It is the responsibility of all researchers and staff to be familiar with and to comply with the UNC-Chapel Hill Privacy of Protected Health Information Policy and Transmission of Sensitive Information Standard.

All communication methods used with research participants must first be approved by the IRB. To determine the applicability of this guidance, research teams must determine whether the study in question is regulated under the HIPAA Privacy Rule or if the study is not regulated under HIPAA. This is a study-by-study determination.

Guidance for HIPAA Covered Studies

HIPAA covered studies include studies that require access to patient/participant’s protected health information (PHI) through their medical record.

For studies in which there is access to the medical record for reviewing or recording of data but the study does NOT involve interaction or intervention with research participants (often referred to as secondary data studies or retrospective studies) or studies where study teams receive a full waiver of the HIPAA authorization and waiver of the informed consent process from the IRB, this guidance does NOT apply.

Studies covered under HIPAA which are covered by this guidance often recruit participants from the patient population at a HIPAA covered entity such as UNC Health. These studies may include (but are not limited to) clinical observation studies, studies which involve clinical procedures or tests, or studies that have an intervention such as a drug or device. This guidance focuses on studies covered under HIPAA in which there is an interaction or intervention with the research participants and the participants are asked to sign a consent document and HIPAA Authorization.

For HIPAA covered studies and communications that must contain protected health information, the study team may communicate through unencrypted means (e.g., SMS text, email) after the study participant has consented to such communication by executing the University’s template Consent Addendum for Unencrypted Communication. The study team must limit the content of the communication to the minimum amount of information necessary to accomplish the intended purpose of the communication. Participants should be given the option to receive encrypted communications through the study.

Third-party Communication Platforms for HIPAA-Covered Studies

For HIPAA covered studies, if a research team intends to purchase the services of a third-party telecommunications platform to facilitate communication with study participants, the use and risks to study participants’ data must be addressed by referencing the platform’s Terms of Service in the study informed consent form and/or Consent Addendum for Unencrypted Communication. See Sample Consent Forms – UNC Research.

If the use and risks are adequately addressed in the study informed consent form and/or Consent Addendum for Unencrypted Communication, a business associate agreement is not required for a study team to use the services of a third-party communications vendor to communicate with study participants even if the communications contain protected health information. However, study teams are independently responsible for assessing whether there are other applicable University requirements that govern the purchase of such services including whether a University-approved contract or security risk assessment is required.


Guidance for Non-HIPAA Covered Studies

Studies that do not require access to the participants’ protected health information (PHI) or medical records at any point in the study are not covered under the HIPAA Privacy Rule. These studies do not involve clinical procedures, medical tests, or interventions such as drugs or devices. Participants in non-HIPAA covered studies are often recruited from the general population through means such as flyers or social media ads, or if recruited from a health care institution, access to the medical record is not needed for any component of the study.

For non-HIPAA covered studies, the study team is permitted to communicate with study participants through unencrypted means (e.g., SMS text, email) without the need for an executed University Consent Addendum for Unencrypted Communication. However, the study team must limit the content of the communication to the minimum amount of information necessary to accomplish the intended purpose of the communication, and when possible, should notify the participant that the communications are not encrypted and that there is the risk of loss of confidentiality for this communication method. Participants should be given the option to receive encrypted communications through the study.


FAQs

Can SMS texting and emailing be utilized for study recruitment?

Researchers may use text and email for study recruitment. When researchers are texting or emailing unsolicited information to prospective enrollees for recruitment purposes, communications must not include information about the prospective enrollees’ health or PHI and must include only the minimal amount of information necessary.

Can appointment reminders be sent through SMS text or email?

Researchers may use text and email for appointment reminders and general study reminders, as well as to request that the participant contact the research team. When researchers are texting or emailing appointment reminders or other study reminders, communications must not include PHI or information about the participant’s health status and must include only the minimal amount of information necessary.

Who do I contact with questions?

For questions related to study consent forms, please contact the Office for Human Research Ethics at irb_questions@unc.edu.

For questions related to business associate agreements, the HIPAA authorization for research, or whether a study is covered by HIPAA, please contact the Institutional Privacy Office at privacy@unc.edu.

For questions regarding purchasing services from a third-party vendor, please contact Purchasing Services at purchasing_team@unc.edu.

For questions regarding security risk assessments, please contact the Information Security Office at security@unc.edu.


References

UNC-Chapel Hill Transmission of Sensitive Information Standard

UNC-Chapel Hill Privacy of Protected Health Information Policy

OHRE Approval and Revisions Dates

4/30/24: Initial review and approved by Andy Johns (OVCR), Katherine Georger (OUC), and Carley Emerson (OHRE).