (11) Device identifiers & serial numbers (12) Web universal resource locators (URLs) (13) Internet protocol (IP) address (14) Biometric identifiers, including fingerprints & voice prints (15) Full-face photographic images and any comparable images 17

Business Associate Agreements Business Associate: An individual or entity who on behalf of VHA – Performs or assists in performing functions or activities involving the use or disclosure of PHI or Activities must be related to treatment, payment, or health care operations 18

Business Associate Agreements BAA’s not required for research or research sponsors – Research is not a function or activity regulated by HIPAA (treatment, payment, or health care operations) 19

Waiver of Authorization IRB or Privacy Board (PB) may approve: – Full waiver of authorization – Partial waiver of authorization – Alteration of the disclosure IRB or Privacy Board: – Must make specific determination prior to approving waiver – Must document specific findings 20

Required Determinations: 3 Criteria 1. The use or disclosure of PHI involves no more than a minimal risk to the individual based on at least the presence of the following elements: – An adequate plan to Protect the identifiers from improper use & disclosure – An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research unless there is health or research justification for retaining them or retention or the retention is required by law; and – Adequate written assurance that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use of disclosure of PHI would be permitted by this subpart 21

Required Determinations: 3 Criteria (Cont.) 2. The research could not practicably be conducted without the waiver 3. The research could not practicably be conducted without access to and use of the protected health information 22

Required Documentation Name of IRB or PB & date approved Statement: IRB or PB determined the alteration or waiver of authorization, in whole or in part, satisfies the 3 criteria in the Rule AND include the criteria A brief description of the PHI for which use or access has been determined to be necessary A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, and Signature of the chair or other member, as designated by the chair, of the IRB or PB, as applicable. 23

Investigator’s Responsibility Include all necessary information in the submission to the IRB or PB Request use of the minimal necessary information to conduct the research Use of data consistent with the protocol No re-use or sharing of data without approvals 24

Differences: VHA vs. HHS Preparatory To Research Authorization Elements Accounting for Disclosures Data Use Agreements 25

Preparatory to Reach VHA Handbook 1605.1 states that contacting research subjects or conducting pilot studies are not “Preparatory to Research” activities HHS states that the “Preparatory to Research” provisions allow an investigator to use PHI to contact prospective research subjects 26

HIPAA Authorization VHA requirements differ from HHS’s – A description of the information to be used or disclosed AND specifically identify HIV, Sickle cell anemia, drug and/or alcohol abuse treatment information 27

Accounting for disclosure Not so much a “difference” but a clarification VHA research is conducted inside a single covered entity; MOST research does not involve “disclosure,” only “use” of PHI 28

Data Use Agreements VHA and HHS requires DUA for use of limited data sets only ORD policy will additionally require a DUA (Data Transfer Agreement) for anytime you transfer data within VHA for research purposes 29

Privacy Act of 1974 30

An American has no sense of privacy. He does not know what it means. There is no such thing in the country. George Bernard Shaw 31

Privacy Act of 1974 Purpose: To balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy Background: Watergate era and Congress concerned with: – Curbing illegal surveillance & investigations – Potential abuses presented by government’s increasing use of computers to store & retrieve personal data 32

Privacy Act Objectives Restrict disclosure of personally identifiable records by agencies Grant individuals – Increased rights of access to agency records – The right to seek amendment of agency records Establish code of fair information practices for agencies 33

A Privacy Act Requirement Agencies that maintain a system of records "shall promulgate rules, in accordance with notice and comment rulemaking” Systems of Records (SOR): “A group of records under agency control from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” 34

System of Records Content Category of individuals covered by the system Categories of records in the system Purpose of the records Routine uses of records Storage (storage medium) Retrievability (name, numbers or identifier) 35

SORs and Research 34VA12 -- Veteran, Patient, Employee, and Volunteer Research and Development Project Records 121VA19 -- National Patient Databases VA 36

