Privacy practices govern the receipt, use and storage of personal and confidential information in research. Because the use of personal and confidential information is common in both biomedical and behavioral research, confidentiality is a major concern. Currently, most research involving human subjects operates under the Common Rule (45 CFR Part 46, Subpart A) and/or the Food and Drug Administration’s (FDA) human subject protection regulations (21 CFR Parts 50 and 56). However, studies that involve the use of protected health information (PHI) from medical records need to be conducted in compliance with the Health Insurance Portability and Accountability Act (HIPAA), also known as “The Privacy Rule”.
Federal statute(s) require(s) without exception that the confidentiality of the personally identifiable information be maintained throughout the research and thereafter. In proposing a research study, the Principal Investigator shall consider the nature, probability, and magnitude of harms that would be likely to result from a disclosure of collected information outside the research. The PI shall also evaluate the effectiveness of the proposed anonymizing techniques, coding systems, encryption methods, storage facilities, access limitations, and other relevant factors in determining the adequacy of confidentiality protections. See the Data Management Security web page for more information on how to protect human subject data.
It is a requirement that the IRB application and consent documentation (if applicable, according to submission category) describe the extent to which confidentiality of records identifying the subject(s) will be maintained (or not maintained). Where deemed necessary, the PI shall obtain a certificate of confidentiality which protects against the compulsory release of individually identifiable research information.