This section of the Investigator Manual outlines communications guidelines, including using email to schedule an initial visit or for study participation, not including health information in voicemails, and use of personal cell phones for research.
General Communication Guidelines
Throughout the course of a study, researchers may wish to communicate with participants using a range of methods. When using email, guidelines described in the Email Recruitment Guidelines section apply to the scenarios described below. Depending on the method used, you may need to follow specific guidelines, particularly if your study falls under HIPAA or FERPA.
- Using email to schedule initial study visit: Upload a copy of the email script you will use to schedule initial visits in the IRB application. You must obtain permission from participants before using email to schedule a visit. Permission may be obtained by emailing subjects to ask if they agree to set up an appointment by email before sending scheduling information. Emails scheduling an initial visit may not include information about the subject’s health unless they provide permission to do so. Even with subject permission, the email should contain as little health information as is necessary to convey the intended message.
- Using email as part of study participation: The consent form must include information on how email will be used in the study and the study team must obtain permission to communicate with the subject by email. You cannot require that subjects provide an email address in order to participate in a research study unless the study cannot be carried out without access to email. Additionally, subjects may request that email no longer be used to communicate about the study, without any loss or penalty.
- Phone: Whether calling potential subjects for recruitment purposes or communicating with participants during the study, you should avoid leaving voicemail messages that include any information about the subject’s health (e.g., identifying that you are calling from a specific clinic).
Use of Personal Cell Phones for Research
UW researchers considering the use of personal cell phones for research involving human participants must be aware of the privacy and security implications of such use. Because of the sensitivity of information that may be accessed, created, exchanged and stored in the course of research involving human participants, it is recommended, and in some cases required, that researchers only use UW-Madison managed devices while conducting research activities.
Researchers are responsible for consulting with their departmental/unit IT professionals and other appropriate offices as applicable (for example, their unit’s HIPAA Privacy and Security Coordinators if the study is subject to HIPAA) to ensure that any use of a personally owned device is compliant with legal, regulatory, and university requirements applicable to the type of data or information that may be accessed, received, transmitted or stored on a personally owned device, as well as to ensure that any requirements for connecting to university networks are met.
I. Types of Information and Data That Could be Created, Received, Accessed, or Stored on Personal Cell Phone
When using personal cell phones to communicate with human participants or study team members, such devices may capture phone numbers/contact information of research participants. Substantive information may be exchanged via text, voicemail, or other messaging platforms. It should be noted that while researchers may anticipate using personal cell phones in specific or limited ways, they are not able to control the information received from research participants via text, voicemail or other messaging platforms which is then stored, at minimum, on the phone.
Information about human participants, particularly when promised confidentiality, may qualify as Restricted or Sensitive information. Restricted information is sensitive information that receives additional protection. Restricted or sensitive data may include, for example, individually identifiable health information protected by HIPAA, personally identifying information regarding students protected by FERPA, sensitive research information protected by an NIH Certificate of Confidentiality, information obtained from research participants pursuant to a promise of confidentiality, and information protected by nondisclosure agreements with sponsors.
II. Data and Records Access and Retention
Records or data evincing university activities and business that are maintained by UW employees, agents, or subcontractors may be subject to public records requests, subpoenas, or other legal or regulatory requirements that mandate that the university access (and potentially disclose) such records or data. University employees, agents, and subcontractors are required to produce such records or data, or the devices containing them, upon the University’s request.
In addition, employees are obligated to ensure that any university records, whether created or received on personal or university devices, are maintained according to the university records schedule applicable to business communications, and any other applicable schedules related to the research. Aside from studies that could exchange PHI, discussed further below, the UW-Madison Office of Legal Affairs has generally discouraged people from using personal devices for work-related business because those communications are records under the law and have to be maintained pursuant to a university records schedule and made available under certain circumstances. If the university receives a public record request or a subpoena for information that is on a researcher’s personal phone, that information must be retrieved and accessed by employees in the office of compliance and/or university lawyers. As a result, researchers who believe cell phones are necessary for a research study (not covered by HIPAA) are encouraged to speak with their department about the possibility of obtaining a university-issued cell phone for the duration of the study.
III. HIPAA Protected Information
Researchers may only exchange and store PHI using those tools approved for such purposes by UW-Madison and UW Health. A list of such approved tools is maintained by the University’s HIPAA Privacy and Security Program. Using personal cell phones to text PHI is prohibited, except when texting is integral to the research and is approved by the IRB. PHI may not be transmitted or maintained on personally owned devices, except when specifically approved by policy or procedure. Researchers should consult with their departmental/unit IT professionals, as well as familiarize themselves with the University’s policies on Remote Access to Protected Health Information, Workstation and Mobile Device Use and Security Configuration, and HIPAA Security System Access. Per these policies, unmanaged mobile devices (mobile devices not managed by a UW-Madison approved mobile device management system) may not be used to access PHI, and mobile devices used with PHI must be configured securely to protect the privacy, security, confidentiality, integrity, and availability of PHI.
IV. Data Security
Use of personal cell phones can have implications for the confidentiality and security of the information on the device itself, as well as for the networks to which the devices are connected. Individuals are responsible for working with IT security to ensure that appropriate safeguards are in place to protect data and records against unauthorized access and use. Unauthorized access or use of data or information could occur if a phone were lost, stolen, or accessed by a family member or other person, if data or information were intercepted in transit over an unsecured network, or if the security of the device were compromised by malware.
Researchers are responsible for understanding the risk category of data or records with which they work and the associated requirements for protection and security; general risk categories are defined in the university’s Data Classification policy and guide to handling sensitive university data. In general, information to/from or regarding research participants will be classified as either Restricted or Sensitive. Researchers handling Restricted or Sensitive data are required to comply with UW’s Storage and Encryption Policy. Researchers are further responsible for complying with the University’s Restricted Data Security Management Policy, as well as policies and requirements on connecting to the UW network and Endpoint Management and Security. Researchers are encouraged to consult with their department administrators or IT professionals to ensure that they understand the requirements of policies applicable to their activities.