Privacy Policy

Privacy Policu

 Ocean Blue Medical Research Center, Inc. is committed to protect your privacy. Information's confidentiality and integrity are to be preserved and its availability maintained. The value and sensitivity of information entered on this website are protected by the lay and by the strict policies of this facility. Your continued use of our website and your submission of any information to us indicate that you have read, understood and agreed to our Privacy Policy.

 What Protected Information do we Collect?


When you register on our website or submit a question/comment, we receive the information and keep it confidential. This information may include but is not limited to:

  • Date of birth
  • Email address
  • Gender
  • Mailing address
  • Medical condition(s)
  • Name
  • Payment information
  • Telephone number

This information may also include any other personal information or unique preference information you choose to provide us.


This information may include but not limited to:

  • Date of birth
  • Education
  • Email address
  • Gender
  • Name
  • Mailing address
  • Practice information
  • Signed agreements
  • Telephone number

This information may also include other personal information you provide us.


The Government may request  Ocean Blue medical research Center, Inc. to collect and submit certain information such as a completed IRS Form W-9. This information may include your taxpayer identification number, which will not be used, shared, transferred or sold for marketing purposes.

 How do we Share the Information we Receive?


Information collected from all points of contact within Ocean Blue Medical Research Center, Inc. may be shared with parties with a legitimate need in performance of our organization's mission (the sponsor or the study, CROs, US Food and Drug Administration, and the Institutional Review Board) and personnel whose job responsibilities require that they have access to such information. The information you provide us may be combined with other protected personal identifiable information available from our records and other sources.


Protected Information may be shared with governmental agencies or other companies assisting us in fraud prevention or investigation. This information is not shared to these entities for marketing purposes.


When you fill out our questionnaire, you are consenting to receive email notifications and updates. If, after you have shared your personal information including your email address with Ocean Blue Medical Research Center, Inc., you decide that you do not want to receive notifications and updates from our company, you can discontinue the email by clicking on the hyperlink shown in received email and follow the directions to indicate your unsubscribe preference.

As it relates to email communications or any other questions you may have about our Privacy Policy, contact us, or write us: Ocean Blue Medical Research Center, Inc. 286 Westward Dr., Miami Springs, FL 33166


This Privacy Policy applies to all the information collected by or submitted to Ocean Blue Medical Research Center, Inc.

 Children's Online Privacy Protection Act

There are unique privacy concerns regarding children. We agree in our terms and conditions that they are at least 18 years of age. We do not knowingly collect personally identifiable information from children under the age of 13 as per the Children's Online Privacy Protection Act (COPPA) guidelines. However we extend that guideline to include anyone under the age of 18. If a parent or guardian becomes aware that a minor child under the age of 18 has provided personally identifiable information through any point of contact, he/she is asked to contact us via "Contact Us" and we will delete his/her personally identifiable information from our files.

 Your Consent

By sharing information with Ocean Blue Medical research Center, Inc., you consent Ocean Blue Medical Research Center, Inc., to use the information collected or submitted as described in this Privacy Policy. We may change or add information to this Privacy Policy so we recommend you to review it periodically.


There is no complete security on the Internet. Ocean Blue Medical Research center, Inc. uses high standard security techniques on the website to help protect against the loss, misuse or modification of information you have provided or submitted to us. When you provide your personal identifiable information to us, the information is stored on our server which is protected from unauthorized access. Ocean Blue Medical Research Center, Inc. strives to protect your information, but cannot warrant the security of the information you provide us. You acknowledge and assume this risk when communicating with Ocean Blue Medical Research center, Inc.

 Limitations of Liability

You understand and agree that any dispute over privacy is subject to the terms and conditions of this privacy policy, as well as the terms and conditions of this website (including limitations on damages, and arbitration of disputes). You agree that Ocean Blue Medical Research Center's liability for any breach of this privacy policy shall be limited to the value of the services provided to you by Ocean Blue Medical Research Center, Inc. to the extent such claim is not otherwise barred by our terms and conditions.

IRB approval of all studies conducted at Ocean Blue Medical Research Center, Inc. (OBMR), involve review of procedures to ensure privacy, security and confidentiality of information obtained within the research. Studies involving protected health information (PHI) have additional requirements determined by HIPAA regulations which also must be followed; and where applicable, IRB approval must include review of and, compliance with HIPAA regulations as well as with federal, state and local regulations and institutional policies.

