IRB & Penn Medicine Requirements regarding HIPAA PHI Security and Storage (Updated 3/2021)

All new submissions received after August 1, 2016 that involve the collection of protected health information will be required to include data confidentiality plans that align with the requirements outlined in the documents below. The IRB & Penn Medicine Requirements regarding PHI Security and Storage details the following: 

Requirements for Research Involving the Use of Protected Health Information (PHI)

  • Key elements of a Confidentiality Plan
  • Guidelines for Physical Security (Paper files/ Biospecimens)
  • Guidelines for Electronic File and Data Security, Storage, and Transmission

Key Features of IRB‐Approved Mechanisms for Data Storage/Transmission when Research Involves the Use of Protected Health Information (PHI)

  • IRB Approved Mechanisms for Data Storage
  • IRB Approved Mechanisms for Data Transmission

Avoid and Minimize PHI in Email

Use of Email During the Conduct of Research

  • Communicating with Research Subjects via Email
  • Communications Among the Research Team in a Research Study

Use of Text Messaging During the Conduct of Research - New 1/2022

The Office of Clinical Research (OCR) and Penn IRB have developed the attached guidance to provide best practices, considerations and parameters around when texting may, or may not, be appropriate in the conduct of research. 

University of Pennsylvania HIPAA Covered Entities

The University of Pennsylvania has 2 HIPAA Covered Entities: Penn Medicine and Penn Dental. 

Penn Medicine is comprised of the Perelman School of Medicine and the University of Pennsylvania Health System, which includes: 

Pennsylvania Sites

  • Hospital of the University of Pennsylvania
  • Hospital of the University of Pennsylvania - Cedar Avenue
  • Penn Presbyterian Medical Center
  • Pennsylvania Hospital
  • Chester County Hospital
  • Lancaster General Health (Lancaster Behavioral Health subject to PA Mental Health law)
  • Perelman Center for Advanced Medicine 
  • Penn Medicine Bucks County
  • Penn Medicine Radnor
  • Penn Medicine Rittenhouse
  • Penn Medicine Southern Chester County
  • Penn Medicine University City
  • Penn Medicine Valley Forge
  • Penn Medicine Washington Square
  • Good Shepherd Penn Partners Rehabilitation Facilities
  • Penn Medicine at Home
  • Penn Urgent Care South Philadelphia
  • Penn Outpatient Lab 3701 Market
  • Clinical Practices of the University of Pennsylvania (“CPUP”)
  • Clinical Care Associates (“CCA”)

New Jersey Sites

  • Penn Medicine Princeton Health (and Behavioral Health)
  • Penn Medicine Cherry Hill
  • Penn Medicine Mount Laurel
  • Penn Medicine Woodbury Heights
  • Clinical Health Care Associates of New Jersey

Penn Dental is comprised of the School of Dental Medicine and Penn Dental Clinical Practices, which include: 

  • Penn Dental at Locust Walk
  • Penn Dental University City

This list is accurate as of 3/31/2021

Clinical Trials Registration Compliance on

Research that is designed and/or written by the principal investigator, a sub-investigator, or a faculty member at Penn or another academic institution AND meets the NIH definition of a clinical trial (see below) may be required to post on Please review the following flow chart to determine if you are required to post on the NIH's Clinical website: flow chart.

NIH Definition: “A research study in which one or more human subjects are prospectively assigned to one or more interventions to evaluate the effects of those interventions on health-related biomedical or behavioral outcomes.” 

If required to post, please do so at

  • “Interventions” may include, but are not limited to, a drug or device product, a treatment procedure or surgery, social-behavioral intervention, etc.
  • The regulatory sponsor/lead investigator is responsible for making the decision about: 1) whether posting is applicable and 2) posting on 
  • Please be aware that the International Committee of Medical Journal Editors (ICMJE) and affiliated journals may also require registration on as a contingency for publication.

Associated Requirements

  • Studies meeting the NIH definition require study teams to complete Good Clinical Practice training. The IRB will not monitor compliance with this requirement. Penn Medicine researchers should continue to reach out to OCR Operations regarding GCP training. Researchers from non-Penn Medicine schools are responsible for compliance with these requirements.
  • The consent form must be posted on a publicly available website approved by the U.S. Office of Human Research Protections (OHRP) for such posting. Two publicly available federal websites have been identified that will satisfy the consent form posting requirement. These include OR a docket folder on (Docket ID: HHS-OPHS-2018-0021). For studies that are registered on, the consent form must be posted on
  • The following language must be placed into the consent form: “A description of this clinical trial will be available on, as required by U.S. Law.  This web site will not include information that can identify you.  At most, the web site will include a summary of the results.  You can search this web site at any time.” 

