UW Research

Information Privacy and Security

Additional requirements may be imposed on information by federal or state law, regulation, or specific terms and conditions that apply to the award.

Examples:

When information is restricted, it must be secured according to standards outlined in the award, or in authorizing regulation (e.g. NIST standards under FISMA). This ongoing responsibility requires direct project oversight under the authority of the Principal Investigator. This is typically achieved through budgeting for and maintaining an IT specialist and/or Project Manager to implement security requirements and monitor that they are met.

More guidance on protecting data is available from the UW Chief Information Security Office.

The University maintains information security standards and guidelines, which are met through UW-provided systems, to comply with federal regulations.

Requirements for Human Subjects Research

Data Security Requirements

Data security requirements for human subjects research reviewed by the UW Institutional Review Board (IRB) are outlined in this document.

Use of Protected Health Information (PHI)

Obtaining and using identifiable healthcare record information for human subjects research must comply with HIPAA regulations. See the UW IRB’s HIPAA guidance and HIPAA Authorization form.

Identifiable UW Records

Obtaining and using identifiable UW record information for human subjects research without the consent of the subjects requires a Confidentiality Agreement, as described in this Guidance. These records may be from any UW administrative unit, such as: UW Medicine medical records, Office of the Registrar, departmental student records, Dental Clinic healthcare records, etc.

Federal Certificate of Confidentiality

A researcher may obtain, or the UW IRB may require, a Certificate of Confidentiality (CoC) from a federal agency (such as NIH) to protect sensitive identifiable human subjects data against subpoenas and other legal actions.

Principal Investigator (PI) CoC Responsibilities

NIH Funded Research

A CoC automatically applies to all active NIH-funded research projects.
Data collected while NIH funding is active is permanently protected under a CoC, even after your funding has ended and your study has been completed. Review guidance for Sharing/Disclosing CoC Protected Information.

CoC Decision Tree: Is my NIH research subject to a CoC?

All Other Research

Researchers must apply to the appropriate federal agency for a CoC. Review: Apply for, Extend, or Modify a Certificate of Confidentiality.

Privacy Certificate

Research funded by the federal Department of Justice is required to obtain a Privacy Certificate, which is very similar to a Certificate of Confidentiality. See this Guidance.