OBMR investigators who obtain or access PHI from a "covered entity," or who create, use or access health information while providing health care services to research subjects, must comply also with HIPAA regulations, privacy and security policies of the "covered entity", the institution and the IRB as well as state law. This HIPAA requirement applies regardless the PHI is obtained, used or created prior the conduct of a study or during the study.

Instructions about such regulations and policies that apply to a particular study are described below:
For those studies in which all information collected from or about subjects will be used exclusively for the approved research (i.e. it will not be entered into any patient medical records or used for purposes of treatment or healthcare of the research participant). the investigator and his/her study must be compliant with the following policies:

  1. OBMR general Information Technology (IT) information and security policies
  2. IRB policies on Privacy, Security and Confidentiality

For those studies which access or create protected health information (PHI) about subjects that has been or will be used both in the subject's clinical treatment and in the research, the following policies are applicable:

  1. OBMR general IT information and security policies
  2. IRB policies on Privacy, Security, Confidentiality and HIPAA
  3. Institutional HIPAA policies which are determined by the Office of HIPAA Privacy and Security.

Even if a section of the study involves accessing, obtaining, recording or deriving PHI, compliance with HIPAA regulations and policies is required.

Concisely, studies involving PHI (i.e. obtained, accessed or recorded) are subject to HIPAA regulations and applicable institutional policies. This implies clinical trials, behavioral and social science studies, chart reviews, and some basic science research activities. HIPAA-suitable studies may include the administration of treatment but others may provide neither treatment nor diagnosis.

Terms common to documents or discussions of privacy, security, confidentiality and HIPAA are included below. Most HIPAA-related definitions are consistent with those in the Common Rule (i.e. the human subject research regulations codified by federal agencies). In situations where there may be ambiguity or inconsistency in these definitions, the language of the applicable regulation (i.e. the Common Rule or HIPAA) shall govern.

 Confidentiality: the circumstance in which information is shared or released in a controlled manner. Confidential information should be protected against theft or improper use and should not be disclosed to unauthorized individuals or entities without direct permission from the appropriate party.

 Covered Entity: a health plan, a healthcare clearinghouse or a healthcare provider who is required to comply with HIPAA regulations regarding the use and disclosure of Protected Health Information (PHI).

 Data Use Agreement : An investigator-submitted agreement required for the disclosure of a limited data set by a covered entity to the investigator. The agreement must specify the permitted uses of the limited data set and who may use or receive the data set. The agreement restricts further use and disclosure and restricts re-identification of the data or contact with subjects.

 De-Identified Information: health information is considered de-identified (and therefore, not PHI) if the following apply:

  • It does not identify an individual
  • The covered entity has no reasonable basis to believe that the information can be used to identify an individual
  • If the HIPAA-defined, 18 standard identifiers are removed from the health information and if the remaining health information could not be used alone, or in combination, to identify a subject note – the 18 standard identifiers which must be removed for data to be considered "de-identified" are:
    1. Names.
    2. Geographic subdivisions smaller than a state.
    3. Dates including birth date, admission date, discharge date, date of death, and all ages over 89.
    4. Telephone numbers.
    5. Fax numbers.
    6. Electronic mail addresses.
    7. Social Security numbers.
    8. Medical record numbers.
    9. Health plan beneficiary numbers.
    10. Account numbers.
    11. Certificate/license numbers.
    12. Vehicle identifiers and serial numbers, including license plate numbers.
    13. Device identifiers and serial numbers.
    14. Web Universal Resource Locator (URL).
    15. Biometric identifiers, including finger or voice prints.
    16. Full face photographic images and any comparable images.
    17. Internet Protocol address numbers.
    18. Any other unique identifying number characteristic or code.

 ePHI: electronic PHI (i.e. a subset of PHI)

 HIPAA: the federal Health Insurance Portability and Accountability Act. This act regulates, among other things, the maintenance and disclosure of protected health information ("PHI"), which includes ePHI, about patients treated by "covered entities". In addition, this act prescribes a process through which researchers may obtain or create PHI about patients who are also research participants or potential research participants.

 Hybrid Entity: a single, legal entity that uses or discloses PHI for only a part of its business operations. The Privacy Rule applies only to the healthcare components of a hybrid entity that use or disclose PHI.

 Limited Data Set: health information that a covered entity may disclose (pursuant to a data use agreement) to an investigator for research purposes based on the fact that certain direct identifiers have been removed. The investigator receiving the limited data set must submit the data use agreement signed by an authorized UM official and obtain IRB approval before obtaining the limited data set for use in his/her study.

