Boston University
Charles River Campus IRB
Policies and  Procedures
Title: Privacy and Confidentiality
Date: December 3, 2018

Purpose

The purpose of this policy is to outline the process for protecting the privacy of subjects and the confidentiality of study data.

Defined Terms

Privacy can be defined in terms of having control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others.

Confidentiality refers to the researcher’s agreement with the subject about how the subject’s identifiable private information will be handled, managed, and disseminated.

Directly Identifiable:  Data/samples are considered to be directly identifiable if they are labeled with unique identifiers that allow the identity of the subject to be ascertained or readily ascertained by the investigator or associated with the information

Indirectly Identifiable:  Data/samples that have a link (code or key) to identifiable information about the person.

Non-identifiable: Data/samples are considered to be non-identifiable when the data/samples cannot be linked to a specific individual either because the link (code or key) was never created or the link was destroyed.

Policy

Federal regulations require that, when appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.  As part of the IRB review process, the IRB will review the privacy and confidentiality provisions for each study to ensure that they are adequate for the study.

Note: If you are conducting research in a covered entity, you must comply with the Health Insurance Portability and Accountability Act (HIPAA). 

The following components have been determined to be covered entities on the Boston University Charles River Campus:

  • Sargent College Rehabilitation Services
    • Physical Therapy Center at the Ryan Center for Sports Medicine and Rehabilitation
    • Sargent Choice Nutrition Center
  • The Danielsen Institute
  • Boston University Health Plan

For more information regarding HIPAA, please visit the BU HIPAA website.

Procedures

Privacy

The IRB will consider the following when reviewing the privacy provisions of a study:

  • Purpose of the study
  • Sensitivity of the information being collected
  • Potential risk of harm of unintended disclosure of information
  • Location and method(s) used for recruitment, consenting, and conducting study procedures
  • Which members of the study team will interact with subjects
  • Subject population

Provisions for protecting the privacy of subjects should include:

  • Private location for the conduct of all study procedures including consenting
  • Limiting access to identifiable study information
  • Limiting the information being collected to only the minimum amount necessary to accomplish the study aims

Confidentiality

The IRB will consider the following when reviewing the confidentiality provisions of a study:

  • Sensitivity of the information being collected
  • Nature, probability, and magnitude of harm that could occur as a result of unintended disclosure of information

Provisions for maintaining confidentiality should include one or more of the following as applicable:

  • Coding system
  • Anonymize data
  • Encryption
  • Pass-word protected files/databases
  • Locked file cabinets
  • Use of pseudonyms
  • Restrict access to identifiable information
  • Waiver of documentation of consent
  • National Institutes of Health (NIHNational Institutes of Health) Certificate of Confidentiality

Subjects should be informed (via the consent form) about how data confidentiality is maintained.  Subjects should be informed of the following:

  • Who will know of their participation in the research
  • How the data will be used
  • How the data will be stored, the purpose of storage, and the period of time for storage
  • Will the data stored be identifiable
  • Who will have access to the data
  • The plan for maintaining confidentiality
  • Statement that unauthorized individuals will not have access to their information
  • Limitations of the confidentiality plan
  • List of individuals/organizations outside of the research team who will have access to information (e.g. FDA, IRB, Sponsor, mandatory reporting, etc.)

For further assistance and/or access to resources regarding information security, please refer to the BU Information Security website: http://www.bu.edu/tech/security/.

National Institutes of Health (NIH) Certificate of Confidentiality for Studies Funded by the NIH

Per NIH policy, the NIH will issue Certificates of Confidentiality to persons engaged in biomedical, behavioral, clinical or other research, in which identifiable, sensitive information is collected.  These Certificates protect the privacy of subjects by limiting the disclosure of identifiable, sensitive information

The NIH policy applies to all biomedical, behavioral, clinical, or other research funded wholly or in part by the NIH, whether supported through grants, cooperative agreements, contracts, other transaction awards, or conducted by the NIH Intramural Research Program, that collects or uses identifiable, sensitive information.  The term “identifiable, sensitive information” means information about an individual that is gathered or used during the course of biomedical, behavioral, clinical, or other research, where the following may occur:

  • An individual is identified; or
  • For which there is at least a very small risk, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual

The NIH will provide Certificates automatically to any NIH-funded recipients conducting research that falls under the NIH policy.  The NIH considers research in which identifiable, sensitive information is collected or used, to include:

  • Human subjects research as defined in the Federal Policy for the Protection of Human Subjects (45 CFR 46), including exempt research except for human subjects research that is determined to be exempt from all or some of the requirements of 45 CFR 46 if the information obtained is recorded in such a manner that human subjects cannot be identified or the identity of the human subjects cannot readily be ascertained, directly or through identifiers linked to the subjects;
  • Research involving the collection or use of biospecimens that are identifiable to an individual or for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual;
  • Research that involves the generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is recorded in such a manner that human subjects can be identified or the identity of the human subjects can readily be ascertained as defined in the Federal Policy for the Protection of Human Subjects (45 CFR 46); or
  • Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual, as defined in subsection 301(d) of the Public Health Service Act.

To determine if the NIH policy applies to research conducted or supported by NIH, investigators will need to ask, and answer the following question:

  • Is the activity biomedical, behavioral, clinical, or other research?

