Office of Research & Development |
|
VA Research is dedicated to improving Veterans' lives through innovation and discovery. To conduct studies that may ultimately lead to advancements in Veterans' health care, VA researchers must have access to general data on VA care and services, as well as data on Veterans' health care utilization and outcomes. It is important to note, however, that researchers have access only to information that is considered vital to their study, as determined by an Institutional Review Board (IRB). An IRB is a board made up of researchers, non-researchers, and experts outside of VA. Protecting personal information is essential because its loss or unauthorized use can lead to serious consequences for Veterans and disruptions in VA's operations.
To protect Veterans' personal information on which VA research relies, extensive policies and procedures are in place. Main elements of the security program can be categorized as:
Adopting Effective Policies and Procedures
Upgraded information security procedures
include a requirement that VA health studies' lead
researchers and other staff certify that all projects
comply with current requirements for the use,
storage, and security of research information.
Also, reviews are conducted to identify VA
employees who require access to sensitive data;
these employees undergo appropriate background
checks, depending on their responsibilities and the
level of access they require.
VA also works with other federal and commercial entities that have Veterans' information for business reasons to ensure they have appropriate safeguards in place to protect sensitive data.
Securing Computers and Related Technologies
Like most organizations today, VA relies heavily
on computer systems and telecommunications
networks to achieve its mission. VA researchers,
in particular, have benefited from advances in
computer technology. They can access the
information stored in VA's state-of-the-art
electronic health record system, with proper safeguards
in place, and conduct large-scale studies
that contribute greatly to Veterans' health care.
For sensitive information accessed on-site, as well as data retrieval from remote locations, security requirements are in place to prevent unauthorized access. For example, laptop computers throughout VA have data encryption programs installed, and all sensitive data on mobile computers or portable storage devices such as thumb drives must be encrypted so that unauthorized users are unable to decipher the information.
Emphasizing Personal Responsibility
To ensure current policies and
procedures protect sensitive
information, VA Research places
great emphasis on personal vigilance
and individual responsibility among
its employees. All employees receive
training on privacy and security of
sensitive data, and education campaigns are
continuously undertaken to remind employees of
their all-important responsibilities in this area.
VA is required to comply with a number of federal laws that protect personal information. Below are three of the most important statutes that govern how VA and other federal agencies handle health care and other personal information.
Privacy Act of 1974
Federal agencies must establish safeguards to
ensure the security and confidentiality of
statistical records. A person's information must
be protected against anticipated threats that
could cause him or her substantial harm,
embarrassment, inconvenience, or unfairness.
E-Government Act of 2002
Agencies must conduct"privacy impact
assessments" that include descriptions of how
certain types of personal information will be
secured. Under a part of this Act known as the
Federal Information Security Management Act
(FISMA), agencies must develop and implement
cost-effective programs to protect information
from unauthorized access and use.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Under this Act, agencies are required to adopt
standards for the electronic exchange, privacy,
and security of health information-primarily
a mandate to the Department of Health and
Human Services but also applicable, in part,
to VA and other federal agencies.