South Central VA Health Care Network (VISN 16)

Report ID: SPE000000073103, U.S. Department of Veterans Affairs

Reported Entity: VISN 16 Houston, TX

Issue:

The medical center Research Department was performing a routine audit of IRB approved research protocols to assure they had also received R&D Committee approval. During the audit it was discovered that a protocol had received IRB approval and the principal investigator (PI) had started the study without obtaining R&D approval. The study included collecting protected health information from Veterans and storing the information outside the VA. The study requires both a consent form and a valid HIPAA authorization. The PI only had the Veteran sign the consent form which is not a valid HIPAA authorization. The privacy violation is accessing, using and sharing protected health information without a valid HIPAA authorization. Since the study was not approved by the R&D Committee it had also not received final approval from the Information Security Officers or the Privacy Officer. There were a total of 55 Veterans. The electronic information resides on the University of Massachusetts Medical School server. The Research Compliance Officer is completing her investigation and will report her findings to the R&D Committee in April. The PI has been notified to place the study on hold. Update: 03/20/12:Fifty-five (55) Veterans will be sent letters offering credit protection services.

Outcome:

Research protocol has been suspended until principal investigator amends protocol and HIPAA authorization to include appropriate language. Once the amended protocol and HIPAA authorization have been approved by IRB and R&D PI will be required to obtain signed HIPAA authorization.