The VA Office of Inspector General (OIG) conducted an inspection to evaluate allegations concerning patients’ data security and related oversight practices within the national cancer prevention, treatment, and research program and Office of Research & Development (ORD). The OIG identified additional concerns related to a Veterans Health Administration (VHA) project not submitted to an Institutional Review Board (IRB) and the process for reviewing a protected health information (PHI) breach.
The OIG did not substantiate that the national cancer prevention, treatment, and research program Executive Director categorized projects as operational to bypass IRB review. However, the OIG found that a collaborative project between VHA and non-VHA investigators was not submitted to a VHA IRB for approval.
The OIG substantiated that the Executive Director of Operations for a national cancer testing program and project staff did not deidentify a data file before sharing it with non-VHA investigators. The OIG review of the data file found a significant amount of data containing PHI. The Executive Director of Operations also did not recognize the extent of PHI disclosed.
The OIG did not substantiate that the Executive Director of Operations for a national cancer testing program and an ORD privacy officer did not take action to review privacy concerns of a potential breach of PHI (privacy event). However, the privacy officer did not enter the privacy event into the tracking system or report the event to a VHA privacy officer in a timely manner. The Data Breach Response Service director reviewed the privacy event and determined it was not a data breach.
The OIG made six recommendations for VHA to ensure that the project receives IRB review, that corrective actions address issues with determining research project designation, privacy reporting, and data disclosure, and that national cancer prevention, treatment, and research program staff receive training on IRB submission and privacy requirements.