Developing Solutions - Specific ISO & Privacy Officer Responsibilities for Review of Human Research Projects K. Lynn Cates, M.D. Assistant Chief Research.

Developing Solutions - Specific ISO & Privacy Officer Responsibilities for Review of Human Research Projects

K. Lynn Cates, M.D.Assistant Chief Research & Development OfficerDirector, PRIDE

June 1, 2011

Human Research Protection Program (HRPP)*• Every office, committee, & individual who is involved

in human research• Institutional Official (IO) – Medical Center Director

• Research Team – Investigator & Research Staff

• Research Office – ACOS & AO

• IRB – Staff & Members

• Research & Development (R&D) Committee

• Research Compliance Officer

• Research Pharmacy

• Privacy Officer

• Information Security Officer

*VHA Handbook 1200.05, 3ee

2

VHA Handbook 1200.05 – “Requirements for the Protection of Human Subjects in Research”• Responsible Program Office – ORD

• ORO, OI&T, & the VHA Privacy Office collaborated & concurred on relevant content

• Establishes procedures for the protection of human subjects in VA Research

• Defines the procedures for implementing the Common Rule in VA Research

3

Common Rule “Protection of Human Subjects”

• VA is one of 17 Federal departments & agencies that have agreed to follow the Common Rule

• 38 Code of Federal Regulations (CFR) Part 16• 38 CFR 16.111 (also known as the “111 Criteria”) –

Criteria for IRB approval of research include provisions such as• Risks to subjects are minimized

• Risks are reasonable in relation to anticipated benefits

• Informed consent will be sought & documented

• When appropriate, there are adequate provisions to protect the privacy of subjects & to maintain the confidentiality of data (16.111(a)(7))

4

Privacy Officer & ISORole in HRPP*

• Must be appointed as a non-voting member of either• The IRB, or

• The R&D Committee

• Must be involved in the review of human subjects research to address & mitigate potential concerns regarding privacy & confidentiality, & information security, respectively

*VHA Handbook 1200.05, 12m

5

VHA Handbook 1200.05, Paragraph 38 Privacy Officer & ISO Responsibilities

• Privacy Officer • Ensuring proposed research complies with

requirements for privacy & confidentiality

• Information Security Officer• Ensuring proposed research complies with

requirements for information security

6

VHA Handbook 1200.05, Paragraph 38 Privacy Officer & ISO Responsibilities

• Cannot approve or disapprove a study

• Do not have the authority to prevent or delay IRB approval of a study

7

VHA Handbook 1200.05, Paragraph 38 Privacy Officer & ISO Responsibilities

• Reviewing the proposed protocol & other relevant materials submitted with the IRB application

• Informing the IRB of their findings

• Identifying deficiencies in the proposed research

• Making recommendations to the Principal Investigator (PI) of options to correct the deficiencies

• Following up with the PI, in a timely manner, to ensure the proposed research is in compliance before the study is initiated

8

Amendments & Continuing Review

• Privacy Officers & ISOs do not have to review all amendments & continuing reviews, but they do have to serve in an advisory role to the IRB which may include assisting the IRB in the review of amendments & continuing reviews when the IRB has concerns about privacy, confidentiality, &/or information security issues. See VHA Handbook 1200.05, 12m(2):

• “Regardless of whether they are appointed to be ex officio [i.e., non-voting] members of the IRB or R&D Committee, the facility Privacy Officer & ISO must be involved in the review of human subjects research to address & mitigate potential concerns regarding privacy & confidentiality, & information security, respectively.”

9

1

Checklist for Reviewing Privacy, Confidentiality and Information Security in Research:

Purpose, Development and Implementation

Alan Papier

VA Local Accountability for Research MeetingJune 1, 2001

Purpose: Develop a standard checklist to be used when reviewing research

studies Make it easier for Principal Investigators (PI) to provide complete

documentation on their data protection plans Make it easier for Privacy Officers (POs) and Information Security

Officers (ISOs) to comprehensively review research studies for adherence to policy

11

The Information Protection in Research Work Group created a checklist to ensure the security, privacy and confidentiality of sensitive information in research studies

Representatives VA-wide provided input to the development of the research checklist

Field Security Service Information Access and Privacy Service Office of Cyber Security VA Privacy Service Research Integrity and Assurance Office of Special Advisor on Policy and Emerging

Issues Health Data and Informatics Office of Information and Technology (OIT) Office

of Oversight and Compliance VA Office of General Counsel

12

During development of the research checklist, 12 facilities were invited to field test the first draft

Portland, Region 1 Puget Sound, Region 1 Tucson, Region 1 Milwaukee, Region 2 Saint Louis, Region 2 Birmingham, Region 3 Cleveland, Region 3 Richmond, Region 3

Baltimore, Region 4 Lyons, Region 4 Pittsburgh, Region 4 Providence, Region 4

13

The research checklist is designed to encourage collaboration and ensure information protection

14

There are several important factors to keep in mind when implementing the research checklist

The checklist is: Coordinated by the Institutional Review Board (IRB) or Research and

