Skip to main content

It is the responsibility of all researchers and staff to be familiar with and to comply with the UNC-Chapel Hill Privacy of Protected Health Information Policy and Transmission of Sensitive Information Standard.

All communication methods used with research participants must first be approved by the IRB. To determine the applicability of this guidance, research teams must determine whether the study in question is regulated under the HIPAA Privacy Rule or if the study is not regulated under HIPAA. This is a study-by-study determination.

OHRE Town Hall: Communicating with Research Participants through Email or Text

In this video, OHRE Director Carley Emerson walks through OHRE’s new guidance for communicating with research participants through email or text and answers audience questions. OHRE Associate Director of Operations Celeste Cantrell discusses new changes in IRBIS. Recorded on Zoom 07/24/2024. Click here for a PDF of the slides.

Guidance for HIPAA Covered Studies

HIPAA covered studies include studies that require access to patient/participant’s protected health information (PHI) through their medical record.

For studies in which there is access to the medical record for reviewing or recording of data but the study does NOT involve interaction or intervention with research participants (often referred to as secondary data studies or retrospective studies) or studies where study teams receive a full waiver of the HIPAA authorization and waiver of the informed consent process from the IRB, this guidance does NOT apply.

Studies covered under HIPAA which are covered by this guidance often recruit participants from the patient population at a HIPAA covered entity such as UNC Health. These studies may include (but are not limited to) clinical observation studies, studies which involve clinical procedure or tests, or studies that have an intervention such as a drug or device. This guidance focuses on studies covered under HIPAA in which there is an interaction or intervention with the research participants and the participants are asked to sign a consent document and HIPAA Authorization.

For HIPAA covered studies and communications that must contain protected health information, the study team may communicate through unencrypted means (e.g., SMS text, email) after the study participant has consented to such communication by executing the University’s template Consent Addendum for Unencrypted Communication. The study team must limit the content of the communication to the minimum amount of information necessary to accomplish the intended purpose of the communication. Participants should be given the option to receive encrypted communications through the study. Back to top

Third-party Communication Platforms for HIPAA-Covered Studies

For HIPAA covered studies, if a research team intends to purchase the services of a third-party telecommunications platform to facilitate communication with study participants, the use and risks to study participant’s data must be addressed by referencing the platform’s Terms of Service in the study informed consent form and/or Consent Addendum for Unencrypted Communication. See Sample Consent Forms – UNC Research.

If the use and risks are adequately addressed in the study informed consent form and/or Consent Addendum for Unencrypted Communication, a business associate agreement is not required for a study team to use the services of a third-party communications vendor to communicate with study participants even if the communications contain protected health information. However, study teams are independently responsible for assessing whether there are other applicable University requirements that govern the purchase of such services including whether a University-approved contract or security risk assessment is required. Back to top


Guidance for Non-HIPAA Covered Studies

Studies that do not require access to the participants’ protected health information (PHI) or medical records at any point in the study are not covered under the HIPAA Privacy Rule. These studies do not involve clinical procedure, medical tests, or interventions such as a drugs or devices. Participants in non-HIPAA covered studies are often recruited from the general population through means such as flyers or social media ads, or if recruited from a health care institution, access to the medical record is not needed for any component of the study.

For non-HIPAA covered studies, the study team is permitted to communicate with study participants through unencrypted means (e.g. SMS text, email) without the need for an executed University Consent Addendum for Unencrypted Communication. However, the study team must limit the content of the communication to the minimum amount of information necessary to accomplish the intended purpose of the communication, and when possible, should notify the participant that the communications are not encrypted and that there is the risk of loss of confidentiality for this communication method.  Participants should be given the option to receive encrypted communications through the study. Back to top


References

UNC-Chapel Hill Transmission of Sensitive Information Standard

UNC-Chapel Hill Privacy of Protected Health Information Policy

OHRE Approval and Revisions Dates

4/30/24: Initial review and approved by Andy Johns (OVCR), Katherine Georger (OUC), and Carley Emerson (OHRE).