Chapter 10: Privacy, Confidentiality and HIPAA

Privacy is about people. It refers to research participants’ willingness to allow access to themselves and their information. Consideration of privacy includes the time and setting where private information is given, the nature of the information given, and who receives and uses the information.

Confidentiality is about data. It refers to the handling of information that a person has disclosed in a relationship of trust, with the expectation that it will not be divulged to others without permission.

IRBs must consider the protection of privacy and confidentiality as part of their ethical and regulatory duty to protect the rights and welfare of human subjects. Maintaining privacy and confidentiality helps to protect subjects from potential harms that could occur with a breach of confidentiality, such as psychological distress, loss of insurance, loss of employment, or damage to social standing. Often, particularly in behavioral research, the main risk to subjects is the possibility of a breach of privacy or confidentiality. The IRB must consider privacy and confidentiality for the entire duration of the study. The IRB must also consider confidentiality of research data after the study is finished.

Investigators are required to maintain and protect the privacy and confidentiality of all personally identifiable information, except as required by law or released with the written permission of the subject. Subjects, including children, have the right to be protected against invasion of their privacy, to expect that their personal dignity will be maintained, and to be assured that the confidentiality of their information will be maintained. The more sensitive the data, the greater the care investigators must take in obtaining, handling, and storing data.

During the consent process, investigators must explain what information will be collected, how it will be used, who will have access to it, and what will happen to it after the study ends. When applicable, investigators should explain any special precautions they will take to ensure confidentiality of sensitive information. This will allow subjects to understand how their information will be used and decide if potential confidentiality risks are acceptable to them.

Research Data Security

The purpose of this policy is to establish data security requirements for the use, storage, sharing, transmission and destruction of information obtained about participants in USC human subjects research studies.

This policy applies to all human subject research data collected by or under the auspices of University of Southern California (USC) by faculty, students, post-doctoral scholars, affiliated investigators or other investigators using USC resources. This policy applies to data that may be (or has been) collected or stored in any form including, but not limited to electronic records, paper, and audio or video recordings. This policy applies to data stored within university owned equipment, privately owned equipment, internet services or that reside on removable electronic media (e.g. USB thumb drives).

Additionally, adherence to all USC-wide policies for research data is required (see policy for Information Security and the policy for Protection of Social Security Numbers and Other Restricted Information). Questions about complying with the Human Subjects Research Data Security policy should be directed to ITS Security.

Note: The European Union’s General Data Protection Regulation (GDPR) regulates the use, access, collection, and processing of all personal data from the European Union, regardless of the citizenship or residency status of the individual to whom the data pertains. USC investigators conducting research with data from the EU should become familiar with their responsibilities established by the GDPR.

Investigators are responsible for implementing appropriate protections for sensitive data including identifying risks and impact of potential breaches. The IRB will verify the adequacy of the protections by reviewing the data security plan, data collection instruments, informed consent language, and confidentiality statements as applicable. If the data is highly sensitive or used advance technology that exceeds the IRB expertise, then the IRB will seek a data security consultant in the relevant school/department.

Research data-sensitivity levels (de-identified, medium sensitivity, and highly sensitive) are defined in this section.

Protecting Medium/Highly Sensitive Data

• • Use University designated data centers or university approved cloud service providers
  • Preform weekly vulnerability scans on systems and remediate any critical or high rated vulnerability
  • Employ intrusion detection or review logs regularly
  • Use up-to-date software
  • Employ anti-virus/anti-malware software and update regularly
  • Backup data on separate media to ensure recoverability
  • Collect the minimum identifiable data
  • Ensure any vendors or third parties handling data, including online services such as cloud storage providers, have a current, approved HIPAA Business Associate Agreement
  • Whenever possible, de-identify and/or separate data elements into a coded data set and an identity-only data set.
  • Limit access to personally identifiable information using the principle of strict need-to-know.
  • Encrypt data if identifiable information is: (1) stored on a networked computer or device, (2) stored on or transmitted via the web, (3) stored on a computer or removable medium which is not permanently located in a secure location.
  • Contact the IT administrators from the local school/unit as questions arise prior to IRB submission.

Requirements for Data Transmission, Sharing and Storage

Data Transmission and Sharing
Highly sensitive data such as protected health information of research participants should not be housed on portable electronic devices. If portable electronic devices must be used, they should be encrypted to safeguard data and information. These devices include laptops, CDs, disc drives, flash drives, etc. Investigators and institutions also should limit access to highly sensitive data through proper access controls such as password protection and other means. Sensitive data should be transmitted only when the recipient has assured in writing that they will house the data in a secure storage system.

For storage of any data outside of USC/ USC networks, an agreement should be established that addresses the following questions:

• What security controls are in place to prevent the inadvertent or malicious disclosure of the data?
• What happens if a subpoena is issued?
• Does the recipient have Information Security/Cyber Liability insurance?

