HIPAA, Privacy, - PowerPoint PPT Presentation


PPT – HIPAA, Privacy, PowerPoint presentation | free to view - id: 42468e-ZGRlN


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

HIPAA, Privacy,


Cyber Security, Privacy & HIPAA Last modified by: vhabhsriverp Created Date: 8/29/2006 2:45:51 PM Document presentation format: On-screen Show Company: Dept. VA – PowerPoint PPT presentation

Number of Views:507
Avg rating:3.0/5.0
Slides: 54
Provided by: BrendaCuc


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: HIPAA, Privacy,

HIPAA, Privacy, Cybersecurity
  • Brenda Cuccherini, Ph.D., MPH
  • VA Office of Research Development
  • January 2007

A New Mind Set
  • Old habit of mind is one of the toughest
    things to get away from in the world. It
    transmits itself like physical form and
  • Mark Twain
  • A Connecticut Yankee in King Authors Court

VHA Privacy
  • VHA privacy program is complex
  • VHA must comply with 6 statutes that govern
    collection, maintenance release of information

Privacy Related Statutes
  • Privacy Act of 1974
  • FOIA
  • VA Claims Confidentiality
  • Confidentiality of Drug Abuse, Alcoholism
    Alcohol Abuse, HIV, and Sickle Cell Anemia
    Medical Records
  • Confidentiality of Healthcare Quality Assurance
    Review Records

  • HIPAA Title II The Privacy Rule
  • (45 CFR 160 and 164)

HIPAA Topics To Be Covered
  • HIPAA the Common Rule
  • HIPAA Identifiers
  • Limited Data Sets
  • Business Associate Agreements
  • De-identification
  • Waiver of Authorization
  • VA HHS Differences

HIPAA the Privacy Rule
  • Title I Health Care Access, Portability,
  • Title II Preventing Healthcare Fraud Abuse
    Administrative Simplification Medical Liability
  • Privacy Rule,
  • Transactions,
  • Security
  • Enforcement)

HIPAA The Common Rule
  • Represents 2 different but not contradictory
  • Many terms similar but not alike
  • IRB must make 2 separate determinations when
    reviewing approving applicable research

HIPAA Identifiers Remove to De-identify for
  • (1) Names
  • (2) All geographic subdivisions smaller than a
    state, except
  • for the initial three digits of the zip
    code if the
  • geographic unit formed by combining all zip
    codes with
  • the same three initial digits contains more
  • 20,000 people
  • (3) All elements of dates except year and all
    ages over 89
  • (4) Telephone numbers
  • (5) Fax numbers
  • (6) E-mail addresses
  • (7) Social security numbers
  • (8) Medical record numbers

HIPAA Identifiers (Cont.)
  • (9) Health plan beneficiary numbers
  • (10) Account numbers
  • (11) Certificate or license numbers
  • (12) Vehicle identifiers and license plate
  • (13) Device identifiers and serial numbers
  • (14) URLs
  • (15) IP addresses
  • (16) Biometric identifiers
  • Full-face photographs and any comparable
  • images

HIPAA Identifiers (Cont.)
  • Any other unique identifying number,
  • or code, unless otherwise permitted by
    the Privacy
  • Rule for re-identification
  • Scrambled SSNs
  • Initials
  • Last four digits of SSN
  • Employee numbers
  • Etc.
  • (19) A caveat HIPAA also states that the
    entity does not have actual
  • knowledge that the remaining
    information could be used alone
  • or in combination with other
    information to identify an individual
  • who is the subject of the information
  • If you can strip all 18 identifiers, it still may
    not be de-identified

Applicability of Identifiers
  • HIPAA identifiers apply to
  • The individual
  • The individuals relatives
  • The individuals employers
  • The individuals household members

Whats De-identified?
  • If some one tells you data is de-identified, ask
    them how they define it!
  • Definition of de-identified
  • All HIPAA identifiers must be removed, plus The
    entity must have no knowledge the caveat from
    the last slide and
  • It meets the Common Rule definition of

Limited Data Sets
  • Does not require a HIPPA authorization or waiver
    of authorization
  • Only allowed for research , public health, or
    health care operations
  • Requires a DUA
  • May contain identifiable information such as
    scrambled SSNs, are still PHI
  • May still be human subjects research

Limited Data Set (Cont.)
  • Excludes certain direct identifiers
  • Excluded identifiers apply to
  • The individual,
  • The individuals relatives
  • The individuals employers
  • The individuals household members
  • May contain
  • City, state, ZIP code,
  • Elements of a date other numbers,
  • Characteristics or codes not listed as direct

Limited Data Sets Direct Identifiers
  • (1) Names
  • (2) Postal address other than town, city, state,
  • and ZIP code
  • (3) Telephone numbers
  • (4) Fax numbers
  • (5) SSNs
  • (6) Medical Record number
  • (7) Health plan beneficiary numbers
  • (8) Account numbers

