Report Potential Breaches of Privacy or Confidentiality Within 48 Hours

Potential breaches of privacy or confidentiality of study participants’ Protected Health Information (PHI) are considered “major (reportable) incidents” that must be reported to the HRPP/IRB. The IRB collaborates with the UCSF Privacy Office to investigate these incidents to meet state and federal regulatory obligations in a timely fashion.

The Privacy Office must complete its investigation into a potential breach of privacy or confidentiality within a short time frame in order to avoid penalties and/or late reporting fines for the institution.

Therefore, Principal Investigators must submit a Protocol Violation/Incident Report Form in iRIS within 48 hours of their first awareness of a violation or incident involving a breach of privacy or confidentiality involving PHI.

Some examples of major incidents involving privacy or confidentiality include the following:

  • Failure to properly execute a HIPAA Research Authorization Form due to
    • Missing a participant’s signature or date
    • Missing initials next to an information type in Section C that has been or will be accessed by the research team
    • Accessing items in Section B that are not approved for access or release by the participant
  • Failing to obtain a properly executed Consent Form due to
    • Missing a participant’s signature or date
  • Mailing, emailing or otherwise communicating identifiable study participant information to an unauthorized individual (e.g., incorrect participant, incorrect mailing address, incorrect e-mail address, etc.)
  • Failing to redact identifiable study participant information sent to a study sponsor (only if the IRB Application and consent form require de-identification)

If you have any questions about reporting an incident involving privacy or confidentiality, please contact the IRB at 415-476-1814 / [email protected] or contact the Privacy Office at 415-353-2750 / [email protected].