ORD Privacy Officer
About
The Department of Veterans Affairs (VA) Privacy Service (PS) issues policy, provides guidance and raises privacy awareness regarding the protection of Veteran and VA employee information. Established in 2002, PS administers its programs in accordance with applicable federal privacy laws and regulations. As part of the Office of Information and Technology’s Office of Information Security, PS works closely with administration-level Privacy Offices at the Veterans Health Administration (VHA), Veterans Benefits Administration (VBA) and National Cemetery Administration (NCA) as well as VA Central Office (VACO) Privacy Officers (POs), to implement VA’s privacy policies and programs Department-wide. Additionally, POs work alongside Information System Security Officers (ISSO) to respond to privacy complaints and incidents reported by employees and Veterans. (SOURCE: VA Privacy Fact Sheet)
The VA Privacy Service does not drill down into VHA privacy issues, as that role is delegated to the VHA Privacy Office as part of implementing the VHA Privacy Program in compliance with the HIPAA Privacy Rule. The VHA Privacy Program establishes and implements privacy policies and practices that comply with the requirements of all applicable Federal privacy statutes, regulations, and policies. The main components of the program are privacy policies, privacy training, use and disclosure of information, individuals’ privacy rights, privacy complaints and incidents, notice of privacy practices (NOPP) and privacy compliance monitoring. The focus of the policies and procedures is individually-identifiable information that is collected, created, transmitted, accessed, used, disclosed, processed, stored, or disposed of by or on behalf of VHA. All individually-identifiable information on Veterans maintained by VHA is considered protected health information (PHI). Additionally, this includes all records maintained in any medium, including hard copy and electronic format, and in information systems administered by, or otherwise under the authority or control of, the Department of Veterans Affairs (VA). (SOURCE: VHA Directive 1605)
While under the Office of Research and Development, the ORD Privacy Officer must follow privacy policy, guidance and direction from the VHA Privacy Office to ensure compliance with the VHA Privacy Program. The ORD Privacy Officer is responsible for ensuring the proposed research submitted to the VA Central Institutional Review Board (CIRB) complies with all applicable local, VA and other Federal requirements for privacy and confidentiality by identifying, addressing, and mitigating potential concerns about proposed research studies prior to information being given to a Research Investigator. The ORD Privacy Officer serves in an advisory capacity to the CIRB as a non-voting member. The VHA Privacy Office provides back-up support to the ORD Privacy Officer for CIRB reviews.
The ORD Privacy Officer must ensure there is legal authority under all applicable regulations, including the Privacy Act of 1974 and HIPAA, to disclose PII/PHI to a non-VA entity. This would typically be covered by a contract, Memorandum of Understanding (MOU) or other written agreement that is developed for a non-VA entity to perform the services related to VA research. The agreements are implemented at the VHA Medical Facility level, as the Medical Center Director (MCD) is responsible for the facility's data. For guidance on agreements, refer to the ORD Research Agreements Manager (RAM).
ORD Privacy Officer Functional Areas:
- CIRB Privacy Representation: Serves as primary privacy representation for VA Central Institutional Review Board (CIRB) submissions for Panels 1 and 2. For example, the VHA medical facility Privacy Officer (PO) does not conduct a review of human research projects submitted to the VA CIRB Panels 1 and 2 (e.g., the Principal Investigator (PI) does not complete the VA Form 10-250; the Privacy Officer review is documented on the Checklist 223 as authorized by Privacy Compliance and Assurance (PCA), etc.) NOTE: The VHA medical facility PO is responsible for ensuring that personnel at their facility are compliant with Privacy requirements; reviewing Data Use Agreements (DUA) or other agreements/contracts as noted by the facility Privacy Program; and, submitting tickets in the Privacy and Security Events Tracking System (PSETS) for Data Breach Response Services (DBRS) decisions as each event occurs.
