Spotlight on Privacy in Research
In previous newsletters, we’ve covered a variety of topics regarding the use and disclosure of Protected Health Information (PHI) in research. To help put this knowledge into practice, below are a few specific scenarios you may have encountered while conducting your research duties and the best steps for how to address them.
Scenario 1: You are approached about serving as a PI on research for which authorization will not be obtained from the patients, and the sponsor proposes sharing PHI under a Data Use Agreement (DUA).
Make sure the data that would be shared excludes the 16 elements of identifiers not permitted for use of a Limited Data Set (LDS). The IRB would have to approve the proposed use of the LDS, and the DUA must include the specific provisions required under the privacy regulations.
Scenario 2: PHI for a study subject was sent to a study sponsor via unsecured email.
If the PHI disclosed was appropriate (e.g., covered by the subject’s signed consent/privacy authorization form), the Privacy Office must be notified of the unencrypted method of transmission of electronic PHI. If the PHI disclosed was inappropriate (e.g., subject name instead of study ID#), the disclosure as well as the unencrypted method of transmission must be reported.
Scenario 3: A study sponsor has requested a log of all subjects screened for participation to date.
Screening logs often include information on patients who were screened out prior to providing signed consent/authorization to participate. If this is needed, information for these individuals should be general and not include PHI (e.g., a 35-year-old male exceeds lab a parameter for inclusion criterion #2). 
Policy Corner
Useful Privacy and Security References:
• ThePrivacy&SecurityHandbookisa reader friendly guide to complying with the requirements of HIPAA Privacy and Security Regulations as well as institutional policy.
• TheUse&DisclosureofPHIfor Research Purposes policy provides information on the use of PHI specific to the research environment.
• ThePrivacy&SecurityBreach Response & Notification policy explains how a potential breach is handled and reported.
• TheDisciplinaryActionforViolationsof Confidential Information policy explains what is considered a violation and how confirmed or perceived violations are resolved.
Visit the Policy and Procedure Library for more information.
             Ask the Auditor:
My study uses an approved drug that is available over-the-counter but is provided by the sponsor for this trial. Is it really that big of a deal to let clinic staff store it with the rest of their drugs?
When discussing experimental drugs, it’s easy to understand why they must be segregated from other drugs and stored in an secure way. After all, they’re unapproved and potentially very dangerous. When discussing storage of an over the-counter-drug, however, it’s easier to think of it not as a study product but as an everyday item you could pick up at any corner drug store. It’s that familiarity that often leads us to approach storage in a more relaxed way and while understandable, it has the potential to lead to deviations and problems.
If the sponsor provides a drug for their study, let’s say aspirin, they’re providing it for that particular study. That means that it’s no longer just aspirin, it’s a study product and everything about that drug needs to be secure and appropriately documented. How much did the site receive from the sponsor? Who has access to it? Who dispensed it and to which subjects? How much was dispensed and how much returned? Was any destroyed on-site or sent back to the sponsor? If that aspirin were stored with other clinic drugs, it could be taken by unapproved individuals or provided to patients who aren't on the study. It could be mixed up with the clinic supply and things can get messy. Instead, it should be kept in a locked container within a locked room and only approved study personnel should have access to it.
It’s important to remember that a study product, no matter how innocuous, is still study product and should be store and secured with the same rigor as an experimental drug that has never before been used in humans. 
Don’t Forget!
Have a concern? Need to report a compliance prob- lem but don’t know how to go about it? Call the
confidential Compliance HelpLine at 1-866-245-0815 or go online to: http://ComplianceHelpLine.BSWHealth.com
    We’re here for you!
ResearchCompliance@BSWHealth.org
 Research Compliance Webpage
Research Integrity Officer:
Stephanie Worley Office: 254-215-9025
Compliance Consultants:
Jennifer Gibbons-Ramirez Office: 254-215-9027
Lindsey Estep Office: 254-215-9028
        3