Data Storage
Research data and materials related to human subjects research must be maintained and stored in a manner that complies with all applicable IRB and University requirements, and with any relevant contracts, data use agreements and federal regulations. Principal Investigators and other University faculty and staff who lead or administer research projects are responsible for recording, retaining, accessing, and storing their research records, and for communicating such systems and to the members of their research teams and to the IRB.

• • • Storing data on-campus

      Storage of medium or high-risk data on campus must comply with the USC policy for Protection of Social Security Numbers and Other Restricted Information.

    • Storing data off-campus

      Storing data off-campus with a third-party vendor must meet all the policies for data stored on-campus and must be stipulated in a contract with the vendor.

    • Storage under a Data Use Agreement

      When data is shared using a Data Use Agreement, the agreement must state the terms of storage, destruction or return of the data during or after its use.

Establishing A Data User Agreement

A data use agreement (DUA) is an agreement that is required under the HIPAA Privacy Rule and must be entered into before there is any use or disclosure of a limited data set (defined below) to an outside institution or party. A limited data set is defined by HIPAA as protected health information (PHI). Covered entities must enter into a data use agreement with any recipient of a limited data set.

At a minimum, any DUA must contain provisions that address the following:

• • • • Establish the permitted uses and disclosures of the limited data set;
      • Identify who may use or receive the information;
      • Prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as otherwise permitted by law
      • Storage, destruction or return of the data during after its use
      • Require the recipient to use appropriate safeguards to prevent an unauthorized use or disclosure not contemplated by the agreement;
      • Require the recipient to report to the covered entity any use or disclosure to which it becomes aware;
      • Require the recipients to ensure that any agents (including any subcontractors) to whom it discloses the information will agree to the same restrictions as provided in the agreement; and
      • Prohibit the recipient from identifying the information or contacting the individuals

Definitions

• • • • • Anonymous data: Data that has no code that can be traced back to an individual. IP addresses are identifiable even though the address is linked to the computer and not specifically to the individual.
        • De-Identified: The identity of the subject cannot be readily ascertained. Requires the removal of all 18 HIPAA identifiers including geographic information and elements of dates.
        • Coded: a code (number, letter, symbol, or any combination) exists that links to the identity of the individual. A key exists, enabling linkage of the code to the identifying information.
        • PHI: Protected Health Information any identifiable health information used or created for healthcare or research, relating to the individual’s past, present or future physical or mental health condition or payment for health care.
        • PII: Personally Identifiable Information: “(1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
        • Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information that has been provided for specific purposes by an individual and that the individual can reasonably expect will not be made public (for example, a medical record).
        • Individually Identifiable: private information or specimens that can be linked to specific individuals by the investigator(s) either directly or indirectly.

Levels of Research Data Sensitivity Chart

•  

• Types of Identifiable Information

  Information through which subjects may be identified include names, student identification numbers, hospital ID numbers, social security numbers, driver’s license numbers, home addresses, photographs, videotapes, and the like. Individuals also may be identified by description, for example, as the personnel manager in a particular company, the sixth-grade teacher in a certain school, or the pediatric nurse at a local hospital. If information or data to be collected may be traced back to individual subjects, safeguards (described below) should be provided to ensure confidentiality.

• Guidelines for Protecting Confidentiality

  • Limit recording of personal information to that which is absolutely essential to the research
  • Store personally identifiable data securely and limit access to the Principal Investigator (PI) and authorized staff
  • Code data as early in the research process as possible, and plan for the ultimate disposition of the code linking the data to individual subjects
  • Apply for federal Certificates of Confidentiality in all situations for which certificates are reasonable and available. If a Certificate of Confidentiality is requested for a study, the consent must include specific language. See the IRB Informed Consent Template and Instructions. 
  • Do not disclose personally identifiable data to anyone other than the research staff without the written consent of the subjects or their legal authorized representative. (Exceptions may be made in case of emergency need for intervention or as required by regulatory agencies).

  Investigators must describe their plans for protecting privacy and confidentiality in the iStar application. The IRB evaluates the investigator’s plans, including:

  • The settings in which potential participants will be approached and research procedures will be performed
  • The settings in which data will be recorded, reviewed, and stored
  • The method for recording data and labeling samples (identifiable, coded, or
    anonymous)
  • The amount and type of data collected (to ensure that only the minimum amount necessary is collected)
  • The study staff who have access to data
  • Security measures in place to prevent inappropriate access to and disclosure of
    data
  • Release of data or samples to third parties
  • Destruction or de-identification of data at the end of the study

  The IRB must decide on a study-by-study basis whether there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data. The IRB decision is based on the sensitivity of the information obtained in the research and the protections promised to participants.

