Office of Research & Development

Safeguarding Veterans' Information

Why is information essential to VA Research?

VA Research is dedicated to improving Veterans' lives through innovation and discovery. To conduct studies that may ultimately lead to advancements in Veterans' health care, VA researchers must have access to general data on VA care and services, as well as data on Veterans' health care utilization and outcomes. It is important to note, however, that researchers have access only to information that is considered vital to their study-as determined by an Institutional Review Board (IRB). An IRB is a board made up of researchers, non-researchers, and experts outside of VA. Protecting personal information is essential because its loss or unauthorized use can lead to serious consequences for Veterans and disruptions in VA's operations.

How is Veterans' Information Protected from Unauthorized Access?

To protect Veterans' personal information on which VA research relies, extensive policies and procedures are in place. Main elements of the security program can be categorized as:

  1. Managerial-includes establishment and continual examination and upgrading of information security policies and directives;
  2. Technical-includes upgrading of software and equipment to prevent unauthorized access to sensitive data; and
  3. Operational-includes establishment of enhanced training programs to educate employees about their information security responsibilities.

Management

Adopting Effective Policies and Procedures
Upgraded information security procedures include a requirement that VA health studies' lead researchers and other staff certify that all projects comply with current requirements for the use, storage, and security of research information. Also, reviews are conducted to identify VA employees who require access to sensitive data; these employees undergo appropriate background checks, depending on their responsibilities and the level of access they require.

VA also works with other federal and commercial entities that have Veterans' information for business reasons to ensure they have appropriate safeguards in place to protect sensitive data.

Technical

Securing Computers and Related Technologies
Like most organizations today, VA relies heavily on computer systems and telecommunications networks to achieve its mission. VA researchers, in particular, have benefited from advances in computer technology. They can access the information stored in VA's state-of-the-art electronic health record system, with proper safeguards in place, and conduct large-scale studies that contribute greatly to Veterans' health care.

For sensitive information accessed on-site, as well as data retrieval from remote locations, security requirements are in place to prevent unauthorized access. For example, laptop computers throughout VA have data encryption programs installed, and all sensitive data on mobile computers or portable storage devices such as thumb drives must be encrypted so that unauthorized users are unable to decipher the information.

Operational

Emphasizing Personal Responsibility
To ensure current policies and procedures protect sensitive information, VA Research places great emphasis on personal vigilance and individual responsibility among its employees. All employees receive training on privacy and security of sensitive data, and education campaigns are continuously undertaken to remind employees of their all-important responsibilities in this area.

Laws That Protect Personal Information


VA is required to comply with a number of federal laws that protect personal information. Below are three of the most important statutes that govern how VA and other federal agencies handle health care and other personal information.

Privacy Act of 1974
Federal agencies must establish safeguards to ensure the security and confidentiality of statistical records. A person's information must be protected against anticipated threats that could cause him or her substantial harm, embarrassment, inconvenience, or unfairness.

E-Government Act of 2002
Agencies must conduct"privacy impact assessments" that include descriptions of how certain types of personal information will be secured. Under a part of this Act known as the Federal Information Security Management Act (FISMA), agencies must develop and implement cost-effective programs to protect information from unauthorized access and use.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Under this Act, agencies are required to adopt standards for the electronic exchange, privacy, and security of health information-primarily a mandate to the Department of Health and Human Services but also applicable, in part, to VA and other federal agencies.