VACS Data Sharing Policy

VACS Data Sharing Policy

Version 1.2January 23, 2017

Updated to incorporate changes in VHA Handbook Directive1605.01 (August 31, 2016)

1. Definitions & Background

Based on the privacy rules of the Health Insurance Portability and Accountability Act of 2002 (HIPAA), data sets are considered “de-identified data sets,” “limited data sets,” or “fully identified data sets.”

De-Identified Data Sets

De-identified data sets cannot contain any of the following pieces of information on an individual, or of relatives, employers or household members of the individual:

Names;
All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
Telephone numbers;
Fax numbers;
Electronic mail addresses;
Social security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
Web Universal Resource Locators (URLs);
Internet Protocol (IP) address numbers;
Biometric identifiers, including finger and voice prints;
Full face photographic images and any comparable images; and
Any other unique identifying number, characteristic, or code, except as permitted

Limited Data Sets

Limited data sets cannot contain any of the following pieces of information on an individual, or of relatives, employers or household members of the individual:

Names;
Postal address information, other than town or city, state, and zip code;
Telephone numbers;
Fax numbers;
Electronic mail addresses;
Social security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
Web Universal Resource Locators (URLs);
Internet Protocol (IP) address numbers;
Biometric identifiers, including finger and voice prints; and
Full face photographic images and any comparable images.

Fully Identified Data Sets

Fully identified data sets can contain any of the above listed identifiers. It is policy of the VACS Coordinating Centernot to not share any fully identified data sets.

Title 38 USC 7332[1]- Pprotected Iinformation

Information related to HIV testing (including whether a test has ever been performed, regardless of whether the result was positive or negative), alcohol abuse, drug abuse and sickle cell disease receives special protection under 38 USC 7332.

2. Covered Studies

This Data Sharing Policy covers data maintained at the VACS Coordinating Center, VA Connecticut Health Care System, West Haven, CT, USA. It covers projects including:

Veterans Aging Cohort Study, VA HSS #AJ0001
All HIV Positive Veterans and a Matched Sample of HIV Negative Veterans, VA HSS #AJ0002

Establishment of Veterans Birth Cohort and effect of HCV screening in the Cohort AJ0013

3. Data Sharing

Before data collected under a waiver of consent (most of the data in VACS) can be shared, and consistent with VHA policy, the following steps must be completed for any data request outside VACS:

A written request (in the form of our concept sheet available on our website: vacohort.org) stating records sought, purpose, methods, and source of funding to support reasonable costs of data cutting-- dated and signed by the Researcher.
Assurance in writing from the Researcher that the purpose of the data is to conduct scientific research and that no personnel involved in the study may identify, directly or indirectly, any individual patient or subject in any report of such research or otherwise disclose patient or subject identities in any manner. This may be documented in the methods.
Documented approval of waiver (in some cases, this may already be covered under the VACS protocal) of authorization from an Institutional Review Board (IRB) or Privacy Board that includes the following elements:

A statement identifying the IRB or Privacy Board and the date on which the waiver of authorization was approved.
A statement that the IRB or Privacy Board has determined that the waiver of authorization satisfies the following criteria:
The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals under criteria specified in the Privacy Rule; and
The research could not practicably be conducted without access to and use of the protected health information.
A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or Privacy Board in order to conduct the research.
A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures.

The documentation must be signed by the chair or other member, as designated by the chair, of the IRB or the Privacy Board, as applicable.

After all requisite approvals are obtained,Tthe Veterans Aging Cohort Study Coordinating Center will release only the minimum data set needed to fulfill the stated objectives of the approved request. Data can only be used to answer the hypotheses in the request approved by the review committee. Additional analyses of data sets already released from the Coordinating Center require submission of an additional proposal and approval by the appropriate review committees.

Persons and organizations receiving data are not permitted to share the data with other investigators or organizations without written approval from the VACS Coordinating Center.

A) De-identified Data Sets

De-identified data sets can be shared with collaborating researchers. De-identified data shared with investigators within the VHA may be assigned a code (unrelated to the 18 HIPAA identifiers) in order to allow data to be re-identified by VHA provided that:

(1) The code or other means of record identification is not derived from, or related to, information about the individual and that the code is not otherwise capable of being translated as to identify the individual;

(2) The code, or other means of re-identification, is not used or disclosed by VHA for any other purpose; and

(3) VHA does not disclose the mechanism (e.g., algorithm or other tool) for re-identification.

B) Limited Data Sets

Intramural Investigators

Intramural investigators are VHA investigators and must be a VHA employee (including official WOC employees) or contract personnel. Per VHA Handbook Directive

1605.01, all research activities conducted by VHA investigators must be approved by a R&D Committee. VHA individually-identifiable health information may be used by a VHA investigator with written authorization, or a waiver of authorization by an IRB or Privacy Board in accordance with 45 CFR 164.512(i).

