Skip to main content

FAQs for Guidance on Communicating with Research Participants through Email or Text

Texting-Specific Recruitment Guidelines

What are the main changes in the revised guidance, published 4/30/24?

  • For studies covered under the HIPAA Privacy Rule: The revised guidance clarifies that texting and email are permitted for recruitment prior to the Unencrypted Communication language being signed by participants, but messages must contain the minimally necessary information and not include any PHI or other sensitive information that may inadvertently disclose a disease, medical condition, or other personal information to a third party.
  • For studies NOT covered under the HIPAA Privacy Rule: The revised guidance clarifies that texting and email are permitted for recruitment but messages must contain the minimally necessary information and not include any Personally Identifiable Information (PII) that may inadvertently disclose a disease, medical condition, or other personal information to a third party. In addition, the Unencrypted Communication language is no longer needed for studies that are not covered under HIPAA.
  • Emails and text messaging are permitted with minors if the parent or parents have provided consent for their child to receive unencrypted communications for purposes of the research, the minor provides assent, AND the communications do not contain sensitive information.
  • Participants may provide a new cell phone number or email address without the participant signing a new consent, as long as the participant has given verbal permission and the researcher documents the verbal permission in the research record. Back to top

What are encrypted communications?

Encrypted communications are those that are sent through a secure connection, such as VPN, HTTPS, SFTO, etc, between each endpoint OR through encryption of the file/information being sent.

Unencrypted communication are methods of communication that do not meet the encryption requirements as referenced above and as outlined in the UNC-CH ITS Transmission of Sensitive Information Standard.

Unencrypted messages are not protected and therefore it is possible the participant’s personal information could be shared or intercepted by individuals outside of the study team.

Examples of Encrypted and Unencrypted Communication

Encrypted

Unencrypted
E-mails using the “Secure” functionality E-mails not using the “Secure” functionality
“Messages” through an encrypted/secure platform approved by ITS Direct SMS messages, e.g. cell phone to cell phone text messages

Back to top

What studies are covered under HIPAA?

It is the responsibility of all researchers and staff to be familiar with and to comply with the UNC-Chapel Hill Privacy of Protected Health Information Policy. HIPAA’s requirements apply to records of individually identifiable health information in the control of health care clearing houses, health plans, and health care providers that transmit any health information electronically to carry out financial or administrative transactions related to health care or health insurance. The individually identifiable health information in these records is called Protected Health Information (“PHI”). Back to top

How to the University’s Information Classification Standards relate to this guidance?

Per the UNC-Chapel Hill Information Classification Standard, Tier 2 or Tier 3 information transmitted on behalf of the University must be encrypted. This includes Protected Health Information (PHI) and any other Sensitive Information (SI) data shown in the UNC-Chapel Hill Information Classification Standard.

Information that does not meet Tier 2 or 3 classification is not required to be encrypted per the standard. Back to top

Will the IRB always approve of requests for sending unencrypted messaging to individuals?

The federal regulations require that IRBs determine the adequacy of provisions to protect the privacy of subjects and to maintain the confidentiality of their data which is separate from the provisions for HIPAA. The IRB may or may not approve a request for utilization of text messaging or email messaging dependent upon the specifics of the study (population, design, sensitivity). Back to top

When should we use the unencrypted communications language in the consent form for research studies?

For studies covered under HIPAA, participants should be asked to sign the consent form with the unencrypted communications language as soon as possible if messaging throughout the study will contain PHI. Sensitive information and/or PHI may not be sent through unencrypted means prior to the participant signing the consent.

For non-HIPAA covered studies, while the unencrypted communications language is not required, the consent form must still state the methods of communications and the risks of unencrypted messaging so that participants understand there is the risk for loss of confidentiality if the communications are intercepted.  Participants must be given the opportunity to decline to receive unencrypted communication and must still be able to participate in the study. Back to top

Are there exceptions to requirements for use of encrypted communications?

The requirement for encryption of information being transmitted for research purposes is exempted from this guidance if:

  • Documented consent is obtained from the participant or someone with the authority to consent on their behalf that states they agree to receive unencrypted communications, including the minimum necessary PHI, for the purpose of the research study.
  • The research communications do not contain any sensitive information (PHI and/or personally identifiable information). Back to top

How do I request use of unencrypted communication prior to obtaining consent from the participant?

