Human Research Protection
Program (HRPP)
DOMAIN II: RESEARCH REVIEW
UNIT, INCLUDING IRBs
Chapter 11: Privacy and Confidentiality
STANFORD* systematically evaluates the protection of privacy interests of research participants and the confidentiality of data in proposed research. (AAHRPP Standard II-6) STANFORD has established the following written policies, together with the other policies referenced in this Chapter 11, to avoid the possibility that biomedical and behavioral research may invade the privacy of individuals or result in a breach of confidentiality of their private information.
STANFORD recognizes that an invasion of privacy or breach of confidentiality may be a moral wrong or even present a risk of serious harm to subjects (e.g., when the researcher obtains information about subjects that would, if disclosed by the researcher, jeopardize their jobs or lead to their prosecution for criminal behavior). The IRBs understand that research inherently involves the acquisition, storage and utilization (e.g., analysis, publication, disclosure to FDA) of information. Consequently and for purposes of its review, the IRBs consider each research protocol to be a potential challenge to the privacy of participants and to present a potential risk of disclosure of their confidential information.
Definitions
Privacy means, in the context of a protocol, respecting an individual’s right to be free from unauthorized or unreasonable intrusion related to the individual’s private information, including control over the extent, timing and circumstances of obtaining such information. Privacy concerns participants or potential participants as “people,” in terms of access to personal information from or about them. For example, individuals may not want to be seen entering a place that might stigmatize them, such as a clearly-identified pregnancy counseling center. Both an “authorized” and an “unauthorized” release of research information implicates an individual’s privacy, because it provides access to information about the individual.
Confidentiality means respecting a potential participant or participant’s right to be free from unauthorized release of information, particularly if it could be prejudicial to a participant’s interest. Confidentiality concerns records of private information relating to participants, particularly the researcher’s agreement with the participant about how the participant’s records of private information will be handled, managed, and disseminated (e.g., shared with others). To use a parallel with the above example, it would include the manner for safeguarding and sharing a list of clients seen at the pregnancy counseling center. Only an “unauthorized” release of research information implicates an individual’s confidentiality.
Individually Identifiable Information means the identity of the subject is or may readily be ascertained by the investigator or associated with the information (45 CFR 46.102(f)).
Private Information means individually identifiable information:
· About behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place
· Which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). 45 CFR 46.102(f).
Sensitive Information is a subset of “private information” and means private information relating to:
· Sexual attitudes, preferences and or practices
· Use or treatment for alcohol, drugs or other addictive products
· Illegal conduct
· Areas such as private health information (including genetic information), financial affairs (e.g., social security numbers), employability, or reputation that, if released, could reasonably result in damage (including stigmatization or discrimination) to the individual in one or more of these areas
· An individual’s psychological well-being or mental health.
Private Health Information is a subset of “sensitive information” and means all individually identifiable health information which relates to past, present or future physical or mental conditions or treatment.
Protected Health Information (PHI) is a subset of “private health information” and has the same meaning as in the HIPAA privacy regulations in 45 CFR 164.501. PHI is legally relevant to the Stanford Affiliated Covered Entity and the Veterans Affairs Palo Alto Health Care System (VAPAHCS).
Stanford Affiliated Covered
Entity means the portions of
11.1 Determining if Private Information is Involved in the Protocol
Procedures
For each protocol, including exempt protocols, the IRBs determine if private information will be obtained, both in any screening process and in the carrying out of the protocol, based on the information provided by the PD in the New Protocol Application Form for Regular or Expedited Review – Medical (Document F.1.a.), New Protocol Application Form for Regular or Expedited Review – Non-medical (Document F.1.b.) and the Exempt Application forms (Documents F.1.e. and f.). If private information will be obtained, the IRBs consider during its review the amount and type of private information and the plan for its use, storage and disclosure. The IRB staff and IRB reviewers use the following material to assist them during the review: Protocol Checklist (Document D.2.f.iii.); Presenter Checklist (Document F.5.b.); Laminated Sheet – HIPAA (Document D.5.c.). When reviewing protocols where the only or primary risk to a participant relates to his or her privacy, the IRB review places added emphasis in eliciting what private information is involved in the protocol and how it will be used. As necessary, the IRBs will ask for additional details during its review.
