VA Criticized for Data Sharing Policies

OIG Report Focuses on Research Info Exchange
The Department of Veterans Affairs is not taking adequate steps to protect the privacy of sensitive information that's shared with researchers, according to a new report from the VA's Office of Inspector General.

While the OIG recommends creation of a centralized data governance and storage model to help ensure data is protected, the VA questions whether that's a feasible approach.

The 57-page OIG report, "Department of Veterans Affairs: Audit of VA's Systems Interconnections With Research and University Affiliates," says that despite federal requirements, "the VA could not readily account for the various systems linkages and sharing arrangements with researcher partners." In addition, the VA could not provide an accurate inventory of research data exchanged, where the data was hosted or the sensitivity level of data, the OIG determined.

The OIG says that while VA patients are often willing to participate in research studies, they are only willing to do so if their personal health information is not put at "undue risk, loss, theft or other misuse."

The report notes that adequate protection of sensitive data that's exchanged is essential to ensuring advancements in medical research.

Key Recommendations

The OIG's recommendations to VA for improving its handling of research data include:

  • Develop and implement a centralized data governance and storage model that ensures accurate inventory of all research data collected, data collection compliance with research protocols and secure management of research information over the data life cycle;
  • Provide the information technology infrastructure needed to implement a centralized data governance and storage model to securely manage research information;
  • Partner with the Veterans Health Administration's Institutional Review Boards, research personnel and research partners to conduct joint oversight and monitoring of research labs to ensure security of sensitive veterans' data, compliance of data collections with research protocols and fulfillment of the department's information security requirements;
  • Establish or update all memoranda of understanding and interconnection security agreements needed to accurately reflect operational environments and require that research partners implement information security controls.

VA Response

In its response to the report, the VA says that while it agrees that it's important to ensure an accurate inventory of all research data collected, data collection compliance with research protocols and secure management of research information over the data life cycle, "it is not clear to VHA whether the use of a centralized data governance and storage model is feasible or appropriate."

The VA also notes: "Such a governance and management model would take considerable human and monetary resources. And a cost-benefit analysis has yet to be performed to determine whether the benefit to be gained by such a system is appropriate to the level of resourcing required to develop, implement and manage it over time."


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



