Breaches of Confidentiality

Investigators are responsible for the confidentiality of participant information collected during the course of a study, including how this information will be stored and shared. A breach of confidentiality is an unanticipated problem that must be reported to the IRB. Additional requirements apply if the breach involves Protected Health Information (PHI) covered under HIPAA regulations. Examples of data breaches include, but are not limited to, the following:

  • Lost or stolen laptops storing participant information
  • Lost or stolen USB/thumb drives with unencrypted participant information
  • Accessing PHI without a business need to know
  • Any unencrypted PHI sent outside of the Health Sciences Center
    • Unencrypted e-mails that have been sent outside of the Health Sciences Center (i.e. without "PHI" in the subject line)
    • This includes using unsecured protocols, such as FTP and Telnet, and not encrypting web pages when participant information is being transmitted
  • Faxes sent to the wrong fax machine outside of the Health Sciences Center
  • Paper containing PHI not disposed of properly (i.e. not shredded)
  • Information delivered to the wrong participant using the postal service, courier, or other delivery method

How to Report Breaches of Confidentiality

It is important that breaches of confidentiality be reported promptly in order to address the breach and reduce the level of risk to participants. Investigators should follow these procedures for reporting breaches of confidentiality to the University (and its affiliates) and the IRB.

  1. Immediately contact the applicable Privacy Office(s) and Institutional Official(s) if the breach involves PHI from one of the following institutions:

    University of Utah
    Contact the Privacy Office Help Desk at 801.587.6000

    The Help Desk will notify the Information Security and Privacy Officer and the on-call staff at the Privacy Office. The on-call staff will contact you to acknowledge receipt of the report and obtain any necessary or additional details, and determine whether immediate action is required.

    -----

    Primary Children's Hospital
    Contact the Intermountain Compliance Hotline at 1.800.442.4845 or by email to Privacy@imail.org.

    When should I report a situation?
    If you become aware of any inappropriate access, use or disclosure of identifiable Intermountain patient or SelectHealth member information, you must promptly report the situation to Intermountain Corporate Compliance so that an investigation can be conducted and the notifications can be completed, when required. The new rule has specific timelines for required actions so time is of the essence when a breach is discovered. If you are unsure whether a situation should be reported, please report it.

    What information do I need to report?
    When reporting a situation, please be prepared to describe what happened, including a description of the information involved and the approximate number of individuals affected, if known. Please do not destroy or delete any information involved in the situation until an investigation has been completed.

    -----

    Veterans Affairs Medical Center
    Contact the following individuals:

    Associate Chief of Staff for Research
    Dr. Larry Meyer

    Information Security Officer
    Robert Beckstead - 801.582.1565, Ext. 5442
    Christopher Putman - 801.582.1565, Ext. 5443

    Privacy Officer
    Robert Janes - 801.582.1565, Ext. 1636

  2. Submit a Report of a Problem or Event to the IRB
    • Create a Report Form in the ERICA system
    • Indicate that there has been a breach of confidentiality, found as a bullet selection under the option "Other Problem or Event."
    • Describe the breach in detail, including the number of participants affected and type of information that was compromised. Also describe the timeline of events for the breach and institutional action.
    • Describe any action that has already been taken by the principal investigator or study team to remedy or halt the breach.
    • Include any correspondence and instructions from the Privacy Office(s) or Institutional Official(s), if applicable. Include the names of the individuals with whom you have been in contact.
    • If the breach occurred as the result of a crime, include the police report number.

  3. Notify the study sponsor, if applicable

Breach of Confidentiality Review Process

The IRB will work with the applicable Privacy Office(s) to determine if and how participants should be notified of the breach. The IRB review process for the Report of Information will typically include participant notification as a corrective action for the investigator.

The IRB and Privacy Office(s) are also required to notify regulatory agencies, study sponsors, and institutional officials about the determinations regarding the breach. This may include the following:

  • Health and Human Services Office for Human Research Protections (OHRP)
  • FDA, if the study is subject to FDA regulations
  • The designated Institutional Official over research at the applicable institution(s)
  • Office(s) of Risk Management at the applicable institution(s)
  • Chairman or supervisor of the principal investigator
  • Office of Research Development (R&D) and Regional Office of Research Oversight (ORO), for VA studies