
ISO & Privacy Officer Responsibilities for Human Research Projects

This article discusses the specific responsibilities of the ISO (Information Security Officer) and Privacy Officer in reviewing human research projects, including compliance with privacy, confidentiality, and information security requirements.

kennedye

Presentation Transcript


  1. Developing Solutions - Specific ISO & Privacy Officer Responsibilities for Review of Human Research Projects K. Lynn Cates, M.D. Assistant Chief Research & Development Officer Director, PRIDE June 1, 2011

  2. Human Research Protection Program (HRPP)* • Every office, committee, & individual who is involved in human research • Institutional Official (IO) – Medical Center Director • Research Team – Investigator & Research Staff • Research Office – ACOS & AO • IRB – Staff & Members • Research & Development (R&D) Committee • Research Compliance Officer • Research Pharmacy • Privacy Officer • Information Security Officer *VHA Handbook 1200.05, 3ee

  3. VHA Handbook 1200.05 – “Requirements for the Protection of Human Subjects in Research” • Responsible Program Office – ORD • ORO, OI&T, & the VHA Privacy Office collaborated & concurred on relevant content • Establishes procedures for the protection of human subjects in VA Research • Defines the procedures for implementing the Common Rule in VA Research

  4. Common Rule “Protection of Human Subjects” • VA is one of 17 Federal departments & agencies that have agreed to follow the Common Rule • 38 Code of Federal Regulations (CFR) Part 16 • 38 CFR 16.111 (also known as the “111 Criteria”) – Criteria for IRB approval of research include provisions such as • Risks to subjects are minimized • Risks are reasonable in relation to anticipated benefits • Informed consent will be sought & documented • When appropriate, there are adequate provisions to protect the privacy of subjects & to maintain the confidentiality of data (16.111(a)(7))

  5. Privacy Officer & ISO Role in HRPP* • Must be appointed as a non-voting member of either • The IRB, or • The R&D Committee • Must be involved in the review of human subjects research to address & mitigate potential concerns regarding privacy & confidentiality, & information security, respectively *VHA Handbook 1200.05, 12m

  6. VHA Handbook 1200.05, Paragraph 38 Privacy Officer & ISO Responsibilities • Privacy Officer • Ensuring proposed research complies with requirements for privacy & confidentiality • Information Security Officer • Ensuring proposed research complies with requirements for information security

  7. VHA Handbook 1200.05, Paragraph 38 Privacy Officer & ISO Responsibilities • Cannot approve or disapprove a study • Do not have the authority to prevent or delay IRB approval of a study

  8. VHA Handbook 1200.05, Paragraph 38 Privacy Officer & ISO Responsibilities • Reviewing the proposed protocol & other relevant materials submitted with the IRB application • Informing the IRB of their findings • Identifying deficiencies in the proposed research • Making recommendations to the Principal Investigator (PI) of options to correct the deficiencies • Following up with the PI, in a timely manner, to ensure the proposed research is in compliance before the study is initiated

  9. Amendments & Continuing Review • Privacy Officers & ISOs do not have to review all amendments & continuing reviews, but they do have to serve in an advisory role to the IRB which may include assisting the IRB in the review of amendments & continuing reviews when the IRB has concerns about privacy, confidentiality, &/or information security issues. See VHA Handbook 1200.05, 12m(2): • “Regardless of whether they are appointed to be ex officio [i.e., non-voting] members of the IRB or R&D Committee, the facility Privacy Officer & ISO must be involved in the review of human subjects research to address & mitigate potential concerns regarding privacy & confidentiality, & information security, respectively.”

  10. Checklist for Reviewing Privacy, Confidentiality and Information Security in Research: Purpose, Development and Implementation Alan Papier VA Local Accountability for Research Meeting June 1, 2001

  11. The Information Protection in Research Work Group created a checklist to ensure the security, privacy and confidentiality of sensitive information in research studies Purpose: • Develop a standard checklist to be used when reviewing research studies • Make it easier for Principal Investigators (PI) to provide complete documentation on their data protection plans • Make it easier for Privacy Officers (POs) and Information Security Officers (ISOs) to comprehensively review research studies for adherence to policy

  12. Representatives VA-wide provided input to the development of the research checklist • Field Security Service • Information Access and Privacy Service • Office of Cyber Security • VA Privacy Service • Research Integrity and Assurance • Office of Special Advisor on Policy and Emerging Issues • Health Data and Informatics • Office of Information and Technology (OIT) Office of Oversight and Compliance • VA Office of General Counsel

  13. During development of the research checklist, 12 facilities were invited to field test the first draft • Portland, Region 1 • Puget Sound, Region 1 • Tucson, Region 1 • Milwaukee, Region 2 • Saint Louis, Region 2 • Birmingham, Region 3 • Cleveland, Region 3 • Richmond, Region 3 • Baltimore, Region 4 • Lyons, Region 4 • Pittsburgh, Region 4 • Providence, Region 4

