Data Repositories - Anticipated PolicyVHA Handbook 1200.12

Research Accountability MeetingResearch Accountability Meeting

Dr. Joan P. PorterOffice of Research OversightOffice of Research OversightOR

O

HumanSubjectProtection

ResearchMisconduct

LaboratoryAnimal Welfare

ResearchLaboratorySafety/Security

DRAFT VHA Handbook 1200.12

““Use of Data and Data Use of Data and Data Repositories in VHA Research”Repositories in VHA Research”

What will this new handbook cover?

The Handbook is intended to define VHA policy on research use of data and data repositories. It addresses both the use of clinical and administrative data repositories for research as well as development and use of data repositories solely for research purposes.

Examples: Examples: Austin and NSQIP are Austin and NSQIP are notnot research data bases, per se, but research data bases, per se, but

contain information that provides powerful research resources.contain information that provides powerful research resources.

HSR&D databases in Centers of Excellence are research data HSR&D databases in Centers of Excellence are research data bases, for example. Some investigators have established large bases, for example. Some investigators have established large research databases.research databases.

What is a Research Data Repository?

This term means: 1. a data repository created in advance This term means: 1. a data repository created in advance from data assembled to conduct future research protocols from data assembled to conduct future research protocols (a bank or sorts), e.g. the Maveric database, or 2. data (a bank or sorts), e.g. the Maveric database, or 2. data gathered in the course of conducting a research protocol gathered in the course of conducting a research protocol that is maintained after completion of the research that is maintained after completion of the research protocol and turned into a bank for future use. A research protocol and turned into a bank for future use. A research data repository is developed by researchers and used by data repository is developed by researchers and used by researchers. researchers.

The “protocol” may be for an individual research project The “protocol” may be for an individual research project or a “protocol” for creating and maintaining a repository or a “protocol” for creating and maintaining a repository for research.for research.

Scope of Draft Database Handbook

Applies to all Applies to all VAVA-approved research activities involving -approved research activities involving the use of data and data repositoriesthe use of data and data repositories– Conducted in VA or space VA leases for its useConducted in VA or space VA leases for its use

– By VA investigators while on dutyBy VA investigators while on duty

– Utilizing VA resourcesUtilizing VA resources

VAVA investigators investigators– CompensatedCompensated

– WOCWOC

– IPAIPA

Contractors: similar requirements will be in Contractors: similar requirements will be in contract/contract/SOWSOW

Non-VA Investigators

Remember: you can give data to non-Remember: you can give data to non-VA investigators only under limited VA investigators only under limited circumstancescircumstances

(Remember — Joe Francis’ and Stephania (Remember — Joe Francis’ and Stephania Putt’s remarks [see VHA Handbook Putt’s remarks [see VHA Handbook 1605.1])1605.1])

Sources of Data

Internal sourcesInternal sources– Austin Automation ServiceAustin Automation Service

– PBMPBM

– VistAWebVistAWeb

– Other administrative and clinical databases (e.g., NSQIP)Other administrative and clinical databases (e.g., NSQIP)

– Research databasesResearch databases

External sourcesExternal sources

Research subjectsResearch subjects

Some Key Definitions:

Human Subject —Human Subject —– A living individual about whom an investigator A living individual about whom an investigator

conduction research 1) obtains data through conduction research 1) obtains data through intervention or interaction with the individual, or intervention or interaction with the individual, or 2) obtains identifiable private information.2) obtains identifiable private information.

Individually-Identified Information —Individually-Identified Information —– When the investigator can link data to a specific When the investigator can link data to a specific

person directly or through codes (38 person directly or through codes (38 CFRCFR 16.102 – 16.102 – Common Rule); use of anyone of the 18 Common Rule); use of anyone of the 18 HIPAAHIPAA identifiers (e.g. last 4 digits of identifiers (e.g. last 4 digits of SSNSSN, scrambled , scrambled SSNSSN, , initials, date of birth, date of admission . . . )initials, date of birth, date of admission . . . )

De-identified Data — must meet both the following definitions:

HIPAAHIPAA definition of de-identified definition of de-identified– Removal of all 18 identifiers that could be used to Removal of all 18 identifiers that could be used to

identity the individual, individual’s relatives, identity the individual, individual’s relatives, employers, or household membersemployers, or household members

Common Rule “definition”Common Rule “definition”– Removal of all information that could identify the Removal of all information that could identify the

individual or could be used to readily ascertain the individual or could be used to readily ascertain the identity of the individualidentity of the individual

(Remember HIPAA is only about health data, the (Remember HIPAA is only about health data, the Common Rule applies any identifiable data.)Common Rule applies any identifiable data.)

