DOE Worker Health-Related Studies and Programs
The DOE/HHS Memorandum of Understanding: Communication Through the Worker and Public Health Activities Program on energy-related workplace health effects studies
- Access Handbook Conducting Health Studies at Department of Energy Sites (pdf)
- Communication Plan (pdf)
Loss, theft, or misdirection of personally identifiable information violates existing regulations and can harm individuals if the information is released to the public under any circumstance. One avenue of such release is loss of the information while it is in transit from one location to another.
- Background: The current concern relates to the recent loss of a disk containing the personally identifiable information (PII) of approximately 60,000 former and current workers at one of the DOE laboratories. These data were being used by two organizations conducting medical screening for former laboratory workers to identify and notify these workers of the availability of screening. The disk was mailed and lost en route from one provider to another in February 2009. It was password protected but not encrypted, as required by current Federal and DOE requirements.
The Principal Investigator reported this unanticipated problem to the program office (DOE Office of Health, Safety, and Security, HS-10), to the laboratory IRB, and to the HHS Office of Human Research Protections (OHRP). The laboratory IRB notified the Office of the DOE Human Subjects Research Program Manager, SC-23. Current workers have been notified by the local DOE Office and at the time of this incident former workers were in the process of being notified. All will be offered free credit reporting for up to one year. Additional information is available. Additionally, HS-10 has provided organizations they fund to conduct former worker medical screening with specific requirements for how to protect PII that is stored or transferred for project purposes. Other requirements documents are available but some may require specific authorization for access to them.
- Transmittal of Personal Identifiable Information for the Former Worker Programs (pdf)
- Security Controls for Unclassified Information Systems Manual
- Cyber Security Incident Management Manual
- Department of Energy Privacy Program
- Manual for Identifying and Protecting Official Use Only Information
- Security Requirement for Cryptographic Modules (pdf)
- Requirements: This event highlights the importance of clarifying Federal and DOE requirements regarding required steps involved in the protection of PII of human research subjects and DOE employees.
- The Federal human subjects protection regulations (45 CFR 46) issued by the HHS Office of Human Research Protections (OHRP) require prompt reporting of any unanticipated problem (such as loss of data) to the IRB, to appropriate institutional and agency officials, and to OHRP. OHRP guidance recommends that the PI report an unanticipated problem to the IRB(s) within 2 weeks and that the PI/the PI’s organization report the unanticipated problem to OHRP within 6 weeks (or within 1 month of notifying the IRB(s)).
- DOE Order 443.1A also requires prompt reporting to the DOE Human Subjects Research Program Manager, SC-23 (and the DOE Human Subjects Research (HSR) Program Manager, NA-1 for NA sites), and coordination with and approval from the HSR Program Manager in determining plans to correct any noncompliance or to deal with the unanticipated problem. While DOE Order 443.1A does not specify how quickly the HSR Program Manager should be notified, this Office requests that you do so within 48 hours of learning of any unanticipated problem that does not involve PII.
- However, the definition of “prompt reporting” is different when PII is involved. Federal and DOE requirements (see DOE Order 206.1) require that any incident involving potential loss or compromise of PII be reported immediately (as soon as you learn of the incident) through your Departmental Element and to the DOE Cyber Incident Response Capability (DOE-CIRC) at 866-941-2472. Please coordinate with your site cybersecurity office to report the incident to the DOE-CIRC. Please also report any such incident(s) immediately to the HSR Program Manager(s).
- Additionally, in accordance with Federal and DOE requirements, PII transferred from one organization to another as part of a human research project (when/as authorized by the approving IRBs, the responsible DOE Program Office, and the research/screening participant) must first be encrypted consistent with PII protection requirements stated in DOE M 205.1-7 using a program such as Entrust.
- Additional expectations:
- Examine and modify your operating policies and procedures as necessary to address unanticipated problems. Ensure that your policies and procedures include a requirement for immediate notification of appropriate parties when there is potential loss or compromise of PII. The procedures should also outline the range of the IRB’s possible actions in response to reports of unanticipated problems.
- Examine the protocol of each ongoing project approved by your IRB (and ensure there is a procedure in place for IRB review of future protocols) to verify that the protocol has a clear and detailed plan for protecting PII in accordance with Federal and DOE requirements, including encryption of any data to be transferred and immediate notification of any incident involving potential compromise or loss of PII data.
- Notify Elizabeth White, HSR Program Manager (and, also for NNSA sites, John Ordaz, NNSA HSR Program Manager) when the above actions have been completed. This should be a high priority for the IRBs, and should be completed as soon as possible and no later than June 30, 2009.
- Questions or requests for additional information should be directed as noted below:
Elizabeth (Libby) White
DOE Program Manager, Protection of Human Research Subjects, SC-23.2
Office of Biological and Environmental Research (BER)
and, as appropriate:
DOE Human Subjects Research Program Manager, NA-1
National Nuclear Security Administration
Phone: 202-586-0142
Coalition for Patient Rights (CPR)
CPR consists of 34 organizations representing a variety of licensed health care professionals who provide a diverse array of safe, effective, and affordable health care services to millions of patients each year. CPR is committed to advocating for the practice rights of its members for the sake of their patients who rely on them for the many and varied services they provide.
Health Privacy Project
The Health Privacy Project is dedicated to raising public awareness of the importance of ensuring health privacy in order to improve health care access and quality, both on an individual and a community level.
HHS Medical Privacy—National Standards to Protect the Privacy of Personal Health Information Web site
Resources on protecting the privacy of personal health information on the HHS site. Includes a link to the Privacy Rule and other related resources.
Privacy Web Sites of Interest
- Department of Health and Human Services, Office for Human Research Protections IRB Guidebook
- Privacy Act of 1974
- Legislative Survey of State Confidentiality Laws, with Specific Emphasis on HIV and Immunization
Content reviewed: May 7, 2012