SOP #38 Confidentiality and Privacy

Owner: Vice President of Academic Affairs
Author: CSS IRB
Contact: irb@css.edu
Policy Number: 38
Effective Date: 10/8/2021

Policy

It is the policy of the CSS IRB that all research involving human research participants or the use of information about human research participants be planned and conducted in a manner that protects the privacy interests of the research participants and the confidentiality of any personal information about the research participants.

Purpose

The purpose of this policy is to outline the process for protecting the privacy of subjects and the confidentiality of study data.

Definitions

Privacy deals with people and is defined in terms of a person having control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others.  NOTE: Private information must be identifiable in order for the collection of such information to constitute research.

Confidentiality deals with data or information and is the process of protecting an individual’s privacy. Confidentiality includes the expectation that information an individual has disclosed in a pre-arranged agreement between parties (e.g., between researcher and participants) will not be divulged to others in ways that are inconsistent with the understanding of the original disclosure or that permission will be obtained for disclosures not previously authorized by the individual. All studies including those using computer and internet technologies must maintain the confidentiality of information obtained from or about participants and adequately address possible risks to participants.

Directly Identifiable Data/samples are considered to be directly identifiable if they are labeled with unique identifiers that allow the identity of the subject to be ascertained or readily ascertained by the investigator or associated with the information.

Indirectly Identifiable Data/samples are data/samples that have a link (code or key) to identifiable information about the person.

Non-identifiable Data/samples are considered to be non-identifiable when the data/samples cannot be linked to a specific individual either because the link (code or key) was never created or the link was destroyed.

Federal Regulations

Federal regulations for the protection of human participants in research require the IRB to consider the adequacy of provisions to both protect the privacy of participants and to maintain confidentiality of the research data (when appropriate) (45 CFR 46.111(a)(7)). The IRB may not approve human research projects without assessing the adequacy of these provisions.

Federal regulations for human research protection also require researchers to inform study participants of "...the extent, if any, to which confidentiality of records identifying the subject will be maintained" (45 CFR 46.116 (b) (5)). The regulations also require researchers to disclose "reasonably foreseeable risks," including risks related to privacy and confidentiality, to participants during the informed consent process. However, in some research a promise of confidentiality may not be part of the informed consent agreement, for example when participants agree in advance to be identified. In such cases, the research plan and consent materials must clarify the confidentiality of participation and, when applicable, justify disclosure of participants' identities and the information collected about them.

The FDA goes further and adds “and that notes the possibility that the Food and Drug Administration may inspect the records” (21 CFR 50.25 (a) (5)). It is also good practice to list other third parties who may access the records including sponsors, the institution, the IRB, and other appropriate entities which may be specific

Procedures

Upon review of the investigator’s submission, the IRB determines whether the investigator’s proposal for protection of the privacy and confidentiality of research participants is adequate. The determination is documented in the reviewer checklist. (See Reviewer Checklist found in CSS IRB SOP #12 Criteria for Approval of IRB Research and Checklist.)

Privacy Protections

Careful consideration should be given to how people are approached, the setting for approaching subjects and then the level of privacy needed to conduct the discussion about participation. The same holds true for conducting the study itself. What is appropriate for one study might not be necessary or even appropriate for another.

Some of the issues that should be taken into consideration when ensuring subjects' privacy include:

  • clinic consent conferences and study visits (the subject may not want others to know that they are in a study);
  • telephone calls to the subjects’ house (not all members of the household might be aware that the subject is participating);
  • letters sent to the subject's house containing private information;
  • emails and text messages that might be seen by others (e.g. children may not have complete control of their phones and email); and
  • Facebook or other social media groups.

IRB applications should ask how investigators plan to provide for the privacy of the participants. Researchers must demonstrate both the plan and the resources to maintain privacy. For example, if the participants are interviewed, are the interviews conducted in private environments where others cannot hear? For young children, the presence of parents might protect the child’s privacy while for teenagers, not having the parents present might be appropriate.

Confidentiality of subjects' data

The level of protections needed to ensure the confidentiality of subjects' private information will vary from study to study, but the questions to be addressed remain the same.

  • What sort of limitations should be placed on access to the study data?
  • Who should be permitted access to the study documents?
  • Who should be allowed to know the identities of those participating as subjects?
  • What security plan (password protections, locked cabinets, encryption methods, separate storage of Master Lists from study data) is sufficient to adequately protect the subjects given the inherent sensitivity of the data?