In IRBIS section B.3 (moved from A.4.6) answer whether you will use text or email to communicate with participants during the study then answer if the communications will include sensitive information and if you the study population includes minors.

The detailed plan for text message and/or email communication must be clearly described in the application. All text content and email content MUST be IRB approved before use with study participants. 

Language pertaining to communications will auto populate in the consent builder based on your selections.

Screenshot of IRBIS

Back to top

May I use unencrypted text messages or emails for participant recruitment?

Text messaging or emailing may be used to recruit research participants when necessary but first requires IRB review and approval. Justification for using texting or emailing for recruiting will be required, and the content will be reviewed by the IRB. You should state in the IRB application how you received the individual’s contact information.

IRBIS has been updated to offer the option of Email or Text Messaging in Section B.1 regarding recruitment.

Messages must contain minimally necessary information regarding the purpose of the study and must exclude any reference to a specific disease, medical condition, or name of the PI.   While the potential participants’ name and email address or phone number are considered PHI if obtained from the medical record, this information is necessary to communicate and is permitted. If your email signature contains information that could be used to deduce the disease or condition, it is recommended you just include your name and UNC but don’t include information citing a specific center, such as cancer or infectious diseases.

Text messages should be limited to recruiting prospective eligible subjects and the text message must provide information for the individual to contact the research team if they are interested or have questions.  If the potential participant responds via text and expresses interest, the research team can text non-sensitive information back but must arrange to contact the individual via phone to provide more information about the study as soon as possible.  Consent forms should not be texted or emailed to a potential participant unless they have verbally agreed to receive it through unencrypted means. This agreement should be documented by the researchers.

Informed consent should be obtained as soon as possible, and if texting continues to be used to communicate sensitive information with the participant, the participant must sign the consent with the Unencrypted Communications language.

Recruitment texts should not be sent more frequently than one message a week with a maximum of three attempts. The individual should be provided with the option to stop receiving text messages in every text message.

Back to top

Language that is appropriate to be included in text messages or emails for recruitment includes:

  • A brief description of the study that does not include PHI, disease status, medical condition, department conducting the research, or any other potentially sensitive information that could inadvertently disclose a medical status to someone other than the individual;
  • An opportunity to state they are not interested and to opt out of receiving future communications for the research study.

Specific examples include:

Text/email direct recruitment methods from contact information obtained from Epic/MyChart or research registries.

  • Example: We are contacting you because you may qualify for a research study that involves … (ex: completing a survey, participating in a focus group, assessing patient outcomes, collecting blood samples, testing a new investigational drug/device, etc) being conducted by UNC at Chapel Hill. Please respond Yes if you are interested in learning more information about the study. Please respond No if you are not interested, and you will not receive any more messages about this study.

Research visit appointment reminders

  • Reminder: Your UNC-Chapel Hill research study visit is scheduled for this week. Please contact the research team at (phone number) with questions or if you need more information about the visit.

Requests to complete study activities

  • Reminder: Please complete your research study diary activities for today! Please contact the research team at (phone number) with questions.
    • Reminder: Please remember to take your study medication today!

Requests for participants to contact the study team via phone

  • Please contact the UNC-Chapel Hill study team today at (Phone number). Back to top

May I use the participant’s cell phone number or e-mail documented in Epic or in a clinical research registry to contact participants for recruitment for a research study?

Patients that have signed off on the Clinical Consent to Treat have provided permission to be contacted about research studies, so the individual’s phone number or email may be used for recruitment.  You should state in the IRB application how you received the individual’s contact information.

Once the participant signs the consent form with the Unencrypted Communication language and provides their contact information for text messages or e-mail they want to be communicated with, they should only receive study communications at that phone number or email.

If this number or email is no longer active, or the participant does not respond, alternate numbers should not be utilized unless the participant provides a new cell phone number or email and verbally agrees to using this contact information for unencrypted communications moving forward. The research team must document this verbal confirmation in the research record along with the date the verbal confirmation was provided.

If an individual has provided consent to participate in a research registry and agreed as part of that registry to be contacted for future studies and receive unencrypted communications about these studies, then the new research team may contact the potential participant directly using the provided contact information. The IRB application should explain that the permissions were provided under a previous study and provide the IRB number for the registry.

If the participant agrees to participate in the new study and the study is covered under HIPAA, they should sign the unencrypted communications consent to continue to receive unencrypted communications for the new study. Back to top

Should I submit a modification to start sending enrolled participants unencrypted messages (email/text)?

