Data Privacy and Security Plan Checklist

Please answer all applicable questions listed below. Not every question will necessarily be applicable to your study. If you believe any question is not applicable, you should still address the question as "N/A". This should be submitted as part of the Initial Review Application.

Title of Study: ______

Date: ______

Name of Principal Investigator: ______

Name of VA Principal Investigator: ______

Data Use:

Is there a Data Use Agreement? Yes No

Is there a Memorandum of Understanding (MOU) in place? (Resource: ISO) Yes No

Is there an Interconnection Service Agreement (ISA) in place (may be combined with an MOU if appropriate)? (Resource: ISO) Yes No

Is there a contract service involved with this protocol? Yes No

Is Patient Health Information involved with the service contract? Yes No (If yes, then a BAA is needed for this protocol)

Data Privacy and Security:

Per VA policy, you are required to report any security incident (i.e., theft or loss of data or storage media, unauthorized access of sensitive data or storage devices, or non-compliance with security controls) within 1 hour to the following people:

Information Security Officers:
Eduardo Lorenzo, 303-316-6618
John Westfall, 303-370-7581
E-mail:

Privacy Officers:
Jeffrey Day, 303-399-8020 ext. 2080
Lesley Petersen, 303-399-8020, ext. 2082
E-mail:

ACOS:
Robert Keith, 303-399-8020, x3182; E-mail:

Records Manager:
Norbert Zick, 303-399-8020 ext. 2973

Please acknowledge understanding of above policy requirement Yes No

Is identifiable information collected? Yes No If yes, please detail what is collected: ______

______

Will the PHI collected be de-identified? Yes No

If yes, who will have access to the de-identified information? ______

How will the data be de-identified? ______

How will the data elements that are being collected or abstracted be stored? Electronic Paper

Please provide how you plan on safeguarding the collected data? ______

Describe the physical security for all areas where data is stored or processed? ______

List all individuals who will have access to the physical location where your data will be kept?

______

Termination of Data Access: Please explain how access will be removed from personnel who are no longer part of the research team? ______

Has a waiver been submitted to the VA CIO for the use of "Other Equipment" (OE) in accordance with VA Handbook 6500? (Resource ISO or CIO) Yes No N/A

Describe the method by which data will be returned to the VA at either the end of study, or by demand of the VA.

______

Will any Protected Health Information (PHI) and/or Personally Identifiable Information (PII) be transmitted or transported? Yes No If so, how (e.g. security bag, thumb drive, disc)? ______

Has approval to transport, transmit, access, and store VA sensitive information been obtained in accordance with VA Handbook 6500? (Resource ISO) Yes No NA

If electronically, describe the process and all protections in place (e.g. Public Key Infrastructure (PKI, a software that provides the ability to email sensitive information in a secure manner), encrypted CD sent via FedEx, etc.). ______

Will any third party be provided PHI or PII information in either paper or electronic format (Sponsor, Lab, Affiliate, etc.)? Yes No

Accounting of Disclosure:

Will PHI be shared with an outside entity (e.g. University, sponsor)? Yes No

If yes, who will be responsible for documenting and tracking the accounting of disclosure if the PHI is sent to an outside entity (e.g. coordinator, PI)? ______

Notice of Privacy Practices:

Will you be enrolling non-veteran participants in this research? Yes No

NOTE: If yes, you will need to provide a Notice of Privacy Practices to each participant and obtain a signed acknowledgement receipt. The signed acknowledgement receipt will be forwarded to the facility Privacy Officer.

Confidentiality:

Has staff who has access to and/or will be working with the data been properly approved and granted appropriate VA status (e.g. Without Compensation (WOC), Inter-agency Personnel Agreement (IPA), employee, etc.)? Yes No

Has staff who has access to and/or will be working with the data completed all VA and IRB mandatory annual training (VA Privacy & Info Security Awareness, CITI, VA Info Security 201, etc.)? (Resource: VA Research Training Coordinator) Yes No

HIPAA Waiver:

Is there a plan to protect identifiers from improper use or disclosure? Yes No If yes, please explain: ______

Written Assurance of Protection: The request for waiver of HIPAA authorization provides adequate written assurance that the requested information will be protected from improper use and disclosure and will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the requested information would be permitted by the HIPAA Privacy Rule. Yes No

If yes, please explain: ______

Could the research practicably be done without the access to and use of the requested information? Yes No

If no, please explain: ______

Revised 8/3/2016 Page 1

______

Signature of VA Principal Investigator
