1 / 44

Tissue Banks & Data Repositories

Tissue Banks & Data Repositories. SRA October 2007. Helpful Definitions. Definition: VA Sensitive Data & Information.

andrew
Download Presentation

Tissue Banks & Data Repositories

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Tissue Banks & Data Repositories SRA October 2007

  2. Helpful Definitions

  3. Definition: VA Sensitive Data & Information All Department data on any storage media, or any form, or format which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. VA Handbook 6500 Sept.18, 2007

  4. Definition: Sensitive Personal Information (SPI) • Any information about the individual maintained by an agency, including: • Education • Financial transactions • Medical history • Criminal or employment history • AND can be used to distinguish or trace the individual’s identity including: • Name • SSN • DOB • Mother’s maiden name • Biometric records VA Handbook 6500 Sept. 18, 2007

  5. Definition: VA Data or VA Information Information owned or in the possession of VA or any entity acting for or on the behalf of VA VA Handbook 6500 Sept.18, 2007

  6. De-identified De-identified data is health or other information about an individual that: • Does not contain any of the 18 HIPAA identifiers AND • Is de-identified according to the Common Rule Coded information is not considered de-identified if the tissue bank or data coordinating center has access to the codes.

  7. HIPAA “Identifiers”: Remove All 18 to De-identify for HIPAA (1) Names (2) All geographic subdivisions smaller than a state, except for the initial three digits of the zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people (3) All elements of dates except year and all ages over 89 (4) Telephone numbers (5) Fax numbers (6) E-mail addresses (7) Social security numbers (8) Medical record numbers

  8. HIPAA “Identifiers” (Cont.) (9) Health plan beneficiary numbers (10) Account numbers (11) Certificate or license numbers (12) Vehicle identifiers and license plate numbers (13) Device identifiers and serial numbers (14) URLs (15) IP addresses (16) Biometric identifiers • Full-face photographs and any comparable images

  9. HIPAA Identifiers (Cont.) • Any other unique identifying number, characteristic or code, unless otherwise permitted by the Privacy Rule for re-identification • Scrambled SSNs • Initials • Last four digits of SSN • Employee numbers • Etc. (“19”) A caveat: HIPAA also states that the entity does not have actual knowledge that the [remaining] information could be used alone or in combination with other information to identify an individual who is the subject of the information • If you can strip all 18 identifiers, it still may not be de-identified

  10. Tissue Banking

  11. Banked Specimens • Specimens may not be banked at a non-academic, for-profit institution. • Specimens must be labeled with a code that does not contain any of the 18 HIPAA identifiers. • The key to the code must be maintained at the VA unless there is a compelling reason otherwise.

  12. On-Site Tissue Banks • A tissue bank established at a VA site by a VA-paid investigator does not require ORD approval. • The ACOS/R or research office should maintain records of all tissue banks within the facility.

  13. On-Site Tissue Banks (cont’d) • If a VA site does not have the resources to bank specimens may be banked • At any VA site with an established tissue bank • At the Massachusetts Veterans Epidemiology Research and Information Center (MAVERIC) core laboratory at the Boston VA. • Cooperative Studies Program (CSP) Genetic Tissue Core Laboratory • Either option is considered on-site banking

  14. Off-Site Tissue Banks • A waiver from ORD • Off-site tissue banks are approved on a per protocol basis only • Exception: National Cancer Institute (NCI)-sponsored cooperative tissue banks listed on the next slide • Letter of understanding with the NCI • These banks are designated as VA-approved if they are used for one of their protocols. • Example: SWOG-supported tissue bank can be used for SWOG protocols without ORD approval.

  15. VA-Approved NCI Tissue Banks • Clinical Trials Cooperative Groups Tissue Resources, which include • American College of Surgeons Oncology Group (ACOSOG) • Cancer and Leukemia Group B (CALGB) • Eastern Cooperative Oncology Group (ECOG) • Gynecologic Oncology Group (GOG) • North Central Cancer Treatment Group (NCCTG) • National Surgical Adjuvant Breast and Bowel Project (NSABP) • Radiation Therapy Oncology Group (RTOG) • Southwest Oncology Group (SWOG) • Cooperative Breast Cancer Tissue Resource • Cooperative Human Tissue Network • Gynecologic Oncology Group Tissue Network • Cancer Prevention Network

  16. Data Related to Banked Specimens • If data linked to the sample leaves the VA, then they must be de-identified or stored in a database that is encrypted according to FIPS 140-2 standards. • See VA Handbook 6500 “Information Security Program” for additional information

  17. Non-Banked Specimens Stored at Non-Academic For-Profit Sites • If held for greater than 90 days, then a waiver must be obtained from ORD. • Only analyses/tests listed in the protocol and informed consent may be performed. • The code must be maintained at the VAMC. • All specimens and associated data must be de-identified. • DNA and RNA may not be analyzed • The company must inform the PI in writing when samples are destroyed.

  18. Non-Banked Specimens Stored at Non-Academic For-Profit Sites (cont’d) • HIPAA authorization must expire. • Case reports may not contain initials if they leave VA. • Specimens must be destroyed upon request of the subject. • Before company personnel may view files at the VA, they must complete VA security and privacy training. • Specimens must be destroyed within 1 year of the study completion date.

  19. Application Process • The investigator must complete VA form 10-0436. • This is a pdf form that can be filled in and saved using Acrobat Reader version 7 or higher (http://www.va.gov/vaforms/medical/pdf/vha-10-0436-fill.pdf). • The information requested on page 5 of the application can be scanned and attached to the pdf or to the e-mail. • Biographical sketch of the PI • Research protocol • Tissue bank manual or SOPs • VA consent form

  20. Application Process (cont’d) • The application should be e-mailed to Marilyn Mason (Marilyn.Mason@va.gov). The ACOS/R must be carbon copied OR • The form and requested information can be mailed to the address given on the form.