 Note: direct identifiers that must be removed in order for data to be included in a limited data set are:

  1. Names.
  2. Address information (other than city, state and zip code).
  3. Telephone and fax numbers.
  4. E-mail address.
  5. Social Security number.
  6. Certificate/license numbers.
  7. Vehicle identifiers and serial numbers.
  8. URLs and IP addresses.
  9. Full face photos and other comparable images.
  10. Medical record numbers, health plan beneficiary numbers and other account numbers.
  11. Device identifiers and serial numbers.

 Note: the following are allowed in a limited data set:

  • Admission, discharge and service dates.
    1. Birth date.
    2. Date of death.
    3. Age (including age 90 or over).
    4. Geographical subdivisions such as state, county, city, precinct and five digit zip code.

 Privacy: an individual's right to be free from unauthorized or unreasonable intrusion into his/her private life and the right to control access to personal information. The term "privacy" applies to persons whereas the term "confidentiality" refers to the treatment of personal information.

 Privacy and Security Rule: standards for Privacy of Individually Identifiable Health Information, promulgated by the U.S. Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and codified at part 160 and part 164 , subpart C (Security Standards for the Protection of ePHI) and subpart E of Title 45 of the U.S. Code of Federal Regulations (as amended from time to time).

 Protected Health Information (PHI): identifiable information about the past, present, or future physical or mental health or condition (including the provision of his/her health care, insurance, payment status etc) of an individual obtained or managed by a covered entity. PHI may be information that is recorded electronically, on paper or orally. PHI must be protected from unauthorized use or disclosure by the Covered Entity under HIPAA regulations.

 Note: PHI must be identifiable information or information that may be linked to an identifier. PHI does not include de-identified information.

 Research Related Health Information-RHI: personally identifiable information used in research that is distinct from PHI by not being associated with, or derived from, the provision of health care or payment for care.

 Security: the safeguards placed upon the availability, integrity, and confidentiality of information to protect information from unauthorized access, disclosure, misuse and accidental damage. Safeguards may be physical, electronic, or administrative and they may control access, training, computer systems, policies and procedures, physical environment, and behaviors.

 Sensitive Information: private and/or health care information including information relating to an identifiable individual's private activities or practices (e.g. sexual preferences or practices; drug or alcohol treatment history; mental health or treatment history; HIV status; diagnosis information; financial information including social security numbers or health insurance data; criminal history or background etc).

The protection of subjects in ALL STUDIES requires the assurance that privacy, security and confidentiality are appropriately managed. Principal investigators must ensure that studies include provisions for security and for ensuring the privacy and confidentiality of participants. The strategies to ensure privacy, security and confidentiality during and after the research shall be evaluated by the IRB which acts as the Privacy Board for HIPAA-related purposes, and the appropriateness of these strategies shall be a prerequisite for its study approval.

Strategies for privacy must ensure each participant's right to be free from unauthorized or unreasonable intrusion into his/her private life and the right to control access to personal information. Research procedures should be carefully designed to limit the personal information to be acquired to that which is minimally necessary and should be administered using procedures that will protect the subject's privacy.

The IRB shall review, and base its study approval upon, strategies proposed by the principal investigator to ensure the privacy of research subjects. Privacy issues for IRB evaluation should include (as applicable):

  1. The time and place where information is provided by participants to investigators
  2. The nature of information provided by participants
  3. The nature of the experiences the participants will undergo as a result of the study
  4. Who shall receive, access and use information provided by participants
  5. Factors that may determine what is private to an individual such as gender, ethnicity, age, socio-economic class, education, ability level, social or verbal skill, health status, legal status, nationality, intelligence or personality
  6. The participant's relationship to the investigator
  7. The presence of others (such as parents) during data gathering

Studies requesting the use of existing, identifiable subject information for research other than that contemplated by the originally approved research protocol require IRB examination of the risks involved. The IRB shall determine whether the new use is within the scope of the original consent or whether it is necessary to obtain additional consent.

For studies in which HIPAA regulations apply (see below), the principal investigator must obtain IRB approval and provide the privacy offices of UM and/or JHS and/or other covered entities with copies of:

  1. The IRB's determination letter; AND
  2. The HIPAA Authorization forms; or documentation of a Waiver and/or Partial Waiver of HIPAA Authorization; OR
  3. The IRB determination letter approving the use of a Limited Data Set; OR
  4. Documentation that the requirements for decedent research or research preparatory to a study have been met.

