Breaches of Confidentiality

Description

Investigators are responsible for the confidentiality of participant information collected during the course of a study, including how this information will be stored and shared. A breach of confidentiality is an unanticipated problem that must be reported to the IRB. Additional requirements apply if the breach involves Protected Health Information (PHI) covered under HIPAA regulations.

Examples of data breaches include, but are not limited to, the following:

  • Lost or stolen laptops storing participant information
  • Lost or stolen USB/thumb drives with unencrypted participant information
  • Information delivered to the wrong participant using the postal service, courier, or other delivery method
  • Accessing PHI without a business need to know
  • Any unencrypted PHI sent outside of the institution
    • This includes using unsecured protocols, such as FTP and Telnet, and not encrypting web pages when participant information is being transmitted
  • Paper with PHI not disposed of properly (i.e., not shredded)

How to Report Breaches of Confidentiality

It is important that breaches of confidentiality be reported promptly in order to address the breach and reduce the level of risk to participants. Investigators should follow these procedures for reporting breaches of confidentiality to the University and the IRB.

Contact the Privacy Office


Submit a Report Form to the IRB

  • Be sure to review the instructions carefully. Depending on the type of information you are submitting, not all sections need to be completed.
  • Use the Possible Unanticipated Problem section of the report form.
  • Describe the breach in detail, including the number of participants affected and type of information that was compromised. Also describe the timeline of events for the breach and institutional action.
  • Describe any action that has already been taken by the principal investigator or study team to remedy or halt the breach.
  • Include any correspondence and instructions from the Privacy Office, if applicable. Include the names of the individuals with whom you have been in contact.
  • If the breach occurred as the result of a crime, include the police report number.
  • Notify the study sponsor, if applicable. 
  • Submit the completed Report Form via email. Be sure to include any supporting documents with the application to explain the event.
  • If you will be making changes to the study based on the information you are reporting, an amendment will be needed. In the amendment application, be sure to state that you are submitting it based on a report form. In the report form application, be sure to state that you are submitting an amendment as part of your corrective and preventive action plan.

Breach of Confidentiality Review Process

The IRB will work with the Privacy Office to determine if and how participants should be notified of the breach. The IRB review process for the Report Form will typically include participant notification as a corrective action for the investigator.

The IRB and Privacy Office are also required to notify regulatory agencies, study sponsors, and institutional officials about the determinations regarding the breach. This may include the following:

  • Health and Human Services Office of Human Research Protection (OHRP)
  • FDA, if the study is subject to FDA regulations
  • The designated Institutional Official over research at the applicable institution(s)
  • Office(s) of Risk Management at the applicable institution(s)
  • Supervisor of the principal investigator

Revised Date

03-23-2023