
Confidentiality & Data Protection


This webpage includes information on the following topics:

HIPAA & Protected Health Information (PHI)

HIPAA is a federal law that establishes standards to protect the sharing of patient health information. See information about HIPAA Privacy Policies on the Stanford University Privacy Office website.

PHI is any individually identifiable health information that is stored, transmitted, or used by covered entities under HIPAA. Stanford University is considered a hybrid entity, as some components of Stanford University meet the definition of a covered entity under HIPAA and many others do not. Information on what components of Stanford are covered by HIPAA can be found on the Stanford University Privacy Office website.

PHI includes at least one of the following 18 HIPAA identifiers (personal information) combined with health data:

  1. Names;
  2. Social Security numbers;
  3. Telephone numbers;
  4. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code;
  5. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  6. Fax numbers;
  7. Electronic mail addresses;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the research data)

Data is considered de-identified when health information is stripped of all of the 18 HIPAA identifiers.

The following personal information is considered sensitive and requires additional confidentiality protections when the information is collected and used for research purposes. In most cases, explicit authorization is needed from patients for the use and disclosure of this information.

  1. Information pertaining to drug and alcohol abuse, diagnosis, or treatment: The consent form should disclose any limitations on the confidentiality of information related to drug and alcohol use collected for the research. Federal and State regulations include limitations on when SUD treatment-related records can be shared.
  2. HIV/AIDS testing information: Research records that include information relating to HIV or AIDS are confidential and cannot be disclosed except as authorized by the California AIDS Research Confidentiality Act. Additionally, providers and laboratories are required to report HIV cases to the local health officer, including for persons participating in research studies.
  3. Mental health diagnosis or treatment: Mental health records are heavily protected and generally cannot be released without the patient’s written, signed consent. The U.S. Department of Health and Human Services provides HIPAA guidelines regarding the limitations on the use and disclosure of mental and behavioral health related information. California state regulations establish strict protections for outpatient psychiatric and psychotherapy records.
  4. Reproductive health information: California’s reproductive privacy laws limit the sharing of patient medical information related to abortion, contraception, and other reproductive health information.

A limited data set is PHI that excludes all 18 HIPAA identifiers with the exception of the following: 

  • street/postal address
  • dates, including dates directly related to an individual (e.g., birth date, health care service, admission and discharge dates, date of death)

If a limited data set is being received or shared, a data use agreement may still be needed. 

A HIPAA Authorization for Research is signed permission from a participant allowing the covered entity to use or disclose their PHI for specific research purposes. For Stanford, the HIPAA Authorization must meet California state requirements, which include the following:

  1. must be written in at least 14-point font;
  2. must be completely separate from any consent language on the same page, or it can be a completely separate document from the consent form;
  3. must include a separate signature, which serves no other purpose than to execute the Authorization.

The Stanford medical consent form templates include an embedded research HIPAA Authorization.

Obtaining an authorization may not be practicable for some types of research. In these cases, HIPAA allows the IRB to grant a waiver of HIPAA authorization. The waiver of HIPAA authorization can be granted for the entire study (e.g., retrospective chart reviews). Additionally, a Waiver of HIPAA Authorization (for Recruitment) may be granted to cover solely the recruitment activities, but a HIPAA authorization is typically required when the participant is enrolled.

Under certain circumstances, the IRB may approve a request to omit one or more of the required elements of authorization, for example, waiving the requirement to obtain a signature and date on HIPAA authorization when conducting research by phone or via the internet.

In order to access PHI under a waiver or alteration of authorization for research, the IRB must determine that the following criteria are met:

  1. Use or disclosure involves no more than minimal risk to privacy for the individual based on: (i) a plan to protect patient identifiers from improper use and disclosure; (ii) a plan to destroy patient identifiers at the earliest opportunity; and (iii) adequate written assurances that protected health information will not be reused or disclosed to others except as required by law, for oversight of the research, or for other research that would be permitted by HIPAA;
  2. The research could not practicably be conducted without the waiver;
  3. The research could not practicably be conducted without access to protected health information;
  4. A brief description of the PHI necessary to do the research (i.e., minimum necessary) is provided; and
  5. The privacy risks are reasonable in relation to the anticipated benefits to the individuals and the importance of knowledge gained through research.

Certificate of Confidentiality (CoC)

A CoC protects the privacy of research participants by prohibiting disclosure of identifiable, sensitive research information to anyone not connected to the research except when consent is obtained from the participant for the disclosure or in limited other situations. The CoC also prohibits disclosure in response to legal demands, such as a subpoena. 

A CoC is mainly issued by the NIH. All ongoing or new research funded by NIH as of December 13, 2016 that is collecting or using identifiable, sensitive information is automatically issued a CoC through a term and condition of award. NIH is also the primary agency for issuing discretionary CoCs for non-NIH-funded research that aligns with its mission. See more information on the NIH Policy.

Centers for Disease Control and Prevention (CDC): Automatically issues CoCs for CDC-funded research.

Food and Drug Administration (FDA): Issues CoCs for FDA-funded research and for research conducted under an Investigational New Drug (IND) or Investigational Device Exemption (IDE).

Health Resources and Services Administration (HRSA): Automatically issues CoCs for HRSA-funded research.

Biomedical Advanced Research and Development Authority (BARDA): Automatically issues CoCs for BARDA-funded research.

Substance Abuse and Mental Health Services Administration (SAMHSA): Issues CoCs for research funded by their agency.

