Information Privacy


Overview

Information privacy is a set of regulations and policies that protects the confidentiality of human subjects and other sensitive research data (e.g., information with national security implications). Researchers must understand what types of data are protected and integrate best practices for securing information as an essential protocol for conducting research.


External Oversight

Federal Legislation

Human subjects research that is governed by Department of Health and Human Services regulations (the “Common Rule”) must be carried out in a way that minimizes risk to participants.  As appropriate, researchers must protect the privacy of subjects and maintain the confidentiality of data.

The Health Information Portability and Accountability Act (HIPAA) Privacy Rule specifies that “covered entities” must protect all individually identifiable health information.  Covered entities are defined as health plans, health care providers, and health care clearing houses.  Covered entities at Harvard include:

  • Harvard University Health Services
  • Dental Clinic at the Harvard School of Dental Medicine
  • Benefits Services Group in the Office of Human Resources

Covered entities can disclose protected health information for research if they:

  • De-identify the data (i.e., make the data anonymous)
  • Obtain written authorization from the individual
  • Obtain a waiver or alteration of the authorization requirement from an Institutional Review Board (IRB) or a Privacy Board (Harvard has the former)

The National Institutes of Health provides a detailed explanation on how protected health information can be used for research.

In addition to HIPAA, researchers should be aware of federal assurance requirements for research conducted with federal support.

State Legislation

At the state level, Massachusetts has laws that protect the personal information of its residents.  Massachusetts defines personal information as a person’s first name (full or first initial) and last name in combination with any of the following data:

  • Social Security Number
  • Driver’s license or state-issued identification number
  • Financial account, credit card or debit card number

Massachusetts has issued a set of standards to protect the personal information listed above.  In addition, Massachusetts has specific laws for notifying residents of data security breaches and for records destruction of personal information.  Please see the advisory issued by Harvard’s Office of the General Counsel for more information on this legislation.


Harvard Policies, Procedures & Guidance

Data Protection

The University Technology Security Officer (UTSO) facilitates the development of University-wide security and privacy requirements and policies that support Harvard’s academic and research mission, while safeguarding confidential information.  Information about these requirements and policies can be found at the University Security website.  Each Harvard school is responsible for implementing these requirements and for developing local policies as needed. The UTSO can offer additional advice if the website does not provide sufficient guidance.

The UTSO, in collaboration with Harvard faculty and the Office of the Provost, has developed a set of guidelines for protecting research information at Harvard.  The guidelines are divided into five categories, based on the sensitivity level of the data.  Note that Harvard’s guidelines are more comprehensive than the current HIPAA Privacy rule and Massachusetts law.  For example, Harvard requires that individually identifiable human subject data must be treated as High Risk Confidential Information, regardless of whether or not the data come from a covered entity.  The Harvard Research Data Security Policy can be found on the University Security Website.

Any Harvard researcher who wishes to collect or work with human subject information (information that can be used to identify individual people) must contact the appropriate Institutional Review Board (IRB).  Note that the use of a data set that includes information about individuals that may allow identification of the individuals must be approved by the appropriate IRB. In addition, researchers should contact the UTSO or their School’s CIO or security officers to ensure that IT systems have the appropriate level of protections.

Research data on human subjects from non-Harvard sources is often accompanied by a use agreement that defines use limitations and/or protection requirements.  Individual researchers do not have the authority to sign such use agreements on behalf of the University.  Please see the Research Data Protection Process document for instructions on how to fulfill a use agreement.

Security Breaches

Researchers should immediately contact their IT security officer if a possible breach has occurred. If the breach may have exposed information protected under MA law (see above), then the researcher, or the local IT security officer, should immediately notify the Office of General Counsel at 617-495-1280, the University CIO at 617-495-9092, and the University Technology Security Officer at scott_bradner@harvard.edu.  Please see the University Security website for more information on reporting requirements.

Records Retention and Maintenance

In June of 2011, Provost Hyman approved a basic set of principles for the Retention and Maintenance of Research Data and Materials.  A Committee composed of academic leaders from the schools will be convened by the Provost's Office to expand upon these principles in order to prepare guidance that will apply these principles to the wide range and various methods of research at Harvard.  The principles applicable to access and retention of research data and materials can be found here.

Records Disposal

Disposal of confidential information must be performed in such a manner that the confidential information cannot be retrieved or recreated.  Harvard has contracted an external vendor for secure disposal of paper records.  Secure disposal of electronic records can be accomplished with specific software applications that ensure files are permanently removed from disk storage.  Electronic records can also be disposed of by the external vendor. Please see the University Security website for more information on acceptable disposal mechanisms.
