STANFORD has established the following written policies, together with the other policies referenced in this Chapter, to protect participant privacy and data confidentiality.
In order to approve research, the IRB must be satisfied that, Ňwhen appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of the dataÓ [45 CFR 46.111(a)(7) and 21 CFR 56.111(a)(7)]. An invasion of privacy or breach of confidentiality may be a moral wrong or even present a risk of serious harm to participants (e.g., jeopardize their family relationships, community standing, employment, or lead to prosecution for criminal behavior). The IRB reviews each protocol, based on the information provided by the PD in the Protocol Application, and assesses the amount and type of private information involved, how the information will be collected, and plans for its use, storage and disclosure. As necessary, the IRB will ask for additional details during its review.
Privacy means, in the context of a research protocol, respecting an individualŐs right to be free from unauthorized or unreasonable intrusion, including control over the extent, timing and circumstances of obtaining personal information from or about them. For example, individuals may not want to be seen entering a place that might stigmatize them, such as a clearly-identified pregnancy counseling center.
Confidentiality means respecting a potential or current participantŐs right to be free from unauthorized release of information that the individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others without permission in ways that are inconsistent with the understanding of the original disclosure. In the context of a research protocol, ŇconfidentialityÓ refers to the understanding between the participant and investigator (e.g., as set forth in the consent and authorization documents) as to how participant information will be handled, managed, and disseminated (e.g., shared with others) as part of the research.
Private Information means individually identifiable information:
á About behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place
á Which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record).
Sensitive Information is private information relating, but not limited, to:
á Sexual attitudes, preferences or practices
á Use or treatment for alcohol, drugs or other addictive products
á Illegal conduct
á Information which if released could reasonably cause stigmatization or discrimination, or result in damage to areas such as financial well-being, employability, or reputation.
á Certain health information, including psychological or mental health.
Stanford Affiliated Covered Entity (SACE) means the portions of Stanford University designated as a part of the Stanford University HIPAA Components (SUHC) hybrid covered entity (e.g., its health care components and selected support units) joined with the Stanford Hospital and Clinics (SHC) and Lucile Packard ChildrenŐs Hospital (LPCH), to form a single affiliated entity as a covered entity under the HIPAA privacy regulations.
Section revised: 3/13/13
Privacy refers to persons and their interest in controlling the access of others to themselves.
To approve research, the IRB must determine that, where appropriate, there are adequate provisions to protect the privacy interests of potential or current participants, from the screening and recruitment through all phases of research. If the protocol does not include adequate provisions to protect the privacy interests of the participants, the IRB may not approve the protocol as written.
The PD must describe in the Protocol Application the provisions for protecting the privacy of participants during screening, data collection and other interactions. The IRB assesses the information during the review process and at convened meetings. As necessary, the IRB will ask for additional details during its review.
Provisions for protecting the privacy interests of participants or participants should include:
á Ensuring that the conditions under which a procedure is performed or information is collected (e.g., physical locations, telephone contact, mail or email solicitations) afford protections against interactions with participants being witnessed, overheard or inadvertently intercepted or viewed. For example, a potential or current participant may feel uncomfortable:
- Being seen entering a place that they feel might stigmatize them, such as a pregnancy counseling center;
- Having physical measurements recorded in a non-private setting;
- Discussing private medical information in a setting with other than a health care provider or in other than a private clinical setting;
- Answering sensitive questions by telephone while at home or work.
á Limiting the information being collected to only the minimum amount of data necessary to accomplish the research purposes.
Section revised: 3/13/13
Confidentiality refers to maintenance of the ResearcherŐs agreement with the participant about how the participantŐs identifiable private information will be handled, managed, and disseminated.
As a condition of protocol approval, the IRB determines that there are adequate provisions to protect confidentiality of information related to potential or current participants, throughout the research, including data analysis and retention. PDs are expected to design studies to maximize confidentiality to avoid unintentional and unauthorized release or other disclosures.
Additional requirements might apply, depending on the source of support/funding (e.g., Department of Education (re: access to instructional material used in a research or experimentation program), Department of Energy (such as a required checklist for DOE requirements), Department of Justice: National Institute of Justice (NIJ) and research conducted with the Bureau of Prisons): see GUI-42 Other Federal Agencies - Additional Requirements
The PD must describe the provisions to protect the confidentiality of data in the Protocol Application. The IRB assesses the information provided in the application during the review process and at convened meetings. The IRB may ask for additional details during its review, depending on the sensitivity of the information being used, maintained or disclosed. Generally, the greater the sensitivity of the information, the more stringent the security measures that are needed.
