Research Involving Sensitive Data

1
Research Involving Sensitive Data Databases

• Brenda Cuccherini, Ph.D., MPH
• VA Office of Research Development
• Fall 2006

2
Is This True?

• "The more the data banks record about each one of
  us, the less we exist
  
• Marshall McLuhan
• Canadian philosopher educator

3
Topics To Be Covered

• Sensitive data
• Database handbook
• Definitions
• Data Uses
• Prepatory to research
• One time use
• Data Repositories
• Long term storage
• Re-use of data
• Responsibilities

4
Sensitive Data Information

• Definition All Department data which
  requires protection due to the risk of harm that
  could result from inadvertent or deliberate
  disclosure, alteration, or destruction of the
  information.
• VA Handbook 6504
• June 7, 2006

5
Examples of Sensitive Data

• Data when improperly used or disclosed could
  adversely affect the ability of an agency to
  accomplish its mission
  
• Proprietary information
• Records about individuals requiring protection
  under Privacy Act, HIPAA, or other statutes
  
• Information that can be withheld under FOIA

6
Applicability to Research

• VHA researchers develop, collect, use, share,
  /or store all categories of sensitive data
  
• Researchers primarily think about protecting
  subjects and patient data and not other data
  
• Misuse or disclosure of other data may have a
  major impact on
  
• VHA and individual facilities
• VHAs ability to care for veterans conduct
  research

7
Protecting Sensitive Data

• Careful thought
• Situational awareness
• Universal Precautions
• Guidance
• Policy

8

• Draft policy Use of Data Data Repositories in
  Research

9

• "Then, with your permission, we will leave it
• at that, Mr. Mac. The temptation to form
• premature theories upon insufficient data is
• the bane of our profession."
• Sir Arthur Doyle
• The Valley of Fear

10
Scope of Database Handbook

• Applies to all research activities involving the
  use of data and data repositories that are
  conducted in VA approved research, within VHA,
  and/or by VA investigators while on duty.
• VA investigators maybe
• Compensated
• WOC
• IPA
• Contractors similar requirements will be in
  contract/SOW

11
Terms Defined for This Discussion

• Coded data
• DUA
• Existing data
• De-identified data

12
Definition Coded Data

• Information for which the source person can be
  identified through intermediate links (coded)
  used alone or in combination with other
  information.

13
Coded Date Human Subjects Research

• Human subjects research When individually
  identifiable information is used
  
• Individually identifiable information (38 CFR
  16.102(f) When the investigator can link data to
  specific persons directly or through codes.
  
• Common Rule definition differs from HIPAA
  definition of Individually Identifiable Health
  Information (III)
  
• Example IIIany information including religious
  beliefs) IIH physical health, mental health,
  or condition of the individual

14
Coded Non-human Subjects Research

• Data not collected specifically for current
  research
  
• Code not based on the 18 HIPAA identifiers, e.g.,
  last 4 digits of SSN, scrambled SSN, initials
  
• Investigator cannot readily ascertain identity of
  individual
  
• Key to code is destroyed or the investigator
  cannot get access to the key
  
• Investigator can not otherwise ascertain the
  identify of the individuals
  

15
Data Use Agreement

• A written agreement that defines
• What data may be used
• How data may be used
• How it will be stored and secured
• Who may access it
• To whom it may be disclosed
• Disposition of data after termination of
  research
  
• Required actions if lost or stolen
• Requirement for DUA
• HIPAA when data disclosed outside the covered
  entity
  
• Privacy Handbook (VHA 1605.1) disclosure outside
  of VHA
  
• Database HB any use by others

16
Existing Data

• Data that have already been collected when the
  research proposal is submitted to a VA reviewing
  committee

17
De-identified Data

• De-identified data must meet both the following
• definitions
• HIPAA definition of de-identified
• Removal of all 18 identifiers that could be used
  to identify the individual, individuals
  relatives, employers, or household members
  
• Common Rule definition of de-identified
• Removal of all information that would identify
  the individual or would be used to readily
  ascertain the identity of the individual

18

• DATA AND ITS USES

19
Sources of Data

• Internal sources
• Austin Automation Service
• PBM
• VistaWeb
• BIRLS Other administrative and clinical databases
  
  
• Research databases
• External sources

20
Uses of Data

• Prepatory to research
• Per research protocol without reuse or storage
• Per research protocol with plans for storage and
  reuse
  
• Populate a research data repository

21
Prepatory to Research

• Access only to prepare protocol prior to
  submission to IRB RD committee
  
• Can record aggregate data for background, justify
  the research or show adequate number of subject
  available, etc.
  
• Cannot
• Record identifiers
• Use information reviewed for recruitment or to
  conduct pilot studies
  

22
Prepatory to Research (cont.)

• PI must make representation per HIPAA
• Access only to prepare protocol
• No PHI removed from covered entity
• Access necessary for research
• Documentation of representation placed in PIs
  files

23
Use of Data For One Protocol Only

• Protocol approved by
• IRB if human subjects
• RD Committee
• Database administrator or owner
• Review by Privacy Officer or other expert to
  ensure all Privacy Act, HIPAA and security issues
  are addressed
  
• Use must be consistent with the protocol
• Data can not be re-used or stored beyond the
  retention period
  
• Consent and HIPAA Authorization Issues addressed
  e.g., required to obtain or waived

24

• RESEARCH DATA REPOSITORIES

25
Data Repositories

• Long term storage of data
• Data saved for future use regardless of the time
  frame
  
• Long term storage data repository
• Location of long term storage
• In a new or existing data repository under VA
  control
  