Coded Information as Private Information
When the protocol uses coded information, the IRBs do not consider coded information to be private information if it cannot be linked to specific individuals by the investigator either directly or indirectly because:
· The code (e.g., a number, letter, symbol) replacing the name or other identifier would not allow the investigator to readily ascertain the identity of the individual, and
· Any key to decipher the code is destroyed before the research begins, or the holder of the key enters into an agreement with the investigators prohibiting release of the key to the investigators under any circumstances until the individuals are deceased, the IRBs have approved procedures for a data repository (e.g., information, tissue data bank) holding the key with such a prohibition, or other legal requirements exist with such a prohibition.
PDs are instructed to consult with the IRBs if they have any questions concerning when coded information may constitute private information. (Note: This does not pertain to whether a protocol qualifies as “exempt,” but only as to whether private information and a human subject are involved.)
11.2 General Considerations for Privacy of Private Information
The IRBs have the following written policies and procedures to evaluate the proposed arrangements for protecting the privacy interests of research participants during and after their involvement in the research. (AAHRPP Element II.6.A) To approve research, the IRBs must determine that, where appropriate, there are adequate provisions to protect the privacy interests of potential participants and participants, from the screening and recruitment phases throughout data analysis and retention. If the protocol does not include adequate provisions to protect the privacy interests of the participants, the IRBs may not approve the protocol as written.
Procedures
The PD must describe the provisions to protect the privacy of subjects, and respect each individual's right to be free from unauthorized intrusion in the New Protocol Application Form (Document F.1.a.). The IRBs assess the information using the Protocol Checklist (Document D.2.f.iii.), and during convened meetings, the Presenter Checklist (Document F.5.b.). As necessary, the IRBs will ask for additional details during its review.
Situations Requiring Additional Scrutiny
The IRBs strongly consider, and require the PDs to consider methods for reducing potential privacy concerns when the private information:
· Is being accessed without the participant’s knowledge and explicit permission, e.g., under a waiver of consent or HIPAA authorization, before consent, during recruitment and screening, under an exempt protocol
· Concerns sensitive information
· Involves covert observation of non-public activity.
Example - Recruitment: Because they often involve a waiver or occur pre-consent, the IRBs pay special attention to recruitment and screening activities. The IRBs expect that the PDs will access private information for recruitment purposes only after satisfaction of the applicable requirements, if any, of the Common Rule, FDA regulations and HIPAA privacy regulations. Often this means submitting to the IRBs a waiver of consent or a waiver of HIPAA authorization if PHI is involved (unless the preparatory to research or some other HIPAA provision is being utilized (see discussion of HIPAA privacy regulations at Chapter 11.6 below)). The PD is expected only to access the minimum necessary information for recruitment and under the waiver requirements have a plan for maintaining confidentiality.
Example - Screening: The screening process during recruitment, particularly for psychiatric research and clinical trials, often involves obtaining sensitive information. This occurs prior to any formal informed consent and includes many individuals who will never go through the consent process because they do not meet the inclusion criteria of the research or for other reasons. The IRBs have established guidance, entitled Guidance on Telephone Screening of Potential Subjects for Research Protocols (Document F.4.k.), for various types of screening scenarios (Documents C.3.b.xvi.-xxii.) in order to restrict the collection of sensitive private information before consent has been obtained. See also Guidance for Recruitment (Document D.1.g.), and http://humansubjects.stanford.edu/research/recruitment.html.
Example - Data and Tissue Banks: Data and tissue repositories are solely concerned with obtaining, maintaining, and accessing participant information for research, often private health information and often over long periods of time. The IRBs realize that such repositories pose particular risks to the privacy and confidentiality of participants. For that reason, the IRBs require the PD to be very detailed and clear in explaining in the initial repository protocol and consent document:
i. What information will be obtained
ii. How it will be stored, and
iii. Who will have access to it for research purposes.
