VA Criticized for Data Sharing PoliciesOIG Report Focuses on Research Info Exchange
The Department of Veterans Affairs is not taking adequate steps to protect the privacy of sensitive information that's shared with researchers, according to a new report from the VA's Office of Inspector General.
While the OIG recommends creation of a centralized data governance and storage model to help ensure data is protected, the VA questions whether that's a feasible approach.
The 57-page OIG report, "Department of Veterans Affairs: Audit of VA's Systems Interconnections With Research and University Affiliates," says that despite federal requirements, "the VA could not readily account for the various systems linkages and sharing arrangements with researcher partners." In addition, the VA could not provide an accurate inventory of research data exchanged, where the data was hosted or the sensitivity level of data, the OIG determined.
The OIG says that while VA patients are often willing to participate in research studies, they are only willing to do so if their personal health information is not put at "undue risk, loss, theft or other misuse."
The report notes that adequate protection of sensitive data that's exchanged is essential to ensuring advancements in medical research.
The OIG's recommendations to VA for improving its handling of research data include:
- Develop and implement a centralized data governance and storage model that ensures accurate inventory of all research data collected, data collection compliance with research protocols and secure management of research information over the data life cycle;
- Provide the information technology infrastructure needed to implement a centralized data governance and storage model to securely manage research information;
- Partner with the Veterans Health Administration's Institutional Review Boards, research personnel and research partners to conduct joint oversight and monitoring of research labs to ensure security of sensitive veterans' data, compliance of data collections with research protocols and fulfillment of the department's information security requirements;
- Establish or update all memoranda of understanding and interconnection security agreements needed to accurately reflect operational environments and require that research partners implement information security controls.
In its response to the report, the VA says that while it agrees that it's important to ensure an accurate inventory of all research data collected, data collection compliance with research protocols and secure management of research information over the data life cycle, "it is not clear to VHA whether the use of a centralized data governance and storage model is feasible or appropriate."
The VA also notes: "Such a governance and management model would take considerable human and monetary resources. And a cost-benefit analysis has yet to be performed to determine whether the benefit to be gained by such a system is appropriate to the level of resourcing required to develop, implement and manage it over time."