Review of Data Security and Oversight Processes of a Veterans Health Administration National Cancer Prevention, Treatment, and Research Program

Report Information

Issue Date:
Report Number: 24-00568-38
VA Office: Veterans Health Administration (VHA)
Report Author: Office of Healthcare Inspections
Report Type: National Healthcare Review
Report Topic: Information Technology and Security
Major Management Challenges: Information Systems and Innovation; Leadership and Governance
Recommendations: 6
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA Office of Inspector General (OIG) conducted an inspection to evaluate allegations concerning patients’ data security and related oversight practices within the national cancer prevention, treatment, and research program and Office of Research & Development (ORD). The OIG identified additional concerns related to a Veterans Health Administration (VHA) project not submitted to an Institutional Review Board (IRB) and the process for reviewing a protected health information (PHI) breach.

The OIG did not substantiate that the national cancer prevention, treatment, and research program Executive Director categorized projects as operational to bypass IRB review. However, the OIG found that a collaborative project between VHA and non-VHA investigators was not submitted to a VHA IRB for approval. 

The OIG substantiated that the Executive Director of Operations for a national cancer testing program and project staff did not deidentify a data file before sharing it with non-VHA investigators. The OIG review of the data file found a significant amount of data containing PHI. The Executive Director of Operations also did not recognize the extent of PHI disclosed.

The OIG did not substantiate the allegation that the Executive Director of Operations for a national cancer testing program and an ORD privacy officer failed to take action to review privacy concerns about a potential breach of PHI (privacy event). However, the privacy officer did not enter the privacy event into the tracking system or report the event to a VHA privacy officer in a timely manner. The Data Breach Response Service director reviewed the privacy event and determined it was not a data breach.

The OIG made six recommendations for VHA to ensure that the project receives IRB review, that corrective actions address issues with determining research project designation, privacy reporting, and data disclosure, and that national cancer prevention, treatment, and research program staff receive training on IRB submission and privacy requirements.
 

No. 1
Status: Open
to Veterans Health Administration (VHA)

The Executive Director of Operations for a national cancer testing program ensures the project has met the requirements for Institutional Review Board review for research with human subjects and takes action as needed.

No. 2
Status: Open
to Veterans Health Administration (VHA)

The Executive Director of Operations for a national cancer testing program ensures national cancer prevention, treatment, and research program staff are trained on Institutional Review Board project submission and privacy requirements. 

No. 3
Status: Open
to Veterans Health Administration (VHA)

The National Specialty Care Program Office Chief Officer ensures the national cancer prevention, treatment, and research program staff reviews and provides required approvals before the release of protected health information for research. 

No. 4
Status: Open
to Veterans Health Administration (VHA)

The National Specialty Care Program Office Chief Officer, in conjunction with the Office of Research & Development, ensures that VA privacy officers report privacy incidents involving data obtained from or for national cancer prevention, treatment, and research program activities in a timely manner and monitors for compliance.

No. 5
Status: Open
to Veterans Health Administration (VHA)

The Office of Research Oversight Executive Director, in conjunction with the Chief Research and Development Officer, VHA Office of Research & Development, reviews the national cancer prevention, treatment, and research program final mitigation plan and ensures corrective actions address system-wide issues for determining whether a national cancer prevention, treatment, and research program project constitutes research, safeguarding privacy when data is shared for projects, and ensuring data security requirements are met.

No. 6
Status: Open
to Veterans Health Administration (VHA)

The National Specialty Care Program Office Chief Officer ensures the national cancer prevention, treatment, and research program has safeguards in place including biostatistician expertise to ensure that data containing sensitive patient information and protected health information is deidentified before sharing outside of VA as required.