DOE Worker Health-Related Studies and Programs

Privacy

The DOE/HHS Memorandum of Understanding: Communication Through the Worker and Public Health Activities Program on energy-related workplace health effects studies

Personally Identifiable Information (PII)

The loss, theft, or misdirection of personally identifiable information is a violation of existing regulations and can cause harm to individuals if such information is released to the public under any circumstance. One avenue for such release is the loss of information during transmission from one location to another.

  • Requirements: This event highlights the importance of clarifying the Federal and DOE requirements for the steps required to protect the PII of human research subjects and DOE employees.
    • The Federal human subjects protection regulations (45 CFR 46) issued by the HHS Office of Human Research Protections (OHRP) require prompt reporting of any unanticipated problem (such as loss of data) to the IRB, to appropriate institutional and agency officials, and to OHRP. OHRP guidance recommends that the PI report an unanticipated problem to the IRB(s) within 2 weeks and that the PI/the PI’s organization report the unanticipated problem to OHRP within 6 weeks (or within 1 month of notifying the IRB(s)).
    • DOE Order 443.1A also requires prompt reporting to the DOE Human Subjects Research Program Manager, SC-23 (and the DOE Human Subjects Research (HSR) Program Manager, NA-1 for NA sites), and coordination with and approval from the HSR Program Manager in determining plans to correct any noncompliance or to deal with the unanticipated problem. While DOE Order 443.1A does not specify how quickly the HSR Program Manager should be notified, this Office requests that you do so within 48 hours of learning of any unanticipated problem that does not involve PII.
    • However, the definition of “prompt reporting” is different when PII is involved. Federal and DOE requirements (see DOE Order 206.1) require that any incident involving potential loss or compromise of PII be reported immediately (as soon as you learn of the incident) through your Departmental Element and to the DOE-Cyber Incident Response Capability (DOE-CIRC) at 866-941-2472 (doecirc@doecirc.energy.gov). Please coordinate with your site cybersecurity office to report the incident to the DOE-CIRC. Please also report any such incident(s) immediately to the HSR Program Manager(s).
    • Additionally, in accordance with Federal and DOE requirements, PII transferred from one organization to another as part of a human research project (when/as authorized by the approving IRBs, the responsible DOE Program Office, and the research/screening participant) must first be encrypted consistent with PII protection requirements stated in DOE M 205.1-7 using a program such as Entrust.
  • Additional expectations:
    • Examine and modify your operating policies and procedures as necessary to address unanticipated problems. Ensure that your policies and procedures include a requirement for immediate notification of appropriate parties when there is potential loss or compromise of PII. The procedures should also outline the range of the IRB’s possible actions in response to reports of unanticipated problems.
    • Examine the protocol of each ongoing project approved by your IRB (and ensure there is a procedure in place for IRB review of future protocols) to verify that the protocol has a clear and detailed plan for protecting PII in accordance with Federal and DOE requirements, including encryption of any data to be transferred and immediate notification of any incident involving potential compromise or loss of PII data.
    • Notify Elizabeth White, HSR Program Manager (and, also for NNSA sites, John Ordaz, NNSA HSR Program Manager) when the above actions have been completed. This should be a high priority for the IRBs, and should be completed as soon as possible and no later than June 30, 2009.
    • Questions or requests for additional information should be directed as noted below:
    • Elizabeth (Libby) White
      DOE Program Manager, Protection of Human Research Subjects, SC-23.2
      Office of Biological and Environmental Research (BER)
      Phone: 301-903-7693
      Fax: 301-903-0567
      E-mail: elizabeth.white@science.doe.gov

      and, as appropriate:

      John Ordaz
      DOE Human Subjects Research Program Manager, NA-1
      National Nuclear Security Administration
      Phone: 202-586-0142
      E-mail: John.Ordaz@nnsa.doe.gov

Coalition for Patient Rights (CPR)
CPR consists of 34 organizations representing a variety of licensed health care professionals who provide a diverse array of safe, effective, and affordable health care services to millions of patients each year. CPR is committed to advocating for the practice rights of its members for the sake of their patients who rely on them for the many and varied services they provide.

Health Privacy Project
The Health Privacy Project is dedicated to raising public awareness of the importance of ensuring health privacy in order to improve health care access and quality, both on an individual and a community level.

HHS Medical Privacy—National Standards to Protect the Privacy of Personal Health Information Web site
Resources on protecting the privacy of personal health information on the HHS site. Includes a link to the Privacy Rule and other related resources.

Privacy Web Sites of Interest

Content reviewed: May 7, 2012