Breaches of Confidentiality
Description
Investigators are responsible for the confidentiality of participant information collected during the course of a study, including how this information will be stored and shared. A breach of confidentiality is an unanticipated problem that must be reported to the IRB. Additional requirements apply if the breach involves Protected Health Information (PHI) covered under HIPAA regulations.
Examples of data breaches include, but are not limited to, the following:
- Lost or stolen laptops storing participant information
- Lost or stolen USB/thumb drives with unencrypted participant information
- Information delivered to the wrong participant using the postal service, courier, or other delivery method
- Accessing PHI without a business need to know
- Any unencrypted PHI sent outside of the institution
  - This includes using unsecured protocols, such as FTP and Telnet, and not encrypting web pages when participant information is being transmitted
- Paper with PHI that is not disposed of properly (i.e., by shredding)
How to Report Breaches of Confidentiality
It is important that breaches of confidentiality be reported promptly in order to address the breach and reduce the level of risk to participants. Investigators should follow these procedures for reporting breaches of confidentiality to the University and the IRB.
Submit a Report Form to the IRB
- Complete a Report Form application in IRBOnline.
- Use the Possible Unanticipated Problem section of the report form.
- Describe the breach in detail, including the number of participants affected and type of information that was compromised. Also describe the timeline of events for the breach and institutional action.
- Describe any action that has already been taken by the principal investigator or study team to remedy or halt the breach.
- Include any correspondence and instructions from the Privacy Office, if applicable. Include the names of the individuals with whom you have been in contact.
- If the breach occurred as the result of a crime, include the police report number.
- Notify the study sponsor, if applicable.
- Be sure to include any supporting documents with the application to explain the event.
- If you will be making changes to the study based on the information you are reporting, an amendment will be needed. In the amendment application, be sure to state that you are submitting it based on a report form. In the report form application, be sure to state that you are submitting an amendment as part of your corrective and preventive action plan.
Breach of Confidentiality Review Process
The IRB will work with the Privacy Office to determine if and how participants should be notified of the breach. The IRB review process for the Report Form will typically include participant notification as a corrective action for the investigator.
The IRB and Privacy Office are also required to notify regulatory agencies, study sponsors, and institutional officials about the determinations regarding the breach. This may include the following:
- Health and Human Services Office of Human Research Protection (OHRP)
- FDA, if the study is subject to FDA regulations
- The designated Institutional Official over research at the applicable institution(s)
- Office(s) of Risk Management at the applicable institution(s)
- Supervisor of the principal investigator