24.6 Security

Review Responsibility: IRB Policy and Procedure Committee

Current Approval Date: August 6, 2008


24.6(a)  General Principles of Security

All research data (including PHI) must be secure and protected, as reasonable, against breaches in confidentiality such as unpermitted uses or disclosures.  This includes research data and/or PHI that is stored electronically (ePHI). HIPAA standards also apply to PHI after project completion when computers, devices and/or media are destroyed or re-formatted for other uses.  The UM Information Technology Office resources and policies which govern data security are available at http://it.med.miami.edu/x1041.xml

The protection of subjects in ALL STUDIES requires the assurance that there are adequate provisions to secure research data.  The IRB shall review the adequacy of a study’s security provisions as a prerequisite for its approval.  Submissions to the IRB should describe the methods of accessing, storing, and safeguarding research data to preserve confidentiality.  This standard shall apply to initial review, continuing review, and review of modifications of research by expedited review procedures or by the convened IRB. 

Guidelines for properly securing research data include the following:

  1. As custodian of a study’s research data, the Principal Investigator shall ensure compliance with institutional data security policies, HIPAA regulations (if applicable) and the IRB-approved security protocol.
  2. The PI must ensure that collaborative research studies involving PHI (or ePHI) from another institution (or under oversight of another IRB) are also approved by the UM IRB prior to receipt of PHI.
  3. Access to research data (including ePHI) should be restricted and controlled. The PI must ensure locks on files, or password or other protections, as applicable (note: access to ePHI must be by password).
  4. The PI must ensure that research data is accessed and used only by personnel authorized by the IRB (as approved study personnel) for such research activity.

Additional requirements under HIPAA for electronic protected health information (ePHI) include:

  1. ePHI should contain only the individual identifiers that are minimally necessary to support the research purpose.
  2. Mobile devices (laptops or PDAs) or electronic storage media (data sticks, tapes, disks) may be used for temporary storage of ePHI if they are encrypted, have automatic logoff features and can be accessed only by password.
  3. ePHI transmitted via a network must be encrypted, password protected and sent only through secure channels. Such transmission should occur only under strong necessity.
  4. Equipment and media that stored ePHI must be re-formatted prior to their disposal or reuse.
  5. Confidentiality agreements must include commitments to store e-mails only on workstations in a secure network and to transmit ePHI only through secure channels.
  6. Webpages storing ePHI should be accessed via secure server lines and only by user ID and role-specific passwords that provide access to selected pages.
  7. ePHI entered through the web must reside within a secure network.
  8. Home and laptop computers that access ePHI within a network must be password protected using a password different from the log-on password. E-mail connections must be encrypted, and anti-virus software or filters should be installed and appropriately updated.

Additional requirements under HIPAA for securing paper records containing PHI include:

  1. PHI must be stored using two-locked filing systems within a locked office or storage room.
  2. Shredding is required to discard printed materials containing PHI with direct identifiers.
  3. Paper-based PHI with direct identifiers should not be carried or sent unless necessary for approved research activities.

Additional requirements under HIPAA for securing faxes containing PHI include:

  1. Faxes are discouraged but, if required, they must be sent and received in a secure environment.
  2. Recipients of faxes should be alerted first that a fax is coming so the recipient can immediately secure the faxed document.

Additional requirements under HIPAA for reporting breaches of privacy, unanticipated problems and reportable events related to ePHI include:

  1. The Principal Investigator must timely inform the HSRO if a security breach of confidentiality has occurred.
  2. The HSRO will coordinate review of ePHI security breaches with ORCA, the Office of Information Technology and the Privacy Offices of UM and/or JHS as applicable.
  3. The HSRO shall forward all findings regarding data security breaches to the IRB for its review and determination.
  4. Violations of HIPAA Security Rules by workforce members shall be reported to the UM Human Resources Department for review and actions pursuant to HR policies.

Human Subjects Research Office

1500 NW 12th Avenue, Ste. 1002, Miami, FL 33136
Tel. 305-243-3195
Copyright, University of Miami, All Rights Reserved