• Source of data
• Research or non-research
• Original protocol under which data collected
• For a specific research project
• To collect data to place in a repository

26
Creation of Research Repositories

• Structure
• Administrator or administrative board
• Advisory committees (science, ethics)
• Policies procedures
• IRB of record for oversight
• Content
• Identified or de-identified data
• Location within VA on VA servers unless waiver
  obtained

27
Repository SOPs

• Administrative structure
• Conflict of Interest
• Adding data to repository
• Accessing data
• Record keeping requirements
• Privacy confidentiality
• Storage security
• Termination of repository

28
Accessing Data from Repository

• Access by VA investigators
• Specific protocol that has IRB, RD approval
• Protocol must contain required information
  (discussed later)
  
• DUA

29
Record Keeping

• Sufficient Information to track understand
  repository activity
  
• How/where data obtained
• Data request swith associated protocols and
  approvals
  
• Communications with the requester
• Administrative activities such as committee
  meeting minutes
  
• Communications to and from the IRB and RD
  committee
  

30
Oversight of a Repository

• Annual reporting to the IRB (repository treated
  as a research protocol) and RD committee
  
• Report information
• Source of data being added
• Type of data released to others for reuse
  including the protocol for reuse that contains
  information on
  
• Confidentiality
• Storage and security of data
• Disposition of data at end of study
• Any unanticipated problems regarding risk to
  subjects, institutions, etc.
  
• Any incidents of inadvertent disclosure, loss, or
  theft of data

31

• RESPONSIBILITIES

32
Investigator Responsibilities

• Protocols must contain information on
• Source of data type of data (identified,
  de-identified)
  
• Consent under which it was collected
• How the data will be used
• Planned use of real SSNs
• Recruitment or re-contact of subjects
• Storage ( any copies, who will have access, plans
  to share data)
  
• Justification for waiver of authorization or
  consent
  
• Privacy confidentiality related to data
• Appropriate training
• When leaving VA data must be left
• Data use consistent with protocol
• No re-disclosure of data

33
Consent HIPAA Authorization

• Consent clearly states
• Use of data
• Is reuse allowed
• Who will have access to data (VA investigators,
  non-VA investigators, drug companies, etc.)
  
• Where it will be stored
• How it will be secured
• Disposition of data after study
• Certificate of Confidentially
• HIPAA authorization meets all requirements in VHA
  Handbook 1605.1 (more then HIPAA)

34
Identifiable Data Special Concerns

• SSNs real and scrambled
• Recruitment of subjects
• Re-contacting subjects
• Decedents Data It is not human subjects but
  consent of next-of-kin may be required
  
• Privacy Confidentiality next session
• Certificates of Confidentiality

35
Approvals for Research Using Data From a
Repository

• Who is responsible?
• The investigator(s) facilitys IRB and RD
  Committee
  
• Who is NOT responsible?
• The IRB and RD Committee for the facility that
  houses the repository
  
• The IRB and RD Committee for the facility from
  which the data came

36
IRB Responsibilities

• Sufficient expertise to review the protocol
• Determining if the project is
• Research
• Is human subjects research
• If human subjects, is it exempt from IRB review
  (may still need HIPAA authorization)
  
• Requiring sufficient information
• All responsibilities under 38 CFR 16

37
Sufficient Information for IRB

• Source of the data purpose originally collected
  (non-research, research)
  
• If research is the re-use consistent with the
  informed consent authorization
  
• If collected for non-research purposes, do
  guidelines under which collected allow re-use for
  research
  
• Appropriate permissions are obtained to access
  the data

38
Sufficient Information (Cont.)

• Description of the data (de-identified,
  identified, coded)
  
• Justification for use of identified data
• Coded data a description of the coding scheme
  and who controls the key
  
• Use of real SSNs adequately justified
• Confidentiality and privacy issues addressed
• HIPAA
• Recruiting or re-contacting subjects

39
Sufficient Information (Cont.)

• Major issue Will the data be safe
• Storage
• Security
• Transportation or transmission
• Copies of data (location, media)
• Access (VA and non-VA persons)
• Disposition of data at end of study (destruction,
  storage, etc.)
  
• Risks (subjects, institution, system)

40
Recruiting from DatabasesIRB Considerations

• Must have IRB and RD Committee approvals
• May not be minimal risk
• Minimal risk if
• Investigator is subjects health care provider
  (HCP)
  
• Initial contact from subjects HCP
• Initial approach is general (not disease specific
  or address sensitive issues)
  
• Initial contact in person or by mail
• Minimal concerns if person has agreed to be
  contacted

41
RD Committee Responsibilities

• Sufficient expertise to review science
• Receive review sufficient information as
  described for IRB
  
• Review findings of the IRB
• If facility does not hold an FWA
• Determine if it is research
• If research, determine if it is human subjects
  research
  
• If any questions regarding this determination,
  develop procedures for consultation with human
  subjects experts

42
Responsibilities of Others

• Local PP must be developed to ensure compliance
  with applicable VA VHA policies
  
• Identify knowledgeable person(s)
• Privacy Officer
• IRB administrator
• Research compliance officer
• Data repository administrator
• Additional training of knowledgeable persons
  may be required
  
• Role to serve as final check for privacy
  security issues

43
Just a Thought

• Big Brother in the form of an increasingly
  powerful government and in an increasingly
  powerful private sector will pile the records
  high with reasons why privacy should give way to
  national security, to law and order, to
  efficiency of operation, to scientific
  advancement and the like.
• William O. Douglas
• Associate Justice
• U.S. Supreme Court
• From 1939-1975

44

• A prudent question is one-half of wisdom.
• Francis Bacon