Information privacy is a set of regulations and policies that protects the confidentiality of human subjects and other sensitive research data (e.g., information with national security implications). Researchers must understand what types of data are protected and integrate best practices for securing information as an essential protocol for conducting research.
Human subjects research that is governed by Department of Health and Human Services regulations (the “Common Rule”) must be carried out in a way that minimizes risk to participants. As appropriate, researchers must protect the privacy of subjects and maintain the confidentiality of data.
The Health Information Portability and Accountability Act (HIPAA) Privacy Rule specifies that “covered entities” must protect all individually identifiable health information. Covered entities are defined as health plans, health care providers, and health care clearing houses. Covered entities at Harvard include:
Covered entities can disclose protected health information for research if they:
The National Institutes of Health provides a detailed explanation on how protected health information can be used for research.
In addition to HIPAA, researchers should be aware of federal assurance requirements for research conducted with federal support.
At the state level, Massachusetts has laws that protect the personal information of its residents. Massachusetts defines personal information as a person’s first name (full or first initial) and last name in combination with any of the following data:
Massachusetts has issued a set of standards to protect the personal information listed above. In addition, Massachusetts has specific laws for notifying residents of data security breaches and for records destruction of personal information. Please see the advisory issued by Harvard’s Office of the General Counsel for more information on this legislation.
At the direction of Provost Steve Hyman during the 2010-2011 academic year, the Sponsored Administration Leadership Committee (“SALC”), in collaboration with faculty and administrators at several Schools, the University Chief Information Officer, the University Archives, the Office of the General Counsel and the Office of Technology Development, outlined a set of basic principles to guide the retention and maintenance of research records by Harvard faculty and staff. The principles applicable to access and retention of research data and materials can be found here. In June 2011, outgoing Provost Steve Hyman and incoming Provost Alan Garber adopted these Principles and appointed Anne Margulies, University CIO, and Karen Emmons, HSPH Associate Dean for Research, to chair an ad hoc committee composed of faculty and administrators to expand upon these principles and to prepare guidance applying these principles to the wide range and various methods of research at Harvard.
The Committee developed guidance in the form of Retention and Maintenance of Research Records and Data Frequently Asked Questions (“FAQs”), organized by Principle. The FAQs establish the minimum University requirements for research records and data retention. Each School must appoint a representative responsible for research records and data retention issues, consider discipline-specific issues and provide further guidance beyond these minimal requirements, consistent with best practices of the disciplines contained within that School. The Provost’s Office is charged with assuring that each School appoints such a representative and develops discipline-specific additional guidance for each School that will be consistent with the Principles and this guidance. Once a year, all School representatives, the Provost’s Office and the consultative group described above will meet to discuss outstanding issues and best practices that can be shared across all Schools.
Disposal of confidential information must be performed in such a manner that the confidential information cannot be retrieved or recreated. Harvard has contracted an external vendor for secure disposal of paper records. Secure disposal of electronic records can be accomplished with specific software applications that ensure files are permanently removed from disk storage. Electronic records can also be disposed of by the external vendor. Please see the University Security website for more information on acceptable disposal mechanisms.
The University Technology Security Officer (UTSO) facilitates the development of University-wide security and privacy requirements and policies that support Harvard’s academic and research mission, while safeguarding confidential information. Information about these requirements and policies can be found at the University Security website. Each Harvard school is responsible for implementing these requirements and for developing local policies as needed. The UTSO can offer additional advice if the website does not provide sufficient guidance.
The UTSO, in collaboration with Harvard faculty and the Office of the Provost, has developed a set of guidelines for protecting research information at Harvard. The guidelines are divided into five categories, based on the sensitivity level of the data. Note that Harvard’s guidelines are more comprehensive than the current HIPAA Privacy Rule and Massachusetts law. For example, Harvard requires that individually identifiable human subject data be treated as High Risk Confidential Information, regardless of whether or not the data come from a covered entity. The Harvard Research Data Security Policy can be found on the University Security website.
Any Harvard researcher who wishes to collect or work with human subject information (information that can be used to identify individual people) must contact the appropriate Institutional Review Board (IRB). Note that the use of a data set that includes information about individuals that may allow identification of the individuals must be approved by the appropriate IRB. In addition, researchers should contact the UTSO or their School’s CIO or security officers to ensure that IT systems have the appropriate level of protections.
Research data on human subjects from non-Harvard sources is often accompanied by a use agreement that defines use limitations and/or protection requirements. Individual researchers do not have the authority to sign such use agreements on behalf of the University. Please see the Research Data Protection Process document for instructions on how to fulfill a use agreement.
Researchers should immediately contact their IT security officer if a possible breach has occurred. If the breach may have exposed information protected under MA law (see above), then the researcher, or the local IT security officer, should immediately notify the Office of General Counsel at 617-495-1280, the University CIO at 617-495-9092, and the University Technology Security Officer at firstname.lastname@example.org. Please see the University Security website for more information on reporting requirements.