Developing Solutions - Specific ISO & Privacy Officer Responsibilities for Review of Human Research Projects
K. Lynn Cates, M.D.
Assistant Chief Research & Development Officer
Director, PRIDE
June 1, 2011
Jan 12, 2016
Human Research Protection Program (HRPP)*
• Every office, committee, & individual who is involved in human research
• Institutional Official (IO) – Medical Center Director
• Research Team – Investigator & Research Staff
• Research Office – ACOS & AO
• IRB – Staff & Members
• Research & Development (R&D) Committee
• Research Compliance Officer
• Research Pharmacy
• Privacy Officer
• Information Security Officer
*VHA Handbook 1200.05, 3ee
VHA Handbook 1200.05 – “Requirements for the Protection of Human Subjects in Research”
• Responsible Program Office – ORD
• ORO, OI&T, & the VHA Privacy Office collaborated & concurred on relevant content
• Establishes procedures for the protection of human subjects in VA Research
• Defines the procedures for implementing the Common Rule in VA Research
Common Rule “Protection of Human Subjects”
• VA is one of 17 Federal departments & agencies that have agreed to follow the Common Rule
• 38 Code of Federal Regulations (CFR) Part 16
• 38 CFR 16.111 (also known as the “111 Criteria”) – Criteria for IRB approval of research include provisions such as
• Risks to subjects are minimized
• Risks are reasonable in relation to anticipated benefits
• Informed consent will be sought & documented
• When appropriate, there are adequate provisions to protect the privacy of subjects & to maintain the confidentiality of data (16.111(a)(7))
Privacy Officer & ISO Role in HRPP*
• Must be appointed as a non-voting member of either
• The IRB, or
• The R&D Committee
• Must be involved in the review of human subjects research to address & mitigate potential concerns regarding privacy & confidentiality, & information security, respectively
*VHA Handbook 1200.05, 12m
VHA Handbook 1200.05, Paragraph 38 Privacy Officer & ISO Responsibilities
• Privacy Officer
• Ensuring proposed research complies with requirements for privacy & confidentiality
• Information Security Officer
• Ensuring proposed research complies with requirements for information security
VHA Handbook 1200.05, Paragraph 38 Privacy Officer & ISO Responsibilities
• Cannot approve or disapprove a study
• Do not have the authority to prevent or delay IRB approval of a study
VHA Handbook 1200.05, Paragraph 38 Privacy Officer & ISO Responsibilities
• Reviewing the proposed protocol & other relevant materials submitted with the IRB application
• Informing the IRB of their findings
• Identifying deficiencies in the proposed research
• Making recommendations to the Principal Investigator (PI) of options to correct the deficiencies
• Following up with the PI, in a timely manner, to ensure the proposed research is in compliance before the study is initiated
Amendments & Continuing Review
• Privacy Officers & ISOs do not have to review all amendments & continuing reviews, but they do have to serve in an advisory role to the IRB which may include assisting the IRB in the review of amendments & continuing reviews when the IRB has concerns about privacy, confidentiality, &/or information security issues. See VHA Handbook 1200.05, 12m(2):
• “Regardless of whether they are appointed to be ex officio [i.e., non-voting] members of the IRB or R&D Committee, the facility Privacy Officer & ISO must be involved in the review of human subjects research to address & mitigate potential concerns regarding privacy & confidentiality, & information security, respectively.”
Checklist for Reviewing Privacy, Confidentiality and Information Security in Research:
Purpose, Development and Implementation
Alan Papier
VA Local Accountability for Research Meeting
June 1, 2001
Purpose:
• Develop a standard checklist to be used when reviewing research studies
• Make it easier for Principal Investigators (PI) to provide complete documentation on their data protection plans
• Make it easier for Privacy Officers (POs) and Information Security Officers (ISOs) to comprehensively review research studies for adherence to policy
The Information Protection in Research Work Group created a checklist to ensure the security, privacy and confidentiality of sensitive information in research studies
Representatives VA-wide provided input to the development of the research checklist
• Field Security Service
• Information Access and Privacy Service
• Office of Cyber Security
• VA Privacy Service
• Research Integrity and Assurance
• Office of Special Advisor on Policy and Emerging Issues
• Health Data and Informatics
• Office of Information and Technology (OIT) Office of Oversight and Compliance
• VA Office of General Counsel
During development of the research checklist, 12 facilities were invited to field test the first draft
• Portland, Region 1
• Puget Sound, Region 1
• Tucson, Region 1
• Milwaukee, Region 2
• Saint Louis, Region 2
• Birmingham, Region 3
• Cleveland, Region 3
• Richmond, Region 3
• Baltimore, Region 4
• Lyons, Region 4
• Pittsburgh, Region 4
• Providence, Region 4
The research checklist is designed to encourage collaboration and ensure information protection
There are several important factors to keep in mind when implementing the research checklist
The checklist is:
• Coordinated by the Institutional Review Board (IRB) or Research and Development (R&D)
• Completed manually or electronically
• Suggested that PO and ISO sign once to indicate compliance with policy or recommend changes requiring further review and additional signatures
• Signed electronically or with a wet signature, depending on the preference of the IRB
Additional Factors…
• The form will work best if the PI documents are in a specific section of the application or protocol
• It is not necessary to document every item in the application or protocol - If it does not apply, check N/A
• Checklist should be used for initial submissions
• Checklist is not expected to be submitted for previously approved studies
• IRB can decide whether to use for continuing reviews or amendments
• Checklist provides guidance to the PI on topics to document and provides them with the policy reference if they want to look it up
• IRB may adapt the form to its needs or use it as is
• It is not intended to be an exhaustive list of requirements but rather a brief list to reference
• Each requirement is clearly titled with a subject that can be used by the PI as an outline to writing the information protection portion of the study application
Additional Factors… (cont’d)
Visit the Information Security (IS) Portal for a copy of the research checklist
https://vaww.infoprotection.va.gov/fieldsecurity/default.aspx
Contacts
Information Security Issues
– Joseph Holston
– Lucy Fleming
Privacy and Confidentiality Issues
– Patricia Christensen
– Stephania Griffin
Research Policy
– Brenda Cuccherini
Questions
Checklist for Reviewing Privacy, Confidentiality and Information Security in Research - Development and Purpose
Alan Papier, ISO Director, Region 4
IS YOUR IRB/RDC USING THE CHECKLIST?
