Resource Guides: Research Data Management Resources: Data Privacy and Ethics

Data Privacy and Protection of Human Subjects

HIPAA

One of the laws that covers human subject data, particularly medical data, is the Health Insurance Portability and Accountability Act (HIPAA) which has requirements for the privacy and security of personally identifiable information.

UMass Chan HIPAA Compliance Web Page
Information about HIPAA regulations, including de-identification certification and authorization to disclose PHI for research forms.
Health Information Privacy
Department of Health and Human Services resources on the Health Insurance Portability and Accountability Act (HIPAA).

Institutional Review Board

All UMass Chan Morningside Graduate School of Biomedical Sciences Basic Science students and postdocs must take CITI Training.

Human Subjects Research, IRB Essentials, and Data Management
Video tutorial from the UMass Chan Institutional Review Board (IRB) covering the basics of what requires IRB approval and how the IRB intersects with data management. [27 minutes. UMass Chan login required.]
UMass Chan Institutional Review Board (IRB)
The IRB provides approval, guidance, and standards for human subjects research, and maintains a record of all human subject research conducted at UMass Chan.
Office for Human Research Protections
Policy and advocacy for subjects involved in Department of Health and Human Services research.

Data De-identification

The Safe Harbor method for de-identification requires that all of the following personal identifiers be removed for the data to qualify as de-identified:

Names
Geographic subdivisions smaller than a state (except for 3-digit zip codes where the population is greater than 20,000)
Dates other than year (except birth years that reveal an age of 90 or older, which must be aggregated so as to reveal only that the individual is age 90 or over)
Names of relatives and employers
Telephone and fax numbers
E-mail addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle or other device serial numbers
Web URLs
Internet protocol (IP) addresses
Finger or voice prints
Photographic images
and any other unique identifying number, characteristic, or code

HHS Deidentification Guidance
Describes protected health information and provides guidance on the Expert Determination and Safe Harbor de-identification methods. From the US Department of Health and Human Services.

Resources from the UK Data Service:

De-identification tool:

NLM-Scrubber
Freely available clinical text deidentification tool which uses an automated Safe Harbor process to deidentify the data. Review to ensure deidentification is complete is still required.

Research Compliance, Data Integrity, and Ethics

Research Compliance at UMass Chan
Within the Office of Research, this group oversees and maintains UMass Chan standards for research.
Office of Research Integrity
Federal agency that oversees Public Health Services research integrity.

Actions that undermine data integrity include data fabrication, falsification, and misattribution. For example, many journals, such as the Journal of Cell Biology, have strict editorial policies regarding images and image manipulation that, if not followed, result in the rejection and/or retraction of papers.

Retraction Watch Database
User guide for the Retraction Watch Database where you can filter the retracted articles by reason including concerns with data.

Other research ethics standards which impact research data at UMass Chan

Morningside Graduate School of Biomedical Sciences Research Ethics
Certification requirements for Morningside Graduate School of Biomedical Sciences students.
UMass Chan Institutional Animal Care and Use Committee (IACUC)
UMass Chan intranet site of the department responsible for the ethical treatment of laboratory animals.

Data Ethics Case Studies

The ethical aspects of data are many. Examples include defining ownership of data, obtaining consent to collect and share data, protecting the identity of human subjects and their personal identifying information, and the licensing of data. Below are several ethics cases from Responsible Conduct of Research Casebook: Data Acquisition and Management a publication from the Office of Research Integrity at the U.S. Department of Health and Human Services.

There are generally four matters of data acquisition and management that need to be addressed at the outset of a study: (1) collection, (2) storage; (3) ownership, and 4) sharing. These cases and role play present common scenarios that occur at various stages of data acquisition and management. Issues discussed include acquiring sensitive data, sharing data with colleagues, and managing data collection processes.

Case One: A researcher wants to sequence the genomes of children with cancer, eventually making them publicly available online, but encounters issues with adequate data protection and parental consent.

Case Two: After working with her advisor to develop a sophisticated database, the postdoc wants access to the database in order to submit a grant proposal but runs into trouble when seeking the advisor’s permission.

Case Three: A post-doc has a novel idea after observing a procedure during residency, but he needs access to a large amount of clinical data, including medical record numbers, so that he can eventually recruit individuals to participate in his research.

Role Play: An assistant professor places her data on the NIH’s database of genotypes and phenotypes (dbGaP) only to find that a leading researcher has published a paper using the data shared in the NIH database before the one-year embargo period was up.

From the U.S. Office of Research Integrity's RCR Casebook Stories about Researchers Worth Sharing edited by James M. DuBois