Development (R&D) Completed manually or electronically Suggested that PO and ISO sign once to indicate compliance with

policy or recommend changes requiring further review and additional signatures

Signed electronically or with a wet signature, depending on the preference of the IRB

15

Additional Factors…

The form will work best if the PI documents are in a specific section of the application or protocol

It is not necessary to document every item in the application or protocol -If it does not apply, check N/A

Checklist should be used for initial submissions Checklist is not expected to be submitted for previously approved

studies IRB can decide whether to use for continuing reviews or amendments

16

Checklist provides guidance to the PI on topics to document and provides them with the policy reference if they want to look it up

IRB may adapt the form to its needs or use it as is It is not intended to be an exhaustive list of requirements but rather a

brief list to reference Each requirement is clearly titled with a subject that can be used by

the PI as an outline to writing the information protection portion of the study application

8

Additional Factors…(con’t)

Visit the Information Security (IS) Portal for a copy of the research checklisthttps://vaww.infoprotection.va.gov/fieldsecurity/default.aspx

18

Contacts

Information Security Issues– Joseph Holston– Lucy Fleming

Privacy and Confidentiality Issues– Patricia Christensen– Stephania Griffin

Research Policy– Brenda Cuccherini

19

Questions

20

Checklist for Reviewing Privacy, Confidentiality and

Information Security in Research -Development and Purpose

Alan Papier, ISO Director, Region 4

IS YOUR IRB/RDC USING THE CHECKLIST?

1. Yes (47%)2. No (53%)

DOES YOUR IRB/RDC PLAN TO USE THE CHECKLIST?

1. Yes (76%)2. No (24%)

IF YOU ARE NOT PLANNING TO USE THE CHECKLIST, WHY NOT?

1. We have another checklist that works better. (32.6%)2. The Checklist is too complicated. (32.6%)3. The IRB hates it. (19.6%)4. The Privacy Officer does not want to use it. (8.7%)5. The Information Security Officer does not want to use it.

(6.5%)

HAS YOUR IRB ATTEMPTED TO USE THE CHECKLIST?

1. We tried it, but didn’t like it. (28.6%)2. IRB reviewed it and rejected it without a test. (14.3%)3. IRB rejected it without reviewing it. (10.7%)4. IRB did not want to discuss it. We have our own IRB. (7.1%)5. IRB did not want to discuss it. We use an affiliate IRB as the

IRB of record. (39.3%)

IF YOU ARE USING THE CHECKLIST, HAS IT MADE THE PROCESS WORK BETTER?

1. Better (24.6%)2. No difference (7.7%)3. Worse (20%)4. Need more time to evaluate (47.7%)

IF YOU ARE USING THE CHECKLIST, ARE YOU USING A PAPER VERSION OR

ELECTRONIC VERSION?

1. Paper (50%)2. Electronic (50%)

IF YOU ARE USING THE CHECKLIST, DOES YOUR REVIEW TAKE LESS TIME THAN BEFORE YOU BEGAN USING IT?

1. Significantly less time (6.8%)2. Somewhat less time (6.8%)3. About the same amount of time (23.7%)4. Somewhat more time (30.5%)5. Significantly more time (32.2%)

DOES THE CONTENT OF THE CHECKLIST HELP GUIDE YOU THROUGH A

COMPREHENSIVE REVIEW?

1. Review is now much more comprehensive (47.7%)2. Somewhat more comprehensive (29.2%)3. About the same (15.4%)4. Somewhat less comprehensive (6.2%)5. Much less comprehensive (1.5%)

Privacy Officer & ISO ResponsibilitiesHuman Research Review

• The Privacy Officer & ISO are expected to review studies against the requirements in the checklist (but not necessarily use the checklist itself)

• It is not sufficient to only review the checklist & not the protocol & related materials themselves (1200.05, 38b Note) because

• The checklist cannot cover all contingencies

• The PI &/or study team may not fill it out correctly

30

Privacy Officer & ISO ResponsibilitiesReports

• The IRB or Research Office needs to work with their Privacy Officers & ISOs to develop Standard Operating Procedures (SOPs) defining local policy on how the Privacy Officers & ISOs should document their findings (e.g., checklist, memoranda, etc.)

• So everyone knows what is expected

• To facilitate auditing of files (e.g., by RCOs)

• To facilitate site visits (e.g., by ORO, PCA, ITOC, & AAHRPP)

31

Privacy Officer & ISO ResponsibilitiesDocumentation

• Summary reports* = interim or initial reports of their review & assessment that either• Identify specific questions, concerns, required changes, &

suggested options for correcting deficiencies, or

• Final reports** = when all requirements have been met

• You do not have to submit a “summary report” if all the requirements have been met. A “final report” will suffice

*VHA Handbook 1200.05, 38g** VHA Handbook 1200.05, 38h

32

Privacy Officer & ISO ResponsibilitiesWhat Goes Into the Reports?*

• Date of report

• Study title

• PI’s name

• If issues• Questions, concerns, required changes

• Options for correcting deficiencies

• If no deficiencies• Statement that the study meets all requirements

• Approval

*Models = Checklist or VA Central IRB Forms

for PI Application, Privacy Officer, & ISO

33

Privacy Officer & ISO ResponsibilitiesWhen are Summary/Final Reports Due?*• For convened IRB Review – due prior to, or at, the

convened IRB meeting

• For expedited review - due prior to IRB approval by the IRB Chair or designee

• For exempt studies (i.e., exempt from IRB review) – go to the ACOS/R&D

*VHA Handbook 1200.05, 38g

34

Privacy Officer & ISO ResponsibilitiesWhen are Final Reports Due?