In reviewing confidentiality protections, the IRB considers the nature, probability, and magnitude of harms that would be likely to result from an unauthorized release of the collected information. It evaluates the proposed anonymizing techniques, (e.g., de-identification, coding), storage plans, access restrictions, data security methods (e.g., encryption) and other relevant factors in making its final determination concerning the appropriateness and adequacy of confidentiality protections. See the Protocol Application for the information requested by the IRB for this assessment.
For active protocols, any changes in confidentiality protection measures must be described in either a protocol modification or continuing review application. Such changes are reviewed according to the requirements described above for new protocols.
The IRB requires that investigators use best practices and adhere to STANFORD security policies to protect the confidentiality of the information collected under a protocol.
Stanford University has guidelines for best practices for maintaining confidentiality. See the Stanford University HIPAA privacy policies including best practices for:
á Protecting PHI against public viewing;
á Storage and disposal of documents that contain PHI;
á Safeguarding computer workstations and databases that access PHI;
á Faxing and emailing PHI
Techniques described in these policies may be generally applied to all information.
The IRB may consult with the School of Medicine Office of Information Resources and Technology (IRT) or other STANFORD security specialists if needed.
PDs must also follow STANFORD security policies, as applicable to their respective departments or units, which define requirements for securing information maintained in electronic form. See:
- Stanford Data Classifications chart for definitions, examples, and handling requirements for prohibited, restricted, confidential, and public data
á Stanford Hospital and Clinics (SHC) and Lucile Packard ChildrenŐs Hospital (LPCH) HIPAA security policies
Legally Required Release of Private Information
The IRB identifies protocols that might collect information that could be subject to a legally mandated release of information, to the extent that this can be ascertained in advance. When such protocols are identified in advance, the IRB requires that the investigator notify the participants through language in the consent and HIPAA authorization document(s) of the possibility of legally mandated disclosure. Examples of reportable information include:
á Child abuse reporting, California Penal Code 11169 – 11174.3;
á Elder and dependent adult abuse reporting, California Welfare and Institutions Code 15600 – 15659;
á Sexual assault and rape reporting, California Penal Code 11160;
á Warning to police or potential victim when an individual is deemed a danger to others, California Welfare and Institutions Code 5328(r) and Tarasoff v. Regents of Uni. of CA, 17 Cal.3d 425 (1976);
á Reporting treatment of person suffering from assaultive or abusive behavior, California Penal Code 11160 – 11161;
á Reporting certain communicable diseases, California Health and Safety Code 120250 and 17 California Code of Regulations 2505;
á Reporting cases of active TB, California Health and Safety Code 121362;
á Reporting disorders characterized by a lapse of consciousness, 17 California Code of Regulations 2810;
á Reporting incidents involving medical devices, 21 USC 360i(b), 21 CFR Part 803.
á Release under a search warrant or a subpoena (e.g., civil or criminal litigation).
PDs may seek advice from the IRB or the relevant STANFORD legal counsel, if they have any questions concerning compliance with these laws.
Certificates of Confidentiality (CoC)
Where a protocol involves the collection of sensitive information (e.g., about illegal conduct), the IRB may determine that special steps are needed to protect participants from the risks of external investigative or judicial processes (legally mandated release of information for use in federal, state, or local civil, criminal, administrative, legislative, or other legal proceedings). In such situations, the IRB may require that the PD obtain a Department of Health and Human Services (DHHS) Certificate of Confidentiality (CoC) pursuant to Section 241(d) of Title 42 of the United States Code. Funding through DHHS or other federal funding is not a requirement for obtaining a CoC.
When the PD obtains a CoC, the IRB requires that participants be informed about the protections and limitations under the CoC, through the consent document or HIPAA authorization. The consent document must explain if the investigators will release information under any anticipated mandatory reporting or for internal or external audit purposes (e.g., STANFORD units, DHHS, or FDA). In order that a participant may weigh the risk of such release of information and not expect more confidentiality protection than is actually provided by the CoC, the IRB requires that the possibility of release for those purposes be stated clearly and explicitly in both the protocol and the consent form. The IRB also requires that any participant enrolled after expiration or termination of a CoC be informed that its protection will not apply to them, and that issuance of a CoC is not an endorsement of the research by the DHHS.
