Role of the Privacy Officer on the IRB

Role of the Privacy Officer on the IRB Stephania H. Griffin, RHIA, CIPP/G VHA Privacy Officer 1

Overview of Discussion • Role of Information Access and Privacy Office – – Non-voting Member of VA Central IRB Issuing Policy and Guidance Reviewing Requests for National Data Processing requests for Real. SSN and Vist. AWeb Access • Role of Facility Privacy Officer – Non-voting Member of IRB or R&D Committee – Privacy Reviews For Research 2

Role of Information Access and Privacy Office • Non-voting Member of VA Central IRB – Review all Protocols submitted to the VA Central IRB and conduct privacy review • Issuing Policy and Guidance – VHA Handbook 1605. 1 – Review Tools • Privacy Review Checklist – Available at http: //vaww. vhaco. va. gov/privacy/vhapo. htm 3

Role of Information Access and Privacy Office • Issuing Policy and Guidance (cont. ) – Privacy Fact Sheets • June 2006, Vol. 06, No. 3 - Privacy Requirements for Use of VHA Data by VHA Researchers • June 2006, Vol. 06, No. 4 - Privacy Requirements for Disclosure for Research to Non-VA Researchers • Available at http: //vaww. vhaco. va. gov/privacy/Fact. Sheets. ht m 4

Role of Information Access and Privacy Office • Reviewing Requests for National Data – Extracts from National Databases at AAC – Extracts from Corporate Data Warehouse • Processing Requests for Real. SSN and Vist. AWeb Access – Review Research Documentation – Provide approval • Sign and Submit VAF 9957 for Real. SSN • Approval on Request Form for Vist. AWeb 5

Role of Facility Privacy Officer • VHA Directive 2007 -040, Appointment of Facility Information Security Officer (ISO) and Privacy Officer to the Institutional Review Board (IRB) or the Research and Development (R&D) Committee • Rewrite of the policy directive is currently underway. • But today…. 6

Role of Facility Privacy Officer • Non-voting Member of IRB or to R&D Committee – Participate in IRB or R&C Committee meetings in order to review research documentation and raise privacy issues directly to IRB or the R&D Committee • VA uses Affiliate or Outside IRB – Develop policies, in conjunction with Research Department, for the privacy review of documentation for all facility research studies; and – Reside as non-voting member on affiliate IRB or facility R&D Committee 7

Role of Facility Privacy Officer • Final Privacy Review of Research – Required after IRB approval of research study and/or approval of waiver of HIPAAcompliant authorization – Ensure legal authority exists prior to the use of Protected Health Information (PHI) for Research – must review: • HIPAA-compliant authorization; and/or • IRB approval of waiver of HIPAA-compliant authorization; and • Business Associate Agreements, in rare instances where contractors will have access to PHI. 8

Role of Facility Privacy Officer – Ensure legal authority exists prior to the disclosure of PHI to outside entities (e. g. , study sponsor) for Research – must review: • HIPAA-compliant authorization; or • IRB approval of waiver of HIPAA-compliant authorization – Ensure process exists for the maintenance of an accounting of all disclosures resulting from the Research. – Ensure HIPAA-compliant Authorization is consistent with the Informed Consent. 9

Role of Facility Privacy Officer • Preliminary or Interim Privacy Review of Research – Review performed on Principal Investigator submission prior to the IRB Meeting • Review HIPAA-compliant authorization, if present, to determine if it meets all content requirements • Determine if a waiver of HIPAA-compliant authorization is requested or required, and what it covers (e. g. , recruitment only or entire study) • Review Informed Consent to see if consistent with HIPAA-compliant authorization provided – Provide all comments to IRB 10

Role of Facility Privacy Officer • Requested Privacy Review (Prior to IRB Submission) – Conducted at request of Principle Investigator – Review to ensure that all elements are contained in the HIPAA-compliant Authorization (if stand alone or incorporated into the Informed Consent) – Assist in determining if waiver of HIPAAcompliant Authorization required 11

Contact Information • Stephania H. Griffin, VHA Privacy Officer, Director, Information Access and Privacy Office – Phone: 704 -245 -2492 – Email: stephania. griffin@va. gov 12

Questions 13