Sensitive identifiable human subject research data is regulated by the Federal Policy for the Protection of Human Subjects (also called the “Common Rule”). Among other requirements, the Common Rule mandates that researchers protect the privacy of subjects and maintain confidentiality of human subject data. Human subjects research data may also fall under the regulatory requirements of the U.S. Food and Drug Administration (FDA).
The University maintains a Sensitive Data Research Guide which details technical practices researchers and their unit IT should consult when choosing how to handle data of this type.
A human subject is defined in the Common Rule as a "living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.”
“Identifiable” means the information contains one or more data elements that can be combined with other reasonably available information to identify an individual (for example, Social Security number, health care record).
Personally identifiable data is sensitive if disclosure of such data would pose increased social/reputational, legal, employability, or insurability risk to subjects.
Under the FDA regulations, a human subject is defined as "an individual who is or becomes a participant in research, either as a recipient of the test article or as a control. A subject may be either a healthy human or a patient."
Sensitive identifiable human subject data may, but doesn’t necessarily, contain Protected Health Information subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). To determine if the data you are working with is subject to HIPAA please visit http://dataguide.uchicago.edu/protected-health-information. Clinical trials subject to FDA regulations are likely to produce Protected Health Information as well as sensitive identifiable human subject research data.
- Illegal behaviors
- Drug or alcohol abuse
- Sexual behavior
- Mental health or other sensitive health or genetic information
- Financial transactions
**If you will be obtaining data covered by FERPA as part of a research study, please refer to the guidelines for student education records at http://dataguide.uchicago.edu/student-education-records**
- Federal Policy for the Protection of Human Subjects (also called the “Common Rule”): https://www.hhs.gov/ohrp/regulations-and-policy/regulations/45-cfr-46/
- FDA regulations setting out protections for human research subjects: https://www.ecfr.gov/cgi-bin/text-idx?SID=5704ce7fc55bb484f0b334a5ab6fc86b&mc=true&node=pt21.1.50&rgn=div5
Any data collected under a National Institutes of Health (NIH) Certificate of Confidentiality is considered sensitive. For additional information on NIH’s Certificate of Confidentiality please see https://humansubjects.nih.gov/coc/background.