For more information about obtaining a CoC, PDs may consult with IRB staff and visit the CoC kiosk.
Continuing Confidentiality Protections – Data Analysis, Dissemination and Retention
PDs should consider taking additional precautions that were not feasible while the protocol was active, including:
á Removing some or all direct identifiers (e.g., name, medical record number) and coding the information;
á Limiting the individuals who have access to the participant identifiable information
á Employing secure archival methods or ITSS-approved long-term storage services.
PDs are responsible for the secure storage of signed consent documents for at least three years after completion of the study and of HIPAA authorizations for at least six years from the date that the authorization was last in effect. PDs conducting research through Stanford University must also comply with Research Policy Handbook RPH 1.9 Retention of and Access to Research Data, and should refer to this policy when considering the disposal of information.
The HIPAA privacy regulations and California law continue to apply to any PHI held for research purposes, even after the protocol has been closed.
Section revised: 01/12/16
In accordance with HIPAA regulations [45 CFR 160 and 45 CFR 164], the IRB oversees the satisfaction of and compliance with some of those requirements on behalf of the portions of STANFORD covered by HIPAA. This is in addition to any requirements under the Common Rule and FDA regulations. The Stanford Affiliated Covered Entity and VAPAHCS have established written policies and procedures to implement the HIPAA regulations. In accordance with the HIPAA privacy regulations, the Stanford Affiliated Covered Entity has approved and posted and the IRB adheres to a HIPAA policy specifically governing research – Policy H-13 Research and Patient Privacy. The policy describes under which circumstances protected health information (PHI) may be accessed and used or disclosed for research purposes. The following additional HIPAA policies impact investigators and the IRB:
á Stanford University Administrative Guide Memo 16.2
á Stanford University HIPAA Components (SUHC) policies
á SHC/LPCH HIPAA policies
á VAPAHCS and its physicians as health care providers also have HIPAA policies documented in VHA Handbook 1200.05VHA Handbook 1605.1, addressing research as well as other aspects of HIPAA. VAPAHCS has a local policy (HCSM 151-15-06 - Collection, Use, Storage, and Sharing of Data in Human Subjects Research)) to educate investigators and staff on these national policies.
The IRB, PDs, and other investigators accessing, using, or maintaining PHI have certain duties and responsibilities under those policies and HIPAA, particularly for research activities.
Stanford University has designated a University Privacy Officer who is also the privacy officer for the Stanford Affiliated Covered Entity (SACE), and a number of other privacy officials for its departments and schools. The University Privacy Officer and other privacy officials are responsible for the development and implementation of the HIPAA policies and procedures and overseeing compliance with HIPAA, as stated in Administrative Guide Memo 16.2. The privacy officials and privacy officers meet periodically as members of the Privacy and Security Governance Council, convened by the University Privacy Officer as a forum to explore issues related to the implementation and enforcement of the Privacy and Security Rules issued under HIPAA.
VA: The VA has privacy officers at all levels: Central Office, the VISN, the Northern California Healthcare Systems, and at the Palo Alto facility (VAPAHCS). The IRB is the Privacy Board for the VA, as designated in the Memorandum of Understanding.
IRB staff meet periodically with representatives of the VAPAHCS to discuss IRB matters including privacy and confidentiality issues.
Section revised: 3/13/13
The IRB requires that PDs immediately inform it of any possible or actual unauthorized release of information. The IRB also may receive a complaint or allegation from a participant about such a release, since its contact information is contained in the consent document for that purpose. The IRB treats such a release or allegation of release as possible non-compliance. It follows the process set forth in Chapter 3, in order to review and respond to the situation.
The IRB will report any breach of confidentiality involving VA research information to the VA Privacy Officer at the Palo Alto facility in accordance with requirements documented in the Memorandum of Understanding.
California Civil Code Section 1798.80 et seq.
The response must include any notification to the participant of any breach of security relating to personal information as defined in California Civil Code Section 1798.81.5 and required by California Civil Code Section 1798.82.
Potential Violation of HIPAA
If a potential violation involves PHI, STANFORD also treats it as a potential violation of HIPAA policies and the HIPAA privacy and security regulations. The IRB will communicate and coordinate its review and response with that required under the applicable STANFORD HIPAA policies, including communicating with the applicable privacy officers of the STANFORD organizations (refer to Stanford University Administrative Guide Memo 16.2.)