Questions? Please contact the following individuals for guidance: 


Applicable State Laws in Human Subjects' Research

Pennsylvania State Law

The PA Law guidance document describes Pennsylvania laws on the following topics that are applicable to human research: 

  • Surrogate Consent
  • Mandatory Reporting of Diseases and Infections
  • Mandatory Reporting of Abuse
  • Emancipation
  • Consent to Health Services
  • Nontherapeutic Research on "unborn children"

Download guidance

New Jersey State Law

The NJ Law guidance document describes New Jersey laws on the following topics that are applicable to human research: 

  • Research with Genetic Information [N.J.S.A. C.10:5-45-48]
  • “Medical Research” with Cognitively Impaired Adults [NJSA 26:14-3-5] including Surrogate Consent
  • “Experimental Research” with Mental Health In-Patients [N.J.S.A. 30:4-24.2]
  • Mental Health Records [N.J.A.C. 10:37-6.1]
  • Obtaining and Using Human Embryonic Stem Cells, Human Embryonic Germ Cells, and Human Adult Stem Cells for Research [NJ Rev Stat § 26:2Z-2 (2019)]
  • Prospective Research Involving Drug Trials or Invasive Procedures Conducted in the Context of Advanced Life Support Services, Mobile Intensive Care Units, Specialty Care Transport Services, or Air Medical Services [N.J.A.C. 8:41-5.1]
  • Research with Children [N.J.S.A. 9:17B-3; 9:17a-1]
  • Prisoner Research within the State of NJ [N.J.A.C. 10A:1-10.1-10.6]

Download guidance

For additional assistance: contact the Office of General Counsel.

ICH Good Clinical Practice (ICH/GCP) Compliance

Good Clinical Practice (GCP) is an international standard provided by the International Conference for Harmonisation (ICH) for the design, conduct, performance, monitoring, auditing, recording, analysis, and reporting of clinical trials or studies.

Click here to view the letter for Sponsors describing the Penn IRB's position on compliance with ICH GCP, including disclosing the names of IRB members to sponsors. 

For further information please contact a Senior Regulatory Analyst.

Principal Investigator Compliance Assessment (PICA)- For Greater Than Minimal Risk Research Continuing Review

  • Study teams conducting greater than minimal risk biomedical research who do not have a sponsor appointed study monitor for quality control of site activities are expected to be familiar with the PICA.
  • This form should be completed annually and filed in the regulatory binder for the study.
  • The Completed PICA should be sent to the Office of Clinical Research at or fax it to (215) 614-0378
  • Do not submit the completed PICA to the IRB via HSERA.

Click Here to Download PICA Form

*Please note that this form is published by The Penn Office of Clinical Research (OCR). Any questions about this form should be directed to that office.

Data & Safety Monitoring (DSM)

A criterion for IRB approval is that “when appropriate, the research plan makes adequate provision for monitoring the data collected to ensure the safety of subjects.”

Monitoring, an ongoing process of overseeing the progress of a study, is a quality control tool for determining whether study activities are being carried out as planned and whether there are any unexpected safety concerns. It enables study teams to identify and correct any deficiencies in the conduct of the study, record keeping, or reporting. A Data and Safety Monitoring Plan (DSMP) should be risk based with a focus on safety and scientific integrity. 

When is a DSMP required?

  • Research that is greater than minimal risk should have a DSMP designed based on complexity and risk of the protocol.
  • Research that is minimal risk usually does not require a DSMP, with most exceptions falling under expedited category 1. For all minimal risk research, there should be clear methods to protect confidentiality and privacy as well as subject safety that are commensurate with the risk. 

What should a DSMP cover?