 Note: when privacy offices of UM and/or JHS allow an investigator access to PHI to generate his/her limited data set, the investigator will be considered a Business Associate in performing this function and a business associate agreement shall be required with signature by an authorized signatory.

For all studies involving PHI (with the exception of those creating limited or de-identified data sets) the principal investigator must assure, for IRB approval, that only the minimum necessary information is being requested and that any PHI created for research will be entered into the medical record or Designated Record Set.

 24.5(a) General Principles of HIPAA and PHI

The Privacy and Security Rule, at 45 CFR parts 160 and 164, establishes a category of health information, defined as protected health information (PHI), which a covered entity may use or disclose to others only in certain circumstances and under certain conditions. PHI is a subset of what is termed individually identifiable health information. With certain exceptions, individually identifiable health information becomes PHI when it is created or received by a covered entity.

The following policies, providing additional protections under federal Privacy Rules, apply to studies involving protected health information (PHI). They pertain to investigators seeking to obtain or create PHI from, or in association with, healthcare providers ("covered entities"), affiliated investigators and/or from or on behalf of a third party (e.g. an industry sponsor etc) for purposes such as:

  1. Identifying and contacting individuals to enroll them in a research study.
  2. Creating, using and/or disclosing PHI within the context of a research study.

The IRB shall review and approve studies involving PHI in accord with applicable federal, state and local laws, regulations and institutional policies on privacy, security and confidentiality including those promulgated under HIPAA.

All PHI created within a study protocol (such as when treatments are being compared), should be included in the subject's medical record maintained by the covered entity.

 24.5(b) Obtaining PHI to Prepare for Research - Participants not yet Identified

Investigators may wish to obtain and review information about potential participants to prepare for research. Examples of such preparatory activities include:

  1. Developing a research protocol
  2. Identifying potential research participants
  3. Identifying potential clinical trial sites

HIPAA regulations limit but do not preclude the use and disclosure of PHI to prepare for research provided the activity has approval by:

  1. The covered entity in situations wherein the research preparatory activity is preliminary and does not yet involve a protocol; OR
  2. The IRB and the covered entity in situations wherein the research preparatory activity is defined by a protocol

This requirement for appropriate approval applies even to clinicians wanting to review records from their own patients for research purposes. IRB and/or the covered entity may approve activities preparatory to research only if investigators and/or sponsors respect these limitations [c.f 45 C.F.R. §§ 164.512(i)(1)(ii), 164.512(i)(2), 164.502(1)(i), 164.528].

Investigators seeking to obtain PHI within a protocol that is preparatory to research must submit to the HSRO a signed form entitled "Investigator Certification for Reviews Preparatory to Research" (HIPAA FORM 'E'). By submitting this Certification, the investigator must affirm that:

  1. Access to the patient information is sought only to prepare for research; AND
  2. The requested information is necessary for this purpose; AND
  3. No patient information will be copied or removed from the premises of the covered entity during or following the review .

 NOTE -- If an electronic record is accessed remotely, the patient information may be viewed but may not be printed, copied, downloaded, or otherwise recorded for any research-related purpose

The IRB Chair or Chair designee shall review the Certification (HIPAA Form E) and may approve the activity on behalf of the IRB. IRB approval based on HIPAA Form E permits only limited access to PHI which may not be copied or removed from the covered entity. If not approved or upon reviewer decision, the Certification shall be forwarded to the convened IRB for its review and determination. These decisions shall be forwarded in writing to investigators by the HSRO. Investigators may not initiate activities permitted by HIPAA Form E until written confirmation of IRB approval is received.

It is possible that investigators may require disclosure of PHI beyond that permitted by HIPAA Form E to identify and contact potential study participants. To accomplish this, investigators must submit a "Partial Waiver of Authorization" form (HIPAA Form F) to the HSRO.

 Note: if a "Partial Waiver of Authorization" form (i.e. HIPAA Form F) is submitted, investigators are not required to submit the "Investigator Certification for Reviews Preparatory to Research" (HIPAA Form E).

The IRB Chair or Chair designee shall review and may approve, on behalf of the IRB, the request for a Partial Waiver of Authorization. If not approved or upon reviewer decision, the request shall be forwarded to the convened IRB for its review and determination. These decisions shall be forwarded in writing to investigators by the HSRO. Investigators may not initiate activities permitted by the Partial Waiver of Authorization until written confirmation of IRB approval is received.