1. Yes (47%)
2. No (53%)
DOES YOUR IRB/RDC PLAN TO USE THE CHECKLIST?
1. Yes (76%)
2. No (24%)
IF YOU ARE NOT PLANNING TO USE THE CHECKLIST, WHY NOT?
1. We have another checklist that works better. (32.6%)
2. The Checklist is too complicated. (32.6%)
3. The IRB hates it. (19.6%)
4. The Privacy Officer does not want to use it. (8.7%)
5. The Information Security Officer does not want to use it. (6.5%)
HAS YOUR IRB ATTEMPTED TO USE THE CHECKLIST?
1. We tried it, but didn’t like it. (28.6%)
2. IRB reviewed it and rejected it without a test. (14.3%)
3. IRB rejected it without reviewing it. (10.7%)
4. IRB did not want to discuss it. We have our own IRB. (7.1%)
5. IRB did not want to discuss it. We use an affiliate IRB as the IRB of record. (39.3%)
IF YOU ARE USING THE CHECKLIST, HAS IT MADE THE PROCESS WORK BETTER?
1. Better (24.6%)
2. No difference (7.7%)
3. Worse (20%)
4. Need more time to evaluate (47.7%)
IF YOU ARE USING THE CHECKLIST, ARE YOU USING A PAPER VERSION OR ELECTRONIC VERSION?
1. Paper (50%)
2. Electronic (50%)
IF YOU ARE USING THE CHECKLIST, DOES YOUR REVIEW TAKE LESS TIME THAN BEFORE YOU BEGAN USING IT?
1. Significantly less time (6.8%)
2. Somewhat less time (6.8%)
3. About the same amount of time (23.7%)
4. Somewhat more time (30.5%)
5. Significantly more time (32.2%)
DOES THE CONTENT OF THE CHECKLIST HELP GUIDE YOU THROUGH A COMPREHENSIVE REVIEW?
1. Review is now much more comprehensive (47.7%)
2. Somewhat more comprehensive (29.2%)
3. About the same (15.4%)
4. Somewhat less comprehensive (6.2%)
5. Much less comprehensive (1.5%)
Privacy Officer & ISO Responsibilities: Human Research Review
• The Privacy Officer & ISO are expected to review studies against the requirements in the checklist (but not necessarily use the checklist itself)
• It is not sufficient to only review the checklist & not the protocol & related materials themselves (1200.05, 38b Note) because
• The checklist cannot cover all contingencies
• The PI &/or study team may not fill it out correctly
Privacy Officer & ISO Responsibilities: Reports
• The IRB or Research Office needs to work with their Privacy Officers & ISOs to develop Standard Operating Procedures (SOPs) defining local policy on how the Privacy Officers & ISOs should document their findings (e.g., checklist, memoranda, etc.)
• So everyone knows what is expected
• To facilitate auditing of files (e.g., by RCOs)
• To facilitate site visits (e.g., by ORO, PCA, ITOC, & AAHRPP)
Privacy Officer & ISO Responsibilities: Documentation
• Summary reports* = interim or initial reports of their review & assessment that either
• Identify specific questions, concerns, required changes, & suggested options for correcting deficiencies, or
• Final reports** = when all requirements have been met
• You do not have to submit a “summary report” if all the requirements have been met. A “final report” will suffice
*VHA Handbook 1200.05, 38g
**VHA Handbook 1200.05, 38h
Privacy Officer & ISO Responsibilities: What Goes Into the Reports?*
• Date of report
• Study title
• PI’s name
• If issues
• Questions, concerns, required changes
• Options for correcting deficiencies
• If no deficiencies
• Statement that the study meets all requirements
• Approval
*Models = Checklist or VA Central IRB Forms for PI Application, Privacy Officer, & ISO
Privacy Officer & ISO Responsibilities: When are Summary/Final Reports Due?*
• For convened IRB Review – due prior to, or at, the convened IRB meeting
• For expedited review - due prior to IRB approval by the IRB Chair or designee
• For exempt studies (i.e., exempt from IRB review) – go to the ACOS/R&D
*VHA Handbook 1200.05, 38g
Privacy Officer & ISO Responsibilities: When are Final Reports Due?
