<p> Required Reports for Research Information Protection at PVAMC per VHA ORO Handbook 1058.01 and ORO memorandum January 20, 2011</p><p>RESEARCH INFORMATION PROTECTION (HB 1058.01, section 11, pgs. 22-23) Reports Within PVAMC Reports Outside PVAMC What to Report Who Should Report to Who and How Who Should Report Report to Who and How Research Information Incidents – Members of the VA research community must report PVAMC Director Uses and disclosures of Immediate Reporting Required Within 1 incidents to the ACOS/R&D, Information Security PHI under an invalid (or Hour. Unauthorized access, use, disclosure, Officer (ISO), and Privacy Officer (PO) verbally or in nonexistent) HIPAA transmission, removal, theft, loss, or writing. authorization or waiver of destruction of VA research-related protected HIPAA authorization, and health information (PHI), individually The ACOS/R&D will then inform the PVAMC deficient (or nonexistent) identifiable private information, or confidential Director through COS (with CC to the RCO), R&DC ISO or PO protocol information as defined by the HIPAA Privacy and any relevant research subcommittee. review practices that Rule, the Common Rule, the Privacy Act, or ACOS/R&D will confirm the ISO and PO have been substantively 38 U.S.C. 5701, 5705, and 7332. notified. If initial notification is verbal, a written compromise the Research Information Protection report must follow as soon as possible. effectiveness of the Incidents – Regular Reporting Required facility’s research Within 5 Business Days. information protection program, must be Findings of Noncompliance. Any findings reported to the relevant of noncompliance related to research ORO Western Regional information security or privacy by any VA Office. office (other than ORO) or any other Federal or state entity. Reports to ORO based on All other research findings made by entities external to the information protection facility must include a copy of the official incidents (i.e., findings. unauthorized transmission, removal, Other Deficiencies. Any other deficiency theft, loss, or destruction that substantively compromises the of VA PHI related to effectiveness of the facility’s research research) must be information protection program. reported to ORO Central Office RIPP. Suspensions or Terminations. Any suspension or termination of research (e.g., by the ACOS/R&D or other facility official or committee) related to concerns about research information protection.</p><p>7/26/11</p>