Definition: Coded Data

Information for which the source Information for which the source person can be identified through person can be identified through intermediate links (“coded”) used intermediate links (“coded”) used alone or in combination with other alone or in combination with other informationinformation

VHA Draft Handbook also addresses

the Use of Data Preparatory to Research

Preparatory to Research

Access only to prepare protocol prior to Access only to prepare protocol prior to submission to submission to IRBIRB and and R&DR&D Committee Committee

Can record aggregate data for background, to Can record aggregate data for background, to justify the research, or show adequate number of justify the research, or show adequate number of subjects available, etc.subjects available, etc.

Cannot:Cannot:– Record identifiersRecord identifiers– Use information reviewed for recruitment or to conduct Use information reviewed for recruitment or to conduct

pilot studiespilot studies

continued . . .

PIPI must make representation per must make representation per HIPAAHIPAA

– Access only to prepare protocolAccess only to prepare protocol

– No No PHIPHI removed from covered entity removed from covered entity

– Access is necessary for researchAccess is necessary for research

Documentation of representation placed in Documentation of representation placed in PIPI’s ’s filesfiles

Preparatory to Research(continued from previous page)(continued from previous page)

Key Points for Use of Data for Research Purposes

Minimum necessary dataMinimum necessary data

Approved use Approved use ((IRBsIRBs and and R&DR&D Committees) Committees)

Required approvals:Required approvals:The Principal Investigator and each The Principal Investigator and each co-investigators (regardless of site) must co-investigators (regardless of site) must obtain approvals of:obtain approvals of:

– IRB(s) – unless not human subjects or unless exemptIRB(s) – unless not human subjects or unless exempt

– R&D Committee(s)R&D Committee(s)

– Others – union; Privacy Offices, ISOs, administrator of databaseOthers – union; Privacy Offices, ISOs, administrator of database

Responsibilities of VA Facilities Releasing Identifiable or De-identified Information from Their Records to Other VA Sites for

Research Purposes

A DUA/DTAA DUA/DTA must be implemented between the must be implemented between the releasing facility and the receiving VA facility releasing facility and the receiving VA facility and investigator.and investigator.

Data Use Agreement/Data Transfer Agreement (DUA/DTA)

A written agreement that defines:A written agreement that defines:– What data may be usedWhat data may be used

– How it will be used, stored, and securedHow it will be used, stored, and secured

– Who may access itWho may access it

– To whom it may be disclosedTo whom it may be disclosed

– Disposition of data after termination of research Disposition of data after termination of research

– Required actions if lost or stolenRequired actions if lost or stolen

– IRB and R&D Committee approvals from each siteIRB and R&D Committee approvals from each site

– Documentation of the IRB’s waiver of informed consent Documentation of the IRB’s waiver of informed consent and waiver of HIPAA authorization (if no consent or and waiver of HIPAA authorization (if no consent or HIPAA authorization is to be obtained)HIPAA authorization is to be obtained)

Who Signs the DUA/DTA?

