Chapter 8: Additional Laws
1. Health Insurance Portability and Accountability Act (HIPAA)
Whenever a research project involves obtaining protected health information (PHI) from a “Covered Entity,” as defined by HIPAA, proper authorization must be obtained from each subject.
Responsibility for obtaining authorization rests with the Principal Investigator. Before the UM IRB approves a study involving collection of HIPAA protected health information, the Principal Investigator will supply a written assurance that all subjects will provide appropriate, signed authorization forms to the Covered Entity providing the information. The authorization (or Permission to Gather Health Information) form can be downloaded from the IRB website.
Covered Entities at the University of Montana include:
- Curry Health Center Services Pharmacy
- MonTech - Montana Accessibility and Assistive Technology Center
- New Directions Program
- The Nora Staael Evert Physical Therapy Clinic
- RiteCare Clinic
- UMPT Sports and Orthopedics
The Security Rule, an important part of HIPAA, went into effect April 20, 2003. The rule's intention is to protect the confidentiality, integrity, and availability of electronic protected health information, which the University creates, accesses, transmits, or receives in both research and patient care settings. It sets forth specific requirements for the adoption of administrative, physical, and technical safeguards for the protection of electronic protected health information.
Since April 14, 2003, all research that will enroll subjects (including existing studies) AND obtain subjects' PHI must comply with HIPAA regulations.
What is Protected Health Information (PHI)?
PHI is health information transmitted or maintained in any form or medium that:
- identifies or could be used to identify an individual; and
- is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and
- relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.
Exempt Records
The following records ARE EXEMPTED from the definition of PHI even though they may contain health-related information:
- student records maintained by an educational institution, and
- employment records maintained by an employer related to employment status.
If your study uses these kinds of records, it is not subject to HIPAA. However, existing IRB rules on informed consent and confidentiality still apply.
Ways researchers can perform HIPAA-compliant research with PHI
- Obtain Subject Authorization — use of an authorization form that includes required HIPAA authorization language (it must be approved by the IRB prior to use - similar to a consent form).
Using HIPAA Authorization Forms
If a study using/disclosing PHI is going to use/disclose this PHI by means of a subject authorization (the most common and recommended means), investigators should be aware of the following:
- The authorization form needs to be submitted to the IRB along with the IRB checklist/application. Use our Authorization Form template (IRB website) filled in with your study specifics.
- Two authorization forms require the subject's or authorized representative's signature:
  - A copy for the subject to keep, and
  - A copy for the investigator's records.
- It is the responsibility of the PI to keep this authorization form in their records for 6 years and assure that it is completed correctly.
- Obtain an IRB alteration or waiver of subject authorization — if the research is minimal risk to subjects and meets criteria for waiver or alteration.
Obtaining HIPAA Authorization Waivers or Alterations
For research uses and disclosures of PHI, an IRB may approve a waiver or an alteration of the Authorization requirement in whole or in part. A complete waiver occurs when the IRB determines that no Authorization will be required for a covered entity to use and disclose PHI for a particular research project.
How do I qualify for a waiver of authorization?
Approvals for waivers or alterations will be rare and in most cases researchers are advised to use an Authorization Form with their subjects to use/disclose PHI. IRB approval is required for this Authorization Form - similar to consent forms.
The following criteria must be met to qualify for a waiver:
- The use or disclosure of protected health information involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
  - An adequate plan to protect the identifiers from improper use and disclosure;
  - An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
  - Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
- The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;
- The research could not practicably be conducted without the alteration or waiver; and
- The research could not practicably be conducted without access to and use of the protected health information.
The IRB maintains the authority to make the final decision on whether a study meets the aforementioned criteria.
- Use a Limited Data Set — PHI that excludes direct identifiers of the individual or of relatives, employers, or household members of the individual.
Use De-identified Data — health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. (see below, “Using data that is De-identified”)
Using Data that is De-Identified
Researchers may use or disclose health information that is de-identified without restriction under the Privacy Rule.
Covered entities seeking to release this health information must certify that the information has been de-identified using either statistical verification of de-identification OR by removing the 19 identifiers from each record as specified in the Rule. These identifiers are:
- Name
- All geographic subdivisions smaller than a state (street address, city, county, precinct). Note: zip codes or equivalents must be removed, but the first 3 digits may be retained if the geographic unit to which those 3 digits apply contains more than 20,000 people
- For dates directly related to the individual, all elements of dates except year (date of birth, admission date, discharge date, date of death)
- All ages over 89 or dates indicating such an age
- Telephone number
- Fax number
- Email address
- Social Security Number
- Medical Record Number
- Health Plan Number
- Account Numbers
- Certificate or license numbers
- Vehicle identification/serial numbers, including license plate numbers
- Device identification/serial numbers
- Universal Resource Locators (URLs)
- Internet Protocol addresses (IPs)
- Biometric identifiers
- Full face photographs and comparable images
- Any other unique identifying number, characteristic or code
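As an added example (not part of this handbook, and not an IRB tool), the following Python script applies the identifier removals listed above to one record: direct identifiers are dropped, dates are reduced to the year, ages over 89 (and birth years that imply such an age) collapse to "90+", and zip codes keep their first 3 digits only when that area exceeds 20,000 people. The field names, the sample record and the 3-digit zip population table are constructed for the example; the regular-expression sweep of free-text fields is only a heuristic for the final catch-all item and does not replace a review of the data or the statistical route to de-identification.

```python
"""Safe Harbor style de-identification of a single health record.

Added example, not part of the IRB handbook.  Field names, the sample record
and the 3-digit zip population table below are constructed for illustration.
"""
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Fields dropped entirely (name, contact details, record/account numbers,
# device and vehicle identifiers, URLs, IPs, biometrics, photographs).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vin", "license_plate", "device_serial", "url", "ip", "biometric_id", "photo",
}
# Date fields: every element except the year is removed.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}
# Ages over 89 (and dates implying them) collapse into the single category "90+".
AGE_CAP = 89
# Constructed population per 3-digit zip prefix (assumption: real figures would
# come from census data).  A prefix is kept only if its area has > 20,000 people.
ZIP3_POPULATION = {"598": 150_000, "036": 5_000}
# Heuristic patterns for identifiers hiding in free-text fields (catch-all item).
IDENTIFIER_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),           # SSN-shaped
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),  # US phone-shaped
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),          # e-mail address
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),      # IPv4 address
    re.compile(r"https?://\S+"),                     # URL
]


def safe_harbor_zip(zip_code: str, population: dict[str, int] = ZIP3_POPULATION) -> str:
    """Keep the first three digits only when that 3-digit area exceeds 20,000 people."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) == 3 and population.get(prefix, 0) > 20_000:
        return prefix
    return "000"


def year_only(iso_date: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year."""
    return str(date.fromisoformat(iso_date).year)


def safe_harbor_age(age: int) -> int | str:
    """Ages over 89 are reported as the aggregate category '90+'."""
    return "90+" if age > AGE_CAP else age


def scrub_free_text(text: str) -> str:
    """Redact values that look like identifiers inside narrative fields."""
    for pattern in IDENTIFIER_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def _age_on(born: date, reference: date) -> int:
    return reference.year - born.year - ((reference.month, reference.day) < (born.month, born.day))


def deidentify(record: dict[str, Any], reference_date: str,
               population: dict[str, int] = ZIP3_POPULATION) -> dict[str, Any]:
    """Return a copy of `record` with the listed identifiers removed or reduced."""
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # drop outright
        if field == "zip":
            out[field] = safe_harbor_zip(str(value), population)
        elif field in DATE_FIELDS:
            out[field] = year_only(value)
        elif field == "age":
            out[field] = safe_harbor_age(int(value))
        elif isinstance(value, str):
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    # A birth year alone can still reveal an age over 89, so it is collapsed too.
    if "date_of_birth" in record:
        born = date.fromisoformat(record["date_of_birth"])
        if _age_on(born, date.fromisoformat(reference_date)) > AGE_CAP:
            out["date_of_birth"] = "90+"
            if "age" in out:
                out["age"] = "90+"
    return out


# Constructed sample record; no real person or facility is represented.
SAMPLE_RECORD = {
    "name": "Pat Example",
    "mrn": "MRN-0001",
    "email": "pat@example.org",
    "zip": "59812",
    "date_of_birth": "1929-03-02",
    "admission_date": "2023-06-14",
    "age": 94,
    "diagnosis_code": "E11.9",
    "clinician_note": "Pt states home phone is 406-555-0100; follow up.",
}
EXAMPLE_REFERENCE_DATE = "2024-01-10"


def deidentify_sample() -> dict[str, Any]:
    return deidentify(SAMPLE_RECORD, EXAMPLE_REFERENCE_DATE)


if __name__ == "__main__":
    import json
    print(json.dumps(deidentify_sample(), indent=2))
```

Running the script prints the reduced record: the name, MRN and e-mail are gone, the zip becomes `598`, the admission date becomes `2023`, both the birth date and the age become `90+`, the diagnosis code is untouched, and the phone number in the clinician's note is redacted. A reference date is passed in explicitly rather than taken from the clock so that the "over 89" decision is reproducible when the same extract is re-run later.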
2. Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) was established in 1974 to protect the rights of students (20 U.S. Code 1232g). The law applies to all schools (i.e. elementary, secondary, and higher education institutions) that receive funds under an applicable program of the U.S. Department of Education. FERPA impacts researchers in that data not included in the student directory information cannot be used in research without the permission of the IRB and the research participant. Keep in mind, however, that the IRB cannot overrule the institution’s decision to deny access, and if the IRB disapproves the proposed research, the institution may not approve disclosure of information associated with the research.
What information is protected by FERPA?
Items that do not fall under student directory information cannot be used in research without going through the proper channels. FERPA requires that students be given the option to “opt out” of allowing directory information to be shared, and if students choose to opt out, this information may not be disclosed (99.37). Note: For a general definition of the term “directory information” please see 34 CFR 99.2 and 1232g(a)(5)(A). To see what UM considers directory/non-directory information please refer to the UM Registrar’s website.
Researchers need to receive consent from student research participants in order to use information that falls under FERPA’s definition of education records (for definitions of “education record” or “records” please refer to 34 CFR 99.2 and/or 1232g(b)(3),(b)(5)(a)(4)). This includes – but is not limited to – end-of-course grades or any other grades or assignments produced within a class. In other words, instructors cannot use information to which they might have natural access for purposes other than instruction and evaluation without informed consent. Course grades are considered part of the students’ official records and thus belong to the student, and permission of the student should be obtained through informed consent. Other information not typically in a student directory could include race, sex, birthdate, GPA, country of citizenship, social security number, residency status, and financial aid (including PELL Grants or HOPE Scholarship) or academic status. This list, however, is not exhaustive.
Does this mean that I cannot use my students’ grades or coursework in my research without IRB approval?
Yes, FERPA regulations apply even when using your “own” records. You must receive IRB approval and student consent to use any grades and/or work completed within your class, including assignments such as papers, journals, projects, and tests (34 CFR 99.2). In practical terms, this means that you will need to obtain student consent either by securing access to educational records contained in UM’s directory or – if this is not possible – by obtaining consent via established informed consent procedures. Irrespective of the consent route, however, student research participants need to be informed about the following three issues so they know what they are consenting to: (1) the nature of the records that will be disclosed/used, (2) the purpose of the disclosure, and (3) the identification of the party or class of parties to whom the disclosure may be made (34 CFR 99.30).
What if my study is large-scale and consent for release of data not included in student directory information is difficult to obtain?
For large-scale research projects where consent is difficult and/or impossible to obtain, you may want to consider applying for a waiver of consent. While the IRB will consider requests for waivers on a case-by-case basis, all requests should be made during the regular IRB application process. Keep in mind, however, that your ability to use this data will remain contingent upon IRB approval and student consent. Note: If the IRB grants the waiver, a designated school official will strip any personally identifiable information (PII) before the dataset will be shared with you (for a definition of the term “PII” please see federal regulations 34 CFR 99.3 or 20 U.S. Code 1232g). Examples of PII include – but are not limited to – student names, student identification numbers, grade lists, place of birth, ethnicity, course schedules, academic status, and advisor names. The waiver, however, does not absolve you of the responsibility to notify the students of the possibility to opt out of the research project. Students retain this right to their educational records even if they no longer attend UM (34 CFR 99.37).
How does FERPA apply to proposed prekindergarten through 12-grade research?
FERPA applies to all research projects conducted within local PK-12 schools and school districts. The PI is responsible for obtaining IRB approval from the University of Montana, and s/he also needs to comply with any additional safeguards that have been put into place by individual school districts. Also, keep in mind that the IRB cannot override a school district’s decision to deny access to certain information to the researcher. Investigators will need to obtain written FERPA authorization from the parent/guardian of the child/children involved in the research.
Are there research projects involving access to data not typically included in student directory information that do not require informed consent from participants?
Educational institutions may disclose, without consent, student data to those conducting studies for, or on behalf of, educational institutions to (1) develop, validate, or administer predictive tests; (2) administer student aid programs; or (3) improve instruction (34 CFR 99.31). Educational records may be released, as well, for institutional research; however, individuals proposing to publish or publicly disseminate such research would need IRB approval before proceeding.
3. Protection of Pupil Rights Amendment (PPRA)
The Protection of Pupil Rights Amendment (PPRA; 20 U.S.C. § 1232h; 34 CFR Part 98) applies to any “local educational agency” that receives funding from the U.S. Department of Education. A “local educational agency” means an elementary school, secondary school, school district, or local board of education that is the recipient of funds from the U.S. Department of Education (ED). It does not include postsecondary institutions. PPRA also applies to research funded by the Department of Education. The focus of PPRA is on the requirement for parental consent for the collection of certain sensitive information, such as medical data or sexual attitudes or practices from school children via surveys and evaluations.
Description
Researchers conducting studies in a “local educational agency” that receives any funds from the U.S. Department of Education must ensure that their protocol complies with the PPRA. Parental consent is required for studies involving surveys, psychiatric examination, testing, or treatment, or psychological examination, testing, or treatment, in which the primary purpose is to reveal information concerning one or more of the following:
- Political affiliations or beliefs of the student or the student’s parent
- Mental and psychological problems potentially embarrassing to the student or his or her family
- Sex behavior or attitudes
- Illegal, anti-social, self-incriminating and demeaning behavior
- Critical appraisals of other individuals with whom the student has close family relationships
- Legally recognized privileged and analogous relationships, such as those of lawyers, physicians and ministers
- Religious practices, affiliations, or beliefs of the student or student’s parent
- Income, other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under a program
The IRB does not have the authority to issue a waiver of informed consent on any of the areas of inquiry set forth above, or to overrule school district policies for implementing PPRA. Researchers whose studies are subject to PPRA should review the policies of the local educational agency early in the study design process and should consider multiple methods to provide information to parents about their planned study. Parents should be given the opportunity to review the study materials before making a decision to permit their child to participate in the research.
For research not funded by the U.S. Department of Education but conducted in a local educational agency, the investigator must provide the IRB with a letter of agreement from a school official or the School IRB approval letter (when applicable), indicating that the school has adopted policies required by PPRA, and that the school agrees that the proposed study complies with those policies, which must include the following:
- The right of parents to inspect, upon request, a survey created by a third party before the survey is administered or distributed by a school to students.
- Arrangements to protect student privacy in the event of the administration of a survey to students, including the right of parents to inspect, upon request, the survey, if the survey contains one or more of the same eight items of the information noted above.
- The right of parents to inspect, upon request, any instructional material used as part of the educational curriculum for students.
- The administration of physical examinations or screenings that the school may administer to students.
4. General Data Protection Regulation (GDPR)
The General Data Protection Regulation ("GDPR" 2016/679) is a European law that enhances data privacy by imposing strict requirements on the use of personal data (“data processing”) and by making data privacy laws more uniform across the European Economic Area ("EEA”). The GDPR became effective on May 25, 2018.
The European Union (EU) consists of 27 countries:
- Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.
- EEA - EU countries and Iceland, Liechtenstein, Norway.
- Similar protections apply to the United Kingdom.
- For a full list of territories within the European Economic Area, please see here.
“Personal data” under the GDPR refers to any identifiable information about a natural person (i.e., an individual, not a company or other entity), also known as a “data subject.” Examples include a person’s name, email address, government-issued identification, other unique identifiers such as IP addresses or cookies, and their personal characteristics, including photographs.
In addition, “special categories” of personal data merit a higher level of protection due to their sensitive nature and consequent risk for greater privacy harm. This includes information about a data subject’s health, genetics, race or ethnic origin, biometrics for identification purposes, sex life or sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership. Although criminal convictions and records are not considered special categories of personal data, this information is also subject to greater protection under the GDPR.
Where Does GDPR Apply?
- The physical location of a data subject determines the applicability of the regulation. Personal data of an individual who is physically located within the EEA countries at the time of data collection (whether or not the participant is a citizen or resident of an EEA country) is covered under the GDPR.
- Personal data of an individual who is physically located anywhere outside of the EEA at the time of data collection (even if the participant is a citizen of an EEA country) is not covered under the GDPR. However, if the personal data of this individual is subsequently processed (e.g., used, stored, or shared) after their return to the EEA, such data may be within scope of the GDPR.
What research data are in scope of the GDPR?
- GDPR and Identifiable Data
Personal data collected from individuals who are, at the time of data collection, physically present in any of the EEA countries, is subject to GDPR. The GDPR can apply to data collected by a UM person, or data collected by a third party and sent to UM researchers for analysis as part of a collaboration, from a data bank or repository, or pursuant to any other agreement or arrangement.
- GDPR and Coded Data
Under the GDPR, “pseudonymized data” (coded data) is considered personal data even where one lacks access to the key-code/coding system/crosswalk required to link data to an individual data subject.
Example: A non-UM entity collects personal data from subjects who are located in the EEA, codes the data, secures the key, and sends only the coded data to UM, such that UM researchers have no means of accessing the identifiers. This data is considered personal data in the hands of the UM researchers, and is therefore subject to GDPR regulations.
In this scenario, the non-UM entity is considered the “controller” of the data, and harbors greater liability and responsibility for protecting the data, including the management of consent, options for withdrawing consent, coding the data appropriately, and conveying to UM the conditions under which the data are to be used. UM researchers, in most of these cases, would be considered a “processor” of the data under the GDPR. As a processor, a UM researcher is responsible for ensuring that they comply with the controller’s terms for using and safeguarding the data.
Note: Under the US regulations for human subjects research, this type of coded data would not be considered human subject research and therefore would not require IRB review. Because the GDPR imposes significant new requirements for coded data, researchers are urged to consult the IRB office if their research is or may be subject to these regulations.
- GDPR and Anonymized Data
The GDPR does not apply to data that have been anonymized. In order for data to be considered completely anonymized, there can be no key code in existence anywhere that could re-identify the data. Essentially, any record of identifiable information about participants must be destroyed, whether in a system or on paper.
Example: A survey conducted using Qualtrics or another third-party online survey tool where the researcher receives assurances that the data is not linked to any IP address or other identifiable information; or paper records where no information about the participant is collected or recorded.
What are the data processing requirements under the GDPR?
- Under the GDPR a so-called “lawful basis” is needed. This justifies the processing of personal data, and establishes the circumstances under which it is lawful to collect, use, disclose, retain, destroy, or otherwise process personal data. For research involving human participants, informed consent is considered the lawful basis for collecting and processing personal data.
- If the GDPR applies, explicit informed consent must be obtained from data subjects at the point of collection. The consent process must include a description of how a participant’s personal data will be processed, and with whom it may be shared. This consent must describe any planned or expected use of the data. Please see the section of this document on specific consent documentation requirements.
- If data is subject to the GDPR, data subjects must be able to exercise certain rights with respect to the data they provide. Data subjects have the right to access, amendment, erasure (“right to be forgotten”), restriction, and objection to processing. The “controller” of the data (which may or may not be the UM researcher, as explained above) is responsible for responding to these requests from study participants.
- If UM is the controller: In cases where a UM researcher is directly collecting personal data from data subjects (i.e., when UM is acting as the controller), consult with the UM IRB if granting the participants the ability to withdraw data is not feasible for the study and can compromise analysis and outcomes. Otherwise ensure that the data is managed in a way that allows you to honor a request for withdrawal. The study consent form must include an explicit statement about withdrawal and contact information for the IRB.
- If UM is the processor: In cases where a UM researcher is the recipient of coded data from third parties and does not have the key or other mechanism to link data to individuals, contact information for the controller must be provided to participants.
- The GDPR also requires researchers to implement appropriate technical and organizational security measures to ensure a level of data security that is appropriate to the risk of harm to the research participants.
- In the event of a security breach, timely breach notification is required. If a breach occurs in the course of a study involving data that may be protected by the GDPR, the PI must inform the UM IRB and:
  - either notify the appropriate EEA data protection authorities within 72 hours following the discovery of a personal data breach; or
  - without undue delay, notify the applicable controller of the data.
- Contractual documentation is required when personal data is transferred from EEA countries to other jurisdictions that, in the eyes of the EEA, lack adequate data protection laws. The United States is one such jurisdiction. Documentation is required when:
  - controllers provide GDPR-classified data to UM researchers; or,
  - UM researchers use third parties to support their research (e.g. Qualtrics, Skype) where participants may be located in the EEA.
How does this affect my research with human participants?
If your research involves any of the following, your project may be subject to the GDPR:
- Recruitment through social media, such that some participants may be located in the EEA;
- Use of a third-party “processor” (e.g., Qualtrics, Skype) to collect data from participants who may be located in the EEA;
- Direct receipt of data from individuals (participants, collaborators, etc.) located in the EEA;
- Receiving data from third parties that have identified the data as being subject to the GDPR.
What can I do to make my project GDPR compliant?
- Collect the absolute minimum personal/demographic data needed. Consider designing the study such that it can be done anonymously, or record no identifying information. Many online survey sites collect personal information, including IP addresses, by default. Since IP addresses are considered identifiable information, make sure that you need to collect this information for your study. If not, disable this feature. We strongly recommend using Qualtrics as an online survey platform. If other electronic systems are used, consult the IRB office for guidance.
- Use an active (“opt-in”) informed consent. Under the GDPR, consent must be freely given, specific, informed, unambiguous, and explicit. In your consent, include:
  - a description of the data processing and how data will be transferred (electronically or via any other means) to non-EEA jurisdictions. NOTE: Following informed consent language, a button stating “click to proceed to the survey” or similar is considered active consent for these purposes. Silence, pre-ticked boxes, and inactivity do not meet the standard for active consent under the GDPR.
  - details on how to withdraw consent and whom participants may contact to exercise rights under the GDPR (for UM researchers: irb@umt.edu). Feel free to contact the IRB to ensure that your consent form is GDPR compliant.
- Verify that contracts with any third-party website or software applications include language clarifying GDPR roles and responsibilities and specifying mechanisms to be used for global data transfers. Consider that many centrally offered services at UM already have these contractual requirements in place. If you wish to use any other services or software solutions, a data processing agreement will need to be in place. If the third party does not have this agreement language, UM can provide appropriate language.
- For research where identifiable data will be collected, include an executable plan to restrict processing or remove data in the event a participant requests to have their data removed. The informed consent document must notify the participant that their participation is voluntary and that they may leave the study at any point; however, the informed consent need not describe how the data erasure will take place if requested. It is sufficient that these procedures are in place and available internally.
- Use appropriate administrative and technical safeguards to protect the personal data collected.
- In the event of a data breach or suspected loss of data, immediately notify the UM IRB so that appropriate steps can be taken at the University level and proper, timely response and support may be provided.
How is informed consent affected by the GDPR?
Consent records, which must include the time and date of consent, must be maintained for each study participant. In the case of verbal, online, or other undocumented consent, the Principal Investigator is responsible for maintaining a consent log indicating each participant (either by name or study ID number) and the date and time that they provided consent.
Consent must be explicit, and provided in clear, plain language. If a consent form or script serves multiple purposes (as in, a recruitment email that doubles as a consent form), the request for consent must be clearly distinguishable within the document or script.
Participants must be given the right to withdraw consent at any time. Each subject must be informed of this right prior to giving consent. Withdrawing consent must be as easy as giving consent. If you believe that a participant withdrawal would jeopardize your research, consult the IRB.
Consent must be an affirmative action. This means that opt-out procedures or pre-checked boxes indicating consent cannot be used.
Consent must be freely given. Individuals in a position of authority cannot obtain consent, nor can consent be coerced. For example, faculty cannot obtain consent from their own students.
Consent forms must contain the following information:
- The identity of the Principal Investigator;
- The purpose of data collection;
- The types of data collected, including listing any of the following special categories of information that will be gathered:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Processing of genetic data;
- Biometric data for the purposes of unique identification;
- Health data; and/or
- Sex life or sexual orientation information;
- The right to withdraw from the research and the mechanism for withdrawal;
- Data access and data security, including storage and transfer of data;
- Information regarding automated processing of data for decision making about the individual, including profiling;
- How long data will be stored (can be indefinite);
- Whether and under what conditions data may be used for future research, whether or not related to the purpose of the current study.
Does recruiting participants or collecting data online fall under the GDPR?
It might, if you are seeking participants from the EEA countries. However, in cases where a survey is sent to potential participants without a geographical preference, where there is no mechanism by which the location of the participants will be identified, GDPR does not apply. Consult with the IRB office for clarification if you are seeking participants from the EEA countries, and are collecting identifiable personal information.
What is right to erasure (“the right to be forgotten”)?
When consent is used as the lawful basis for processing personal data, mechanisms for the withdrawal of consent must be accessible. Under the GDPR, withdrawing consent for research participation includes the right to erasure of data. If an individual covered by the GDPR contacts you at any point after data collection and asks for their data to be erased, please contact the UM IRB immediately.
If there is a data breach, what needs to happen?
The GDPR has strict rules and timelines for the reporting of data breaches. If you identify that a data breach has occurred involving GDPR-covered research, immediately report the breach to the UM IRB and include the following information:
- Type of breach and timeline of events
- Nature, sensitivity, and volume of personal data
- Severity of consequences for individuals
- Number and characteristics of affected individuals
- Ease of identification of individuals, in light of the breach
- IRB Protocol number