If the answer to this question is no, then the activity is not issued a Certificate. If the answer is yes, then investigators will need to answer the following questions:

  • Does the research involve Human Subjects as defined by 45 CFR Part 46?
  • Are you collecting or using biospecimens that are identifiable to an individual as part of the research?
  • If collecting or using biospecimens as part of the research, is there a small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual?
  • Does the research involve the generation of individual level, human genomic data?

If the answer to ANY ONE of these questions is yes, then the NIH policy will apply to the research and the research will automatically be covered by the Certificate.  If the research is covered by a Certificate, the recipient (principal investigator) of the Certificate shall not:

  • Disclose or provide, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding, the name of such individual or any such information, document, or biospecimen that contains identifiable, sensitive information about the individual and that was created or compiled for purposes of the research, unless such disclosure or use is made with the consent of the individual to whom the information, document, or biospecimen pertains; or
  • Disclose or provide to any other person not connected with the research the name of such an individual or any information, document, or biospecimen that contains identifiable, sensitive information about such an individual and that was created or compiled for purposes of the research.

Disclosure is permitted only when:

  • Required by Federal, State, or local laws (e.g., as required by the Federal Food, Drug, and Cosmetic Act, or state laws requiring the reporting of communicable diseases to State and local health departments), excluding instances of disclosure in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding;
  • Necessary for the medical treatment of the individual to whom the information, document, or biospecimen pertains and made with the consent of such individual;
  • Made with the consent of the individual to whom the information, document, or biospecimen pertains; or
  • Made for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human subjects in research

 

If this study is covered by an NIH Certificate of Confidentiality, the consent form must include language about the protections and exceptions allowed with the Certificate.  The NIH has required consent form language.  The language is at the following website:  https://humansubjects.nih.gov/coc/suggested-consent-language.  A consent form with the applicable language must be included with the IRB submission.

National Institutes of Health (NIH) Certificate of Confidentiality for Studies that are not funded by the NIH

The NIH will continue to consider requests for Certificates for specific projects that are not funded by NIH or other HHS agencies that issues Certificates.These requests should be submitted through the NIH online application system at https://humansubjects.nih.gov/coc/apply.

Certificates of confidentiality are typically only issued for research projects that are:

  • Collecting or using identifiable, sensitive information (see below for more detail)
  • On a topic that is within the HHS health related research mission
  • Storing the research information collected or used in the US

Research in which identifiable, sensitive information is collected or used, including research that:

  • Meets the definition of human subjects research, including exempt research in which subjects can be identified
  • Is collecting or using human biospecimens that are identifiable or that have a risk of being identifiable
  • Involves the generation of individual level human genomic data
  • Involves any other information that might identify a person

If this study is covered by a NIH Certificate of Confidentiality, the consent form must include language about the protections and exceptions allowed with the Certificate. The NIH has required consent form language.  The language is at the following website:  https://humansubjects.nih.gov/coc/suggested-consent-language.  A consent form with the applicable language must be included with the IRB submission.

At the time of IRB review, the IRB may request that an investigator either obtain a Certificate or provide the rationale for not obtaining a Certificate. If a Certificate will not be obtained, the IRB will require that the consent form include information about what research information could be disclosed.

Subjects in Harmful Situations:  Abuse, Suicide, and Threat of Harm

Investigators often conduct research in areas where the subjects are at risk for harmful situations such as abuse, suicide, or threat of harm.  During these studies, subjects may disclose information about abusive relationships, suicidal thoughts, or plans to harm others.  Examples of these types of studies may include studies on: post-traumatic stress syndrome (PTSD), depression, suicide, or care-giving.

For studies in these areas the IRB will require additional safeguards to protect subjects, such as:

  • Confirmation of investigators qualifications to deal with these situations
  • Obtaining a Certificate of Confidentiality or informing subjects of what circumstances would necessitate the investigators to disclose information outside of the study
  • Specific plan to deal with the situation (e.g. plan for subjects who report suicidal thoughts)
  • Including information in the consent form about when information can be disclosed outside of the study. This will also include a description of what information will be disclosed

The IRB is aware that these types of disclosures may also happen in studies that are not considered to be at risk for these types of disclosures. The IRB will typically not require additional safeguards for these studies.  It is expected that investigators always have the resources to protect the rights and welfare of human subjects enrolled into their studies.  However, the IRB will consider the requirements for additional safeguards on an individual basis.

Investigators may also be mandated reporters in accordance with Massachusetts law.  Mandatory reporters may include:

  • Person employed by a state agency within the Executive Office of Health and Human Services including but not limited to employees of the
  • Person employed by a private agency providing services to persons with disabilities
  • Physician
  • Medical intern
  • Hospital personnel engaged in the examination, care or treatment of persons
  • Medical examiner
  • Dentist
  • Psychologist
  • Nurse
  • Chiropractor
  • Podiatrist
  • Osteopath
  • Public or private school teacher
  • Educational administrator
  • Guidance or family counselor
  • Day care worker
  • Probation officer

Investigators are required to be knowledgeable about their role as a mandatory reporter and the associated responsibilities.

Independent of mandatory reporting requirements, investigators are responsible to act accordingly in order to protect the rights and welfare of human subjects.  This may include consulting with others who have experience in these situations or referring the subject to resources that can help them.

The IRB may consult with the Office of General Counsel on areas of mandatory reporting or disclosing information outside of a study.

 

Title Privacy and Confidentiality
Author Cynthia Monahan
Effective Date May 29, 2015
Last Review/Update DateDecember  3, 2018
Revision #2
Approved Cynthia Monahan, IRB Director

Kathryn Mellouk, Associate Vice President-Research Compliance