 24.5 (c) Obtaining or Creating PHI to Conduct Research – Participants are Identified or Identifiable

This subsection applies to studies that obtain or create PHI to conduct research. It does not apply to studies that create "Research Related Health Information" (RHI). Although RHI may be personally identifiable, it is not considered PHI because it is created exclusively for the study and is not derived from a healthcare service event (i.e., the provision of health care or payment for care). Also unlike PHI, RHI shall not be added to the participant's healthcare record within a covered entity.

 Note: If a study involves both RHI and PHI, it falls under HIPAA regulations and related institutional policies.

Unless the IRB approves otherwise, investigators must obtain written individual authorization from each participant (or the participant's legal representative) to access, create and/or disclose the participant's PHI for research. The covered entity may disclose PHI to an investigator without patient authorization only if one of the follow applies:

  1. The IRB has approved a Waiver of Authorization; OR
  2. The IRB has approved that the study may use a Limited Data Set and there is a Data Use Agreement between the investigator and the covered entity; OR
  3. The covered entity has approved an activity or the IRB has approved a protocol as preparatory to research; OR
  4. The research is being conducted with PHI from decedents and Form D is provided; OR
  5. The IRB has approved that the study may use de-identified data.

The HIPAA requirement for patient/participant authorization is additional and independent to the Common Rule requirement for informed consent and is not affected by an IRB decision to waive informed consent. Investigators who access PHI generally must obtain both HIPAA authorization and informed consent from study participants.

The research authorization form (HIPAA-Form B) is different from the consent form. The authorization form (and the process by which authorization is obtained from participants) should be submitted with a study application for IRB review and approval which shall be based on HIPAA regulations and other applicable Florida and federal laws. The authorization document should describe who may receive, use, and disclose the participant's PHI, the purposes for which the information may be used and disclosed, and the participant's rights with respect to these uses and disclosures of his/her PHI.

Patient/participant authorization is study-specific and applies only to PHI for the IRB-approved study. Subsequent uses or disclosures of this information for other research purposes require a new authorization or waiver of authorization by the IRB.

PHI previously disclosed by a covered entity may be subsequently used for studies other than that originally approved by the IRB or disclosed to a third party sponsor. This requires either:

  1. A new, IRB approved HIPAA authorization; OR
  2. An IRB approved waiver of authorization with an IRB-approved informed consent document that defines that participants permit the use of this information for future, unspecified research activities.

Authorization may not be combined with any other document, including the informed consent or an authorization to use or disclose the patient information for another study, or an authorization to place the information in a database or repository for future analysis that is not part of the original protocol (even if informed consent is obtained for both the initial and future analyses).

 24.5(c)(1) Obtaining HIPAA Authorization

Authorization is the process through which participants allow investigators to access their protected health information (PHI). The authorization process is similar to that used to obtain informed consent. For each, investigators must be prepared to explain to potential research participants the purpose and meaning of the authorization form. The authorization must be in writing unless the IRB waives this requirement.

Information conveyed to participants in authorization forms and in the process of obtaining authorization must describe what PHI will be used in the research and the purpose of that PHI in the research and who may receive, use or disclose the information. Authorization must include an expiration date or event (if the information will be kept indefinitely, the authorization should state that there is no expiration date). Authorization forms and process must include the right to revoke or refusal to sign authorization and may include that the subject's rights to access his/her PHI will be suspended while the study is in progress but will be reinstated at the conclusion of the study.

If individuals refuse to sign authorization, they may be excluded from the research and any treatment associated with the research.

Blanket authorizations for research to be conducted in the future are not permitted. Each new use requires a specific authorization.

The authorization form must be signed and dated by the research participant or his or her legal representative. Generally, individuals who have appropriate authority to provide informed consent on behalf of an individual for participation in the research study may also provide authorization on behalf of that individual (note- specific details regarding signature by or for incapacitated or decisionally impaired adults, minors and vulnerable populations are included in the informed consent policies of the IRB. The policy on translations of informed consent documents and process shall also apply to translations of authorization documents and processes. The research participant must be given a copy of the signed authorization at the time of signature.

In a timely manner, investigators should place a copy of the signed authorization in the participant's medical record. The covered entity must keep a copy of the signed authorization in the medical record for a minimum of six (6) years from (i) the signature date or (ii) when the participant's information was last used or disclosed by the covered entity pursuant to the authorization, whichever is later.