- Central Privacy Reviews (CPR) for PRP and ACTIV Network projects: A Central Privacy Review (CPR) is the privacy review required by VHA Directives 1200.5 and 1605.01, conducted by the ORD PO for all engaged sites instead of by the VHA Medical Facility PO at each site, for a limited number of projects that are noted below. These research studies must be reviewed by a VA-approved IRB such as a commercial institutional review board (IRB) (e.g., Advarra, Sterling, WCG IRB) or the IRB of another federal entity (e.g., National Institutes of Health (NIH), Centers for Disease Control and Prevention (CDC)). (NOTE: This does not include research studies reviewed by the VA Central IRB.) The CPR was implemented in September 2020 as a pilot program to conduct a single privacy review for multi-site COVID-related projects under Operation Warp Speed (OWS) as facilitated by the VA Partnered Research Program (PRP). In October 2021, the CPR expanded to provide central privacy reviews for some research studies managed by:
  - VA Partnered Research Program (PRP)
  - ACTIV Network
  - Other multi-site studies as agreed upon by ePROS leadership
- 6 Contract Security Reviews for ORD contracts and IT systems: Conduct Privacy reviews of ORD program office level contracts, Statements of Work (SOW) and/or Performance Work Statements (PWS) (and in rare situations the Product Description) and VA Handbook 6500.6, Appendix A checklists, for the purpose of determining what type of VA sensitive information is involved in the contract. Works collaboratively with the Information System Security Officer (ISSO), the Contracting Officer (COTR/COR), and program management team members initiating the contract to ensure the PO review of the checklist is completed accurately and in a timely manner.
- Privacy Threshold Analysis (PTA)/Privacy Impact Assessments (PIA) including Incident Response Plans (IRP) and Control Assessments - Privacy Controls Reviews limited to ORD contracts and IT systems:
A PTA is a required document (VA Directive 6508 and VA Handbook 6500) used to determine if an ORD IT system, program, project, or boundary is privacy-sensitive and requires additional privacy compliance documentation such as a PIA or SORN. It is also the first step of the privacy compliance documentation process. PTA purposes are to:
- Identify IT systems, programs and projects that have privacy implications
- Demonstrate the inclusion of privacy considerations during the review of an IT system, program, project, or boundary
- Provide a record of the program, system, or boundary and its privacy requirements
- Demonstrate compliance with privacy laws and regulations
- Requirement of the Authorization and Accreditation (A&A) process
A PIA is required by the E-Government Act of 2002 and is used to identify and mitigate privacy risks in ORD information technology systems, projects, and programs:
- An analysis of what Personally Identifiable Information is being collected.
- Why the Personally Identifiable Information is being collected.
- How the Personally Identifiable Information will be collected, used, accessed, shared, safeguarded, and stored.
Participates in Incident Response Plan (IRP) preparation and NIST audits of ORD systems.
- VHA System of Records Notice (SORN), “Veteran, Patient, Employee, and Volunteer Research and Development Project Records-VA” (34VA12): Coordinates with the VHA Privacy Office on reviews and revisions for the ORD SORN and collaborations with the VHA Privacy Office from initiation to publication/completion in a timely manner and upon changes to affecting elements. Provides education, resources and field training and support on what research records are covered under the ORD SORN.
- Works collaboratively with the VHA Privacy Office on various research-related privacy matters, including to:
  - Review and revise:
    - VA Form 10-0493, Authorization for Use & Release of Individually Identifiable Health Information for Veterans Health Administration (VHA) Research and Informed Consent when combined with HIPAA Authorization to ensure appropriate language
    - Form 103, Request for Waiver of HIPAA Authorization
    - VA Form 10-205
    - Combined informed consent form (ICF) with HIPAA authorization elements language
  - Develop and deliver research privacy presentations to:
    - CIRB staff and reviewers
    - VHA POs (medical facility and/or VISN)
    - Office of Research Oversight (ORO) including Research Compliance Officers (RCO)
    - Research team members
The ORD Privacy Officer does not:
- Provide VA Privacy interpretation of VA Privacy policies, directives, etc.
- Provide VHA Privacy interpretation of VHA Privacy policies, directives, etc.