• Final reports must go to the IRB (VA or affiliate IRB) “in a timely manner”*

• Privacy Review• HIPAA Authorization

• The Privacy Officer must receive a copy of the final HIPAA authorization before signing off on a final report to ensure it is a valid authorization (the final sign off can be at the IRB meeting)

• Waiver of HIPAA Authorization• The Privacy Officer must receive documentation of IRB

approval of a waiver of HIPAA authorization before signing off on a final report (can be at meeting)

*VHA Handbook 1200.05, 38h

35

Privacy Officer & ISO Responsibilities Communication With the PI

• The Privacy Officer & ISO• Must feel free to engage all stakeholders

• May work directly with the PI (&/or study team)

• The IRB &/or Research Office staff• Should work with the Privacy Officer & ISO to

develop SOPs to address communication of privacy, confidentiality, & information security issues with the PI

• Must submit all documented questions, concerns, &/or changes to the PI for resolution

• Should provide the Privacy Officer &/or ISO a copy of the PI’s response, along with the next IRB agenda

36

What Happens if the PI is Unresponsive? • If the PI does not satisfactorily address

deficiencies identified by the Privacy Officer &/or ISO, & the project is not in compliance with relevant requirements

• The Privacy Officer &/or ISO will not be able to provide final approval, &

• The PI cannot collect or use data

37

What if the Privacy Officer & ISO are Non-Voting Members of the R&D Committee?• They must submit their summary/final report prior

to, or at, the convened IRB meeting (1200.05, 38g)

• They must be provided adequate time before the IRB meeting to perform their review (e.g., 2 weeks)

38

What if the IRB of Record is at the Affiliate?• Nothing changes. The Privacy Officer & ISO must

ensure the privacy, confidentiality, & information security plan are in accordance with all relevant requirements

• Waiver of HIPAA authorization. The affiliate IRB should approve it because the IRB has reviewed the project & is familiar with • Why the investigators need the waiver

• Why the investigators cannot perform the study without a waiver

39

What is the Role of the Local Privacy Officer & ISO in a Multi-Site Project?

• VA Central IRB reviews the project• The Privacy Officer for the VA Central IRB reviews the

project for all sites (PI site & local sites)• The local Privacy Officer does not have to review the

project

• The ISO for the VA Central IRB reviews the project for all sites, but• The ISO at local site may need to review the project if

there are special local information security issues

• Other multi-site studies• The local Privacy Officers & ISOs review the study as

it will be conducted at the local site

40

What Happens if the PI & Privacy Officer &/or ISO Disagree ? Who Mediates?• The Privacy Officer will contact the VHA Privacy

Office

• The ISO will contact the Network ISO or the Senior ISO for Research

• When applicable, guidance may be sought from ORD &/or ORO

• A written response will be provided to the PI

41

Who Follows Up to Ensure the PI Makes the Required Changes?

• The IRB Administrator or Research Office staff• They provide the PI’s response to the Privacy

Officer &/or ISO

42

How Others Can Help Privacy Officers & ISOs Fulfill Their Responsibilities

• PIs• Must dedicate sections of the protocol or develop an

additional document(s) (e.g., the checklist) to address all privacy & information security issues (1200.05, 10i&j)

• IRB Administrators &/or Research Office• Can work with the Privacy Officer & ISO to build into their

SOPs provisions for• Giving Privacy Officers & ISOs sufficient time for their reviews

• Defining how Privacy Officers & ISOs provide documentation

• Defining how the flow of communications with the PI

• Work with PIs to get their responses

43

Others’ Roles in Helping Privacy Officers & ISOs Fulfill Their Responsibilities• IRB

• Reports to the Privacy Officer any unauthorized use, loss, or disclosure of individually-identifiable subject information (1200.05, 14o)

• Reports to the ISO violations of VA information security requirements (1200.05, 14p)

44

Panel

Stephania Griffin, RHIA

VHA Privacy Officer

Patricia L. Christensen, MS, RHIA, CHPS, CIPP/G, CHPC

VHA Privacy Specialist, VHA Privacy Office

Alan Papier, CISSP, ISSMP, CISM

Information Security Director, Region 4

Lucy Fleming, RHIA, CAP

ISO, Baltimore

Joseph Holston

Senior Research ISO, ORD

Brenda Cuccherini, PhD, MPH

Special Advisor for Policy & Emerging Issues, ORD

45