The IRBs require that a second, specific protocol be filed for each different future research use that involves private information. (This topic is also discussed in the Guidance on Data and Tissue Repositories (Document F.4.dd.) and in Chapter 12 on consent.)
11.3 Legally Required Release of Private Information
The IRBs and PDs attempt to identify protocols that will collect private information that could be subject to a legally mandated release of information, if it can be ascertained in advance. This usually involves an investigator who has a certain professional status or duty and includes state and federal regulations pertaining to reporting responsibilities:
• Child
abuse reporting, California Penal Code 11169 – 11174.3;
• Elder
and dependent adult abuse reporting, California Welfare and Institutions Code
15600 – 15659;
• Sexual
assault and rape reporting, California Penal Code 11160;
• Warning
to police or potential victim when an individual is a deemed a danger to
others, California Welfare and Institutions Code 5328(r) and Tarasoff v.
Regents of Uni. of CA, 17 Cal.3d 425 (1976);
• Reporting
treatment of person suffering from assaultive or abusive behavior, California
Penal Code 11160 – 11161;
• Reporting
certain communicable diseases, California Health and Safety Code 120250 and 17
• Reporting
cases of active TB, California Health and Safety Code 121362;
• Reporting
disorders characterized by a lapse of consciousness, 17
• Reporting
incidents involving medical devices, 21 USC 360i(b), 21 CFR Part 803.
• Release
under a search warrant or a subpoena (e.g., civil or criminal litigation).
For example, many protocols involving psychiatric treatment or research could involve screening criteria on matters that solicit private information about child abuse and suicidal thoughts and actions.
When these protocols can be identified in advance, the IRBs require that the investigator notify the participant through language in the consent and HIPAA authorization document(s) of the possibility of the particular legally mandated disclosure. In that manner, participants can take account of the risk to their privacy in deciding whether to participate in the protocol.
The PDs are instructed to seek advice from the IRBs or the relevant STANFORD legal counsel, if they have any questions concerning compliance with these laws.
11.4 Confidentiality of Private Information during Research Activity
The Research Compliance Office (RCO) has the following written policies and procedures to evaluate the proposed arrangements for protecting the confidentiality of identifiable data, when appropriate, during and after the protocol activity. (AAHRPP Element II.6.B)
While recognizing that absolute confidentiality in all protocols is not possible, the IRBs require, through the application form and review process, that PDs design studies to maximize data confidentiality to avoid unintentional and unauthorized release or other disclosures.
To approve research, the IRBs must determine that, where appropriate, there are adequate provisions to confidentiality of private information related to potential participants or participants, from the screening and recruitment phases throughout data analysis and retention. If the protocol does not include adequate provisions to protect the confidentiality of private information, the IRBs may not approve the protocol as written.
Best Practices for Investigators
The IRBs require that investigators protect the confidentiality of the private information collected under a protocol by using best practices. PDs have access to a list of best practices for maintaining confidentiality that was developed for the implementation of the HIPAA privacy policies, but which are relevant for all private information. See Document C.3.b.v. and http://hipaa.stanford.edu/faq_best_practices.html. It includes the best practices for:
· Protecting PHI against public viewing
· Preventing conversations about PHI from being overheard
· Storage and disposal of documents that contain PHI
· Safeguarding computer workstations and databases that access PHI
· Faxing and E-Mailing PHI
Procedures
IRB Application Requires Description
of Confidentiality Protection Methods
The PD must describe the provisions to protect the confidentiality of data for regular and expedited protocols in the New Protocol Application Form (Document F.1.a.) and for exempt protocols (Exempt Application Forms, Documents F.1.e. and f.). The IRBs assess the information using the Protocol Checklist (Document D.2.f.iii.) and, during convened meetings, the Presenter Checklist (Document F.5.b.). As necessary, the IRBs will ask for additional details during its review.
