3.3 Privacy Interests and Confidentiality of Research Data
Last Revised 1/21/2024
1.0 Purpose
The purpose of this policy is to describe the Organization’s requirements for 1) protection of privacy interests of research subjects, and 2) maintenance of confidentiality of data. For the purposes of this policy “subjects” and “participants” are synonymous, and includes those persons participating in a data registry or biobank.
2.0 Policy
It is the policy of the Organization that:
- 2.1. The privacy interests of participants, and the confidentiality of research data will be protected in consideration of the risk to subjects and the nature of the research performed.
- 2.2. Protected Health Information (PHI) will be protected in accordance with HRPP policy 3.4 (Use of Protected Health Information in Research).
3.0 Definitions
-
3.1. Privacy is defined as having control over the extent, timing, and circumstances of sharing oneself (i.e. a participant’s interest in controlling access to themselves).
-
3.2. Private Information is defined as information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record).
-
3.3. Protected Health Information (PHI) is defined as individually identifiable health information, whether oral or recorded in any medium, that:
(1) is created or received by the Organization; and
(2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
-
3.4. Confidentiality refers to protecting data in order to ensure that it is not improperly divulged.
-
3.5. Identifiable sensitive information is defined as information that is about an individual and that is gathered or used during the course of research where the following may occur
(1) through which an individual is identified; or
(2) for which there is at least a very small risk, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identify of an individual (NIH CoC policy and 42 U.S. Code §241(d)).
Note that the regulations focus on the identifiability of the information, and not on the sensitivity of the information.
4.0 Protection of Privacy
- 4.1. The IRB will review all applications to determine whether there are adequate provisions to protect the privacy interests of the participants. The greater the risk to privacy, the greater the need to have more stringent protections in place. The IRB will consider the nature and degree of risk to the privacy interests of the participants and the participants’ expectations of privacy. The board will make the following determinations as appropriate:
- 4.1.1. The PI and other research personnel have ethical access to the participant’s private, identifiable information in accordance with HRPP policy 3.12 (Ethical Access).
- 4.1.2. The methods used to identify and contact potential participants minimize the risk to privacy.
- 4.1.3. The location where informed consent will be obtained is conducive to the privacy interests of participants.
- 4.1.4. Persons present during the informed consent process or during research activities will be limited as much as is possible to those listed on the IRB application or involved in the clinical care of the participant, or with the consent of the participant.
- 4.1.5. The research activities are performed in as private a place as possible.
5.0. Protection of Confidentiality
- 5.1. The IRB will review all applications to determine whether there are adequate provisions to protect the confidentiality of data. The greater the risk to the subject associated with a breach of confidentiality, the more stringent must be the protections in place. The IRB will consider the participants’ expectations for confidentiality and the nature and degree of risk associated with loss of confidentiality. The board will make the following determinations as appropriate:
- 5.1.1. The physical and/or electronic safeguards and security measures for the entry, storage, and transfer of data are adequate in consideration of the nature of the data, the risk to the subject associated with a breach of confidentiality and the physical medium on which the data is stored. PHI must be stored in a manner that is compliant with the HIPAA Privacy Rule, and other regulations and laws as applicable.
- 5.1.2. There is adequate justification for sharing identifiable private information, and PHI is shared in a manner that is compliant with the HIPAA Privacy Rule, and other regulations and laws as applicable.
- 5.1.3. The minimum amount of identifiable private information necessary to complete the study will be maintained, and access to identifiable private information will be restricted to the minimum number of persons with a legitimate need.
- 5.1.4. Identifiable private information will be appropriately and safely destroyed when it is no longer needed, as allowed under HRPP policy 1.17 (Retention of Research Records).
- 5.2. Certificate of Confidentiality
- 5.2.1. Research is automatically covered by an NIH Certificate of Confidentiality whenever the study is funded in whole or in part by the NIH and involves identifiable, sensitive information. Such research includes, but is not limited to:
- 5.2.1.1. Biomedical, behavioral, clinical or other research, including exempt research, except where the information obtained is recorded in such a manner that human subjects cannot be identified or the identity of the human subjects cannot readily be ascertained, directly or through identifiers linked to the subjects.