  The IRB Associate Directors or IO are authorized to sign Certificates of Confidentiality.

Depending on the subject matter of the research, there may be limits to the investigator’s promise of confidentiality to the subject.

Mandated Reporting of Abuse

California law requires reporting of abuse or neglect of the elderly, dependent adults, and children to law enforcement and/or protective services agencies. California law also requires reporting of some communicable diseases to public health agencies. California law defines who is a mandated reporter and what agencies receive reports in each of these situations. Mandated reporting limits the confidentiality that can be promised to research participants. As a researcher, mandated reporters who observe or suspect child/elder abusive or neglect must report the incident. Student researchers although not mandated reporters, must inform their faculty advisor of their concern. Additional information is found in Section 12.13 – Mandatory Reporting.

Participants must be informed if the investigator is a mandated reporter. The informed consent form should disclose what types of information must be reported to outside agencies by the research staff.

USC policies and procedures covering “mandated reporter” and the reporting of abuse/neglect can be found at the following site: http://policy.usc.edu/mandated- reporters/. Appendix A of the above policy provides a list indicating who are considered mandated reporters.

Mandated Reporting of Positive Results of Communicable Disease Testing

California law requires health care providers to report certain communicable diseases to local health authorities. For research that includes testing for HIV infection, hepatitis, tuberculosis, sexually transmitted diseases, and other communicable diseases, participants must be told that the investigator is a mandated reporter. The informed consent form should disclose what positive test results will be reported to public health agencies (California Code of Regulations Title 17, Section 2500).

Sponsor Monitoring of Research Records

In signing the consent and HIPAA form, subjects authorize monitors and auditors from funding agencies, sponsors, and regulatory agencies to access participants’ study files to verify study-related data. Investigators must ensure that only the data described in the protocol and the access agreed to by participants in the informed consent and HIPAA authorization forms is available to external monitors. Research personnel often keep “shadow” research files that contain copies of source documentation for the purpose of protecting a subject’s entire record accessible to third parties. Investigators must exercise caution to confirm that the privacy or confidentiality promised in the iStar application/informed consent are met regardless of whether records are kept in electronic or paper systems.

IRBs must consider state laws concerning privacy and confidentiality when reviewing research. Federal regulations require the IRB to evaluate the acceptability of proposed research in terms of applicable law, which includes state law. Investigators must comply with state laws regarding privacy and confidentiality.

Research Related to HIV or AIDS

The California Health and Safety Code (Section 121075-121125) provides additional protections for confidential research records in studies relating to HIV or AIDS. “Confidential research records” includes any data in a personally identifying form developed or acquired by any person in the course of conducting research relating to AIDS.

Confidential research records developed or acquired by any person in the course of conducting research relating to AIDS, shall be confidential:

Confidential research records may be disclosed in accordance with the prior written consent of the research subject to whom the confidential research records relate. Any disclosure made pursuant to such prior written consent shall contain the following statement:

This information has been disclosed to you from a confidential research record the confidentiality of which is protected by state law and any further disclosure of it without specific prior written consent of the person to whom it pertains is prohibited. Violation of these confidentiality guarantees may subject you to civil or criminal liabilities.

Confidential research records may be disclosed without prior written consent of the research subject to whom the confidential research records relate in the following circumstances:

• To medical personnel to the extent it is necessary to meet a bona fide medical emergency of a research subject, and
• To the California Department of Health Services for the conduct of a special investigation of the sources of morbidity and mortality and the effects of localities, employments, conditions and circumstances on the public health and for other duties as may be required in procuring information for state and federal agencies regarding the effects of those conditions on the public health

The content of any confidential research record shall be disclosed to the research subject, the legal authorized representative of the research subject if the research subject is a minor, or the personal representative of a deceased research subject to whom the record pertains within 30 days after a written request is made for such records by the research subject or the legal authorized representative.

Hereditary Disorders

The California Health and Safety Code (Section 124980) addresses confidentiality related to hereditary disorders such as sickle cell anemia, cystic fibrosis, and hemophilia.

All testing results and personal information obtained from any individual related to hereditary disorders, or from specimens from any individual related to hereditary disorders, shall be held confidential and be considered a confidential medical record except for information that the individual, parent, or guardian consents to be released, provided that the individual is first fully informed of the scope of the information requested to be released, of all of the risks, benefits, and purposes for the release, and of the identity of those to whom the information will be released or made available.

Prior consent for the release of such information is not required in the following situations:

• Data compiled without reference to the identity of any individual
• Data compiled for research purposes, so long as the research has been reviewed and approved by an IRB, who must certify its approval of the research to the custodian of the information and further must certify that in its judgment the information is of such potentially substantial public health value that modification of the requirement for legally effective prior informed consent of the individual is ethically justifiable.

