University Policy requires that email conversations between research teams including members of the University’s hybrid entity, and current and potential research participants, must be conducted via encrypted email tools unless the participant authorizes the use of unencrypted emails.
This guidance describes a limited exception to this policy for introductory conversations with potential research participants. This exception only exists for communications that do not include information about the physical or mental health condition of a potential participant (“health condition”), or discussions of a potential participant’s eligibility for a study based on their past or current health condition.
Conditions
Research teams may communicate with potential research participants without requiring the use of email encryption tools or a written authorization permitting the use of unencrypted emails, provided the following conditions are met:
- The email account must be secured using the University’s “BAA” security setting. It is preferred that the research team uses a single departmental email account to communicate with participants and potential participants
- The research team may respond to messages sent by potential participants to discuss the study. The research team may not rely on this exception to discuss a potential participant’s health condition or discuss a potential participant’s eligibility for the study where that eligibility is conditioned on a participant’s health condition.
- The research team must ask the potential participant not to share their health condition, and include a confidentiality statement in the email, which includes a statement stating that the email is not secure.
- If a potential participant offers information about their health condition, the research team must move the conversation to an alternate form of communication that has been approved for the purpose of sharing PHI.
Information to be shared with potential participants
The research team must include this text in any initial response with potential participants:
I can answer your questions about research and this research study. I cannot discuss your health conditions or eligibility for this study via email without your authorization as this email is not secure. Other, more secure forms of communication exist to share your health condition. E-mails are always subject to some level of security risk, can be sent to the wrong address, and can be forwarded to others who should not receive them. Please ask if you would like to know your options for using more secure forms of communication with the research team.
Email confidentiality statement
The following Confidentiality Statement must be included at the bottom of emails to potential participants:
The information transmitted in this e-mail is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material, including "protected health information." If you are not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please destroy and delete this message from any computer and contact us immediately by return e-mail.
Research teams must avoid using unsecure emails to request PHI
HIPAA does not require an individual to be a current patient or research participant. The health information of prospective participants that have not formed a relationship with a research team by signing a “consent to participate form” is PHI.
Research teams that communicate via unsecure emails must avoid requesting a participant’s PHI. For example, if a researcher believes that answering a participant’s question about the study requires knowing the participant’s health condition, the researcher should move the conversation to a secure method or ask the participant to sign an authorization to communicate via unsecure email. This practice ensures the researcher’s response does not inadvertently encourage the participant to offer PHI via unsecure email.
When a research participant volunteers PHI
The health condition of a potential participant is PHI. Unsecure emails must not be used to discuss a potential participant’s health condition or eligibility for a study. Unsecure emails may not be used to answer questions related to a participant’s eligibility for a study. Discussing a participant’s eligibility may encourage the participant to share PHI via an unsecure method. The only questions research teams may answer via unsecure emails are general questions about the study.