Department of Defense (DoD): Issues CoCs for DoD-funded research. A CoC must be obtained for all DoD-supported research involving large-scale genomic data collected from DoD-affiliated personnel. Researchers must apply for a CoC via the NIH or contact the DoD Component human subjects protection office.

The protection of the CoC lasts in perpetuity. However, any data collected after a CoC expires, or after the grant issuing the CoC no longer covers the research, may not be protected.

The Stanford medical consent form templates include recommended CoC language.

There is no requirement for participants consented prior to the issuance of a CoC to be re-contacted or notified of the CoC. However, participants should be notified or re-consent obtained if new information is collected after the expiration of a CoC.

In general, placing research information protected by a CoC into a participant’s medical record would require the participant’s consent unless such disclosure is required by law. 

Section 301(d) of the Public Health Service Act protects identifiable, sensitive information and all copies thereof. Accordingly, if identifiable, sensitive information protected by a CoC is placed in a participant’s medical record, the protections of the CoC and prohibitions on further disclosure of the information may apply.

NIH Genomic Data Sharing (GDS) Policy

The NIH GDS Policy requires the broad, responsible and timely sharing of large-scale genomic research data generated from NIH-funded research to promote scientific discovery while protecting participant privacy.

The GDS Policy applies to:

  • All NIH-funded research that generates and uses large-scale human or non-human genomic data, as well as the use of these data for subsequent research:
    • Large-scale data include genome-wide association studies (GWAS), single nucleotide polymorphism (SNP) arrays, and genome sequence, transcriptomic, metagenomic, epigenomic, and gene expression data, irrespective of funding level and funding mechanism (e.g., grant, contract, cooperative agreement, or intramural support).
    • Examples include, but are not limited to, sequence data from more than one gene or region of comparable size in the genomes of more than 1000 human research participants; sequence data from more than 100 genes in the genomes of more than 100 human research participants; comparisons of differentially methylated sites genome-wide at single-base resolution within a given sample (e.g. within the same subjects over time or across cell types). Additional examples are available in the Supplemental Information to the NIH GDS Policy.

Examples of NIH-funded research or research-related activities that are outside the Policy’s scope include, but are not limited to, projects that do not meet the criteria above such as:

  • instrument calibration exercises,
  • statistical or technical methods development, or
  • the use of genomic data for control purposes, such as for assay development.

In addition, the following types of funding generally do not fall under the GDS Policy:

  • Institutional Training Grants, K12 Career Awards, Individual Fellowships (Fs) such as the Ruth L. Kirschstein National Research Service Award, Resource Grants and Contracts (Ss), or Facilities and coordinating centers funded to provide genotyping, sequencing, or other core services in support of GDS.

Work with your Research Process Manager (RPM) at RMG to submit a basic genomic data sharing plan in the Resource Sharing Plan section of funding applications.

Extramural Institutional Certification is required prior to depositing human genomic data into one of the NIH-supported repositories, even if the research itself is not NIH-supported. NIH-supported repositories include, but are not limited to, the Database of Genotypes and Phenotypes (dbGaP), the Gene Expression Omnibus (GEO), and the Sequence Read Archive (SRA).

A Stanford Institutional Official-signed Extramural Institutional Certification is needed. Note: if no IRB-approved consent form exists at the time of a JIT award notification, a Provisional Institutional Certification can be used until the consent form is approved by the IRB.

The Stanford medical consent form templates include recommended genomic data sharing language.

To request Extramural Institutional Certification, submit the following to IRB Education:

  • A blank copy of each consent form used to collect samples from which data were/will be generated.
    • If the dataset includes data from samples obtained at another institution, the Stanford IRB will review each of those consents as well.
    • Submit each consent version, across studies and across time: essentially, each IRB-approved consent document used to collect samples represented in the dataset.
  • A completed Genomic Data Sharing Checklist for each consent.
  • A completed PD-signed Extramural Institutional Certification form that correlates with the dates samples were collected from participants.

Once the IRB confirms the data can be submitted to an NIH-supported genomic data repository, the IRB notifies the Office of Sponsored Research.

  • A Research Related Agreement (RRA) is needed and the Extramural Institutional Certification should be uploaded for signature.
  • The contract officer will sign and return the form to whomever requested the Extramural Institutional Certification.
  • For questions related to the RRA, contact osr_intake@stanford.edu.
  • For data from specimens collected before 1/25/2015, the IRB will assess whether the data submission is consistent with the informed consent given by the participant. NIH will accept data derived from de-identified cell lines or clinical specimens lacking consent for research that were created or collected before 1/25/15.
  • For studies initiated after 1/25/15, NIH expects researchers to obtain participants’ consent for their data to be shared broadly for future research.
  • For studies that prohibit sharing by using statements such as “Your data will never be shared outside of Stanford,” re-consenting may be possible. Any plan to re-consent should be submitted to the IRB as a modification to the protocol along with the modified consent form prior to implementation.

General Data Protection Regulation (GDPR)

The European Union General Data Protection Regulation (GDPR) regulates the collection, processing, storage, transfer, and protection of personal information, including data collected for research. The GDPR is a comprehensive privacy law that governs any entity that collects or processes the personal data of any citizen of the member states of the European Economic Area.

For research that includes human subjects, template language that meets the requirements of GDPR should be included in the consent form(s). This language will inform participants about their data that is regulated under the GDPR.

If you have specific questions about GDPR, please contact the University Privacy Office.

Page updated April, 2026