Report Potential Breaches of Privacy or Confidentiality Within 48 Hours

Please note: This bulletin was originally published in April 2017 and has been updated in June 2026 to reflect current guidance.

Potential breaches of privacy or confidentiality of study participants’ Protected Health Information (PHI) are considered “major (reportable) incidents” that must be reported to the HRPP/IRB. The IRB collaborates with the UCSF Privacy Office to investigate these incidents to meet state and federal regulatory obligations in a timely fashion.

The Privacy Office must complete its investigation into a potential breach of privacy or confidentiality within a short time frame in order to avoid penalties and/or late reporting fines for the institution.

  • It is the responsibility of the study team whose data is affected by the incident to notify the UCSF Privacy Office of all research privacy incidents, unless the incident meets one of the Research Privacy Notification Exceptions.
  • Therefore, Principal Investigators must submit a report to the Privacy office  within 48 hours of their first awareness of a violation or incident involving a breach of privacy or confidentiality involving PHI. 
  • If notification is required, attest below that the Privacy Office has been notified and include any recommendations or guidance received in response.
  • Submit a Privacy Incident Report.

IRB review:

  • Submission to the IRB is also required whenever IRB approved Privacy protocols are violated. Submit a Reportable New Information (RNI) form to the IRB within 10 working days in Research Gateway IRB (ReGI).

Some examples of major incidents involving privacy or confidentiality include the following:

  • Failure to properly execute a HIPAA Research Authorization Form due to
    • Missing a participant’s signature or date
    • Missing initials next to an information type in Section C that has been or will be accessed by the research team
    • Accessing items in Section B that are not approved for access or release by the participant
  • Failing to obtain a properly executed Consent Form due to
    • Missing a participant’s signature or date
  • Mailing, emailing or otherwise communicating identifiable study participant information to an unauthorized individual (e.g., incorrect participant, incorrect mailing address, incorrect e-mail address, etc.)
  • Failing to redact identifiable study participant information sent to a study sponsor (only if the IRB Application and consent form require de-identification)

If you have any questions about reporting an incident involving privacy or confidentiality, please contact the IRB at 415-476-1814 / [email protected] or contact the Privacy Office at 415-353-2750 / [email protected].