- Review/execute VHA Medical Facility Data Use Agreements (DUA) or other agreements/contracts
- Complete the VA Form 10-250 as authorized by Privacy Compliance and Accountability (PCA) for CIRB Panels 1 and 2 reviews
Michelle Christiano
Michelle.christiano@va.gov
706-399-7980
Resources
* NOTE: Some links below are inactive because the resource is available on the VA network only. If you have network access, copy and paste the URL into your browser.
VHA Resources:
- Privacy Fact Sheet, Privacy Requirements for Disclosures for Research to VHA Researchers - https://dvagov.sharepoint.com/sites/vacovetsprivacy/vhapo/Documents/Guidebooks,%20Fact%20Sheets%20and%20Practice%20Briefs/Privacy%20Requirements%20for%20Disclosure%20for%20Research%20to%20VHA%20Researchers.docx
- Privacy Fact Sheet, Privacy Requirements for Disclosures for Research to Non-VA Researchers - https://dvagov.sharepoint.com/sites/vacovetsprivacy/vhapo/Documents/Guidebooks,%20Fact%20Sheets%20and%20Practice%20Briefs/Privacy%20Requirements%20for%20Disclosure%20for%20Research%20to%20Non-VA%20Researchers.docx
- Privacy Fact Sheet, Displaying Personally Identifiable Information in Presentations - https://dvagov.sharepoint.com/sites/vacovetsprivacy/vhapo/Documents/Guidebooks,%20Fact%20Sheets%20and%20Practice%20Briefs/Displaying%20Sensitive%20Information%20in%20Presentations.docx
- Privacy Fact Sheet, Use of Protected Health Information in Microsoft Office Applications - https://dvagov.sharepoint.com/sites/vacovetsprivacy/vhapo/Documents/Guidebooks,%20Fact%20Sheets%20and%20Practice%20Briefs/Microsoft%20Office%20Fact%20Sheet_8-2020%20Final__Correction_508_9-2021_corrected_links11172021.pdf
- VHA SORN 34VA12 Veteran, Patient, Employee and Volunteer Research and Development Project Records
- Research Privacy Info for ISSOs (2/14/19) https://dvagov.sharepoint.com/sites/vacovetsprivacy/vhapo/Documents/Research/Resources/Research%20ISSO%20Privacy%20Pres%202-14-2019.pptx
- VHA Privacy Program, VHA Directive 1605 - https://vaww.va.gov/vhapublications/ViewPublication.asp?pub_ID=5456
- VHA Privacy Office, VHA Directive 1605.01 (24 July 2023) - https://dvagov.sharepoint.com/sites/vhaprivacy/Shared%20Documents/Forms/AllItems.aspx?id=%2Fsites%2Fvhaprivacy%2FShared%20Documents%2FPrivacy%20Policies%20Laws%20%26%20Regs%2FVHA%20Directive%201605%2E01%5F24%5FJuly%5F2023%2Epdf&parent=%2Fsites%2Fvhaprivacy%2FShared%20Documents%2FPrivacy%20Policies%20Laws%20%26%20Regs
VA Resources
Recommended Websites
Forms
- 10-0493, Authorization for Use and Release of Individually Identifiable Health Information Collected for VHA Research - https://dvagov.sharepoint.com/:b:/r/sites/vhaprivacy/Shared%20Documents/Research/_VA_Form_10-0493_SEPT_2015_.pdf?csf=1&web=1&e=anF8b1
  - If this form does not open automatically, download a copy first and then open it. If that does not work, email VHA Privacy Issues.
  - This form is available in VAIRRS.
- 10-0521, IRB Documentation of Waiver of HIPAA Authorization for Research - http://vaww.va.gov/vaforms/medical/pdf/vha-10-0521-fill.pdf
  - Not required; provided as a reference
- VA Form 10-3203, Consent for Production and Use of Verbal or Written Statements, Photographs, Digital Images, and/or Video or Audio Recordings by VA (July 2020) - https://vaww.va.gov/vaforms/medical/pdf/VA%20Form%2010-3203%20Fill.pdf