ORA Newsletter
Volume 1 Number 3, March-April 2007

Veterans Affairs (VA) Data Security Requirements


On February 6, 2007 the Deputy Secretary for Health Operations and Management and the Chief Research and Development Officer of the Department of Veterans Affairs issued a memo entitled “Certification by Principal Investigators: Security Requirements for VA Research Information.”  The memo requires that all Principal Investigators involved in VA research certify compliance with stringent data security measures by April 15, 2007.  It is a response to recent incidents of potential data breaches at the VA.  VA data security received national attention last May when the VA announced that personal data, including the names and social security numbers of 26 million veterans and military personnel, may have been disclosed when a laptop was stolen from a VA employee’s home.  Since then there have been further thefts of computers storing research data relating to veterans at various VA sites.  Concern over the potential for identity theft or other harm to veterans from such disclosures has led the VA to require mandatory notification of veterans whenever data is unaccounted for, and to impose strict data security requirements.

At the present time, the certification requirements have been issued to Yale faculty who serve as PIs on human subject studies approved by the VA IRB.  Yale has been working with the VA and the affected faculty to develop and implement strategies for meeting the VA requirements.

Options for compliance include:

  1. De-identification of the data by removing all 18 HIPAA identifiers (see HIPAA policy 5039 at www.hipaa.yale.edu), either with or without a linking code.  If a linking code is kept, it must be stored apart from the de-identified data set; a de-identified file kept together with its code table is not de-identified.  For PIs who have a VA net ID, the linking code can be stored on the VA network (contact the VA IT staff for assistance in setting up a shared, limited-access folder on the VA server).
  2. Installing whole disk encryption on all devices storing the data.  Yale recommends the PGP encryption software installed through Yale ITS.  PGP meets the VA encryption requirements, and the Yale installation includes a mechanism for emergency access to the data so that the data cannot become irretrievable if a passphrase or key is lost.  Note that whole disk encryption protects data at rest on a lost or stolen device; it does not protect data on a machine that is powered on and unlocked, so it does not replace access controls on the device itself.
  3. Transfer of data files to the VA network servers.  The University has been negotiating with the VA for a server to be installed at the VA to hold Yale-VA research data.  Arrangements for the server and the technical issues related to transfer of data are still in development.
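The first option, de-identification with a separately stored linking code, is the one investigators most often have to implement themselves.  The following is an added example, not code from the newsletter, from Yale or from the VA, showing one way to do it in the style of the HIPAA Safe Harbor method: direct identifiers are stripped from each record, dates are reduced to the year, ages of 90 and over are collapsed into one bucket, ZIP codes are truncated to three digits, and a random linking code is issued per record and written to a separate table that is meant to live on the VA server, never beside the de-identified file.  The field names, the sample records, and the helper names (`deidentify`, `reidentify`) are assumptions made for this example, and the records are fictitious.

```python
"""Safe Harbor style de-identification with a separately stored linking code.
Added example; field names and sample data are constructed for illustration."""
import secrets
from datetime import date

# Direct identifiers dropped outright (drawn from the 18 HIPAA Safe Harbor
# identifier categories; the column names themselves are assumptions).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}


def generalize_date(value):
    """Keep only the year: every other element of a date is an identifier."""
    return str(value.year)


def generalize_age(age):
    """Ages of 90 and over are collapsed into a single '90+' bucket."""
    return "90+" if age >= 90 else str(age)


def generalize_zip(zip_code):
    """Keep the first three digits.  Safe Harbor additionally requires '000'
    for three-digit prefixes covering fewer than 20,000 people; that census
    lookup is out of scope here and must be applied by the caller."""
    return zip_code[:3]


def deidentify(records, code_factory=lambda: secrets.token_hex(8)):
    """Split records into a de-identified data set and a linkage table.

    Returns (clean_records, linkage).  `linkage` maps a random linking code to
    the removed direct identifiers and must be stored separately from the
    de-identified records (per the newsletter, on the VA network).  The code
    is random rather than a hash of the SSN or MRN so it cannot be recomputed
    from the identifiers it replaces.
    """
    clean, linkage = [], {}
    for rec in records:
        code = code_factory()
        while code in linkage:  # guard against an (unlikely) collision
            code = code_factory()
        linkage[code] = {k: v for k, v in rec.items() if k in DIRECT_IDENTIFIERS}
        over_89 = rec.get("age", 0) >= 90
        out = {"link_code": code}
        for k, v in rec.items():
            if k in DIRECT_IDENTIFIERS:
                continue
            if k == "dob" and over_89:
                out[k] = None  # a birth year would reveal an age over 89
            elif isinstance(v, date):
                out[k] = generalize_date(v)
            elif k == "age":
                out[k] = generalize_age(v)
            elif k == "zip":
                out[k] = generalize_zip(v)
            else:
                out[k] = v
        clean.append(out)
    return clean, linkage


def reidentify(clean_record, linkage):
    """Rejoin a de-identified record with its identifiers via the linkage table.
    Only possible for someone holding both files, which is the point."""
    identifiers = linkage[clean_record["link_code"]]
    return {**identifiers,
            **{k: v for k, v in clean_record.items() if k != "link_code"}}


# Constructed, fictitious sample records (not real veterans' data).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "000-00-0001", "mrn": "MRN-1",
     "dob": date(1940, 5, 17), "age": 66, "zip": "06510",
     "visit_date": date(2007, 2, 6), "diagnosis": "hypertension"},
    {"name": "John Roe", "ssn": "000-00-0002", "mrn": "MRN-2",
     "dob": date(1915, 1, 2), "age": 92, "zip": "06519",
     "visit_date": date(2007, 3, 1), "diagnosis": "diabetes"},
]

if __name__ == "__main__":
    clean, linkage = deidentify(SAMPLE_RECORDS)
    for row in clean:
        print("de-identified:", row)
    print("linkage table (store separately):", linkage)
```

In use, the de-identified rows are what stay on the investigator's machine; the linkage dictionary is written to its own file on the VA server, and `reidentify` is only ever run where both files are available.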


Execution of any of the above options is non-trivial.  University research staff who are required to comply should begin by identifying both the nature of their data relative to the VA definition of sensitive information and where such data is stored, including laptops, removable media and backups.  If the data meets the definition and will continue to be stored outside the VA, permission to do so should be requested from the officials listed in the certification document.  Further information will be provided as it is developed.

For further information you may contact the Yale HIPAA Privacy Office at hipaa@yale.edu, or Yale Information Security at information.security@med.yale.edu.  For details on the VA position see www.research.va.gov.