Extramural Investigators

Per VHA Handbook Directive 1605.01, paragraph 13b(1)(a)1 VHA may disclose individually-identifiable health information excluding 38 USC 7332-protected information and names and addresses if there is prior written authorization. In the absence of prior written authorization, information may be disclosed to Non-Federal Investigators if there is VHA approval by the Under Secretary for Health, or designee, and IRB or Privacy Board waiver of authorization. In addition, the Chief R&D Officer must also approve the request per VHA Handbook 1200.5 (VHA Handbook Directive 1605.1 paragraph 13b.).

We will be seeking confirmation from the Chief R&D Officer that approval from the Chief Public Health and Environmental Hazards Officer is sufficient for release of limited data.

Title 38 USC 7332-protected information may be disclosed without written authorization, if the above requirements are met and, in addition, the requirements of 38 CFR §1.488[2]are met.Specifically, the research protocol must indicate:

1. The information must be maintained in accordance with the security requirements of 38 CFR §1.466 [3] or more stringent requirements; and

2. The information will not be re-disclosed except back to VA; and,

3. The information will not identify any individual patient in any report of the research, or otherwise disclose patient identities.[from VHA Handbook 1605.1, 13b(1)(d)]

A dataset defined as Limited Data Set under HIPAA, containing 38 USC 7332-protected health information, can be considered de-identified from the standpoint of 38 USC 7332. As implemented in 38 CFR §§ 1.460-1.499, 38 USC 7332 defines patient identifying information as:

the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information. [italics added] The term does not include a number assigned to a patient by a treatment program, if that number does not consist of, or contain numbers (such as social security, or driver’s license number) which could be used to identify a patient with reasonable accuracy and speed from sources external to the treatment program. [from 38 CFR §1.460, emphasis added][4]

Limited data sets can be shared with VACS collaborating researchers listed on our approved protocol inside the VHA, without a VA Data Use Agreement. Because under HIPAA, the VHA is considered a single “covered entity” sharing of data within the VHA does not count as a HIPAA disclosure.

Prior to release of a limited data set to an extramural (non VA) investigator, the followinga data use agreement/Data Transfer Agreementdocuments (DUA/DTA) must be completed. When such a document is required it must be signed by an official at the releasing facility (ACOS for Research and Development at the VA Connecticut Healthcare System) and the appropriate corresponding official of the receiving facility or entity prior to data transfer. It must also be signed by the PI of the Veterans Aging Cohort Study and by the receiving lead investigator.

Elements that must be included in the DUA/DTA document include:

A description of all specific uses of the data including the name of the research protocol in which they will be used.
Names of all persons who will have access to or use the data.
Name and description of any entities to which the data will be disclosed as required by the protocol.
Disposition of the data after the research is completed.

Stipulations that must be included in the DUA/DTA:

Data will not be disclosed other than as permitted by the agreement and within the protocol for which the data have been requested.
Data must be used, stored, and secured according to the requirements of the VHA series 1200 handbooks, other applicable VA and VHA requirements, and as described in the approved research protocol

Any non-compliance with VA, VHA, or other applicable Federal regulations or the research protocol as approved by the IRB and R&D Committees, must be reported according to VA Connecticut policies and procedures and by VHA requirements. It must also be reported to the PI of VACS who will notify the appropriate IRB.
Any theft, loss, or copromise of the data must be immedicately reported to VA Connecticut Information Security Officer, VA Connecticut Privacy Officer, the West Haven VA IRB and the PI of VACS as well as appropriate officials at the facility at which the theft, loss or compromise occurred.
No effort will be made to re-identify data that are de-identified.

Written approval from Chief Public Health and Environmental Hazards Officer authorizing release of 7332-protected information.

Written approval from Chief R&D Officer authorizing release of research data

VA Form 10-0403 (Responsible Requestor and Project Information Sheet)

VA Form 10-0403a (Data Use Agreement) – May need modification and Appendix signed by requestor and Chief Public Health and Environmental Hazards Officer

VA Form 10-0403b (Data Access List)

VHA Data Use Agreement (VHA Handbook 1605.1 Appendix F)

Yale Data Use Agreement (2 signed originals)

Yale Assurance of Compliance with Data Use Agreement (included in Yale Data Use Agreement)

The Chief Public Health and Environmental Hazards Officer signs for VHA. the Yale Grants & Contracts office signs for Yale, and requires a signed original for their files.

In addition, copies of the IRB approvals for the extramural investigator must be on file with the VACS Coordinating Center.

Copies of all documents should be maintained by VACS Coordinating Center and another copy filed with the Office of the Chief Public Health and Environmental Hazards Officer.