SOR’s Impact on Research All release/disclosure of information must be consistent with the SOR and routine uses Investigators can not release information to nonVA investigators or institutions unless: – Written permissions/authorization from individual or – Permission of the USH Release of information is through the Privacy Office 37

Privacy Issues Resources VHA Privacy Officer: Stephania Putt Local privacy officer VHA privacy program: – http://vaww.vhaco.va.gov/privacy/ – Links to all Federal statutes, regulations, & policies including security policies – Privacy Fact Sheets 38

Cybersecurity 39

To err is human– and to blame it on a computer is even more so. Robert Orben Magician and Comedy Writer 40

A Changing Climate Security must be addressed in: – Protocol, appendices, or other document – Facility SOPs New policies (VA & VHA) and requirements Sensitive data must be controlled at all times 41

It is VA policy that: VA information may not reside on non-VA systems or devices unless specifically authorized by VA guidance/policy – Federal Information Security Management Act of 2002 (FISMA): Federal Security requirements apply to when contractors or “other organizations on behalf of an agency” possess or use Federal information You must obtain authorization to remove confidential & Privacy Act protected information – Approved protocol – Consult with supervisors/obtain permission – “Consult with supervisor and ISO to ensure that the data is properly encrypted and password protected in accordance with VA policy” Secretary’s memo June.6, 2006 42

VA Policy on Protection of Data Data & system backups or copies: – Same confidentiality classification as originals – Laptops & portable media must NOT contain the only copy of the data VAPI stored on computers or other storage media outside VA facilities must be encrypted per VA approved protection mechanisms Password or other authentication information: – Do not store on remote systems unless encrypted Data can not be transmitted by remote access without VA-approved protection mechanisms 43

VA policy on Government Laptops or Other Equipment Updated property pass Updated virus protection “House & protect” it from: – Environmental threats & hazards – Unauthorized access, use, or removal Laptops, external hard drives, or other storage devices must be under lock & key when not in your immediate vicinity if it: – Contains sensitive/protected information (VAPI) or – Software to access VA private networks 44

What You Must Do Prior to receiving laptop or “sensitive” data: – Know the policies on protecting or responding to lost/stolen laptops or data. Always be on guard: – Use common sense about where you leave it, who can access it Once laptop or data is discovered to be missing: – Report it to the police – Obtain a copy of the police report (name of officer, case number, etc.) – Try to “inventory” what is on the laptop or the missing data. – Make required notifications 45

Reporting of Security Incidents OMB requires reporting of an incident within 1 hour of discovery to US-CERT – US-CERT: US Computer Emergency Readiness Team is the operational arm of National Cyber Security Division (NCSD), Department of Homeland Security (DHS). Suspected and confirmed breaches must be reported 46

How to Report Security Incidents Immediately report to: – – – – Supervisor ISO Privacy Officer Others (Your facility may require reporting to other facility administrators) ISO will report it to the VA-Security Operations Center (VA-SOC) Privacy Officer will enter it into the Privacy Violations Tracking System (PVTS) VA-SOC will notify US-CERT & key VHA/VA officials 47

Investigator’s Responsibilities Protocols contain sufficient information on security issues – – – – Who uses information; How it will be stored and secured; Who has copies where; Will it remain within VA – if not, will all data be returned to VA – if not why; – Disposition of the data after protocol completed) Allowing access only to authorized individuals 48

Investigator’s Responsibilities (Cont.) Safeguarding laptops, portable drives, flash drives, and other medium Ensuring all contracts, DUAs, and BAAs contain required language Encrypting/password protecting all sensitive data 49

Policy Documents VA Directive 6504 – Waiver of requirements – Granted only by the VA Chief Information Officer in CO – Waiver request only from an Administration Head, Assistant Secretary, or other key official Majority of IT & security documents being redrafted on a very fast track 50

Finding Policies www.va.gov/vhapublications – Link on left banner to VA publications www.va.gov/research Call or e-mail: – Brenda Cuccherini, Ph.D. at (202)254-0277 or – [email protected] 51

A single question can be more influential than a thousand statements. Bo Bennett Businessman 52

53