In reviewing confidentiality protections, the IRBs consider the nature, probability, and magnitude of harms that would be likely to result from an unauthorized release of the collected private information. It evaluates the effectiveness of proposed anonymizing techniques, coding systems, encryption methods, storage facilities, access limitations, and other relevant factors in making its final determination concerning the adequacy of confidentiality protections.
Steps after Active Research Phase
As long as the protocol is active (e.g., renewed annually) with the IRB, any changes in confidentiality protection measures must be described in either the protocol revision or renewal application. These changes are reviewed according to the procedures described above for new protocols.
After the collection of data, its analysis and dissemination, the PD should consider taking additional precautions that were not feasible during the more active phases, including:
· Disposing appropriately of all private information, particularly sensitive information, at the conclusion of the research or some subsequent point
· If not disposed of, then removing some or all identifiers or coding the information
· Further limiting the individuals who have access to the private information, since fewer research staff and others will need to access and utilize the information
· Imposing greater and more sophisticated security measures, since the information will probably not be utilized often.
PDs are responsible for the confidential storage of the signed consent
documents for at least three years and HIPAA authorizations for at least six
years. PDs conducting research through
The HIPAA privacy regulations and
Sensitive Information
The IRBs require that PDs take additional precautions for safeguarding the confidentiality of sensitive information, because by definition its release poses greater potential to damage a participant.
Certificates of Confidentiality (CoC)
Where a protocol involves the collection of sensitive information, the IRBs if not requested by the PD, may determine that special steps are needed to protect participants from the risks of external investigative or judicial processes – involuntary release of sensitive information for use in federal, state, or local civil, criminal, administrative, legislative, or other legal proceedings. In such situations, the IRBs may require that the PD obtain a Department of Health and Human Services (DHHS) Certificate of Confidentiality (CoC) pursuant to Section 241(d) of Title 42 of the United States Code. (See http://grants.nih.gov/grants/policy/coc/index.htm for general information.) Funding through DHHS or other federal funding is not a requirement for a CoC.
When the PD obtains a CoC, the IRBs require that participants be informed about the protections and limitations under the CoC, through the consent document or HIPAA authorization. In particular, the consent document must explain if the investigators will release sensitive information under any anticipated mandatory reporting (e.g., child abuse) and for internal and external audit purposes (e.g., STANFORD units, DHHS, or FDA). In order that a participant may weigh the risk of such release of information and not expect more confidentiality protection than is actually provided by the CoC, the IRBs require that the possibility of release for those purposes be stated clearly and explicitly in both the protocol and the consent form. The IRBs also require that any participant enrolled after expiration or termination of a CoC be informed that its protection will not apply to them, and that its issuance is not an endorsement of the research by the federal agency.
For more information about obtaining a CoC, PDs should consult with IRB staff and the CoC kiosk at http://grants.nih.gov/grants/policy/coc/index.htm.
Special Consents/Authorizations for Disclosure of Sensitive Health Information As required by law, the IRBs mandate special forms of consent and authorization for the release of certain private health information that is sensitive information. As described in Chapter 12.2 the special form of authorization may need to be in a separate document than the consent document or HIPAA authorization. If it is separate, the IRBs require that the special authorization be included and obtained as part of the consent process.
The PDs should seek advice from the IRB or STANFORD legal counsel, if they have any question concerning compliance with these types of laws.
11.5
Protected
Health Information Accessed and Utilized in
Research and the Health Insurance
Portability and
Accountability Act (HIPAA) Privacy
Regulations
In accordance with HIPAA regulations, the IRBs act as the Privacy Board and oversee the satisfaction of and compliance with some of those requirements on behalf of the portions of STANFORD covered by HIPAA. This is in addition to any requirements under the Common Rule and FDA regulations.
In accordance with the HIPAA privacy regulations, the Stanford Affiliated Covered Entity established written policies to implement the regulations, including a specific, extensive HIPAA policy governing research -- HIPAA: Research and Patient Privacy (Document C.3.b.iii., also at http://hipaa.stanford.edu/policy_university/research_privacy.html). It describes under which circumstances PHI may be accessed and used or disclosed for research purposes.
