3.3 Privacy Interests and Confidentiality of Research Data

1.0 Purpose

The purpose of this policy and procedure is to describe the Organization’s requirements for: 1) protection of privacy interests of research subjects/registry participants (hereafter referred to as participants) and 2) maintenance of confidentiality of data.


2.0 Policy

  • 2.1. It is the policy of the Organization that: 1) the privacy interests of participants are protected; and 2) the confidentiality of research data will be protected.
  • 2.2. It is the policy of the Organization that Protected Health Information (PHI) will be protected in accordance with HRPP policy 3.4 (Use of Protected Health Information in Research).

3.0 Definitions

  • 3.1. Privacy is defined as having control over the extent, timing and circumstances of sharing oneself (i.e. a participant’s interest in controlling access to themselves).
  • 3.2. Private Information is defined as information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record).
  • 3.3. Protected Health Information (PHI) is defined as individually identifiable health information, whether oral or recorded in any medium, that: 1) is created or received by the Organization; and 2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
  • 3.4. Confidentiality refers to protecting data in order to ensure that it is not improperly divulged.

4.0 Procedures

  • 4.1. Protection of Privacy

    The IRB will review all applications to determine whether there are adequate provisions to protect the privacy interests of the participants. The greater the risk to privacy, the greater the need to have more stringent protections in place. During the course of review, the IRB will consider the nature and degree of risk to the privacy interests of the participants and the participants’ expectations of privacy. The board will make the following determinations:

    • 4.1.1. The PI and other research personnel have ethical access to the participant’s private, identifiable information in accordance with HRPP policy 3.12 (Ethical Access).
    • 4.1.2. The methods used to identify and contact potential participants minimize the risk to privacy.
    • 4.1.3. The location where informed consent will be obtained is conducive to the privacy interests of participants.
    • 4.1.4. No other persons are present during the informed consent process or during research activities unless the individual(s) is listed on the IRB application or is involved in the clinical care of the participant or is present to provide technical assistance. Other individuals can only be present with the consent of the participant.
    • 4.1.5. The research activities are performed in as private a place as possible.
    • 4.1.6. The minimum amount of PHI or other personal information necessary to complete the study will be maintained.
  • 4.2. Protection of Confidentiality

    • 4.2.1. The IRB will review all applications to determine whether there are adequate provisions to protect the confidentiality of data. The greater the risk to the subject associated with a breach of confidentiality, the more stringent must be the protections in place. During the course of review, the IRB will consider the participants’ expectations for confidentiality and the nature and degree of risk associated with loss of confidentiality. The board will make the following determinations as appropriate:
      • 4.2.1.1. The physical and/or electronic safeguards and security measures for the entry, storage, and transfer of data are adequate in consideration of the nature of the data and the physical medium on which it is stored. PHI must be stored in a manner that is compliant with the HIPAA Privacy Rule, and other regulations and laws as applicable.
      • 4.2.1.2. There is adequate justification for sharing identifiable private information, and PHI is shared in a manner that is compliant with the HIPAA Privacy Rule, and other regulations and laws as applicable
      • 4.2.1.3. The minimum amount of identifiable private information necessary to complete the study will be maintained, and access to identifiable private information will be restricted to the minimum number of persons with a legitimate need.
      • 4.2.1.4. Identifiable private information will be appropriately and safely destroyed when it is no longer needed, as allowed under HRPP policy 1.17 (Retention of Research Records).
    • 4.2.2. Certificate of Confidentiality
      • 4.2.2.1. Research is automatically covered by a Certificate of Confidentiality whenever the study is funded in whole or in part by the NIH and involves identifiable, sensitive information.
        • 4.2.2.1.1. Identifiable sensitive information means information about an individual, obtained during the course of biomedical, behavioral, clinical or other research, through which the individual is identified, or there is at least a very small risk that some combination of the information, a request for the information, and other available data sources could be used to determine the identity of an individual. This information may include name, address, social security or other identifying number; and fingerprints, voiceprints, photographs, genetic information, tissue samples, or data fields that when used in combination with other information may lead to identification of an individual.
      • 4.2.2.2. Examples of research automatically covered by a Certificate of Confidentiality include:
        • 4.2.2.2.1. Biomedical, behavioral, clinical or other research, including exempt research, except where the information obtained is recorded in such a manner that human participants cannot be identified or the identity of the human subjects cannot readily be ascertained, directly or through identifiers linked to the subjects.
        • 4.2.2.2.2. The collection or use of biospecimens that are identifiable to an individual or for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual.
        • 4.2.2.2.3. The generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is recorded in such a manner that human subjects can be identified or the identity of the human subjects can readily be ascertained.
        • 4.2.2.2.4. Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.
      • 4.2.2.3. Researchers may also apply for a Certificate of Confidentiality for non-federally funded research if it would meaningfully enhance protection of confidentiality.
      • 4.2.2.4. When research is covered by a Certificate of Confidentiality, researchers:
        • 4.2.2.4.1. May not disclose or provide, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding, the name of such individual or any such information, document, or biospecimen that contains identifiable, sensitive information about the individual and that was created or compiled for purposes of the research, unless such disclosure or use is made with the consent of the individual to whom the information, document, or biospecimen pertains; or
        • 4.2.2.4.2. May not disclose or provide to any other person not connected with the research the name of such an individual or any information, document, or biospecimen that contains identifiable, sensitive information about such an individual and that was created or compiled for purposes of the research.
        • 4.2.2.4.3. May disclose information only when:
          • 4.2.2.4.3.1. Required by Federal, State, or local laws (e.g., as required by the Federal Food, Drug, and Cosmetic Act, or state laws requiring the reporting of communicable diseases to State and local health departments), excluding instances of disclosure in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding.
          • 4.2.2.4.3.2. Necessary for the medical treatment of the individual to whom the information, document, or biospecimen pertains and made with the consent of such individual;
          • 4.2.2.4.3.3. Made with the consent of the individual to whom the information, document, or biospecimen pertains; or
          • 4.2.2.4.3.4. Made for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human subjects in research.
        • 4.2.2.4.4. Written materials require that when research is covered by a Certificate of Confidentiality, researchers must inform participants (for example, in the consent document) of the protections and limitations of certificates of confidentiality.
          • 4.2.2.4.4.1. For studies that were previously issued a Certificate, and notified participants of the protections provided by that Certificate, NIH does not expect participants to be notified that the protections afforded by the Certificate have changed, although IRBs may determine whether it is appropriate to inform participants.
          • 4.2.2.4.4.2. If part of the study cohort was recruited prior to issuance of the Certificate, but are no longer activity participating in the study, NIH does not expect participants consented prior to the change in authority, or prior to the issuance of a Certificate, to be notified that the protections afforded by the Certificate have changed, or that participants who were previously consented to be re-contacted to be informed of the Certificate, although IRBs may determine whether it is appropriate to inform participants.
        • 4.2.2.4.5. Written materials require that researchers conducting NIH-supported research covered by a Certificate of Confidentiality must ensure that if identifiable, sensitive information is provided to other researchers or organizations, regardless of whether or not the research is federally funded, the other researcher or organization must comply with applicable requirements when research is covered by a certificate of confidentiality.

ADMINISTRATIVE APPROVAL: BRUCE G. GORDON, MD IRB EXECUTIVE CHAIR & ASSISTANT VICE CHANCELLOR FOR REGULATORY AFFAIRS CHRISTOPHER KRATOCHVIL, MD INSTITUTIONAL OFFICIAL

POLICY AMENDED:

 REVISED FEBRUARY 2, 2018

 INITIAL JANUARY 28, 2016