 24.5(c)(2) Waivers of Authorization

The IRB may waive the requirement for HIPAA research authorization by a determination that shall be made separately from a decision to waive informed consent. Investigators may request an authorization waiver in the initial study application; or investigators may submit an amendment requesting an authorization waiver if the waiver is being requested during an on-going study.

Waivers of authorization are study-specific. The IRB may not approve a waiver request that will permit the use of PHI for any research purpose that is not part of the original study. The Privacy Rule requires that PHI made available under a waiver of authorization be the minimum necessary data for the research purpose. The IRB shall consider this standard when determining which, if any, of the direct or indirect patient identifiers included in the definition of patient information may be necessary to the research.

The IRB may approve waivers of authorization if studies satisfy each of the following waiver criteria of the Privacy Rule:

  1. The proposed use or disclosure of PHI involves no more that a minimal risk to participants' privacy based on, at least, the following:
  2. An adequate plan to protect the identifiers from improper use and disclosure;
  3. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research reason for retaining the identifiers or if keeping the identifiers is required by law; and
  4. adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for oversight of the research, or for other research for which authorization or waiver of authorization is obtained.

  • The research could not practicably be conducted without the waiver or alteration; and
  • The research could not practicably be conducted without access to and use of the PHI.

An investigator requesting a waiver of authorization must justify in the study application why a limited data set of patient information is not appropriate for the research purpose. The IRB must document and retain copies for six years of all information that demonstrates that the Waiver of Authorization criteria were met. The covered entity must document and retain copies for six years of all IRB determination letters certifying approval of the Waiver of Authorization. The covered entity must provide an accounting or summary to the subject of any disclosures of PHI provided with a Waiver of Authorization.

 24.6(a) General Principles of Security

All research data (including PHI) must be secure and protected, as reasonable, against breaches in confidentiality such as unpermitted uses or disclosures. This includes research data and/or PHI that is stored electronically (ePHI). HIPAA standards also apply to PHI after project completion when computers, devices and/or media are destroyed or re-formatted for other uses. The UM Information Technology Office resources and policies which govern data security are available at

The protection of subjects in ALL STUDIES requires the assurance that there are adequate provisions to secure research data. The IRB shall review the adequacy of a study's security provisions as a prerequisite for its approval. Submissions to the IRB should describe the methods of accessing, storing, and safeguarding research data to preserve confidentiality. This standard shall apply to initial review, continuing review, and review of modifications of research by expedited review procedures or by the convened IRB.

Guidelines for properly securing research data include the following:

  1. As custodian of a study's research data, the Principal Investigator shall ensurecompliance with institutional data security policies, HIPAA regulations (if applicable) and the IRB-approved security protocol.
  2. The PI must ensure that collaborative research studies involving PHI (or ePHI) from another institution (or under oversight of another IRB) are also approved by the UM IRB prior to receipt of PHI.
  3. Access to research data (including ePHI) should be restricted and controlled. The PI must ensure locks on files or password or other protections (as applicable) (note – access to e PHI must be by password) 4. the PI must ensure that research data is accessed and used only by personnel authorized by the IRB (as approved study personnel) for such research activity.

Additional requirements under HIPAA for electronic protected health information (ePHI) include:

  1. ePHI should contain only the individual identifiers that are minimally necessary to support the research purpose.
  2. Mobile devices (laptops or PDAs) or electronic storage media (data sticks, tapes, disks) may be used for temporary storage of ePHI if they are encrypted, have automatic logoff features and can be accessed only by password.
  3. ePHI transmitted via a network must be encrypted, password protected and sent only through secure channels. Such transmission should occur only under strong necessity.
  4. Equipment and media that stored ePHI must be re-formatted prior to their disposal or reuse.
  5. Confidentiality agreements must include commitments to store e-mails only on workstations in a secure network and to transmit ePHI only through secure channels
  6. Webpages storing ePHI should be accessed via secure server lines and only by user ID and role-specific passwords that provide access to selected pages.
  7. ePHI entered through the web must reside within a secure network.
  8. Home and laptop computers that access ePHI within a network must be password protected using a password different from the log-on password. E-Mail connections must be encripted and anti-virus software or filters should be installed and appropriately updated.