C) Fully Identified Data Sets

It is VACS Coordinating Center policy to not share fully identified data sets.

4. Specifics Related to Release of Protected Health Information Including HIV Infection, Drug & Alcohol Abuse

Veterans’ health information related to HIV, drug abuse, alcohol abuse and sickle cell disease is specifically protected by 38 USC 7332, restricting release without consent specifically related to these classes of information. However, under 38 USC 7332 (b)(2)(B), information related to HIV infection (including information related to testing regardless of the test results), drug abuse, alcohol abuse and sickle cell disease may be released for purposes of research. In addition, 38 CFR 1.488, allows for the release of HIV-related information for the purposes of research when the recipient:

Is qualified to conduct the research
Has a research protocol under which the information:
Will be maintained in accordance with the security requirements of 38 CFR 1.466, and
Will redisclose only back to the VA
Will not identify any individual patient in any research report or otherwise disclose patient identities
Has furnished written statement of independent review documenting adequate protection of patient rights and potential benefits of research outweigh any potential risks to patient confidentiality.

5. Requesting a Data Set

Investigators wishing to collaborate with the VACS Studies and the VACS Coordinating Center should begin by completing a Project Form (available from the VACS website at Once this form has been submitted, it will be circulated in accordance with VACS policies.

For investigators outside the VHA requesting a limited dataset, separate Data Use Agreements are needed between the Data Recipient and Yale University, and the Data Recipient and VHA. Templates for the Data Use Agreements can be obtained from the VACS website.Copies of IRB approvals and completed Data Use Agreements with original signatures for the Data Recipient should be sent (preferably via FedEx or similar delivery service) to the VACS Coordinating Center at:

Teresa Bohan

VA Connecticut Health Care System

Building 35A, Room 211 (11-ACLSG)

950 Campbell Avenue

West Haven, CT 06516

(203) 932-5711 x3541

The VACS Coordinating Center will facilitate obtaining signatures from VHA and Yale University.

Questions regarding this policy should be directed to Amy Justice, VACS Coordinating Center at or (203) 932-5711 x3541.

6. Transfer of Data Sets

Within the VA system, datasets will be transferred via uploading to internal VA servers, which have limited access. The recipient will then be informed of how to download the dataset. After it has been downloaded, the VACS Coordinating Center will remove the dataset from the server.

Datasets shared with investigators outside the VA system will be transferred via CD-ROM, sent via courier service (i.e. FedEx) to insure delivery to the proper recipient. The data will be encrypted and the password delivered separately. Once delivered, security and confidentiality of the dataset becomes the responsibility of the recipient as outlined in the Data Use Agreement

7. Noncompliance with This Policy

Noncompliance with this policy may result in an individual or organization being ineligible for future collaborative relationships with the VACS Studies and the VACS Coordinating Center. If violations of this policy are in violation of applicable laws, civil and criminal penalties may also apply.

VACS Data Sharing PolicyPage 1 of 10

[1] 38 USC 7332. Confidentiality of certain medical records

(a)

(1) Records of the identity, diagnosis, prognosis, or treatment of any patient or subject which are maintained in connection with the performance of any program or activity (including education, training, treatment, rehabilitation, or research) relating to drug abuse, alcoholism or alcohol abuse, infection with the human immunodeficiency virus, or sickle cell anemia which is carried out by or for the Department under this title shall, except as provided in subsections (e) and (f), be confidential, and (section 5701 of this title to the contrary notwithstanding) such records may be disclosed only for the purposes and under the circumstances expressly authorized under subsection (b).

(2) Paragraph (1) prohibits the disclosure to any person or entity other than the patient or subject concerned of the fact that a special written consent is required in order for such records to be disclosed.

(b)

(1) The content of any record referred to in subsection (a) may be disclosed by the Secretary in accordance with the prior written consent of the patient or subject with respect to whom such record is maintained, but only to such extent, under such circumstances, and for such purposes as may be allowed in regulations prescribed by the Secretary.

(2) Whether or not any patient or subject, with respect to whom any given record referred to in subsection (a) is maintained, gives written consent, the content of such record may be disclosed by the Secretary as follows:

(A) To medical personnel to the extent necessary to meet a bona fide medical emergency.

(B) To qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation, but such personnel may not identify, directly or indirectly, any individual patient or subject in any report of such research, audit, or evaluation, or otherwise disclose patient or subject identities in any manner.

(C)

(i) In the case of any record which is maintained in connection with the performance of any program or activity relating to infection with the human immunodeficiency virus, to a Federal, State, or local public-health authority charged under Federal or State law with the protection of the public health, and to which Federal or State law requires disclosure of such record, if a qualified representative of such authority has made a written request that such record be provided as required pursuant to such law for a purpose authorized by such law.