Limited Data Set Direct Identifiers (Cont.)
  • (9) Certificate/license numbers
  • (10) Vehicle identifiers and serial numbers
  • including license plate numbers
  • (11) Device identifiers serial numbers
  • (12) Web universal resource locators (URLs)
  • (13) Internet protocol (IP) address
  • (14) Biometric identifiers, including
  • voice prints
  • (15) Full-face photographic images and any
  • comparable images

Business Associate Agreements
  • Business Associate An individual or entity who
    on behalf of VHA
  • Performs or assists in performing functions or
    activities involving the use or disclosure of PHI
  • Activities must be related to treatment, payment,
    or health care operations

Business Associate Agreements
  • BAAs not required for research or research
  • Research is not a function or activity regulated
    by HIPAA (treatment, payment, or health care

Waiver of Authorization
  • IRB or Privacy Board (PB) may approve
  • Full waiver of authorization
  • Partial waiver of authorization
  • Alteration of the disclosure
  • IRB or Privacy Board
  • Must make specific determination prior to
    approving waiver
  • Must document specific findings

Required Determinations 3 Criteria
  • 1. The use or disclosure of PHI involves no more
    than a minimal risk to the individual based on
    at least the presence of the following elements
  • An adequate plan to Protect the identifiers from
    improper use disclosure
  • An adequate plan to destroy the identifiers at
    the earliest opportunity consistent with the
    conduct of the research unless there is health
    or research justification for retaining them or
    retention or the retention is required by law
  • Adequate written assurance that the PHI will not
    be reused or disclosed to any other person or
    entity, except as required by law, for authorized
    oversight of the research study, or for other
    research for which the use of disclosure of PHI
    would be permitted by this subpart

Required Determinations 3 Criteria (Cont.)
  • 2. The research could not practicably be
    conducted without the waiver
  • 3. The research could not practicably be
    conducted without access to and use of the
    protected health information

Required Documentation
  • Name of IRB or PB date approved
  • Statement IRB or PB determined the alteration or
    waiver of authorization, in whole or in part,
    satisfies the 3 criteria in the Rule AND include
    the criteria
  • A brief description of the PHI for which use or
    access has been determined to be necessary
  • A statement that the alteration or waiver of
    authorization has been reviewed and approved
    under either normal or expedited review
    procedures, and
  • Signature of the chair or other member, as
    designated by the chair, of the IRB or PB, as

Investigators Responsibility
  • Include all necessary information in the
    submission to the IRB or PB
  • Request use of the minimal necessary information
    to conduct the research
  • Use of data consistent with the protocol
  • No re-use or sharing of data without approvals

Differences VHA vs. HHS
  • Preparatory To Research
  • Authorization Elements
  • Accounting for Disclosures
  • Data Use Agreements

Preparatory to Reach
  • VHA Handbook 1605.1 states that contacting
    research subjects or conducting pilot studies are
    not Preparatory to Research activities
  • HHS states that the Preparatory to Research
    provisions allow an investigator to use PHI to
    contact prospective research subjects

HIPAA Authorization
  • VHA requirements differ from HHSs
  • A description of the information to be used or
    disclosed AND specifically identify HIV, Sickle
    cell anemia, drug and/or alcohol abuse treatment

Accounting for disclosure
  • Not so much a difference but a clarification
  • VHA research is conducted inside a single covered
    entity MOST research does not involve
    disclosure, only use of PHI

Data Use Agreements
  • VHA and HHS requires DUA for use of limited data
    sets only
  • ORD policy will additionally require a DUA (Data
    Transfer Agreement) for anytime you transfer
    data within VHA for research purposes

  • Privacy Act of 1974

  • An American has no sense of privacy.
  • He does not know what it means.
  • There is no such thing in the country.
  • George Bernard Shaw

Privacy Act of 1974
  • Purpose To balance the governments need to
    maintain information about individuals with the
    rights of individuals to be protected against
    unwarranted invasions of their privacy
  • Background Watergate era and Congress concerned
  • Curbing illegal surveillance investigations
  • Potential abuses presented by governments
    increasing use of computers to store retrieve
    personal data

Privacy Act Objectives
  • Restrict disclosure of personally identifiable
    records by agencies
  • Grant individuals
  • Increased rights of access to agency records
  • The right to seek amendment of agency records
  • Establish code of fair information practices for

A Privacy Act Requirement
  • Agencies that maintain a system of records "shall
    promulgate rules, in accordance with notice and
    comment rulemaking
  • Systems of Records (SOR) A group of records
    under agency control from which information is
    retrieved by the name of the individual or by
    some identifying number, symbol, or other
    identifying particular assigned to the

System of Records Content
  • Category of individuals covered by the system
  • Categories of records in the system
  • Purpose of the records
  • Routine uses of records
  • Storage (storage medium)
  • Retrievability (name, numbers or identifier)