Additional requirements under HIPAA for securing paper records containing PHI include:

  1. PHI must be stored using two-locked filing systems within a locked office or storage room.
  2. Shredding is required to discard printed materials containing PHI with directed identifiers.
  3. Paper-based PHI with direct identifiers should not be carried or sent unless necessary for approved research activities.

Additional requirements under HIPAA for security Faxes containing PHI include:

  1. Faxes are discouraged but, if required, they must be sent and received in a secure environment .
  2. Recipients of faxes should be alerted first that a fax is coming so the recipient can immediately secure the faxed document.

Additional requirements under HIPAA for reporting breaches of privacy, unanticipated problems and reportable events related to ePHI include:

  1. The Principal Investigator must timely inform the HSRO if a security breach of confidentiality has occurred.
  2. The HSRO will coordinate review of ePHI security breaches with ORCA, the Office of Information Technology and the Privacy Offices of UM and/or JHS as applicable.
  3. The HSRO shall forward all findings regarding data security breaches to the IRB for its review and determination.
  4. Violations of HIPAA Security Rules by workforce members shall be reported to the UM Human Resources Department for review and actions pursuant to HR policies.

 24.7(a) General Principles of Confidentiality

Confidentiality of identifiable information shall be maintained unless subjects give permission to relinquish confidentiality. The more sensitive the information, the greater is the need for confidentiality. This is to protect subjects from potential harms such as psychological distress, loss of insurance, loss of employment and damage to social standing. Investigators should understand that to do other than maintain confidentiality would be inconsistent with the principles of the Belmont report requiring respect for persons and beneficence.

All information relating to research studies shall be kept secure and confidential to the extent permitted by law. However, records shall be available to the IRB and appropriate governmental agencies and authorized University employees or other agents authorized by the University. All others requesting information on research studies must obtain written approval from the Principal Investigator or the Vice Provost for Human Subject Research.

Principal Investigators should design and conduct studies that protect to the fullest extent possible the participants' and confidentiality. The Principal Investigator must comply with the UM policy entitled "Policy and Security of Confidential Health Information".

 24.7(b) IRB Review of Confidentiality

Studies must include appropriate strategies to protect the identity of human subjects and the confidentiality of research records. These strategies should cover all types of data collected, including personality inventories, interviews, questionnaires, observations, photographs and film, taped records and other stored data. Plans should explain the mechanisms devised for this purpose such as numbering or code systems or the locking of files in private offices and shall describe who has access to the data and under what circumstances a code system may be broken. Plans should also define the final disposition or destruction of such information.

The IRB shall evaluate strategies for confidentiality in its review process. The appropriateness of such strategies shall be a requirement for study approval. In its review, the IRB shall be guided by the following:

  1. Questionnaires, inventories, interview schedules, and other data-gathering instruments and procedures should be carefully designed to limit the personal information to be acquired to that which is essential, and should be administered using procedures that will protect the subject's privacy.
  2. Information that could reveal a subject's identity should be securely stored in files accessible only to the principal investigator and authorized staff listed in the IRB approved protocol
  3. As early as feasible, data should be coded to remove identifying information, and identifiers destroyed
  4. The identity of subjects should not be released except with their express permission. This includes through the use of audio tapes, videos, photos, or other images (e.g., MRI, CT scan) that either show the subject's face or would divulge unique or identifying features. Subjects should always be told during the informed consent process if their likeness or other unique or identifying features will be imaged and how the images will be used. Explicit consent must be obtained for any public use of such images (including uses in the classroom, on the internet, or as part of a presentation of the research results), since publication would otherwise constitute a breach of the basic confidentiality requirement.
  5. Use of existing data that were originally obtained for different purposes and that involve identifiable subject information requires examination of the risks involved. The IRB must determine whether the new use is within the scope of the original consent or whether it is necessary or feasible to obtain additional consent. Anonymity of the subjects must be preserved in these cases.

 24.7(c) Certificates of Confidentiality

Certificates of Confidentiality: Certificates of Confidentiality are issued by the National Institutes of Health (NIH) to protect the privacy and confidentiality of research subjects by protecting investigators and institutions from being compelled to release information that could be used to identify subjects.

In certain circumstances involving civil, criminal, administrative, legislative or other proceedings at the federal, state or local level, investigators and institutions may be compelled to release information that could be used to identify subjects within a research study. To ensure the privacy of research subjects, investigators and institutes may refuse to disclose any item or combination of items in the research data that could lead directly or indirectly to the identification of a research subject if protected by a Certificate of Confidentiality.