For all new or revised requests to use unencrypted communications, regardless of when the study was started, a modification must be submitted and approved by the IRB prior to sending unencrypted messages to participants. Please include detailed justification in the modification, as well as the type and method of communications that will be sent unencrypted, as well as a description as to when consent will be obtained for the participants to receive unencrypted communications.

If you wish to include PHI or PII or other sensitive information through unencrypted means, the participant will first need to sign the consent with the Unencrypted Communications language.

Protocols or applications must describe how email and/or text will be used, including the source of email or phone lists, targeted populations, frequency of emails or texts, and methods for potential participants to remove themselves from the email or text list.

Unencrypted messaging pertaining to study appointment reminders, requests to complete study activities, or a reminder to have participants review their encrypted messages or call a study team member, do not need to be reviewed by the IRB, assuming they will not contain any PHI or sensitive information.

Recruitment messages must always be reviewed and approved by the IRB regardless of the method. Back to top

Do we need to upload a text script for recruitment if we will be emailing or texting potential participants?

Yes. These should be submitted just as email and phone scripts are now. If it’s a recruitment email, text, phone call, we prefer a template. The IRB will need to review the initial message and verbal consent to continue unencrypted communication should be sought until a consent form can be signed. We understand the conversation cannot be scripted once you begin to communicate with the individual. Back to top

Can we send the consent to the potential participant through email or text?

The consent form or a link to the consent form may not be sent with the initial unencrypted communications. The consent form may be sent to the potential participant only after the individual has agreed verbally or through their response in email or text to receive the consent form. It is best practice that if a participant expresses interest in learning more about the study, a phone call is arranged to provide more information prior to sending the consent. Back to top

Must I provide participants with the option to receive encrypted messages?

Participants must be given the option to receive encrypted communication. Participants must be allowed to continue participation even if they do not want to receive unencrypted messages.

The only exception to this is if the study’s design is studying the utility of an unencrypted messaging platform (e.g. studying how text messaging participant reminders affects their adherence rate to keeping study visits). In this case, participants should be excluded if they are not willing to receive unencrypted communications. Back to top

When do I use the consent addendum versus the consent form with language built in?

For an already approved study covered under HIPAA with no plans to reconsent for other purposes, please utilize the “Consent Addendum for Unencrypted Communication”, as this is specific to permission for unencrypted messaging. If you will be reconsenting for the entire study, or have a new study, please incorporate the language into your consent form or utilize the IRBIS Consent Builder. Back to top

What if a participant’s phone number or email information changes during the research study?

The participant should provide their new cell phone number or email to the research team if they want to continue to receive unencrypted communications. The participant must verbally agree to using this contact information for unencrypted communications. The research team must document this verbal communication in the research record along with the date the verbal confirmation was provided. Back to top

Should I provide any special instructions for participants?

Research teams should remind participants at the time of enrollment and periodically throughout the study that texting and unencrypted email should only be used to request a phone call with the study team, respond to appointment reminders, or other non-sensitive communications. Participants should not use unencrypted email or texting to share personal information with the research team, obtain medical care, or other emergency help or clinical care.

Depending upon the specifics of the study, you may wish to instruct participants to “delete” text messages after receiving and reading. Back to top

Can I use texting or email to communicate with children or minors?

If the child’s parent or legal guardian provided parental permission for the minor to receive unencrypted communications AND the minor has provided assent, texting and email communications via unencrypted means is permitted for minors.

If parents/LAR do not permit direct text messaging or email with their child, the parent may serve as the intermediate between the study team and the research team if they are agreeable. Back to top

May I use unencrypted communications for non-English speakers?

The Unencrypted Communications section has not been translated into any other languages. If the study needs recruitment materials translated and the study team has the ability to provide appropriately translated consent document and the unencrypted communication language to the participant, the research team may do so. Back to top

Can I send unencrypted communications through group message or multiple individuals listed in the “To/Recipient” field?

Sending an unencrypted message to multiple individuals at a time is not permitted. Back to top

May I obtain study consent through texting or email?

Texting and email may not be used to obtain study consent. Back to top

Should I update my IRBIS application immediately and revise my consent forms?

OHRE is asking that you implement the changes for new studies moving forward and do not submit modifications to currently approved studies that will continue in the same manner due to the workload that this will place on OHRE. If this new guidance will change the way you communicate with participants though, please submit the modification related to this new guidance when you are submitting another study modification, if possible. Back to top

Texting-Specific Recruitment Guidelines

Can I use my personal cell phones to text potential participants?

