Data Security Checklist for Principal Investigators
The VA now requires that each PI certify for each research project that sensitive information is stored in a secure manner. Sensitive information refers to information that can be used to identify an individual research participant and includes the following:
1.Names or initials
2.All geographic subdivisions smaller than a state
3.All elements of dates except the year and all ages over 85
4.Telephone numbers
5.Fax numbers
6.E-mail addresses
7.Social Security Numbers (or scrambled Social Security Numbers)
8.Medical record numbers
9.Health plan beneficiary numbers
10.Account numbers
11.Certificate or license numbers
12.Vehicle identifiers and license plate numbers
13.Device identifiers and serial numbers
14.URLs
15.IP addresses
16.Biometric identifiers, including finger and voice prints
17.Full-face photographs and any comparable images
18.Any other unique identifying number, characteristic or code, unless otherwise permitted by the Privacy Rule for re-identification.
Please evaluate the information you are collecting for your study. If sensitive information is not collected in the course of this project, you should check N/A for both statements in the upper table on page 3 of the checklist. Entering your personal information on the last page is a sufficient electronic signature. If this is not the case, then you must ensure that all identifiers associated with Participant Research Data are stored appropriately, using one of the three options described below:
Option 1: Store All Participant Research Data on VA Server in your personal (M:) drive or shared S: or P: drives (restricted to study personnel).
This is the preferred approach for storing participant data. In this format, all personal information is behind the VA firewall. In addition, all files are backed up regularly. If you need to store to the S: or P: drive, while these are still behind the VA firewall, it is important to work with IRM to restrict access.
Option 2: De-Identify Participant Information.
If data must be stored outside of the VA firewall or off of the VA campus, then the data should not contain identifiers and/or be de-identified.
Identifiable data is considered data where the identity of the participant is or may readily be ascertained.
De-identified data is data that does not contain any of the 18 individual identifiers of the HIPPA Privacy Rule (listed above).
One approach is to assign a sequential number to research participants as they are enrolled, which is used for all computer files. A code-breaker log linking these numbers to the actual participant will be required for most studies. This log can be kept on the VA server (see Option 1 above) or in paper form in a secure location on the VA campus (e.g., locked drawer or file cabinet).
The advantage of this Option towards Information Security is that such de-identyfied data files can be conveniently shared with research colleagues.
Option 3: Participant Identifiers cannot be Avoided
In some cases it is not possible to avoid using participant identifiers. The manner in which participant identifiers will be used must be clearly described in the informed consent form, protocol, and HIPPA authorization. The use of identifiers must be restricted to secure routes. These could include telephone calls to specific members of the research team; written correspondence to sponsor or request information from a prior hospital visit that is shipped using a trackable system (e.g., Fed Ex, DHL, etc); electronic entry of data into a secure web site. These will not include e-mails, e-mail attachments (whether or not password protected), faxes unless to known secure fax machines, and standard postal mail.
Date:
Name of Protocol:
Name of Pi:
Pi's Phone Number and e-mail address:
Name of Privacy Officer:Kamilah Shepherd
PO's Phone e-mail address (216)791-3800 x5315 –
Name of ISO:Larry Campbell
ISO's Phone Number and e-mail address:440-526-3030 x6625 –
Instructions: If you answer NO to any one of the statements, you may not remove or transmit the data outside the VA and you must consult with your supervisor, ISO and Privacy Officer. If the research will not obtain any VA sensitive information/data the statements below should be marked as not applicable (N/A).To change blank box to Xed change property (right click)
Yes / No / N/A / Specific RequirementAll VA sensitive research information is used and stored within the VA
All copies of VA sensitive research information are used and remain within the VA
Yes / No / N/A / Specific Requirement
Permission to remove the data has been obtained from 1) your immediate supervisor, 2) your ACOS/R&D, 3) the VA Information Security Officer (ISO) and 4) the VA Privacy Officer.
A property pass for the equipment (Laptop etc.) has been obtained
The laptop or other portable media is encrypted and password protected. NOTE: Contact the VA ISO at your facility for encryption issues.
Data are not transmitted as an attachment to unprotected e-mail messages.
Names, addresses, and Social Security Numbers (real and scrambled) have been replaced with a code. Note: Names, addresses, and Social Security Numbers (real or scrambled) may only be maintained on a VA server and documentation of the procedure by which the data were coded must remain within the VA
Data sent via mail or delivery service have been encrypted. Note: It is preferable to send data on CDs or other media by a delivery service where there is a “chain of custody.”
For data that will reside on a non-VA server: The server has to be accredited as required by Federal Information and Security Management Act of 2002 (FISMA). Note: your facilities ISO should be consulted.
Access to the data is only by those who are authorized to access it and the access is related to VA-approved research.
Procedures for reporting theft or loss of sensitive data or the media such as a laptop, containing sensitive data are in place and familiar to the researcher and all others who have access to use, store, or transport the data.
Storage of sensitive data outside of the VA in hard copy or electronic format is described in consent form.
If you have answered yes or N/A to both statements above, stop here.
If the original or copies of VA research information are removed from the VA the following apply:See Appendix A for definition of terms used in this document.
Principal Investigator's Certification: Storage
& Security of VA Research Information
Instructions:
1.This certification must be completed by all Principal Investigators (P1) and submitted to their facility's ACOS/R&D by April 15th annually. If you are PI on more then one research protocol, you may a) complete a form for each protocol, b) list additional protocols and date of R&D approval on the bottom of this form, or c) attach a separate list.
2.This form must be completed for each new protocol and a copy of this form must remain with the research protocol file.
3.This form must be submitted to ORD during the Just-In-Time process if you will be funded by ORD for a research project.
I certify to the best of my knowledge that all VA sensitive information associated with the research study entitled and approved by the Research and Development Committee on is being used, storedand secured in accordance with the applicable VA and VHA policies and guidance.
Name:
Title:
Date:
Phone:
E-mail:
RevisedApril, 2007Page 1 of 4