Principal Investigators may apply for a Certificate of Confidentiality from the National Institutes of Health (NIH) under section 301(d) of the Public Health Service Act [42 U.S.C. 241(d)]. A Certificate may be awarded whether or not a research project is federally funded. Certificates may be requested prior to the submission of an application for study approval to the IRB; or the IRB may require that the Principal Investigator obtain a Certificate of Confidentiality from the NIH prior to conducting the research. Generally, an application for a Certificate is submitted after IRB approval of the research because IRB approval is a prerequisite for issuance of a Certificate.

A separate application is required for each research project for which a Certificate is desired even if the projects have a common Principal Investigator. A Certificate is generally issued to a research institution for a single project (not broad groups or classes of projects). However, projects that use the same sample of subjects but have different protocols may file for one Certificate since the subjects, whose identities the investigator wishes to protect, are the same.

Instructions for applying for a Certificate of Confidentiality are available at;polocy/coc/appl-extramural.htm. Both the Principal Investigator and the Institutional Official (the Vice Provost for Human Subject Research) must sign the Certificate application. Certificates of Confidentiality may be issued to institutions or universities for biomedical, behavioral or other types of research where disclosure of identifying information could have adverse consequences for subjects such as by damaging their financial standing, employability, insurability, or reputation or by involving them in criminal or civil litigation. Examples of sensitive research activities that may qualify for Certificates of Confidentiality include but are not limited to:

  1. Collecting genetic information.
  2. Collecting information on the psychological well-being or mental health of subjects.
  3. Collecting information on subjects' sexual attitudes, preferences or practices.
  4. Collecting data on substance abuse or other legal or illegal risk behaviors.
  5. Studies where subjects may be involved in litigation related to exposures under study (e.g. breast implants, environmental or occupational exposures).

Specific cultural or other factors may make information in other, unlisted, categories to be considered as sensitive. Certificates of Confidentiality may be granted in such cases upon appropriate justification and explanation.

Some projects are ineligible for a Certificate of Confidentiality such as those that are:

  1. Not research.
  2. Not collecting personally identifiable information.
  3. Not reviewed and approved by the IRB as required by these policies.
  4. Collecting information that if disclosed would not significantly harm or damage the participant.

In general, Certificates are issued for single, well-defined research projects rather than groups or classes of projects. In some instances, they can be issued for cooperative multi-site projects. A coordinating center or "lead" institution designated by the NIH program officer can apply on behalf of all institutes associated with the multi-site project. The lead institution must ensure that all participating institutions conform to the application assurances and inform participants appropriately about the Certificate, its protections and the circumstances in which voluntary disclosures would be made.

A Certificate of Confidentiality protects personally identifiable information about subjects in the research project while the Certificate is in effect. Generally, Certificates are effective on the date of issuance or upon commencement of the research project if that occurs after the date of issuance. The expiration date should correspond to the completion of the study. The Certificate will state the date upon which it becomes effective and the date upon which it expires.

A Certificate of Confidentiality protects all information identifiable to any individual who participates as a research subjects (i.e., about whom the investigator maintains identifying information) during any time the Certificate is in effect. An extension of coverage must be requested if the research extends beyond the expiration date of the original Certificate. However, the protection afforded by the Certificate is permanent. All personally identifiable information maintained about participants in the project while the Certificate was in effect is protected in perpetuity.

Although Certificates of Confidentiality protect against involuntary disclosure, research subjects may voluntarily disclose their research data or information to physicians or other third parties and they may also authorize in writing the Principal Investigator to release the information to insurers, employers, or other third parties. In such cases, the Certificate should not be used to refuse disclosure. Moreover, Principal Investigators are not prevented from the voluntary or mandatory disclosure of matters such as child abuse, reportable communicable diseases, or a subject's threatened violence to self or others. However, if the Principal Investigator intends to make any voluntary disclosures, the consent form must specify such disclosure.

In the informed consent documents, Principal Investigators shall inform research subjects if a Certificate of Confidentiality is in effect. Subjects should be given a fair and clear explanation of the protection that a Certificate affords, including the limitations and exceptions noted above.

Certificates of Confidentiality do not authorize investigators to refuse to disclose information about subjects to the HSRO or the IRB or authorized DHHS or FDA personnel requesting such information requirements such as an audit or program evaluation.


Content updated on Tuesday, 02-9-2021 05:30:52 pm