  14. The research checklist is designed to encourage collaboration and ensure information protection

  15. There are several important factors to keep in mind when implementing the research checklist The checklist is: • Coordinated by the Institutional Review Board (IRB) or Research and Development (R&D) • Completed manually or electronically • Suggested that PO and ISO sign once to indicate compliance with policy or recommend changes requiring further review and additional signatures • Signed electronically or with a wet signature, depending on the preference of the IRB

  16. Additional Factors… • The form will work best if the PI documents are in a specific section of the application or protocol • It is not necessary to document every item in the application or protocol - If it does not apply, check N/A • Checklist should be used for initial submissions • Checklist is not expected to be submitted for previously approved studies • IRB can decide whether to use for continuing reviews or amendments

  17. Additional Factors… (cont’d) • Checklist provides guidance to the PI on topics to document and provides them with the policy reference if they want to look it up • IRB may adapt the form to its needs or use it as is • It is not intended to be an exhaustive list of requirements but rather a brief list to reference • Each requirement is clearly titled with a subject that can be used by the PI as an outline to writing the information protection portion of the study application

  18. Visit the Information Security (IS) Portal for a copy of the research checklist https://vaww.infoprotection.va.gov/fieldsecurity/default.aspx

  19. Contacts • Information Security Issues • Joseph Holston • Lucy Fleming • Privacy and Confidentiality Issues • Patricia Christensen • Stephania Griffin • Research Policy • Brenda Cuccherini

  20. Questions

  21. Checklist for Reviewing Privacy, Confidentiality and Information Security in Research - Development and Purpose Alan Papier, ISO Director, Region 4

  22. Is your IRB/RDC using the Checklist? • Yes (47%) • No (53%)

  23. Does your IRB/RDC plan to use the Checklist? • Yes (76%) • No (24%)

  24. If you are not planning to use the Checklist, why not? • We have another checklist that works better. (32.6%) • The Checklist is too complicated. (32.6%) • The IRB hates it. (19.6%) • The Privacy Officer does not want to use it. (8.7%) • The Information Security Officer does not want to use it. (6.5%)

  25. Has your IRB attempted to use the Checklist? • We tried it, but didn’t like it. (28.6%) • IRB reviewed it and rejected it without a test. (14.3%) • IRB rejected it without reviewing it. (10.7%) • IRB did not want to discuss it. We have our own IRB. (7.1%) • IRB did not want to discuss it. We use an affiliate IRB as the IRB of record. (39.3%)

  26. If you are using the Checklist, has it made the process work better? • Better (24.6%) • No difference (7.7%) • Worse (20%) • Need more time to evaluate (47.7%)

  27. If you are using the Checklist, are you using a paper version or electronic version? • Paper (50%) • Electronic (50%)

  28. If you are using the Checklist, does your review take less time than before you began using it? • Significantly less time (6.8%) • Somewhat less time (6.8%) • About the same amount of time (23.7%) • Somewhat more time (30.5%) • Significantly more time (32.2%)

  29. Does the content of the Checklist help guide you through a comprehensive review? • Review is now much more comprehensive (47.7%) • Somewhat more comprehensive (29.2%) • About the same (15.4%) • Somewhat less comprehensive (6.2%) • Much less comprehensive (1.5%)

  30. Privacy Officer & ISO Responsibilities: Human Research Review • The Privacy Officer & ISO are expected to review studies against the requirements in the checklist (but not necessarily use the checklist itself) • It is not sufficient to only review the checklist & not the protocol & related materials themselves (1200.05, 38b Note) because • The checklist cannot cover all contingencies • The PI &/or study team may not fill it out correctly

  31. Privacy Officer & ISO Responsibilities: Reports • The IRB or Research Office needs to work with their Privacy Officers & ISOs to develop Standard Operating Procedures (SOPs) defining local policy on how the Privacy Officers & ISOs should document their findings (e.g., checklist, memoranda, etc.) • So everyone knows what is expected • To facilitate auditing of files (e.g., by RCOs) • To facilitate site visits (e.g., by ORO, PCA, ITOC, & AAHRPP)

  32. Privacy Officer & ISO Responsibilities: Documentation • Summary reports* = interim or initial reports of their review & assessment that either • Identify specific questions, concerns, required changes, & suggested options for correcting deficiencies, or • Final reports** = when all requirements have been met • You do not have to submit a “summary report” if all the requirements have been met. A “final report” will suffice *VHA Handbook 1200.05, 38g **VHA Handbook 1200.05, 38h

  33. Privacy Officer & ISO Responsibilities: What Goes Into the Reports?* • Date of report • Study title • PI’s name • If issues • Questions, concerns, required changes • Options for correcting deficiencies • If no deficiencies • Statement that the study meets all requirements • Approval *Models = Checklist or VA Central IRB Forms for PI Application, Privacy Officer, & ISO

