Privacy Protection Requirements
This page provides policies, requirements, guidance and forms related to privacy and confidentiality in human subjects research. Researchers can find information about FERPA, HIPAA, video and audio recording of research participants, and research with human tissue and biological samples.
These requirements help researchers protect participant privacy, maintain confidentiality and comply with applicable institutional, federal and regulatory requirements when conducting research involving educational records, health information, recordings or biological materials.
FERPA - Family Educational Rights and Privacy Act
FERPA, or the Family Educational Rights and Privacy Act, established in 1974, often has to be considered when planning to conduct research involving the use of educational records. While FERPA seeks to provide parents or students with the rights to inspect files and request the correction of information as needed, the law also acts to ensure the privacy of student records.
FERPA's guarantee of confidentiality of educational records often, by its very nature, has repercussions on those who wish to conduct research on educational practices. While schools can release directory information without explicit consent, all other information is protected.
Student academic records, including tests, journals, written assignments etc., are considered part of the student’s academic record. FERPA requirements apply to investigators conducting research involving academic information even when this information is obtained from their own students.
Those who wish to obtain data from educational records beyond directory information, for the purposes of research, are generally limited to three options:
- The researcher may contact and obtain written consent for each individual (or parent/guardian) whose records will be accessed for research purposes. Written consent must 1) specify the records that may be disclosed, 2) state the purpose of the disclosure and 3) identify the party/parties who will receive the disclosed information.
- A school official with legitimate access (other than the researcher) may strip the records of any identifying information and provide the data to the researcher. In other words, educational records may be released to a researcher if all personally identifying information has been removed.
- The holder of the record may invoke an exception to FERPA in order to release the records to the researcher. When invoking an exception for the use of educational records, the holder of the records must specifically cite the exception to the regulation in writing. The exceptions that may be used for educational research are:
  - If the researcher is a school official with legitimate educational interest [34 CFR 99.31(a)(1)]; or
  - If the researcher is conducting studies for or on behalf of the school [34 CFR 99.31(a)(6)].
When planning to conduct research involving educational records, the FERPA exception letter should be submitted to the Institutional Review Board (IRB) along with the IRB application. In most cases involving educational records held by elementary and secondary schools, this letter should come from the school district’s superintendent. The University Registrar is usually the official from whom this letter should come for research involving educational records held by a university. The use of personal, identifiable data for research purposes must always be approved by the IRB prior to the researcher obtaining access to such data.
Additional information on FERPA may be found at the website of the .
The text of the statute is here: and the regulations are here .
For specific questions regarding FERPA and research, please contact Dr. Jignya Patel (jpatel@fit.edu), the IRB Chairperson.
HIPAA - Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was enacted in 1996. HIPAA established, among other things, mandatory rules governing the privacy of all patient identifiable health information (also referred to as "protected health information" or "PHI") regardless of form. Subsequent regulations implementing the HIPAA privacy rule must be complied with by April, 2003, for all health care providers, health plans, and health care clearinghouses and third parties who have access to identifiable health information.
HIPAA specifies that a covered entity may not use or disclose identifiable health information for research purposes unless the patient has provided, in advance, his/her written authorization for such use or disclosure.
Note that when researchers collect health or mental health related information from participants, this specific form of data collection and use must be addressed in the consent form. Alternatively, researchers may use a separate HIPAA authorization/consent form.
Certain provisions of HIPAA address the use and disclosure of identifiable health information for research purposes. In this regard, HIPAA is generally consistent with the applicable provisions of the current Federal Policy regulations (45 CFR 46) governing human research subject protections, although there are some important differences. Together, these regulations will have an enormous impact primarily on two aspects of human subject research: 1) access to and the use of identifiable health information to facilitate research subject recruitment; and 2) retrospective research studies involving the use of existing, identifiable, health information.
- Access to and the use of identifiable health information to facilitate research subject recruitment.
Researchers may access health records of potential study participants if they submit a research agreement that contains the following information. The research agreement must be signed by both the researcher and the medical center.
- Such use or disclosure is solely for purposes of reviewing the protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research (e.g., to design a study or to assess the feasibility of conducting a study). The investigator must describe the purpose of the desired record review.
- The PHI being sought to be disclosed is limited to the minimum necessary to achieve the purpose(s) of the review. The investigator must describe the nature of the data requested and indicate why each of the data elements being requested is necessary to achieve the purpose of the review.
- The PHI being sought to be disclosed is necessary for the research project. The investigator must indicate why the PHI requested for review is necessary in order to prepare a research protocol.
- Retrospective research studies involving the use of existing, identifiable, health information.
Both the federal policy and HIPAA regulations mandate that retrospective research studies involving the collection and use of identifiable health information require the prior written informed consent/authorization of the involved patients-subjects or an IRB waiver of this informed consent/authorization requirement.
- Retrospective research studies involving the use of existing, de-identified, health information.
Consistent with the HIPAA Privacy Rule, de-identified data must not contain any of the following identifiers:
- Names
- Postal address information (other than town or city, state and zip code)
- Telephone numbers
- Fax numbers
- E-mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers & serial numbers, including license plate numbers
- Device identifiers & serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
Authorization Core Elements:
- A description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner.
