Privacy & Confidentiality
IRB Member Fact Sheet--Version Date: Unknown
For research to be approved by UW-Madison IRBs, the protocol must include, when appropriate, adequate provisions to protect the privacy interests of research participants and the confidentiality of research data pursuant to 45 CFR 46.111(a)(7) and 21 CFR 56.111(a)(7). In addition, if a protocol involves the use of Protected Health Information (PHI), UW-Madison IRBs must assure that the protocol satisfies the requirements of the HIPAA Privacy Rule, including any waiver or alteration of HIPAA authorization under 45 CFR Parts 160 and 164.
IRB Member’s Role
When reviewing protocols and determining the necessary provisions for protecting participants’ privacy interests and/or confidentiality of data, the IRB should make an assessment of the risk/benefit ratio of the research in regards to privacy and confidentiality issues, including whether the risks of breach of participants’ privacy interests and confidentiality of data are commensurate with the benefits to participants and the risks of everyday life and whether measures for mitigating those risks are necessary for approval of the research. Please note the following definitions:
Privacy refers to a person’s desire to control the access of others to him or herself. For example, research participants may not want to be seen entering a place that might stigmatize them, such as an addiction-counseling center that is clearly identified as such by signs on the front of the building.
Confidentiality refers to the researcher’s agreement with the participant about how the research participant’s identifiable private information will be handled, managed, and disseminated.
Evaluating Privacy and Confidentiality Protections
Depending of the situation, the consequences of an inadvertent breach of privacy can be significant for subjects, as well as others, and result in emotional trauma for subjects or their families, damage to reputations, adverse effects on insurability or employability, legal consequences for subjects, or life threatening circumstances. In order to evaluate the type and level of risks to subjects and others, the IRB should obtain the following information from the investigator in order to determine whether the provisions to protect participants’ privacy interests and/or confidentiality of data are adequate:
- Whether the research involves a population that may be especially vulnerable should a breach of confidentiality occur (e.g., those who engage in illegal or stigmatizing behaviors, have a disease that may be stigmatizing, or live in a situation that heightens their risk).
- Whether image or audio recordings are obtained, especially those that may increase privacy/confidentiality risks, how the material will be used, who will see the images or hear the recordings, and in what setting and how long the recordings will be maintained.
- The type of information elicited from participants, including whether sensitive information will obtained (e.g. illegal behaviors, HIV/STD history, alcohol abuse).
- Whether any of the study procedures generate information that may put subjects at increased privacy risks (e.g., genetic testing for predisposition to a disease) and whether this will be shared with subjects or others (e.g., subjects’ primary care providers).
- Whether the number and demographics of subjects or the condition under study is likely to increase the privacy and confidentiality risks to subjects (e.g., a rare condition under study; collection of race/ethnicity information when only a few subjects will be enrolled or subjects will be recruited from an area with little racial/ethnic diversity).
- Whether the study will store blood or tissue samples beyond publication of the study results for future studies, use an existing depository or collection of blood or tissue samples, do testing for genetic or other markers on blood or tissue samples and involve identifiable blood or tissue samples.
- Who is collecting the data and/or accessing medical records and who is keeping the data and where it will be kept and where the research will be conducted.
- How research data will be kept confidential (e.g., whether the data will be coded, whether it will be kept in a locked cabinet or on secure server, or whether identifiers will be stripped from the data, whether a Certificate of Confidentiality will be obtained) and whether these measures are adequate in relation to the risk/benefit ratio of the study.
- Whether the HIPAA Privacy Rule applies to the research and whether the standards outlined in the Rule are satisfied.
- An assessment of the types and level of each type of risk involved in the research, including the risks to participants’ privacy interests and confidentiality of data.
- Whether participants are adequately informed of the risks of breach of privacy interests and confidentiality of data posed by the research and of the protections put in place to mitigate those risks.
The National Institutes of Health (NIH) issues Certificates of Confidentiality (CoC) to protect identifiable research information from forced disclosure. A CoC allows an investigator and others who have access to research records to refuse to disclose identifying information on research participants in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level.
Certificates can be used for biomedical, behavioral, clinical, or other types of research that are sensitive. In sensitive research, disclosure of identifying information could have adverse consequences for research participants or damage their financial standing, employability, insurability, or reputation.
Examples of sensitive research activities include, but are not limited to, collection of the following:
- Genetic information
- Information on psychological well-being of participants
- Information on participants' sexual attitudes, preferences or practices
- Data on substance abuse or other illegal risk behaviors
The HIPAA Privacy Rule (the Privacy Rule) is a set of federal regulations providing protections for the confidentiality of health information used in clinical practice, research, and the operations of health care facilities. The intended purpose of the Privacy Rule is to ensure that health information confidentiality risks are minimized. In addition, the Privacy Rule requires the training of researchers in the protection of confidential health information.
The Privacy Rule protects “individually identifiable health information,” referred to as protected health information or PHI. The Privacy Rule defines PHI to include information that:
- is created or received by a covered entity, which includes a health care provider, and
- relates to the past, present, or future physical or mental health, or condition of the individual, or
- relates to payment for the individual’s health care, or
- relates to the provision of health care in the past, present, or future, and
- identifies an individual or could be used for identifying an individual.
- A written authorization specifically for the use and disclosure of PHI for research purposes involving human subjects.
- A waiver of authorization approved by the IRB.
- Use of de-identified information or limited datasets.
- Preparatory to research certifications.
- Database registration
Identifiers under the HIPAA Privacy Rule vs. the Common Rule
The HIPAA Privacy Rule and the Common Rule regulations have different standards for determining what constitutes identifiable information.
The Common Rule provides a definition for information that is individually identifiable: “…the identity of the subject is or may readily be ascertained by the investigator or associated with the information” [45 CFR 46.102(f)].
The HIPAA Privacy Rule, rather than providing a definition, lists 18 specific identifiers that may identify an individual. These identifiers include name, medical record number and dates, such as birth date and dates of service.
Therefore, for research studies in which both the Common Rule and the HIPAA Privacy Rule apply, the different standards must be applied to determine whether information is identifiable. Subsequently, it’s possible for the IRB to determine that the information is not individually identifiable under the Common Rule, but is identifiable per the HIPAA Privacy Rule. For example, a large dataset that contains no identifiers other than a date of service (e.g. date of CT scan) would be considered identifiable under the HIPAA Privacy Rule; however, if the IRB determines the identity of the subject is not readily ascertained by the investigator, it would not fit the definition of individually identifiable per the Common Rule.
For further information, please contact the Health Sciences IRBs Office at (608) 263-2362 or AsktheIRB@medicine.wisc.edu.