The University of Iowa

Guidance for Principal Investigators and Research Team Members


Confidentiality and Data Security Requirements

The University of Iowa Institutional Review Board recommends following the proactive measures below to adhere to DOE confidentiality and security requirements for Human Subjects Research that utilizes Personally Identifiable Information (PII). As documented in the DOE Checklist for use by researchers conducting Human Subjects Research that utilizes PII, the following items must be addressed in all protocols:

  1. Keeping PII confidential; 
  2. Releasing PII, where required, only under a procedure approved by the responsible IRB(s) and DOE; 
  3. Using PII only for purposes of this program; 
  4. Handling and marking documents containing PII as “containing PII or PHI”;
  5. Establishing reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of PII; 
  6. Making no further use or disclosure of the PII except when approved by the responsible IRB(s) and DOE, where applicable, and then only under the following circumstances: (a) in an emergency affecting the health or safety of any individual; (b) for use in another research project under these same conditions and with DOE written authorization; (c) for disclosure to a person authorized by the DOE program office for the purpose of an audit related to the project; (d) when required by law; or (e) with the consent of the participant;
  7. Protecting PII data stored on removable media (CD, DVD, USB Flash Drives, etc.) using encryption products that are Federal Information Processing Standards (FIPS) 140-2 certified; 
  8. Using passwords to protect PII used in conjunction with FIPS 140-2 certified encryption that meet the current DOE password requirements cited in DOE Guide 205.3-1; 
  9. Sending removable media containing PII, as required, by express overnight service with signature and tracking capability, and shipping hard copy documents double wrapped; 
  10. Encrypting data files containing PII that are being sent by e-mail with FIPS 140-2 certified encryption products; 
  11. Sending passwords that are used to encrypt data files containing PII separately from the encrypted data file, i.e. separate e-mail, telephone call, separate letter; 
  12. Using FIPS 140-2 certified encryption methods for websites established for the submission of information that includes PII; 
  13. Using two-factor authentication for logon access control for remote access to systems and databases that contain PII. (Two-factor authentication is described in the National Institute of Standards and Technology (NIST) Special Publication 800-63 Version 1.0.2, found at: http://csrc.nist.gov/publication/nistpubs/800-63/SP800-63V1_0_2.pdf);
  14. Reporting the loss or suspected loss of PII immediately upon discovery to: 1) the DOE funding office Program Manager; and 2) the applicable IRBs (as designated by the DOE Program Manager). If the DOE Program Manager is unreachable, immediately notify the DOE-CIRC (1-866-941-2472, circ@jc3.doe.gov). 

For assistance with adhering to the technical requirements outlined in this checklist, researchers may contact University of Iowa Information Technology Services (ITS).

Reporting Requirements

Reporting requirements for DOE supported research are more rigorous than the reporting requirements in place at the University of Iowa or under HHS regulations found at 45 CFR 46.  

  • DOE Order 443.1B also requires prompt reporting to the DOE Human Subjects Research Program Manager, SC-23 (and, for NNSA sites, the NNSA Human Subjects Research Program Manager), and coordination with and approval from the appropriate Human Subjects Research (HSR) Program Manager in determining plans to correct any noncompliance or to deal with the unanticipated problem. While DOE Order 443.1B does not specify how quickly the HSR Program Manager should be notified, it is recommended that you do so within 48 hours of learning of any unanticipated problem that does not involve PII.
  • However, the definition of “prompt reporting” is different when PII is involved. Federal and DOE requirements (see DOE Order 206.1) require that any incident involving potential loss or compromise of PII be reported immediately (as soon as you learn of the incident) through your Departmental Element and to the DOE-Cyber Incident Response Capability (DOE-CIRC) at 866-941-2472 (doecirc@doecirc.energy.gov). Please coordinate with your site cybersecurity office to report the incident to the DOE-CIRC. Please also report any such incident(s) immediately to the HSR Program Manager(s).