Collecting and Protecting Sensitive Data in Research CU Morningside IRB Joyce Plaza MS, MBE, CIP. 419 West 119 Street New York, NY 10027 212-851-7040 Fax: 212-851-7044 http://www.columbia.edu/cu/irb /. November 18, 2014. 1. 1. Objectives.
419 West 119 Street
New York, NY 10027
November 18, 2014
types of protections
November 18, 2014
Require the IRB to ensure that certain criteria are satisfied prior to approval of human subjects research.
IRB shall determine that all of the following requirements are satisfied:
(1) Risks to subjects are minimized
(2) Risks to subjects are reasonable in relation to anticipated benefits,
(3) Selection of subjects is equitable.
(4) Informed consent will be sought from each prospective subject or the subject's legally authorized representative
(5) Informed consent will be appropriately documented
(6) When appropriate, the research plan makes adequate provision for monitoring the data collected to ensure the safety of subjects
(7) When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.
The manner in which data are collected, recorded and maintained are reviewed by the IRB and influence their determinations.
November 18, 2014
Any information about a living individual that is linked, associated with, or contains the name or any details of the individual that would allow someone to be able to directly or indirectly identify a subject from the information collected.
November 18, 2014
DefinitionSensitive Data with Potential High Risk
Information about a living individual that would potentially cause serious risk or harm to a subject if there was a breach of confidentiality (e.g., Social Security numbers, HIV status, substance abuse, criminal activity, negligence in the work place, etc.)
“The quality of being secluded from the presence or view of others.”
Guilamo-Ramos: High Use Alcohol Venues Study - recruited in alcohol-use venues; adults unable to participate in screening or take a detailed flyer due to privacy concerns were provided with a card only containing contact information for the study.
Conducted interviews in the home or at a neutral site chosen by the subject.
“Discretion in keeping secret information”
Any data that will be collected for research purposes that is considered to pose risk or harm to subjects upon a breach of confidentiality should have the data protected for a potential breach. The methods or processes for protecting the confidentiality of the data should be proportionate to the level of potential risk of the study.
Guilamo-Ramos: High Use Alcohol Venues Study: collected “refusal bias information” that did not contain identifiers.
Links to the subject codes were kept in locked files on a password protected computer.
All project staff were required to complete certain levels of training ( 40 hours) before they were granted access to the codes. This included training established by the Dominican and International organizations on the protection of human subjects.
Personnel signed confidentiality statements requiring reporting breach of confidentiality to PI.
Training included data safety, confidentiality of participants, limits of confidentiality and proper administration of the protocol.
The three biggest sources of a breach of data stored electronically:
Collection of Private Health Information also required HIPAA Form A.
The Health Information Technology for Economic and Clinical Health Act (HITECH) Act part of the American Recovery and Reinvestment Act (ARRA) of 2009, has established new notification requirements to report the loss or theft of patient information (Protected Health Information - PHI) that is not protected by encryption. These requirements apply in both the clinical and research context.
Data protection plans must consider all record-keeping processes and storage of data from the initial collection to post-study storage or destruction or complete de-identification of the data. Such plans should include details to all modes of storage: paper, electronic, video/audio recordings, films, etc.
Guilamo-Ramos: High Use Alcohol Venues Study: after the audio recorded interviews were transcribed, the recordings were destroyed. Participants were not identified by name on the transcripts.
Requires IRB review if it contains private identifiable information (either direct identifiers or indirect identifiers)
If the data is sensitive, confidentiality procedures are required.
New York has enacted legislation to protect the confidentiality of social security numbers (SSNs). The "NY Social Security Number Protection Law " which became effective on January 1, 2008 imposes harsh penalties on organizations that failed to protect the confidentiality of Social Security numbers that they have collected and stored.
Any plan to collect social security numbers (SSN) for research purposes must be submitted and approved by the IRB prior to such collection. The submission must include a justification for the collection of SSNs and provide the following:
Study Description: Document
Describe how subject privacy will be protected, and the limits to protection. Protections should cover (e.g.,) screening activities, HIPAA provisions, forums such as focus groups where private information may be shared, and recordings of research activities, as applicable. Limitations such as compelled disclosure and mandatory reporting should also be described.
Data and Safety Monitoring
Describe how data and safety will be monitored locally to identify unanticipated problems (e.g., events, outcomes, or occurrences that are unexpected, at least possibly related to the research, and suggest an increase in risk of harm to subjects or others).
Describe potential risks including data on risks that have been encountered in past studies.
Confidentiality of Study Data
Describe how this will be maintained (if it is to be maintained) locally, and during transmission to another site, if applicable. Include a clear description of how data will be stored, specifically indicating whether data will contain direct or indirect identifiers. Describe protections related to accessing the study data, whether in an electronic or paper form.
For contact information see: http://www.cumc.columbia.edu/dept/irb
or call 212 305‐5883
For contact information see: http://www.columbia.edu/cu/irb/
or call 212-851-7040