The federal regulatory requirement to ensure that "(7) When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data" overlaps with the privacy and confidentiality protections in HIPAA. With the advent of HIPAA, people often confuse privacy and confidentiality and just as frequently overthink the need for one or the other.
Privacy vs. Confidentiality
Generally speaking, privacy applies to individuals and confidentiality applies to their information. For any given study, the specific protections needed will depend on the nature of the study and the risks involved. An appropriate level of privacy for a consent conference for a study on risk-taking behavior might differ from the level of privacy required for a consent conference for a study about preferences for eating on a round versus a square plate.
Careful consideration should be given to how people are approached, the setting for approaching subjects, and the level of privacy needed to conduct the discussion about participation. The same holds true for conducting the study itself. What is appropriate for one study might not be necessary or even appropriate for another.
Some of the issues that should be taken into consideration when ensuring subjects' privacy include:
- clinic consent conferences and study visits (the subject may not want others to know that they are in a study);
- telephone calls to the subject's house (not all members of the household might be aware that the subject is participating);
- letters sent to the subject's house containing private information;
- emails and text messages that might be seen by others (e.g. children may not have complete control of their phones and email); and
- Facebook or other social media groups.
Confidentiality of subjects' data
The level of protection needed to ensure the confidentiality of subjects' private information will vary from study to study, but the questions to be addressed remain the same.
- What sort of limitations should be placed on access to the study data?
- Who should be permitted access to the study documents?
- Who should be allowed to know the identities of those participating as subjects?
- What security plan (password protections, locked cabinets, encryption methods, separate storage of Master Lists from study data) is sufficient to adequately protect the subjects given the inherent sensitivity of the data?
Not every study requires absolute confidentiality of these items, but at the same time, there should be a reasonable plan for limiting access to the information to those who need to know. Care should also be taken not to promise more than one can truly attain. That is to say, the consent form should not promise to keep the subject's data strictly confidential unless one is able to guarantee that this will be the case. On the other hand, there will be cases, such as a high security data repository, that will maintain a significant level of confidentiality for studies dealing with sensitive information.
Neither privacy protection nor protection of confidential information is amenable to one-size-fits-all solutions. Rather, a thoughtful approach tailored to the nature of the research and its inherent risks to the subjects will result in the appropriate plan.
Studies that require a higher than usual level of protection for subjects' confidential information should obtain a Certificate of Confidentiality.