- The names or other specific identification of the person or persons (or class of persons) authorized to make the requested use or disclosure.
- The names or other specific identification of the person or persons (or class of persons) to whom the covered entity may make the requested use or disclosure.
- A description of each purpose of the requested use or disclosure.
- Authorization expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure ("end of the research study" or "none" are permissible for research, including for the creation and maintenance of a research database or repository).
- Signature of the individual and date. If the individual's legally authorized representative signs the Authorization, a description of the representative's authority to act for the individual must also be provided.
Authorization Required Statements:
- A statement of the individual's right to revoke his/her Authorization and how to do so, and, if applicable, the exceptions to the right to revoke his/her Authorization or reference to the corresponding section of the covered entity's notice of privacy practices.
- Whether treatment, payment, enrollment, or eligibility of benefits can be conditioned on Authorization, including research-related treatment and consequences of refusing to sign the Authorization, if applicable.
- A statement of the potential risk that PHI will be re-disclosed by the recipient. This may be a general statement that the Privacy Rule may no longer protect health information disclosed to the recipient.
Video-Audio Recording Policy
The purpose of this policy is to address privacy and confidentiality issues associated with visual and audio capture of human participants in research. This policy refers to any human subjects research that involves audio recording, video recording, audio and video recording, and still photographs extracted from video recordings.
Recording the voice and/or image of an individual creates a type of record that requires unique handling and storage, particularly if the content may be considered sensitive. As with all research procedures, the dignity of human subjects should be respected. Therefore, only what is necessary for the purpose of the study should be recorded. Research subjects must be informed prospectively that such recording will occur, and be provided with information about the storage, confidentiality, and future use of the resulting recording.
If a research protocol involves the recording of research subjects, the Principal Investigator must include the following elements for consideration, in his/her protocol and informed consent form for submission to and review by the IRB:
Elements for consideration:
- Purpose and use of recording
- Specific identifiers that will be recorded (e.g., partial facial features, full facial features, subject’s name)
- Steps to avoid the inclusion of nonparticipants on the recordings
- People who will have access to the recording(s)
- Storage procedures, the storage location, and the duration of storage
- Procedures for controlling access to and use of the recordings
- Use(s) of the recording(s), including educational use, analysis by an external research group, or future unspecified use
- State when and how recordings will be destroyed
The use of video/audio recording must be documented in the consent form. The IRB recommends researchers use headings in consent forms and create a separate heading for Video/Audio Recording. This section should identify the purposes and uses of the recording. It should provide information about who will have access to the recording and how access will be controlled. Storage information should state how long the investigator will store the recording and when and how the recording will be destroyed. If recordings will be used for educational purposes (e.g., research team meetings), this must be explicitly stated. Given that the identities of your participants remain on the recordings until they are erased or destroyed, you must inform participants about the possibility that others may see the recordings or that the recordings may be used in additional research projects.
Additional considerations may be necessary for research that extracts photographs from video files, or research that records real-time video observations (e.g., Skype, Adobe Connect). PIs are encouraged to contact the IRB office to discuss the confidentiality, privacy and protection of this type of data.
Research with Human Tissue and Biological Samples
With the increased use of human biological samples from tissue banks and repositories for research purposes, ethical and regulatory dilemmas exist regarding the distribution and use of these materials in research projects. The implications that this has on individuals and families when these samples are used for genetic research increase the regulatory and ethical responsibilities.
This policy encompasses all cells, cell lines, and tissues that are derived from human beings, deceased or living.
When research involves identifiable human specimens, each research use must receive prospective IRB review and approval.
Research on tissue samples obtained from an established research repository
Recipient-investigators should have a written data use agreement with the repository:
- The data use agreement should specify under what conditions the data is being released to the recipient-investigator(s)
- The terms under which the data is released determine whether the research requires IRB oversight based on OHRP’s Guidance on Coded Data
- If the specimen obtained is identifiable (i.e., can be linked to specific individuals, either directly or through a coding system, by the investigator or member of the research team), IRB review and approval is required
- If the specimen is NOT identifiable as defined above, IRB review and approval is NOT required.
OHRP does not consider research involving specimens to involve human subjects as defined under 45 CFR 46.102(f) if the following conditions are both met:
- The private information or specimens were not collected specifically for the currently proposed research project through an interaction or intervention with living individuals
AND
- The investigator(s) cannot readily ascertain the identity of the individual(s) to whom the coded private information or specimens pertain
Examples of acceptable conditions:
- The key to decipher the code is destroyed before the research begins
- The investigators and the holder of the key enter into an agreement prohibiting the release of the key to the investigators under any circumstances, until the individuals are deceased
- There are IRB-approved written policies and operating procedures for a repository or data management center that prohibit the release of the key to the investigators under any circumstances, until the individuals are deceased; or
- There are other legal requirements prohibiting the release of the key to the investigators, until the individuals are deceased.
Office for Human Research Protections (OHRP) –