VAPAHCS and its physicians
as health care providers also have HIPAA policies through VHA Handbook 1605.1,
The IRBs have developed a number of HIPAA forms and guidances (Documents C.3.b.i.-xv.) for its members, staff, and PDs to use in implementing the Stanford Affiliated Covered Entity and VAPAHCS’s HIPAA policies relating to research.
VAPAHCS, SHC, LPCH, IRBs, PDs, and any investigator in the School of Medicine (SOM) maintaining PHI have certain duties and responsibilities under those policies and HIPAA, particularly for research activities.
Communication Regarding HIPAA Matters
The Stanford Affiliated Covered Entity has designated one privacy official and a number of privacy officers for its units and organizations. They are responsible for the development and implementation of the HIPAA policies and procedures and overseeing compliance with HIPAA, as stated in Administrative Guide Memo 23.10 (Document C.3.b.ii.). The RCO Associate Director is the privacy officer for the Dean of Research Office, and the SOM has a Director of Privacy and Data Security. SHC and LPCH have one Chief Compliance Officer/Privacy Officer. The privacy official and privacy officers meet regularly as members of the HIPAA Council. The HIPAA Council is convened monthly by the University Privacy Office as a forum to explore issues related to the implementation and enforcement of the Privacy and Security Rules issued under HIPAA (Document C.2.c.iii.).
The VA has privacy officers at all levels: Central Office, the VISN, the
Northern California Healthcare Systems, and at the
Stanford Affiliated Covered Entity HIPAA Education
All
The Training Module includes a post-test so that learning key concepts can be verified. A passing score is 100%, which must be achieved before a certificate of completion is issued.
VA HIPAA Education
In accordance with VHA Handbook 1605.1, Privacy and Release of Information, (Document B.5.y.), VAPAHCS requires that all VHA personnel including employees, volunteers and students be trained at least annually and on an ongoing basis on privacy policies to include the requirements of federal privacy and information laws, regulations, and VHA policy. New personnel must be trained within 30 days of employment and annually thereafter. Personnel may complete the VHA Privacy Policy annual training module available on its intranet at http://vapaweb/ or through the Internet at http://www.vhaprivacytraining.net/frame.htm. After completion, the VHA personnel must submit their certificates to their service chief or designee. For additional information, VA personnel can contact the VAPAHCS Privacy Officer at (650) 493-5000 at extension 64616.
11.6 STANFORD Implementation of HIPAA Security Regulations
STANFORD also addresses the security of electronic PHI maintained and used in research by complying with the HIPAA security regulations, 45 CFR Parts 160 and 164, particularly Subpart C of Part 164. The Stanford Affiliated Covered Entity and VAPAHCS:
i. Established written policies, principles and procedures to implement the regulations
ii.
Educates their workforce concerning their HIPAA
security policies and principles. See the
11.7 Confidentiality Breach -- Unauthorized Release of Private
Information
The IRBs require that PDs immediately inform it of any possible or actual unauthorized release of private information. The IRBs also may receive a complaint or allegation from a participant about such a release, since its contact information is contained in the consent document for that purpose. The IRBs treat such a release or allegation of release as possible non-compliance. It follows the process set forth in Chapter 3.5, in order to review and respond to the situation.
The response must include any notification to the participant of any
breach of security relating to personal information as defined in California
Civil Code Section 1798.81.5 and required by California Civil Code Section
1798.82. This notification applies only
to STANFORD investigators in the portion of
Potential Violation of HIPAA
If a potential violation involves PHI, STANFORD also treats it as a
potential violation of HIPAA policies and the HIPAA privacy and security
regulations. The IRBs will communicate
and co-ordinate its review and response with that required under the applicable
STANFORD HIPAA policies, including communicating with the applicable privacy
officers of the STANFORD organizations.
(For example, see the requirements in section 10 of the