  • Review of participants’ data for safety, welfare, and data integrity. Data such as consent forms, eligibility, adverse events, product accountability, etc. should be reviewed in real time. The study team should have a documented standard operating procedure to review data at pre-determined intervals to ensure there is adequate documentation of critical elements such as eligibility criteria.
  • Site Monitoring. Site monitoring is a process to ensure that the protocol is being followed. For Low – Medium Complexity studies, self-monitoring is usually acceptable (e.g., PICA). For High Complexity studies, an independent study monitor should be identified. Monitoring should be more frequent and more comprehensive as study complexity increases. 

When is a Data and Safety Monitoring Board / Committee (DSMB/C) needed? 

A Data and Safety Monitoring Board / Committee (DSMB/C) is only one component of a DSMP. A DSMB is not always required. For more information, please review this guidance.

When should DSMB / DSMC Reports be Submitted?

In general, the IRB expects these reports to be submitted in a timely manner via a modification submission in HSERA. This includes reports that recommend continuation of the study without modification.

Reports that include commentary which requires a response or necessitates action on the part of the study team or sponsor must be accompanied by a response to any issues noted in the report.

It is important that the study team submit the DSMB reports to the IRB in real time so that the IRB may assess the appropriateness of study continuation. Any reports not submitted in real time must be provided with the annual request for continuing approval. However, failure to submit in real time will be raised to the Investigator’s attention in their annual continuing approval letter and may require additional follow-up.

For further assistance, please contact: Jessica Yoos or visit the Office of Clinical Research for additional information.

Suicidal Ideation and Behavior: Risk Mitigation Guidance

Participants at risk of suicidal ideation and behavior are a vulnerable population group. Therefore, additional measures may be warranted to ensure their protection while they are enrolled in research studies. Additionally, participants in FDA-regulated clinical trials (including otherwise healthy volunteers) may also be at risk for suicidal ideation and behavior when they are being administered: 

  • A drug being developed for any psychiatric indication, 
  • Any antiepileptic drug, and/or
  • Other neurologic drugs with central nervous system (CNS) activity

When a research team is made aware of immediate suicide risk in a participant, there is an obligation and responsibility for timely and appropriate follow up to ensure participant safety. The intent of this document is to provide guidance on ensuring the safety of research participants who may be at risk of suicidal behavior.

Click Here for Guidance

For further assistance, please contact: Jessica Yoos

Certificates of Confidentiality (CoC)

Certificates of Confidentiality allow the investigator and others who have access to research records to refuse to disclose identifying information about research participants in any civil, criminal, administrative, legislative, or other proceeding. See the NIH Certificate Kiosk for additional information.

Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality (CoC)

To increase the protection of privacy of research participants, as of October 1, 2017, NIH funded researchers who are collecting identifiable, sensitive information as part of their NIH funded research will automatically be issued a CoC as part of the term and condition of their award. There is no need for them to apply for a CoC. Compliance with the privacy protections afforded by the CoC is also a term and condition of award. All research that was commenced or ongoing on or after December 13, 2016 and is within the scope of this policy is issued a Certificate through this policy. See NOT-OD-17-109.

For further assistance, please contact: Dave Heagerty

Entering Information Protected by a COC in a Subject's Medical Record

In general, placing research information protected by a Certificate of Confidentiality into a subject’s medical record would require the subject’s consent unless such disclosure is required by law. NIH and the IRB encourage investigators who wish to include identifiable, sensitive information protected by a Certificate in a medical record to work with general counsel to determine how to do so in accordance with applicable federal and state laws.

Section 301(d) of the Public Health Services Act protects identifiable, sensitive information and all copies thereof. Accordingly, if identifiable, sensitive information protected by a Certificate is placed in a subject’s medical record, the protections of the Certificate and prohibitions on further disclosure of the information may apply. Investigators should consult with general counsel to ensure that proper consent is obtained for all potential disclosures from medical records.

If you have obtained a COC, and you need to suppress information from release in the medical record, please review this Tip Sheet on placing a flag on a record, and contact OCR Operations with any associated questions. 

Conflicts of Interest (COI)

NIH Genome Wide Association Study (GWAS) Registry

Any request to submit data into the NIH Genome-Wide Association Studies repository must include certification that the submission has been approved by the responsible Institutional Official. At Penn the IRB serves that function and this guidance document details (i) how to submit requests for GWAS certification to the IRB, (ii) how the IRB will consider these requests and (iii) how studies can be drafted to ensure that IRB Certification can be granted.

Download guidance.

For additional assistance, please contact: Patrick Stanko