Potential breaches of privacy or confidentiality of study participants’ Protected Health Information (PHI) are considered “major (reportable) incidents” that must be reported to the HRPP/IRB. The IRB collaborates with the UCSF Privacy Office to investigate these incidents to meet state and federal regulatory obligations in a timely fashion.

The Privacy Office must complete its investigation into a potential breach of privacy or confidentiality within a short time frame in order to avoid penalties and/or late reporting fines for the institution.

Therefore, Principal Investigators must submit a Protocol Violation/Incident Report Form in iRIS within 48 hours of their first awareness of a violation or incident involving a breach of privacy or confidentiality involving PHI.

Some examples of major incidents involving privacy or confidentiality include the following:

• Failure to properly execute a HIPAA Research Authorization Form due to
  • Missing a participant’s signature or date
  • Missing initials next to an information type in Section C that has been or will be accessed by the research team
  • Accessing items in Section B that are not approved for access or release by the participant
• Failing to obtain a properly executed Consent Form due to
  • Missing a participant’s signature or date
• Mailing, emailing or otherwise communicating identifiable study participant information to an unauthorized individual (e.g., incorrect participant, incorrect mailing address, incorrect e-mail address, etc.)
• Failing to redact identifiable study participant information sent to a study sponsor (only if the IRB Application and consent form require de-identification)

If you have any questions about reporting an incident involving privacy or confidentiality, please contact the IRB at 415-476-1814 / [email protected] or contact the Privacy Office at 415-353-2750 / [email protected].