SORs and Research
  • 34VA12 -- Veteran, Patient, Employee, and
    Volunteer Research and Development Project
  • 121VA19 -- National Patient Databases - VA

SORs Impact on Research
  • All release/disclosure of information must be
    consistent with the SOR and routine uses
  • Investigators can not release information to
    non-VA investigators or institutions unless
  • Written permissions/authorization from individual
  • Permission of the USH
  • Release of information is through the Privacy

Privacy Issues Resources
  • VHA Privacy Officer Stephania Putt
  • Local privacy officer
  • VHA privacy program
  • http//vaww.vhaco.va.gov/privacy/
  • Links to all Federal statutes, regulations,
    policies including security policies
  • Privacy Fact Sheets

  • Cybersecurity

  • To err is human and to blame it on a computer
    is even more so.
  • Robert Orben
  • Magician and Comedy Writer

A Changing Climate
  • Security must be addressed in
  • Protocol, appendices, or other document
  • Facility SOPs
  • New policies (VA VHA) and requirements
  • Sensitive data must be controlled at all times

It is VA policy that
  • VA information may not reside on non-VA systems
    or devices unless specifically authorized by VA
  • Federal Information Security Management Act of
    2002 (FISMA) Federal Security requirements apply
    to when contractors or other organizations on
    behalf of an agency possess or use Federal
  • You must obtain authorization to remove
    confidential Privacy Act protected information
  • Approved protocol
  • Consult with supervisors/obtain permission
  • Consult with supervisor and ISO to ensure that
    the data is properly encrypted and password
    protected in accordance with VA policy
    Secretarys memo June.6, 2006

VA Policy on Protection of Data
  • Data system backups or copies
  • Same confidentiality classification as originals
  • Laptops portable media must NOT contain the
    only copy of the data
  • VAPI stored on computers or other storage media
    outside VA facilities must be encrypted per VA
    approved protection mechanisms
  • Password or other authentication information
  • Do not store on remote systems unless encrypted
  • Data can not be transmitted by remote access
    without VA-approved protection mechanisms

VA policy on Government Laptops or Other Equipment
  • Updated property pass
  • Updated virus protection
  • House protect it from
  • Environmental threats hazards
  • Unauthorized access, use, or removal
  • Laptops, external hard drives, or other storage
    devices must be under lock key when not in your
    immediate vicinity if it
  • Contains sensitive/protected information (VAPI)
  • Software to access VA private networks

What You Must Do
  • Prior to receiving laptop or sensitive data
  • Know the policies on protecting or responding to
    lost/stolen laptops or data.
  • Always be on guard
  • Use common sense about where you leave it, who
    can access it
  • Once laptop or data is discovered to be missing
  • Report it to the police
  • Obtain a copy of the police report (name of
    officer, case number, etc.)
  • Try to inventory what is on the laptop or the
    missing data.
  • Make required notifications

Reporting of Security Incidents
  • OMB requires reporting of an incident within 1
    hour of discovery to US-CERT
  • US-CERT US Computer Emergency Readiness Team is
    the operational arm of National Cyber Security
    Division (NCSD), Department of Homeland Security
  • Suspected and confirmed breaches must be reported

How to Report Security Incidents
  • Immediately report to
  • Supervisor
  • ISO
  • Privacy Officer
  • Others (Your facility may require reporting to
    other facility administrators)
  • ISO will report it to the VA-Security Operations
    Center (VA-SOC)
  • Privacy Officer will enter it into the Privacy
    Violations Tracking System (PVTS)
  • VA-SOC will notify US-CERT key VHA/VA officials

Investigators Responsibilities
  • Protocols contain sufficient information on
    security issues
  • Who uses information
  • How it will be stored and secured
  • Who has copies where
  • Will it remain within VA if not, will all data
    be returned to VA if not why
  • Disposition of the data after protocol completed)
  • Allowing access only to authorized individuals

Investigators Responsibilities (Cont.)
  • Safeguarding laptops, portable drives, flash
    drives, and other medium
  • Ensuring all contracts, DUAs, and BAAs contain
    required language
  • Encrypting/password protecting all sensitive data

Policy Documents
  • VA Directive 6504 Waiver of requirements
  • Granted only by the VA Chief Information Officer
    in CO
  • Waiver request only from an Administration Head,
    Assistant Secretary, or other key official
  • Majority of IT security documents being
    redrafted on a very fast track

Finding Policies
  • www.va.gov/vhapublications
  • Link on left banner to VA publications
  • www.va.gov/research
  • Call or e-mail
  • Brenda Cuccherini, Ph.D. at (202)254-0277 or
  • brenda.cuccherini_at_va.gov

  • A single question can be more influential
  • than a thousand statements.
  • Bo Bennett
  • Businessman

About PowerShow.com