Confidentiality of Data- POL012   

 

 

Abstract: 
This policy details the protection of human subjects in research and the guidelines established by the IRB to ensure confidentiality of data.

Effective Date: 3/30/2007

 

Review/Revised Date: 2/7/2020

 

Category: Research

 

Policy Owner: Vice President for Research

Policy Contact:

 
   
 
 

DEFINITION
 

Identifiable sensitive information: information about an individual gathered or used during biomedical, behavioral, clinical, or other research, where the following may occur:

  • An individual is identified; or
  • For which there is at least a very small risk, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.

 

NIH considers research in which identifiable, sensitive information is collected or used to include:

  • Human subjects research as defined in the Federal Policy for the Protection of Human Subjects (45 CFR 46), including exempt research except for human subjects research that is determined to be exempt from all or some of the requirements of 45 CFR 46 if the information obtained is recorded in such a manner that human subjects cannot be identified or the identity of the human subjects cannot readily be ascertained, directly or through identifiers linked to the subjects;
  • Research involving the collection or use of biospecimens that are identifiable to an individual or for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual;
  • Research that involves the generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is recorded in such a manner that human subject s can be identified or the identity of the human subjects can readily be ascertained as defined in the Federal Policy for the Protection of Human Subjects (45 CFR 46); or
  • Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual, as defined in subsection 301(d) of the Public Health Service Act.
 

POLICY STATEMENT

 

It is UAB policy that research involving human subjects will account for the confidentiality of data. When appropriate in order to approve research, the IRB will determine that there are adequate provisions to protect the confidentiality of research data in accordance with federal regulations at 45 CFR Part 46, 21 CFR Part 56; 28 CFR 22 and 28 CFR 512.8, 11, 12, 13 and 15, if applicable, or the regulations of federal agencies (see SUP428 DOE guidance) and applicable state or local laws and regulations. This standard will apply to initial review, continuing review, and review of modifications of research by the convened IRB, expedited review procedures, or limited IRB review for relevant exempt research. (See also PRO112 Procedure for Confidentiality of Data.)

 

Investigators will describe in the research protocol the methods of accessing, storing, and safeguarding the data to preserve confidentiality. When research involves activities or information of a particularly sensitive or potentially damaging nature, the IRB is authorized to request that the investigator seek a certificate of confidentiality.

 

Research funded in whole or in part by the NIH and involves identifiable, sensitive information (NOT-OD-17-109) is automatically covered by a certificate of confidentiality.

 

Regardless of funding source, Researchers conducting research covered by a certificate of confidentiality must ensure that if identifiable, sensitive information is provided to other researchers or organizations, regardless of whether or not the research is federally funded and the other researcher or organization must comply with certificate of confidentiality requirements.

 

 

Research involving human subjects is a covered function for UAB designated health care components under HIPAA. Covered research activities will be conducted in accordance with the HIPAA privacy regulations at 45 CFR Parts 160, 164. The IRB is authorized to review proposed authorizations for research to assess whether the standards and specifications for a valid authorization for research at 45 CFR §164.508 are satisfied and to implement the standards for use and disclosure of protected health information for research purposes (i.e., HIPAA waivers of authorization) in accordance with 45 CFR §164.512(i).