Unencrypted Communication for Human Subject Research FAQ
A1. Unencrypted communication is methods of communication that do not meet the encryption requirements as outlined in the Transmission of Sensitive Information Standard.
|Examples of Encrypted and Unencrypted Communication|
|E-mails using the “Secure” functionality||E-mails not using the “Secure” functionality|
|“Messages” through an encrypted/secure platform||Direct SMS messages, e.g. cell phone to cell phone|
A2. In IRBIS section A.4.6, please select un-encrypted messaging and then two additional sections will populate for completion: 1) Purpose/Types of Messages, 2) addition information/details about the message. As a reminder, this “free text” field is not to utilize types of messages outside the outlined usages
Q3. Do I need to submit a modification or request IRB approval if I want to send subjects unencrypted messages (email/text)?
A3. If you have previously been approved to send subjects messages through encrypted means (e.g. PHI compliant messaging platform), this does not require any modification or change. For all utilization of “unencrypted” communication that involves sensitive information or PHI (security tier 2 or 3) that was previously approved in applications, the application should be updated, and the consent language or consent addendum utilized as soon as possible after approval. For all new requests regardless of when the study was started a modification will be required to send unencrypted messages, please include in the modification description and do not proceed to utilize unencrypted messages until approved by the IRB.
Q4. Will the IRB approve all requests for sending unencrypted messaging and do I need to submit the material I will be sending?
A4. The federal regulations require that IRB’s determine the adequacy of provisions to protect the privacy of subjects and to maintain the confidentiality of their data which is separate from the provisions for HIPAA. The IRB may or may not approve a request for utilization of text messaging dependent upon the specifics of the study (population, design, sensitivity). As unencrypted messaging is limited for research participants to the minimally amount necessary in regard to reminders, requests to complete activities, or to have participants review their encrypted messages or call a study team member, the OHRE views this similar to other communication such as phone calls and encrypted emails and do not need to review templates of language that will be utilized.
A5. Yes, as a reminder communication that is not encrypted (texting and un-encrypted email) should be limited to the minimally amount necessary, and only for items such as reminders, requests to complete activities (e.g., surveys), or for participants to review their encrypted email or call study team members. As personal cell phones may be used please remind subject at the time of enrollment and periodically throughout the study that texting should not be used to obtain medical or other emergency help or clinical care.
A6. The selections in IRBIS are to ensure that UNC is not sharing information that may place subjects at increased risk. If your study has a need to share information outside reminders, requests to complete activities, or to review their encrypted emails or contact study team members, please reach out to your IT liaisons and the OHRE to identify if there is a technology that may support this type of messaging to the appropriate security tier.
A1. No, as you are required to have the participants consent to send unencrypted communication on a study by study basis, texting should not be initiated until after the participant has consented to both participate in the study and to receive unencrypted communications. Also record retention of texting messages is difficult to obtain and would be challenging to meet the federal requirements for documentation of consent.
Q2. If I have consent to text as part of the patients consent to treatment form, can I text with the subject about research participation.
A2. No, as this does not meet regulatory requirements in regard to HIPAA. We also do not consider this adequate to protect subject’s privacy and also maintain confidentiality of data in regard to OHRP and FDA requirements, as the participant has not been given the opportunity to consider receipt of unencrypted messages in the context of the research when completing the consent to treatment form for clinical purposes.
Q3. Do I have to give subjects the option to receive unencrypted messages or can we just say they have to agree to unencrypted messages?
A3. Participants must be given the option to receive unencrypted communication, unless the study’s design is specific to study the unencrypted messaging platform (e.g. studying how text messaging a participant reminder effects their adherence rate to keeping study visits). If the study’s design is not studying the unencrypted messaging platform, participants must be allowed to continue participation even if they do not want to receive unencrypted messages. The appropriate language has been provided in the unencrypted messaging consent addendum and regular consent templates.
A4. Depending upon the specifics of the study you may wish to instruct patients to “delete” text messages after receiving and reading. Participants should also notify the study team if they lose or have their phone stolen so text messages can be discontinued, or a consent addendum for unencrypted communication can be signed to receive messages at an alternate number.
A5. Not unless this is the number or email, they provide in the consent form or addendum. The OHRE’s “Consent Addendum for Unencrypted Communication” and language added to the consent form includes a place for a participant’s cell phone number for text messages or e-mail they want to be communicated with. If this number or email is no longer active, or the participant does not respond, alternate numbers should not be utilized unless the individual signs the “consent addendum for Unencrypted Communication” and provides a new cell phone number or email.
A6. If you have a study that is existing and have no plans to reconsent for other purposes or limited to updating the participant’s unencrypted communication information (cell phone number or email), please utilize the “Consent Addendum for Unencrypted Communication”, as this is specific to permission for unencrypted messaging. If you will be reconsenting for the entire study, or have a new study, please incorporate the language into your consent form or utilize the IRBIS Consent Builder
A7. The templated language was created in collaboration with the Privacy Office, the Policy Office, the Office of Clinical Trials, and ITS, and meets the UNC Transmission of Sensitive Information Standard’s exception requirements for obtaining consent. Alternative language can be considered but is at the discretion of the IRB and must meet the consent form requirements as outlined in the standard.
A1. At this time texting will not be permitted for minors (under the age of 18 in NC, unless they are considered “Age of Majority” (please refer to Age of Majority Policy), this may be a topic that can be re-reviewed in the future. For a study that involves children, unencrypted communication with the child’s parent or legal guardian is permitted if consent is obtained as required.
A2. If the participant needs language translated and the study team has the ability to provide appropriately translated unencrypted communication, they may communicate in a language that is preferred by the subject. If they are unable to communicate in the participants preferred language, the study team should ensure that during the consent process for unencrypted messaging this is shared with the participant as they may have resources to translate messages or may prefer not to receive text messages.
Q3. Can I send my unencrypted communication to participants in a group message or have multiple individuals listed in the “To/Recipient” field?
A3. No, messages should be sent to individuals without identifying or sharing information on other participants, unencrypted emails could utilize the “BCC” feature, or other functionality that allows for recipients not to “know” or identify each other by sharing emails, phone numbers, names, or other identifiable information.