NOTE: USC legal opinion interprets this statute to indicate that as long as the IRB certifies that the research is approved and that the information is of a potentially substantial public health benefit, prior consent by the subject need not be obtained in order to obtain the records from the custodian. There is some concern, however, that this may conflict with the HIPAA Privacy Rules, which would require authorization by the subject for the release of his or her medical records, whether related to a hereditary disorder or not. For research where these issues arise, the IRB and/or the Office of Compliance will interpret on a case-by-case basis.

Certificates of Confidentiality (CoCs) are documents issued by the National Institutes of Health (NIH) and other federal agencies (such as DOJ, FDA, CDC) to protect against forced disclosure of identifiable research information. CoCs are issued as an automatic condition of NIH awards and apply to all NIH funded research.

Certificates of Confidentiality allow investigators and others who have access to research records to refuse to disclose identifying information on research participants in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level. CoCs may be granted for studies collecting sensitive information that, if disclosed, could have adverse consequences for subjects or damage their financial standing, employability, insurability, or reputation. NIH will issue a CoC for a study that fits the NIH mission regardless if the study has federal funding or not.

Examples of sensitive information that may require a CoC include:

• Genetic susceptibility or family pedigree
• Mental illness
• High risk sexual attitudes, preferences, and practices
• Substance abuse or other illegal behaviors
• Participation in exposure effects studies that later become litigious, such as breast
  implants or environmental or occupational exposures

By protecting investigators and Institutions from being compelled to disclose information that would identify research participants, CoCs help the investigator achieve research objectives and promote participation in studies by assuring confidentiality and privacy to participants.

The certificate states the date it becomes effective and the date it expires. A CoC protects all information identifiable to any individual research participant during the time certificate is in effect. If the research extends beyond the expiration date, an extension of coverage must be requested. However, the protection afforded by the certificate is permanent. All personally identifiable information obtained about subjects in the project while the certificate is in effect is protected in perpetuity.

While certificates protect against involuntary disclosure, research subjects might voluntarily disclose their own information or authorize (in writing) the investigator to release information to others. In such cases, researchers may not use the certificate to refuse disclosure. Researchers must still comply with mandatory state and local reporting of child or elder abuse, reportable communicable diseases, or a subject’s threatened violence to self or others. Additionally, the certificate does not prevent audits of the study by federal agencies such as the Food and Drug Administration (FDA) or the Office for Human Research Protections (OHRP).

The informed consent form must explain that a CoC has been obtained for the study. The consent form should explain the protections it affords as well as the limitations of protection. The IRB template informed consent forms contain language that should appear when a CoC is obtained.

The IRB understands there is a slight risk that data may be subpoenaed before the certificate is received and would not be protected by the certificate. In these cases, the USC IRB will decide if the risk outweighs the benefit of proceeding with participant recruitment and data collection before the certificate was granted. Data collected before the certificate is granted are protected by the certificate once it is granted so the risk pertains only to the period of time between data collection and receipt of the certificate

How to Obtain a Certificate of Confidentiality

Investigators may choose to apply for a CoC, or the IRB may require that an investigator obtain one during the process of initial review, or to be submitted as an amendment to the study. Information as to how to obtain a Certificate of Confidentiality can be found on the NIH Grants and Funding website: Certificates of Confidentiality (CoC) – Human Subjects

Request a CoC through the Online Certificate of Confidentiality System. The following information will be required:

1. Project details, including research title, start date, projected end date, and description.
2. Institution and performance site (if applicable) details, including institution and performance site(s) names and addresses, and institutional official name, email address, and phone number.
3. Principal Investigator name, phone number, email address, position.
4. Key personnel names, degrees, and positions
5. Name(s) of drugs that will be administered, route of administration, and dosage
6. The following document to upload, if applicable:
   1. a copy of the DEA certificate(s)/registration for studies in which a
      controlled drug will be administered

Contact the USC IRB to obtain the contact information for the Institutional Official (IO) to be listed on the CoC request. The IO will need to review the CoC request information for accuracy and affirm the online Institutional Assurance Statement by checking each box and then submitting the CoC request.

Please contact NIH CoC Coordinator if you have additional questions.

*IRB approval may be granted even though receipt of a Certificate of Confidentiality (CoC) is pending as long as the consent form(s) indicate the Principal(please use the template language from the USC Template Informed Consent Form from the USC HRPP website). Once the CoC is received the PI must submit an amendment in iStar. The amendment must include a revised Informed Consent Form uploaded into section 24.7, informing the participants the data is protected under a CoC (please use the language from the USC Template Informed Consent Form), upload the CoC into section 26.6 of the iStar application and indicate the expiration date of the CoC.

Additional CoC Guidance