Receiving principal investigatorReceiving principal investigator

ACOS/R of receiving institutionACOS/R of receiving institution

ACOS/R of releasing institution (if a research ACOS/R of releasing institution (if a research database)database)

Database ownerDatabase owner

ISO and Privacy Officer of releasing facility at ISO and Privacy Officer of releasing facility at discretion of releasing facilitydiscretion of releasing facility

Responsibilities of the Non-Research Data Repositories (Like NSQIP)

Must develop policies and procedures to respond to Must develop policies and procedures to respond to requests for data:requests for data:

– Method of obtaining complete documentation from the Method of obtaining complete documentation from the investigator(s)investigator(s)

– Address submission of all publications from use of dataAddress submission of all publications from use of data

– Address Privacy Officer and ISO written approval of release of Address Privacy Officer and ISO written approval of release of datadata

– Address reports of serious adverse events and unanticipated Address reports of serious adverse events and unanticipated problemsproblems

– Release of any data beyond minimal necessary for the protocolRelease of any data beyond minimal necessary for the protocol

– Devise policies and procedures for data preparatory to researchDevise policies and procedures for data preparatory to research

Special Responsibilities for Administration of Research Data Repositories

The repository must have an administrative structure The repository must have an administrative structure and include a VA investigator responsible for all and include a VA investigator responsible for all activities of the repository.activities of the repository.

Oversight responsibilities of administrator of a Oversight responsibilities of administrator of a research data repositoryresearch data repository

– Develop policies and procedures for releasing data Develop policies and procedures for releasing data when all necessary information receivedwhen all necessary information received

– Review access requestsReview access requests

– Maintain privacy and securityMaintain privacy and security

continued . . .

Oversight Responsibilities of Administrator of a Research Data Repositorycontinued from previous pagecontinued from previous page

– The research repository that is large and frequently used The research repository that is large and frequently used should have an advisory committee(s) to provide scientific should have an advisory committee(s) to provide scientific and ethical advice (e.g., experts in epidemiology, statistics, and ethical advice (e.g., experts in epidemiology, statistics, ethics, law, subject matter may help in policy development ethics, law, subject matter may help in policy development and review of requests). and review of requests).

– Must have stable administrative oversightMust have stable administrative oversight

– Must have an IRB-of-record to oversee the “repository Must have an IRB-of-record to oversee the “repository protocol” for managing the research repositoryprotocol” for managing the research repository

– Must have R&D Committee approvalMust have R&D Committee approval

– Must be physically located with space owned or leased by Must be physically located with space owned or leased by VA in a secure spaceVA in a secure space

continued . . .

– Good record keeping! Sources of dataSources of data

Retention requirementsRetention requirements

Terms and conditions of use Terms and conditions of use

Consent of subjects’ whose data are in repositoryConsent of subjects’ whose data are in repository

Release of data – when, what, to whom, how?Release of data – when, what, to whom, how?

New use of data requestsNew use of data requests

CommunicationsCommunications

IRB and R&D committee repository deliberationsIRB and R&D committee repository deliberations

MinutesMinutes

And so on . . . And so on . . .

– Standard Operating Procedures to cover all of these areas

Oversight Responsibilities of Administrator of a Research Data Repositorycontinued from previous pagecontinued from previous page

Research Data Repository SOPs

Administrative structureAdministrative structure

Conflict of InterestConflict of Interest

Adding data to repositoryAdding data to repository

Accessing dataAccessing data

Record keeping requirementsRecord keeping requirements

Privacy and confidentialityPrivacy and confidentiality

Storage and securityStorage and security

Termination of repositoryTermination of repository

Oversight of a Repository

Annual reporting to the IRB (repository treated as a Annual reporting to the IRB (repository treated as a research protocol) and R&D Committeeresearch protocol) and R&D Committee

Report informationReport information– Source of data being addedSource of data being added

– Type of data released to others including the protocol for reuse Type of data released to others including the protocol for reuse that contains information on:that contains information on:

Confidentiality Storage and security of data Disposition of data at end of study

– Any unanticipated problems regarding risk to subjects, Any unanticipated problems regarding risk to subjects, institutions, etc.institutions, etc.