- 5.2.1.2. The collection or use of biospecimens that are identifiable to an individual or for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual.
- 5.2.1.3. The generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is recorded in such a manner that human subjects can be identified, or the identity of the human subjects can readily be ascertained.
- 5.2.1.4. Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.
- 5.2.1.3. Researchers may also apply to the NIH for a Certificate of Confidentiality for research not funded by NIH. Generally, NIH will consider these requests for research on a topic that is within the NIH mission or HHS health-related research mission, and for research information that is collected, used, or stored in the US.
- 5.2.1.4. When research is covered by an NIH Certificate of Confidentiality, researchers:
- 5.2.1.4.1. May not disclose or provide, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding, the name of such individual or any such information, document, or biospecimen that contains identifiable, sensitive information about the individual and that was created or compiled for purposes of the research, unless such disclosure or use is made with the consent of the individual to whom the information, document, or biospecimen pertains; or
- 5.2.1.4.2. May not disclose or provide to any other person not connected with the research the name of such an individual or any information, document, or biospecimen that contains identifiable, sensitive information about such an individual and that was created or compiled for purposes of the research.
- 5.2.1.4.3. May disclose information if:
- 5.2.1.4.3.1. required by Federal, State, or local laws (e.g., as required by the Federal Food, Drug, and Cosmetic Act, or state laws requiring the reporting of communicable diseases to State and local health departments), excluding instances of disclosure in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding.
- 5.2.1.4.3.2. necessary for the medical treatment of the individual to whom the information, document, or biospecimen pertains and made with the consent of such individual;
- 5.2.1.4.3.3. made with the consent of the individual to whom the information, document, or biospecimen pertains; or
- 5.2.1.4.3.4. made for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human subjects in research.
- 5.2.1.5. When research is covered by an NIH Certificate of Confidentiality, researchers must inform participants (for example, in the consent document) of the protections and limitations of certificates of confidentiality.
- 5.2.1.6. Researchers conducting NIH-supported research covered by a Certificate of Confidentiality must ensure that if identifiable, sensitive information is provided to other researchers or organizations, regardless of whether or not that research is federally funded, the other researcher or organization must comply with applicable requirements when research is covered by a certificate of confidentiality.
- 5.2.1.7. All identifiable, sensitive information collected or used for research under an NIH Certificate of Confidentiality are protected by the certificate in perpetuity. However, information collected during a lapse in NIH funding, or after the funding ends, would not be protected by the certificate. Therefore, the consent form for subsequent subjects should be amended to remove any guarantees of protection for these new subjects.
- 5.2.2. Investigators whose research is funded by the Centers for Disease Control and Prevention (CDC), Food and Drug Administration (FDA), Health Resources and Services Administration (HRSA), Indian Health Service (IHS), and Substance Abuse and Mental Health Services Administration (SAMHSA) may also have access to Certificates of Confidentiality thru those agencies.
- 5.2.1. Research is automatically covered by an NIH Certificate of Confidentiality whenever the study is funded in whole or in part by the NIH and involves identifiable, sensitive information. Such research includes, but is not limited to:
DOCUMENT HISTORY:
Written: 1/28/2016 (Approved: 1/28/2016) - original author not recorded
Revised: 2/2/2018 - revision not documented
Revised: 9/22/2022 - Stylistic changes, and changes for clarity; clarified privacy requirements regarding informed consent process; clarified applicability of CoC and consent form language during interruption in or termination of NIH funding; added acknowledgement of CoCs issued by agencies other than NIH.
Revised: 1/21/2024 – added definition of “identifiable sensitive information” (section 3.5); elaborated on types of research which are automatically issued a CoC by NIH (section 5.2).