• Final reports must go to the IRB (VA or affiliate IRB) “in a timely manner”*
• Privacy Review
• HIPAA Authorization
• The Privacy Officer must receive a copy of the final HIPAA authorization before signing off on a final report to ensure it is a valid authorization (the final sign off can be at the IRB meeting)
• Waiver of HIPAA Authorization
• The Privacy Officer must receive documentation of IRB approval of a waiver of HIPAA authorization before signing off on a final report (can be at meeting)
*VHA Handbook 1200.05, 38h
Privacy Officer & ISO Responsibilities: Communication With the PI
• The Privacy Officer & ISO
• Must feel free to engage all stakeholders
• May work directly with the PI (&/or study team)
• The IRB &/or Research Office staff
• Should work with the Privacy Officer & ISO to develop SOPs to address communication of privacy, confidentiality, & information security issues with the PI
• Must submit all documented questions, concerns, &/or changes to the PI for resolution
• Should provide the Privacy Officer &/or ISO a copy of the PI’s response, along with the next IRB agenda
What Happens if the PI is Unresponsive?
• If the PI does not satisfactorily address deficiencies identified by the Privacy Officer &/or ISO, & the project is not in compliance with relevant requirements
• The Privacy Officer &/or ISO will not be able to provide final approval, &
• The PI cannot collect or use data
What if the Privacy Officer & ISO are Non-Voting Members of the R&D Committee?
• They must submit their summary/final report prior to, or at, the convened IRB meeting (1200.05, 38g)
• They must be provided adequate time before the IRB meeting to perform their review (e.g., 2 weeks)
What if the IRB of Record is at the Affiliate?
• Nothing changes. The Privacy Officer & ISO must ensure the privacy, confidentiality, & information security plan are in accordance with all relevant requirements
• Waiver of HIPAA authorization. The affiliate IRB should approve it because the IRB has reviewed the project & is familiar with
• Why the investigators need the waiver
• Why the investigators cannot perform the study without a waiver
What is the Role of the Local Privacy Officer & ISO in a Multi-Site Project?
• VA Central IRB reviews the project
• The Privacy Officer for the VA Central IRB reviews the project for all sites (PI site & local sites)
• The local Privacy Officer does not have to review the project
• The ISO for the VA Central IRB reviews the project for all sites, but
• The ISO at local site may need to review the project if there are special local information security issues
• Other multi-site studies
• The local Privacy Officers & ISOs review the study as it will be conducted at the local site
What Happens if the PI & Privacy Officer &/or ISO Disagree? Who Mediates?
• The Privacy Officer will contact the VHA Privacy Office
• The ISO will contact the Network ISO or the Senior ISO for Research
• When applicable, guidance may be sought from ORD &/or ORO
• A written response will be provided to the PI
Who Follows Up to Ensure the PI Makes the Required Changes?
• The IRB Administrator or Research Office staff
• They provide the PI’s response to the Privacy Officer &/or ISO
How Others Can Help Privacy Officers & ISOs Fulfill Their Responsibilities
• PIs
• Must dedicate sections of the protocol or develop an additional document(s) (e.g., the checklist) to address all privacy & information security issues (1200.05, 10i&j)
• IRB Administrators &/or Research Office
• Can work with the Privacy Officer & ISO to build into their SOPs provisions for
• Giving Privacy Officers & ISOs sufficient time for their reviews
• Defining how Privacy Officers & ISOs provide documentation
• Defining the flow of communications with the PI
• Work with PIs to get their responses
Others’ Roles in Helping Privacy Officers & ISOs Fulfill Their Responsibilities
• IRB
• Reports to the Privacy Officer any unauthorized use, loss, or disclosure of individually-identifiable subject information (1200.05, 14o)
• Reports to the ISO violations of VA information security requirements (1200.05, 14p)
Panel
Stephania Griffin, RHIA
VHA Privacy Officer
Patricia L. Christensen, MS, RHIA, CHPS, CIPP/G, CHPC
VHA Privacy Specialist, VHA Privacy Office
Alan Papier, CISSP, ISSMP, CISM
Information Security Director, Region 4
Lucy Fleming, RHIA, CAP
ISO, Baltimore
Joseph Holston
Senior Research ISO, ORD
Brenda Cuccherini, PhD, MPH
Special Advisor for Policy & Emerging Issues, ORD