– Any incidents of inadvertent disclosure, loss, or theft of dataAny incidents of inadvertent disclosure, loss, or theft of data

Responsibilities of the Investigators

The Investigator must provide:The Investigator must provide:

– IRB’s approval if human subjects researchIRB’s approval if human subjects research

– R&D Committee’s approvalR&D Committee’s approval

– HIPAA authorizations or waiver or authorizations if human subjects HIPAA authorizations or waiver or authorizations if human subjects researchresearch

– Research Informed Consent or waiver if human subjects researchResearch Informed Consent or waiver if human subjects research

– Summary of protocol or full protocols indicating Why? What Summary of protocol or full protocols indicating Why? What databases? What is the justification for use of identifiers (e.g., SSNs)? databases? What is the justification for use of identifiers (e.g., SSNs)? Where stored? Who will have access? What is the physical and e-Where stored? Who will have access? What is the physical and e-security? What is the disposition of data? Is training up-to-date? What security? What is the disposition of data? Is training up-to-date? What are the roles of Privacy Officers and ISOs in the review? How will reuse are the roles of Privacy Officers and ISOs in the review? How will reuse of data be handled? What are the amendment approval requirements? of data be handled? What are the amendment approval requirements? What are the adverse events and unanticipated problems reporting What are the adverse events and unanticipated problems reporting requirements?requirements?

continued . . .

Investigator’s Responsibilities (continued from previous page)(continued from previous page)

Protocol contains all required information Protocol contains all required information

Ensure data storage and security meets all VA Ensure data storage and security meets all VA requirementsrequirements

Data use consistent with protocolData use consistent with protocol

No re-disclosure of dataNo re-disclosure of data

When leaving VA data and all copies left at VAWhen leaving VA data and all copies left at VA

Database Research protocols — PIs

must take care in their preparation.

Protocols must contain information on:Protocols must contain information on:– Source of data & type of data (identified,

de-identified)

– Consent under which it was/will be collected

– How the data will be used

– Planned use of & justification for use of real SSNs

– Justification for waiver of authorization and/or consent

Research Consent — PIs must take care in preparation of informed consent documents and HIPAA authorizations.

If data were/are to be collected directly from subjects:If data were/are to be collected directly from subjects:

– Consent clearly statesConsent clearly states:: Use of dataUse of data If reuse is allowedIf reuse is allowed Who will have access to data (VA investigators, non-VA investigators, Who will have access to data (VA investigators, non-VA investigators,

drug companies, etc.drug companies, etc. Where it will be stored (VA, non-VA)Where it will be stored (VA, non-VA) How it will be securedHow it will be secured Disposition of data after studyDisposition of data after study Certificate of ConfidentialityCertificate of Confidentiality

– HIPAA authorization meets all requirements in VHA Handbook HIPAA authorization meets all requirements in VHA Handbook 1605.1 (more than HIPAA)1605.1 (more than HIPAA)

This need not be a rough road.

IRB and R&D Committee

Must carefully review discussion of:Must carefully review discussion of:– PrivacyPrivacy– Flow of dataFlow of data– SecuritySecurity– Plans for re-use or placement in repositoryPlans for re-use or placement in repository

Approvals for Individual Studies Using Data From a Repository

Who is responsible?Who is responsible?– The investigator’s facility’s IRB and R&D CommitteeThe investigator’s facility’s IRB and R&D Committee

Who is NOT responsible?Who is NOT responsible?– The IRB and R&D Committee for the facility that houses The IRB and R&D Committee for the facility that houses

the repositorythe repository

– The IRB and R&D Committee for the facility from which The IRB and R&D Committee for the facility from which the data camethe data came

Your questions will probably be just the tip of the iceberg.

Questions?

Issues?

For Additional Information Contact

Dr. Brenda CuccheriniSpecial Advisor for Policy and

Emerging Issues

Brenda.Cuccherini@va.govBrenda.Cuccherini@va.gov810 Vermont Avenue, NW, Suite 574 (10R)810 Vermont Avenue, NW, Suite 574 (10R)

Washington, DC 20420Washington, DC 20420Phone: (202) 254-0277Phone: (202) 254-0277

Fax: (202) 254-0460Fax: (202) 254-0460

Dr. Joan P. Porter

Deputy Chief OfficerOffice of Research Oversight

http://www.1.va.gov/orohttp://www.1.va.gov/oro810 Vermont Avenue, NW, Suite 574 (10R)810 Vermont Avenue, NW, Suite 574 (10R)

Washington, DC 20420Washington, DC 20420Phone: (202) 565-7191Phone: (202) 565-7191

Fax: (202) 565-9194Fax: (202) 565-9194