  34. Privacy Officer & ISO Responsibilities: When are Summary/Final Reports Due?* • For convened IRB Review – due prior to, or at, the convened IRB meeting • For expedited review – due prior to IRB approval by the IRB Chair or designee • For exempt studies (i.e., exempt from IRB review) – go to the ACOS/R&D *VHA Handbook 1200.05, 38g

  35. Privacy Officer & ISO Responsibilities: When are Final Reports Due? • Final reports must go to the IRB (VA or affiliate IRB) “in a timely manner”* • Privacy Review • HIPAA Authorization • The Privacy Officer must receive a copy of the final HIPAA authorization before signing off on a final report to ensure it is a valid authorization (the final sign off can be at the IRB meeting) • Waiver of HIPAA Authorization • The Privacy Officer must receive documentation of IRB approval of a waiver of HIPAA authorization before signing off on a final report (can be at meeting) *VHA Handbook 1200.05, 38h

  36. Privacy Officer & ISO Responsibilities: Communication With the PI • The Privacy Officer & ISO • Must feel free to engage all stakeholders • May work directly with the PI (&/or study team) • The IRB &/or Research Office staff • Should work with the Privacy Officer & ISO to develop SOPs to address communication of privacy, confidentiality, & information security issues with the PI • Must submit all documented questions, concerns, &/or changes to the PI for resolution • Should provide the Privacy Officer &/or ISO a copy of the PI’s response, along with the next IRB agenda

  37. What Happens if the PI is Unresponsive? • If the PI does not satisfactorily address deficiencies identified by the Privacy Officer &/or ISO, & the project is not in compliance with relevant requirements • The Privacy Officer &/or ISO will not be able to provide final approval, & • The PI cannot collect or use data

  38. What if the Privacy Officer & ISO are Non-Voting Members of the R&D Committee? • They must submit their summary/final report prior to, or at, the convened IRB meeting (1200.05, 38g) • They must be provided adequate time before the IRB meeting to perform their review (e.g., 2 weeks)

  39. What if the IRB of Record is at the Affiliate? • Nothing changes. The Privacy Officer & ISO must ensure the privacy, confidentiality, & information security plan are in accordance with all relevant requirements • Waiver of HIPAA authorization. The affiliate IRB should approve it because the IRB has reviewed the project & is familiar with • Why the investigators need the waiver • Why the investigators cannot perform the study without a waiver

  40. What is the Role of the Local Privacy Officer & ISO in a Multi-Site Project? • VA Central IRB reviews the project • The Privacy Officer for the VA Central IRB reviews the project for all sites (PI site & local sites) • The local Privacy Officer does not have to review the project • The ISO for the VA Central IRB reviews the project for all sites, but • The ISO at local site may need to review the project if there are special local information security issues • Other multi-site studies • The local Privacy Officers & ISOs review the study as it will be conducted at the local site

  41. What Happens if the PI & Privacy Officer &/or ISO Disagree? Who Mediates? • The Privacy Officer will contact the VHA Privacy Office • The ISO will contact the Network ISO or the Senior ISO for Research • When applicable, guidance may be sought from ORD &/or ORO • A written response will be provided to the PI

  42. Who Follows Up to Ensure the PI Makes the Required Changes? • The IRB Administrator or Research Office staff • They provide the PI’s response to the Privacy Officer &/or ISO

  43. How Others Can Help Privacy Officers & ISOs Fulfill Their Responsibilities • PIs • Must dedicate sections of the protocol or develop an additional document(s) (e.g., the checklist) to address all privacy & information security issues (1200.05, 10i&j) • IRB Administrators &/or Research Office • Can work with the Privacy Officer & ISO to build into their SOPs provisions for • Giving Privacy Officers & ISOs sufficient time for their reviews • Defining how Privacy Officers & ISOs provide documentation • Defining the flow of communications with the PI • Work with PIs to get their responses

  44. Others’ Roles in Helping Privacy Officers & ISOs Fulfill Their Responsibilities • IRB • Reports to the Privacy Officer any unauthorized use, loss, or disclosure of individually-identifiable subject information (1200.05, 14o) • Reports to the ISO violations of VA information security requirements (1200.05, 14p)

  45. Panel Stephania Griffin, RHIA VHA Privacy Officer Patricia L. Christensen, MS, RHIA, CHPS, CIPP/G, CHPC VHA Privacy Specialist, VHA Privacy Office Alan Papier, CISSP, ISSMP, CISM Information Security Director, Region 4 Lucy Fleming, RHIA, CAP ISO, Baltimore Joseph Holston Senior Research ISO, ORD Brenda Cuccherini, PhD, MPH Special Advisor for Policy & Emerging Issues, ORD
