
PURPOSE: To provide guidance on issues dealing with privacy and confidentiality of human subjects.
POLICY: To protect the privacy and confidentiality of the human research subjects to the maximum extent possible within the constraints of the regulations and reasonable means possible. To make reasonable efforts to limit the use and disclosure of and request for protected health information to the minimum necessary to accomplish the intended purpose.
SCOPE: This policy covers human subjects participating in biomedical, behavioral, clinical or other types of research protocols.
RESPONSIBILITY:
Investigators and staff – The researchers are responsible for protecting the privacy and confidentiality of the human subjects participating in their research protocol. Certificates of Confidentiality do not take the place of good data security. Researchers are responsible for taking appropriate steps to safeguard research data and findings. Unauthorized individuals must not access the research data or learn the identity of research subjects.
IRB Chairman and IRB members – The IRB Chairman and members are responsible for ensuring privacy and confidentiality concerns are addressed when the protocol is reviewed. Any deficiencies in privacy or confidentiality identified during the review will be addressed prior to the IRB’s approval of the protocol.
IRB Coordinator – The IRB Coordinator is responsible for keeping the research protocols secured in the Research Office and for maintaining a log of who accesses these protocols.
Safeguarding Confidentiality. When information linked to individuals will be recorded as part of the research design, the IRB ensures that adequate precautions will be taken to safeguard the confidentiality of the information. The IRB and researchers must be familiar with techniques for protecting confidentiality.
(1) When the IRB reviews research in which the confidentiality of data is a serious issue, at least one IRB member (or consultant) familiar with the strengths and weaknesses of the different mechanisms available will be present. The Chairperson or his/her designee will identify the appropriate member or consultant.
(2) The IRB can waive documentation of consent when a signed consent form is the only link between the research and the subjects and would itself be a risk to the subject.
(3) Methods for ensuring confidentiality are coding of records, statistical techniques, limiting access to the records, and physical or computerized methods for maintaining the security of stored data.
(4) Human subjects must be informed of the extent to which confidentiality of research records will be maintained.
(5) Federal officials have the right to inspect and copy research records, including consent forms and individual medical records, to ensure compliance with the rules and standards of their programs. The provisions of the Privacy Act of 1974 protect identifiable information obtained by Federal officials during such inspections.
Other methods of safeguarding confidentiality could include:
physical locks
electronic passwords
inter-file linkage
error inoculation
top coding
ethical editing of qualitative descriptions
data brokering
Certificates of Confidentiality. Where research involves the collection of highly sensitive information about individually identifiable subjects, the IRB may determine that special protections are needed to protect subjects from the risks of investigative or judicial processes. In such situations, the IRB may require that an investigator obtain a Department of Health and Human Services (DHHS) Certificate of Confidentiality (CoC). For studies not funded by DHHS, if there is an Investigational New Drug Application (IND) or an Investigational Drug Exemption (IDE), the sponsor can request a CoC from the FDA. The CoC was developed to protect against the involuntary release of sensitive information about individual subjects for use in Federal, state, or local civil, criminal, administrative, legislative, or other legal proceedings.
Certificates constitute an important tool to protect the privacy of research study subjects. By protecting researchers and institutions from being compelled to disclose information that would identify research subjects, Certificates of Confidentiality help achieve the research objectives and promote participation in studies by assuring confidentiality and privacy to subjects.
The CoC does not prohibit voluntary disclosure of information by an investigator, such as voluntary reporting to local authorities of child abuse or of a communicable disease. In addition, the CoC does not protect against the release of information to VA, DHHS or FDA for audit purposes. Consequently, the IRB will require that these conditions for release be stated clearly and explicitly in the informed consent document.
Certificates of Confidentiality are generally effective on the date of issuance or upon commencement of the research project if that occurs after the date of issuance. The expiration date should correspond to the completion of the study. The Certificate will state the date upon which it becomes effective and the date upon which it expires. A Certificate of Confidentiality protects all information identifiable to any individual who participates as a research subject (i.e., about whom the investigator maintains identifying information) during any time the Certificate is in effect. The protection afforded by the Certificate is permanent. All personally identifiable information obtained about subjects in the project while the Certificate is in effect is protected in perpetuity.
Subjects may disclose information to physicians or other third parties. They may also authorize in writing the investigator to release the information to insurers, employers, or other third parties. In such cases, researchers may not use the Certificate to refuse disclosure. However, if the researcher intends to make any voluntary disclosures, the consent form must specify such disclosure.
Certificates do not authorize researchers to refuse to disclose information about subjects if authorized DHHS personnel request such information for an audit or program evaluation. Neither can researchers refuse to disclose such information if it is required to be disclosed by the Federal Food, Drug, and Cosmetic Act.
In the informed consent form, investigators should tell research subjects that a Certificate is in effect. Subjects should be given a fair and clear explanation of the protection that it affords, including the limitations and exceptions noted above. Every research project that includes human research subjects should explain how identifiable information would be used or disclosed, regardless of whether or not a Certificate is in effect.
Privacy
The use of confidential information is an essential element of research and especially the social and behavioral types of research.
(1) It is important to ensure that the methods used to identify potential research subjects or to gather information about subjects do not invade the privacy of the individuals. In general, identifiable information may not be obtained from private (non-public) records without the approval of the IRB and the informed consent of the subject. This is the case even for activities intended to identify potential subjects who will later be approached to participate in research. However, there are circumstances that are exempt from the regulations, and circumstances in which the IRB may approve a waiver of the usual informed consent requirements.
(2) It is also important to ensure that adequate measures are taken to protect individually identifiable private information once it has been collected to prevent a breach of confidentiality that could lead to a loss of privacy and potentially harm subjects.
Researchers have a duty to respect the privacy of prospective subjects. That is, the researcher allows the research subject to determine when, how, and to what extent information about him or her is communicated to others. Researchers usually protect an individual's right to privacy by obtaining free and informed consent before collecting personal information about him or her. The act of contacting potential subjects to seek free and informed consent to access private information may constitute a breach of privacy if the investigator does not have access to such individuals in the course of his or her usual professional activities. In general, someone the research subject would think has a reason to know why he or she might participate in the study should be the first to approach the research subject.
Research Office Files
The Office of Research Integrity (ORI) personnel are bound by all legal and ethical requirements to protect the rights of human subjects, including the confidentiality of information that can be identified with a person. All IRB records are kept secure in locked filing cabinets in the ORI or other secured areas. Access to IRB records is limited to the Director, ORI, the IRB Chairperson, IRB members, IRB Coordinator, ORI staff, authorized Marshall University representatives, and officials of Federal and state regulatory agencies, including the Office for Human Research Protections (OHRP), and the Food and Drug Administration (FDA). Research investigators are provided reasonable access to files related to their research. All other access to IRB records is limited to those who have legitimate need for them, as determined by the Director, ORI. Appropriate accreditation bodies are provided access as needed.
Investigator’s Files - To maintain the confidentiality of subjects, no records with the subject's name or SSN should leave the investigator's files or the usual location (e.g., medical record) without a reason that cannot otherwise be met. Unnecessary risks to subject privacy and confidentiality can be avoided by reviewing consent documents in the investigator’s files rather than taking them to another location. Reports of audits of the investigator's files can be made for the ORI administration or IRB files; these document the oversight yet do not contain identifiers.
FOLLOW-UP RESPONSIBILITY: Director, Office of Research Integrity
REFERENCES: Section 301(d) of the Public Health Service Act (42 USC 241 (d))
45 CFR Part 160
Revised 5-1-2007