Compared to privacy breaches that routinely affect millions, the one suffered by Columbia University Medical Center in 2016 was tiny, but the information exposed was among the most sensitive. In November of that year, a Columbia researcher notified an internal board overseeing her study that email addresses of 145 individuals involved in HIV/AIDS research were visible in a recruitment pitch. A study coordinator had included individuals’ addresses in the CC portion of an email inviting participation in a related upcoming study.
Because only breaches affecting 500 or more individuals are required to be made public under federal law, smaller incidents like this one may remain secret. But in Columbia’s case, the breach, which also appears to be reportable under HIPAA, came to light because a U.S. agency found that the medical center violated U.S. regulations governing research by failing to report what had happened.
Last month, the HHS Office for Human Research Protections (OHRP) published a determination letter that it sent to Columbia University indicating that the email disclosure was considered a “breach in confidentiality” that qualified as an “unanticipated problem involving risks to subjects or others.” Such problems are to be “promptly” reported to OHRP; this one wasn’t reported until months later, and only after the agency, acting on a complaint, contacted Columbia.
OHRP said Columbia had delayed its report to the agency because its “investigation was still pending,” but this is not an allowable reason for lack of a prompt notification.
The email breach, which a former OHRP regulator calls “shocking,” offers reminders that maintaining privacy is just as important in studies as it is in treatment settings and that when the protected health information (PHI) is research-based, an organization may face actions by an agency other than the Office of Civil Rights (OCR). Additionally, organizations will want to review the corrective actions Columbia took in the wake of the email breach, including terminating the study coordinator.
Privacy Protections Subject to IRB Review
In addition to HIPAA, organizations conducting applicable research must comply with specific regulations at 45 CFR part 46, also known as the Common Rule, meant to protect study subjects. These regulations apply to federally funded studies (Columbia’s had NIH support) and to studies in which drugs or devices are developed for potential approval by the Food and Drug Administration, and they address the privacy of research participants.
Research is generally reviewed and approved by a hospital or other organization’s institutional review board (IRB). Among the criteria for IRB approval is ensuring “there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data,” when appropriate to a particular trial.
Further, the Common Rule requires organizations to review and report to OHRP “unanticipated problems involving risks to subjects or others” and adverse events. The former was one of the issues in Columbia’s situation.
RPP attempted to learn more about the privacy breach and contacted the investigator on the study, as well as several other Columbia officials. After no response for nearly two weeks, a spokeswoman whom RPP had not contacted emailed the following: “Thanks for your recent request about OHRP’s determination letter. Unfortunately, we do not have any additional information to share at this time.” Among RPP’s unanswered questions are whether Columbia considered the breach reportable under HIPAA, and if so, whether it has been reported.
It is unusual to learn about breaches involving research studies because OHRP rarely makes compliance findings at all, and even fewer involve privacy issues. OHRP’s letter to Columbia is only the third it has issued since October 2016. In previous years, OHRP had issued dozens of such letters, which address concerns ranging from lack of informed consent to failures to follow IRB procedures.
The determination letter that OHRP sent to Columbia closing the investigation was the only document that has been released; it did not post correspondence from Columbia but referred to information it had provided. Although the letter was issued this year, the events described in the letter took place in 2016 and 2017.