UW Research

Frequently-Asked Questions

Video Conferencing and Privacy Considerations (updated 09.08.2020)

More and more researchers are turning to online video conferencing to conduct research activities. In doing so there are several privacy considerations researchers should consider to ensure data and subject privacy are protected. These include:

Type of Data

What type of information will be discussed with the subject? If it is protected health information (PHI), you must use a HIPAA-compliant communication product. Even if it is not technically PHI, if the information is sensitive (e.g. illegal behavior, gender/sexual orientation, traumatic experiences) use of a HIPAA-compliant product (and the additional protections it affords) may be appropriate.

Recording of Data

If the video conference session will be recorded there are a few things to consider including:

  • Whether consent will be obtained, or participants notified and how this is documented. For example, with many applications (e.g. Zoom) both the audio/visual and any chat sessions may be recorded. Subjects should be made aware of this. Note that for recordings made in WA State, WA State RCW 9.73.030 requires consent, with no option for a waiver.
  • The need for a HIPAA authorization or waiver to use the data for research purposes if the information being recorded is considered PHI.
  • Location of where the recording will be stored. If it is PHI, there might be requirements to maintain the information as part of the individual’s health record in addition to any copy retained for research purposes. The location for storage must also be secure. For example, if the researcher is working from home, they should not store any sensitive data or PHI on their local laptop. If you must store the data locally, the device should be encrypted and the data transferred to a secure, non-portable location at the soonest opportunity. Some conferencing software will offer to keep recordings in their own remote storage systems (cloud). These may or may not be secure (see Vendor Privacy policy considerations below). A better alternative might be to use UW OneDrive, or a UW secured server instead of the vendor-provided software
  • Access to the recording. The location should only be accessible to authorized members of the research team. If you are storing data with the video conferencing software vendor and they have access to the recording, there should be a legally binding agreement in place that limits how that vendor can use or share the data.

Institutional Security Requirements

Whatever product is used must comply with the data security protections approved for the study by the IRB. For PHI, UW Medicine Compliance has its own requirements for how data is accessed, used, transmitted, and stored.

Minor-aged Research Participants

Some UW technology, e.g., Google Classroom and Panopto, cannot be used with minors for any purpose, including research. Others (e.g. Canvas) cannot be used with youth under the age of 13. University recommendations for safe virtual use of technology with minors, including a description of acceptable UW technology (e.g. Zoom, Microsoft Teams) can be found on the UW Privacy Office FAQ under Engaging Youth Virtually. Additional guidance on virtual programs/activities with minors can be found here. For technology questions please contact UW IT. For questions about safe youth engagement in a virtual setting, you can consult with the Office for Youth Programs Development and Support.

Vendor Privacy Policy

For the software selected, it is important to understand the vendor’s privacy policy. It should specify what data they retain or have access to, where it is stored and for what purpose. It should limit their ability to share or sell any data to 3rd parties. If any data will be accessed or used by the vendor or 3rd parties this may require disclosure to subjects during informed consent.

Additional Resources

Updated 09.08.2020