Communication that is not encrypted (texting and un-encrypted email) is permitted for the uses described in this guidance and if approved by the IRB. You may use your personal cell phone for unencrypted communications if permitted for the approved study, and you do not have a study specific phone or phone number.

Encrypted communication means should be arranged if texting or email will continue if the individual enrolls in the study or the participant must consent to receiving unencrypted communications. Back to top

Is there an approved list of texting platforms?

There is not currently a list of approved texting platforms.

If a research team intends to purchase the services of a third-party telecommunications platform to facilitate communication with study participants, the use and risks to study participant’s data must be addressed by referencing the platform’s Terms of Service in the study informed consent form and/or Consent Language for Unencrypted Communication (if data includes PHI). See Sample Consent Forms – UNC Research.

If the use and risks are adequately addressed in the study informed consent form and/or Consent Language for Unencrypted Communication, a business associate agreement is not required for a study team to use the services of a third-party communications vendor to communicate with study participants even if the communications contain protected health information.

Study teams are independently responsible for assessing whether there are applicable University requirements that govern the purchase of such services, including whether a university-approved contract or security risk assessment is required. Back to top

Can I use an encrypted texting platform like WhatsApp?

It depends. Using free services of a third-party telecommunications platform without a purchasing agreement means that the university does not have “privity of contract” and therefore there are no additional protections afforded to the users. The third-party platform can store and use data as agreed to as part of their terms of service and privacy policy. When a purchase agreement is executed with a third party, the university can negotiate the terms of the collection and storage of data.

Therefore, these third-party platforms may not be utilized for recruitment prior to consent if a vendor risk assessment and purchasing agreement have not been executed.

These third-party platforms may be utilized for communications through the study after the participant provides consent and the risk of the use of the third-party platform is disclosed in the consent form.

“If you consent to participating in this study, we will use the Whatsapp text messaging platform to communicate with you throughout the life of the study. These messages may contain PHI or private sensitive information. UNC-CH is not associated in any way with WhatsApp. WhatsApp may use your data for their benefit. You should review and understand WhatsApp’s “Terms of Service” and “Privacy Policy” so you understand how they may use your data. Back to top

Can you please summarize the above information?

If your study is covered under HIPAA:

    1. Be sure to request a partial HIPAA Waiver in the IRBIS IRB application for screening purposes.
    2. If sending text messages or emails for recruitment purposes, ensure your initial recruitment messages do not contain any PHI, or other sensitive information that could link the person to a disease state or specific provider (such as PI name, name of medical department, study title, etc).
    3. Ensure the message contains a method for the individual to opt out of future contact
    4. If the individual responds favorably, schedule a phone call to discuss the study and only send the consent form once you have their permission. If the individual agrees to participate and if there is the intent to email or text PHI or other sensitive information throughout the course of the study, the individual must sign consent the Unencrypted Communications as part of the consent. Ensure the consent form also refers to the communication platform’s Terms of Service, as applicable.

Note: The Unencrypted Communications is not needed if the communications through the study are limited to appointment reminders or reminders to complete study activities and will not contain PHI or other sensitive or identifiable data but the consent form must mention the use of these methods of communication.

  1. Participants must be given the option to opt out of unencrypted communications and instead receive encrypted communications.
  2. If your study is not covered under HIPAA
  3. If sending text messages or emails for recruitment purposes or after initial contact from the individual, do not include information that could link the person to a disease state or specific provider (such as PI name, name of medical department, study title, etc).
  4. Ask the individual if you can send them information about the study or schedule a phone call to discuss the study and only send the consent form once you have their permission
  5. If the individual agrees to participate and if there is the intent to email personal information throughout the course of the study, ensure the consent form states the risk associated with this method of communication and refers to communication platform’s Terms of Service, as applicable.
  6. Note: The Unencrypted Communications language is not needed.
  7. Participants must be given the option to opt out of unencrypted communications and instead receive encrypted communications. Back to top

References

UNC-Chapel Hill Transmission of Sensitive Information Standard

UNC-Chapel Hill Privacy of Protected Health Information Policy

OHRE Approval and Revisions Dates

4/30/24: Initial review and approved by Andy Johns (OVCR), Katherine Georger (OUC), and Carley Emerson (OHRE).