Privacy Overview for VHA ORD Stephania H Griffin

Privacy Overview for VHA ORD Stephania H. Griffin, JD, RHIA Director, Information Access and Privacy Veterans Health Administration Office of Health Informatics May 4, 2020 1

Privacy Topics • General Privacy Efforts with Research Component • VA Form 10 -250, VHA Research Protocol Privacy Review Checklist • Combined Research ICF with HIPAA Authorization • Waiver of HIPAA Authorizations 2

General Privacy Efforts • Updating VHA facility Privacy Policy Template – Facility-level Privacy Policies are required but being revised to remove duplicate language • PCA Audits include Research Privacy Component (Mandated and Consultative) – Review compliance with Privacy requirements and use the completed VA Form 10 -250 to assist in that review 3

VA Form 10 -250 • VA Form 10 -250, VHA Research Protocol Privacy Review Checklist, is required by VHA Directive 1605. 03 • Must incorporate completed form into the protocol documents – May be maintained in facility protocol documentation, if using Affiliate IRB. • Only documents the Privacy Officer review – ISSO review is no longer documented on the Privacy Officer Checklist and may be performed as the facility determines. • Both the Preliminary and Final review sections must be completed.

Completing VA Form 10 -250 • Privacy Officer Preliminary review begins on pg. 2 – Conducted to ensure that all privacy concerns are addressed prior to approval • Privacy Officer Final Review begins on pg. 5 – Conduct a final review after the IRB (or R&D Committee when acting as Privacy Board) has approved the study to see if any changes were made that would affect the privacy interest of the subjects – Did the approval documents include all the necessary components

Combined ICF and HIPAA Authorization • VHA Directive 1200. 05 no longer prohibits combining informed consent forms and HIPAA authorizations into one document. • There are however, certain situations when it is not advised to combine the two documents due to requirements inherent in the Privacy Act or HIPAA Privacy Rule. Specifically, it is best not to combine the informed consent form with a HIPAA Authorization when either: – The subject has diminished decision-making capacity; or – When the research study contains optional components that the subject can choose to participate in or not (e. g. optional data or tissue banking or genetic testing). 6

Combined ICF and HIPAA Authorization • For subjects that have diminished decision-making capacity, the individual who is authorized to provide informed consent on the subject’s behalf may not be the same individual who is authorized to sign a HIPAA Authorization for the subject. – If a combined document was used, and the individual signing the form met the qualifications of the subject’s LAR but was not appointed as their personal representative, the HIPAA authorization would not be valid. – The scenario would require the subject’s Personal Representative to sign a separate HIPAA Authorization or for the IRB or R&D Committee to approve a waiver of HIPAA Authorization for the subjects without a Personal Representative. 7

Combined ICF and HIPAA Authorization • Where the study includes an optional component such as data or tissue banking or genetic testing, in order to meet the requirements specified in the HIPAA Privacy Rule, the HIPAA authorization must clearly differentiate between the conditioned (mandatory) and unconditioned (optional) components and provide the subject with an opportunity to opt in to the research activities described in the unconditioned part of the authorization. • In order to sufficiently show that the subject opted into the unconditioned (optional) component of the study, a signature is required for that component as opposed to just a check box within the Informed Consent. 8

Waiver of HIPAA Authorizations • IRB or Privacy Board approved waivers of HIPAA Authorizations may be for: – an entire study; – a single aspect of the study, such as recruitment; or – a specific situation, such as consenting subjects with diminished decision-making capacity with a LAR. • Waivers are a balance of generalities with specificity. • The IRB or Privacy Board has sole authority for determining if HIPAA Privacy Rule criteria have been meet to grant a waiver. • However, concerns raised by the PO around what the waiver does and does not cover as written, should be heeded as a PO in many cases may have to approve access to the data, such as with CDW, VINCI and CAPRI. 9

Q&A Discussion 10

ADDITIONAL INFORMATION Contact Stephania Griffin, Director Information Access and Privacy (10 A 7 B), 704 -245 -2492, Stephania. griffin@va. gov 11