  21. Application Process (cont’d) • It generally takes ORD 2 weeks to process the application. • Longer if a large number of applications are received in a short time period • After it is reviewed • PI and ACOS/R will receive a memo listing any issues found with the application • Frequently, the informed consent needs to be modified

  22. Multi-Site Trials • If several VAMCs are planning to participate in the same clinical trial • Only one of the VA sites needs to apply for a waiver. • A list of multi-site clinical trials in which more than one VAMC is participating is posted on the VA R&D web site.

  23. RESEARCH DATA REPOSITORIES(Depositing & Reusing of Data)

  24. Data Repository • Data repository = storage & reuse • Location: • At VA on VA servers • Permission required to house elsewhere • Data sources: any • Research or non-research • VA or non-VA

  25. Creation of Research Repositories • Structure • Administrator or administrative board • Advisory committees (science, ethics) • Policies & procedures • IRB of record for oversight • Content • Identified or de-identified data • Location: within VA on VA servers unless waiver obtained

  26. Repository SOPs • Administrative structure • Conflict of Interest • Adding data to repository • Accessing data • Record keeping requirements • Privacy & confidentiality • Storage & security • Termination of repository

  27. Accessing Data from Repository • Access by VA investigators • Specific protocol that has IRB, R&D approval • Protocol must contain required information (discussed later) • DUA or Data Transfer Agreement

  28. Record Keeping • Sufficient Information to track & understand repository activity • How/where data obtained • Data requests and the associated protocols and approvals • Communications with the requester • Administrative activities such as committee meeting minutes • Communications to and from the IRB and R&D committee

  29. Oversight of a Repository • Annual reporting to the IRB (repository treated as a research protocol) and R&D committee • Report information • Source of data being added • Type of data released to others including the protocol for reuse that contains information on: • Confidentiality • Storage and security of data • Disposition of data at end of study • Any unanticipated problems regarding risk to subjects, institutions, etc. • Any incidents of inadvertent disclosure, loss, or theft of data

  30. Impact of New Policies on the Investigator, the IRB, and the R&D Committee

  31. The Protocol • Must contain specific information on: • Recruitment plan • Justification for use of identifiers • In depth privacy & security plan • Discussion of “Flow of data through its lifetime” • Security plan • If future use of data is planned

  32. Protocol: Database Research • Protocols must contain information on • Source of data & type of data (identified, de-identified) • Consent under which it was collected • How the data will be used • Planned use of & justification for use of real SSNs • Justification for waiver of authorization and/or consent

  33. Research Consents • If data collected directly from subjects: • Consent clearly states: • Use of data • If reuse allowed • Who will have access to data (VA investigators, non-VA investigators, drug companies, etc.) • Where they will be stored (VA, non-VA) • How they will be secured • Disposition of data after study • Certificate of Confidentially • HIPAA authorization meets all requirements in VHA Handbook 1605.1 (more then HIPAA)

  34. Investigator’s Responsibilities • Protocol contains all required information • Ensure data storage & security meets all VA requirements • Data use consistent with protocol • No re-disclosure of data • When leaving VA, data and all copies left at VA

  35. IRB and R&D Committee • Must carefully review discussion of: • Privacy • Flow of data • Security • Plans for re-use or placement in repository

  36. Approvals for Research Using Data From a Repository • Who is responsible? • The investigator’s facility’s IRB and R&D Committee • Who is NOT responsible? • The IRB and R&D Committee for the facility that houses the repository • The IRB and R&D Committee for the facility from which the data came

  37. Lessons Learned

  38. What We Learned: Loss of Data • Report it immediately! • OMB requires reporting within 1 hour • Real or suspected loss • Do not underestimate the amount of data or what identifiers are included • Inventory data on portable media frequently

  39. What We Learned: Security • Ensure physical space security • Review by VA police & ISO • Ensure proper information security controls • Do not remove data from VA without appropriate permissions • Maintain data on VA server • Limit number of copies & copies with identifiers • Encryption of portable media • Positions sensitivity levels are appropriate • Different levels have different background checks & re-checks • Suitability issues arise after initial employment • Untoward event • Change in duties (greater access or administrator rights)

  40. What We Learned: Access to Data (1) • Inappropriate access to multiple data sources • Storing large amounts of data without IRB permission or not in formal repository • Programmer level access without sufficient authorization • Receipt of unauthorized data files • Report immediately • Return immediately if on portable media • ISO to assist with deleting data if on hard drive or server

  41. What We Learned: Access to Data (2) • IRB must be aware of what data will be used prior to approving protocol • Data steward: release minimum necessary data • Access with applicable permissions to • Austin Automation Center • VistaWeb • VISN Data Warehouses • Medicare data • Use of data consistent with protocol

  42. What We Learned: Supervisory Control • Supervisory management • Direct assessment of staff at intervals • Be aware of active protocols, data collections, security, portable media • Appropriate management structure • MCD and ACOS responsibility & line authority over all research • Investigator initiated • Drug company • Centers and Reaps • R&D Committee responsible for oversight of research programs

  43. What We Learned: Miscellaneous Issues • E-mails • VA e-mail address for official VA communications • Can not automatically forward from you VA e-mail • Periodic audit for compliance • Privacy & confidentiality protections • Information security requirements • HIPAA authorization or waiver of authorization • Protocol requirements & only what the IRB approved • Appointing of ISO & Privacy Officer to IRB or R&D Committee

  44. A Changing Climate • Cannot remove data without permissions • Store data on VA servers • Must encrypt portable media containing VA sensitive information • Working copies require same level of security as originals • Destroy copies when no longer needed • Sensitive data must always be controlled • Know all applicable policies & guidance

More Related