- We will use your information for research: We collect information about your identity, your health, and some of your behaviors that might help us predict your future health. This information will be used in research analysis, presented at scientific conferences, and then published. These presentations and publications will never show any information that identifies you or any other individual in the study.
- We will not sell your information: We will never sell data to drug companies for market research. We will never voluntarily share identifying information about you without your permission. We may share de-identified health data with other researchers for the purpose of research.
- You will be able to see some of your study information: When you registered for the study, you provided us with a username and a password. You will use the username and password to sign into the study to see your dashboard and some of the health information you have provided (e.g., My Health Data graphs). You should be very careful not to share your login information with anyone else, or they could sign in as you and be able to see that same health information. If you are worried that someone else may be using your login information, please let us know immediately, or change your password yourself through the participant homepage.
- Protection against involuntary disclosure of your information: We will do everything we can to keep your study information private. To further help us protect your privacy, we have obtained a Certificate of Confidentiality from the United States Department of Health and Human Services (DHHS). Under the terms of this certificate, IBD Partners study staff cannot be compelled to disclose study information that identifies you, even if ordered to do so by a court subpoena, in any federal, state, or local civil, criminal, administrative, legislative, or other proceedings. The researchers will use the Certificate of Confidentiality to resist any demands for information that would identify you, except to prevent serious harm to you or to others. You should understand that we will, in all cases, take the necessary action, including reporting to authorities, to prevent serious harm to you or to others. Also, please note that a Certificate of Confidentiality does not represent an endorsement of the research study by DHHS or the National Institutes of Health.
- Electronic security and adherence to the HIPAA privacy rule: The IBD Partners Study follows the general security guidelines of the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA). All study data is transmitted, stored, and processed in a secure environment.
- While we cannot provide an absolute data security guarantee, your information will be transmitted and stored using state-of-the-art security systems similar to those that protect websites used by banks and electronic health systems. If, despite our best efforts, we ever experience a breach of the security of your personal information, we will notify you in accordance with federal and state laws. For any questions, please contact your study coordinator.
Data Security Measures
The following is a technical explanation of the measures we take to protect your data. If you have any questions about this information, please contact us by email at firstname.lastname@example.org or by using one of the other options described in the “Contact Us” section of the website.
All study information will be stored in linked data tables. Identifying information (name and email address) will be stored in separate (but linked) data tables so that health-related data can be viewed by IBD Partners and IBD Plexus study staff as needed without inadvertent association with identifiers when such linkage is not required.
The IBD Partners and IBD Plexus study teams will take the following data security measures:
- Data Transmission: IBD Partners and IBD Plexus currently utilize advanced encryption technology to protect all data transmitted over the Internet between the coordinating center’s web server and every client machine (including our research participants’ machines) that accesses our study web sites.
- Secure Servers: All study data is housed on secure servers.
- Antivirus Software: All servers are protected from viruses using anti-virus software. This software automatically checks for virus signature file updates once an hour, and if necessary, directly updates itself. All antivirus software is monitored and network personnel are notified in the event that the software stops functioning on a server.
- Firewall: The network, including all the servers that will store our research data, is behind a secure firewall that does not allow unauthorized access to any research data server.
- Disaster Recovery: The study database is backed up regularly to ensure that no data is lost. Our disaster recovery system also follows Standard Operating Procedures to maintain full security of backup data.
- Cloud Services: In addition to use of our secure servers, we may use your data in conjunction with cloud storage and computing services in order to assist with communication, data collection, storage, and processing. Third-party vendors will be vetted for their security practices and will meet or exceed privacy and security standards for the University of North Carolina at Chapel Hill electronic research health records management.
“Personal Information” is information you supply to IBD Partners that allows you to be individually identified. This includes (a) identifiable contact information, such as name, address, telephone, and email address, (b) information you provide about yourself, such as your health or lifestyle information, and (c) “coded information,” which is the same information as (b), but with all of your identifiers and contact information removed and a random alphanumeric code assigned to it for search purposes.
“De-Identified Data” means information that does not identify individuals. With regard to your health-related information, IBD Partners and IBD Plexus will follow the standard set by a federal law called HIPAA (the Health Insurance Portability and Accountability Act). The HIPAA Privacy Rule specifies eighteen (18) data elements that, alone or in combination, could identify a person. These include information such as your name, address, phone number, social security number, and photos of your face. Generally speaking, when all 18 of these identifiers specified by HIPAA are removed, the information that remains is “de-identified”. For more information, see the Glossary of HIPAA Terms here, posted online by Yale University.