Breaches of Confidentiality

Investigators are responsible for the confidentiality of participant information collected during the course of a study, including how this information will be stored and shared. A breach of confidentiality is an unanticipated problem that must be reported to the IRB. Additional requirements apply if the breach involves Protected Health Information (PHI) covered under HIPAA regulations. Examples of data breaches include, but are not limited to, the following:

  • Lost or stolen laptops storing participant information
  • Lost or stolen USB/thumb drives with unencrypted participant information
  • Accessing PHI without a business need to know
  • Any unencrypted PHI sent outside of the Health Sciences Center
    • Unencrypted e-mails sent outside of the Health Sciences Center (i.e. messages sent without "PHI" in the subject line)
    • Participant information transmitted over unencrypted protocols such as FTP or Telnet, or entered into web pages or forms served over plain HTTP rather than HTTPS
  • Faxes sent to the wrong fax machine outside of the Health Sciences Center
  • Paper containing PHI not disposed of properly (i.e. not shredded)
  • Information delivered to the wrong participant using the postal service, courier, or other delivery method

How to Report Breaches of Confidentiality

It is important that breaches of confidentiality be reported promptly in order to address the breach and reduce the level of risk to participants. Investigators should follow these procedures for reporting breaches of confidentiality to the University (and its affiliates) and the IRB.

Immediately contact the applicable Privacy Office(s) and Institutional Official(s) if the breach involves PHI from one of the following institutions:

Submit a Report of a Problem or Event to the IRB

  • Create a Report Form in the ERICA system
  • Indicate that there has been a breach of confidentiality, found as a bullet selection under the option "Other Problem or Event."
  • Describe the breach in detail, including the number of participants affected and type of information that was compromised. Also describe the timeline of events for the breach and institutional action.
  • Describe any action that has already been taken by the principal investigator or study team to remedy or halt the breach.
  • Include any correspondence and instructions from the Privacy Office(s) or Institutional Official(s), if applicable. Include the names of the individuals with whom you have been in contact.
  • If the breach occurred as the result of a crime, include the police report number.
  • Notify the study sponsor, if applicable

Breach of Confidentiality Review Process

The IRB will work with the applicable Privacy Office(s) to determine if and how participants should be notified of the breach. The IRB review process for the Report of Information will typically include participant notification as a corrective action for the investigator.

The IRB and Privacy Office(s) are also required to notify regulatory agencies, study sponsors, and institutional officials about the determinations regarding the breach. This may include the following:

    • Department of Health and Human Services Office for Human Research Protections (OHRP)
    • FDA, if the study is subject to FDA regulations
    • The designated Institutional Official over research at the applicable institution(s)
    • Office(s) of Risk Management at the applicable institution(s)
    • Chairman or supervisor of the principal investigator
    • Office of Research Development (R&D) and Regional Office of Research Oversight (ORO), for VA studies