Information Security

PHI/PII Stored Offsite

PI:

Study Title:

IRB#:

The only persons having access to the data will be the PIs, the study coordinator and other persons as authorized by the PI. The PI acknowledged that he/she has the ultimate responsibility for security of research study data.

All study data containing PII or PHI will be maintained on password-protected and encrypted computers, behind locked doors, in a secured building. This includes PHI/PII stored outside the VA environment at alternate storage locations.

All media containing VA research study data to be removed from the VA premises, on a computer, in paper format or using an electronic removable storage device, will be securely transported. This will be accomplished through the use of VA approved and FIPS 140-2 validated encrypted products and via internal/external courier personnel (e.g., personnel delivery, bonded courier, U.S. Postal Service or a commercial transport or delivery service) using appropriate storage containers and delivery tracking information.

Study data will be kept in accordance with the Department of Veterans Affairs Record Control Schedule 10-1 (RCS 10-1). The PI, in conjunction with the VA ISO and in accordance with VA policy, will ensure that upon completion of the research project, study data containing sensitive, confidential information will be returned to the VA, sanitized and removed from all non-VA servers, desktops, removable storage devices, etc.

When any study personnel are no longer a part of the research team, the PI will remove that person’s access to all study data and notify the VA Information Security Officer of such action.

If there is a suspected or confirmed loss of VA information, unauthorized use of sensitive data or storage devices, or non-compliance with information security controls, the PI and all other individuals having access to research study data have been made aware that the VA Information Security Officer must be contacted by phone or e-mail within one hour of discovery of such an incident.

A. The data collection, data flow and/or data management process

Listed on IRB form STEP 2 Inst, ITEM #19-24

B. Paragraph detailing the precise location(s) where data and/or specimens will be stored, i.e., physical site, network location/server name (e.g. vhaxxxxxxx), type of mobile storage device, building and room, etc. This description should include all storage areas at the VA San Antonio and any other alternate storage areas in which study data is to be stored. NOTE: A secure folder can be made available on the VA Research Server for your study if needed. Contact the VA Research Administration for assistance.

Listed on IRB form STEP 2 Inst, ITEM #19-24

1. Have all research staff having access to study data containing PHI/PII in any format completed VA approved information security training and VA approved privacy policy training (VA Privacy and Information Security Awareness and Rules of Behavior) within the past twelve months?

If the answer is NO, please direct those individuals who have not completed the training to do so on the Talent Management System (TMS) web site. Please contact Gerald Steward at VA ext. 68165 for further information.

If the answer is YES, or following completion of the training by all research staff having access to study data containing PHI/PII, please leave the following statement:

All research staff having access to study data have completed VA approved information security training and VA approved privacy policy training within the past twelve months.

2. Will the study require any specially obtained software?

If the answer is NO, please answer with the following statement:

This study does not require the use of any specially obtained software.

If the answer is YES, please enter the following information:

1) The source of the software

2) Whether a license will be required

3) Who will fund the license

3. Will the study require access to any web application?

If the answer is NO, please answer with the following statement:

This study does not require access to any web applications.

If the answer is YES, please enter the following information:

1) The web site address

2) The web site’s security features that will be used for such purposes as recruiting patients, completing questionnaires or processing data.

4. Does this study involve the storage of any research data on the hard drive of a PC?

If the answer is NO, please answer with the following statement:

This study does not involve the storage of any research study data on the hard drive of a PC.

If the answer is YES, please answer with the following statement:

All study data containing VA research study data to be maintained on personal computers will be encrypted through the use of VA approved and FIPS 140-2 validated encryption tools.

5. Will VA research study data be stored on any type of mobile or removable storage device?

If the answer is NO, please answer with the following statement:

No VA research study data will be stored on any type of mobile or removable storage device.

If the answer is YES, please answer with the following statement:

All VA research study data stored on any type of mobile or removable storage device will be encrypted through the use of VA approved and FIPS 140-2 validated encryption products.

VA Research study data kept on any removable storage devices does not contain the only copy. Original electronic or paper research data stored on a mobile device or removed from the VA premises will be backed up regularly and stored securely within VA’s protected environment.

All VA Research study data to be removed from the VA via an electronic storage device shall only utilize storage devices that are authorized Government Furnished Equipment (GFE). All GFE devices will be acquired through the VA CIO and will be encrypted utilizing VA encryption methods and VA approved password policy.

Approval to remove research study data has been made by following the policies and procedures described in VA South Texas Veterans Health Care System facility policy.xxxxxx, Removing VA Information from STVHCS Premises and Use of Removable Media Storage Devices.

Portable computers that have VA research study data sensitive information on their storage device(s) or have software that provides access to VA private networks will be secured under lock and key when not in the immediate vicinity of the responsible employee. This includes external hard drives and other storage devices.

Investigators will use physical locks to secure portable computers when the computers must be left in a meeting room, or other semi-public area to which individuals other than the investigators have access.

When in an uncontrolled environment (for example, when traveling on an airplane or in an airport), investigators will guard against disclosure of VA research data through eavesdropping, overhearing or overlooking (shoulder surfing) by unauthorized persons. When traveling, employees will keep portable computers or storage devices in their possession and will not check them as baggage.

7. Will VA sensitive information be stored in an alternate location outside the VA protected environment?

If the answer is NO, please answer with the following statement:

No study data in any format will be stored outside the VA protected environment in any alternate storage location.

If the answer is YES, please make sure you have identified the alternate locations as requested in paragraph B above.

8. Will any research data containing PHI/PII be transported to any alternate site using personnel delivery, bonded courier, U.S. Postal Service or a commercial transport or delivery service?

If the answer is NO, please answer with the following statement:

No research data containing PHI/PII will be transported to an alternate site using personnel delivery, bonded courier, U.S. Postal Service or a commercial transport or delivery service.

If the answer is YES, please answer with the following statement:

Any research data containing PHI/PII being transported to an alternate site using personnel delivery, bonded courier, U.S. Postal Service or a commercial transport or delivery service will utilize appropriate storage containers and delivery tracking information and, if it is electronic, will be encrypted with FIPS 140-2 validated encryption.

9. Will study data containing PHI/PII be E-mailed? (Emailing patients is not permitted per VA policy)

If the answer is NO, please answer with the following statement:

No research data containing PII will be transmitted via E-mail to any other person or entity.

If the answer is YES, please answer with the following statement:

Any research data containing PII that will be transmitted via E-mail will be encrypted according to VA specifications.

Data will be maintained and destroyed in accordance with RCS 10-1. If research documents may be transported and/or stored offsite, the protocol must also include provisions that allow the VA to maintain custody and control of the records, including returning them to the VA at the conclusion of the study.

I acknowledge that the VA owns these records and that they will be returned to the VA at the conclusion of the study.

As the Principal Investigator on this study, I have read the above document and agree the information contained herein is correct.

Signature or E-signature of Principal Investigator Date

January 10, 2017 (version 4)