IRB applications should ask investigators how they plan to keep information confidential. This can be a complex question in this high-tech world. Investigators should consider various strategies to maintain confidentiality of identifiable data including storage, use, sharing, and transmission of data. Protections may range from password protected computers, physical security of computers (especially laptops), and restrictions on storing data on flash drives or CDs to more technical protections like firewalls, encryption, virus and malware protection, or intrusion detection software. The IRB should know and apply these requirements to research they review.

If the only risk for a study is disclosure of sensitive information, the research may be classified as expedited if “reasonable and appropriate protections are implemented so that risks related to invasion of privacy and breach of confidentiality are no greater than minimal.” IRB members need to be aware of what “reasonable and appropriate” measures are to protect the information. (See CSS IRB SOP #11 (4)(ii), Expedited Review Procedure and Checklist.)

While much emphasis is placed on protecting electronic information, there also must be security associated with physical materials such as paper forms, CDs, tapes, etc. Appropriate protections might be locked file cabinets, locked doors with limited access, and access cards.

HIPAA (Health Insurance Portability and Accountability Act)

Access to and/or use of identifiable patient information from medical records or clinical databases for research purposes must comply with the requirements of the HIPAA Privacy and Security Rules.

The IRB may approve the investigator’s proposal to obtain HIPAA Authorization from individuals to use their protected health information (PHI). HIPAA requires an authorization form to release PHI to researchers, which can be combined with a research consent form. HIPAA also has strict rules on what information can be considered de-identified.  If HIPAA Authorization is not obtained from individuals, the investigator must obtain approval for one of the following:

  • Alteration of (HIPAA) Authorization
  • Waiver of (HIPAA) Authorization
  • Use of a de-identified Data Set that contains no PHI
  • Use of a Limited Data Set with an effective Data Use Agreement in place, as applicable
  • Research on Decedents’ Information

FERPA

The proposed use of student education records in research must comply with the requirements of the Family Educational Rights and Privacy Act (FERPA). The Act serves two primary purposes. It gives parents or eligible students more control over their educational records, and it prohibits educational institutions from disclosing “personally identifiable information in education records” without the written consent of an eligible student, or if the student is a minor, the student’s parents (20 U.S.C.S. § 1232g(b)). An eligible student is one who has reached age 18 or attends a school beyond the high school level. FERPA allows schools to disclose information from a student’s education record, without consent, to the following parties or under the following conditions:

  • School officials with legitimate educational interest
  • Other schools to which a student is transferring
  • Specified officials for audit or evaluation purposes
  • Appropriate parties in connection with financial aid to a student
  • Organizations conducting certain studies for, or on behalf of, the school
  • Accrediting organizations
  • Appropriate officials in cases of health and safety emergencies
  • State and local authorities, within a juvenile justice system, pursuant to specific state law
  • To comply with a judicial order or lawfully issued subpoena

Subjects in Harmful Situations:  Abuse, Suicide, and Threat of Harm

Investigators often conduct research in areas where the subjects are at risk for harmful situations such as abuse, suicide, or threat of harm.  During these studies, subjects may disclose information about abusive relationships, suicidal thoughts, or plans to harm others.  Examples of these types of studies may include post-traumatic stress syndrome (PTSD), depression, suicide, or caregiving.

For studies in these areas the IRB will require additional safeguards to protect subjects, such as:

  • Confirmation of investigators' qualifications to deal with these situations;
  • Obtaining a Certificate of Confidentiality or informing subjects of what circumstances would necessitate the investigators to disclose information outside of the study;
  • Specific plan to deal with the situation (e.g. plan for subjects who report suicidal thoughts);
  • Including information in the consent form about when information can be disclosed outside of the study. This will also include a description of what information will be disclosed.

The IRB is aware that these types of disclosures may also happen in studies that are not considered to be at risk for these types of disclosures. The IRB will typically not require additional safeguards for these studies.  It is expected that investigators always have the resources to protect the rights and welfare of human subjects enrolled into their studies.  However, the IRB will consider the requirements for additional safeguards on an individual basis.

Investigators may also be mandated reporters in accordance with Minnesota law. Mandated reporters are professionals or professionals' delegates identified by law who MUST make a report if they have reason to believe that the abuse, neglect, or financial exploitation of a vulnerable adult has occurred.

"Mandated reporter" means a professional or professional’s delegate while engaged in:

  • Social services
  • Law enforcement
  • Education
  • Direct care
  • Licensed health and human services professionals (MS 214.01, subdivision 2)
  • Employment in a licensed facility
  • Medical examiner or coroner activities

(MS 626.5572, subdivision 16)

Investigators are required to be knowledgeable about their role as a mandatory reporter and the associated responsibilities. This may include consulting with the CSS IRB and others who have experience in these situations.

This is a new policy per the 2018 Common Rule Requirements.