Section 1: Overview
The Jaeb Center for Health Research (JCHR) is committed to protecting the privacy and security of personal information. This Privacy Policy summarizes how JCHR collects, uses, discloses, and protects personal data in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, including the HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164), and applicable international data protection laws, such as the General Data Protection Regulation (GDPR) (EU) 2016/679.
Additional details regarding specific processes and procedures can be found in JCHR’s:
- HRPP Policy Manual
- HRPP602: Human Subjects Training
- HRPP607: General Data Protection Regulations
- IRB Investigator Handbook
- IT401.6: Data and File Protection
- IT401.7: Public Datasets
- IT401.8: Data Transfer
- IT405.1: Information Access Policy
- IT405.3: Safeguarding Personally Identifiable Information
- IT405.4: Cyber Security Incident Response
- IT405.5: Security Antivirus and Malware Protection
- IT405.6: Security Monitoring and Alerting
- IT406.1: IT Operations Manual
- IT406.3: Computing Policy Manual
- Research HIPAA Training
- Quality Manual
These policies and procedures are made available upon request.
Section 2: Scope
This policy applies to all individuals whose information is processed by JCHR, including research participants, employees, contractors, and website visitors.
Section 3: Details
3.1 What information does JCHR collect?
JCHR may collect and process the following categories of information when it has a qualifying business purpose to do so, and only after the applicable consent or authorization has been obtained from the individual:
- Identifiers: Name, date of birth, contact information (only if specified in the informed consent form and authorizations)
- Health Information: Medical history, diagnoses, treatments, laboratory results
- Research Data: Study participation data, responses to surveys, trial results
- Financial/Administrative Data: Billing details (if/when JCHR will be providing payments or reimbursements to the individual)
- Technical Data: IP address, device identifiers, cookies (for digital services not associated with any of the above information)
3.2 What is the legal basis for processing?
JCHR processes personal data only under the legal bases specified below.
HIPAA:
- For treatment, payment, and healthcare operations; for public health activities; and as otherwise permitted or required by law.
International data protection laws, such as GDPR:
- Consent (Article 6(1)(a), Article 9(2)(a))
- Contract performance (Article 6(1)(b))
- Legal obligation (Article 6(1)(c))
- Public interest in public health and research (Article 9(2)(i), (j))
- Legitimate interests pursued by the controller (Article 6(1)(f))
3.3 How does JCHR use this information?
JCHR may use your information for:
- Conducting clinical trials and research
- Regulatory reporting and compliance
- Improving internal operations and services, including training and education
- Administrative functions such as ethics review, quality assurance, monitoring, auditing, and billing (if applicable)
- Communicating with individuals regarding participation and/or rights
3.4 How does JCHR share information?
JCHR may share or disclose an individual’s personal data or protected health information:
- To research partners, sponsors, or vendors, subject to appropriate safeguards as contractually bound under HIPAA-compliant agreements or GDPR-compliant Data Processing Agreements (DPAs)
- To healthcare providers involved in your treatment (as applicable)
- To regulatory authorities (e.g., the Food and Drug Administration (FDA); European Medicines Agency (EMA)) as required by applicable law
- When required by law or court order (unless the research is covered by a Certificate of Confidentiality, which limits compelled disclosure)
JCHR uses, shares, discloses, or otherwise processes data only as specified in the explicit consent provided by the individual, as contractually bound, and in accordance with the law, and for no other purpose. JCHR does not sell data or use it for marketing purposes.
3.5 What rights do individuals have?
Individuals from whom JCHR has collected data have the right to:
- Access their data and/or protected health information (subject to any limitations specified in the consent forms)
- Request correction of inaccurate information
- Request deletion/erasure of data (except where legal or regulatory obligations, as specified in the consent forms, require that data already collected be retained)
- Restrict or object to processing
- Receive a copy of the data collected in a portable format (e.g., data portability under GDPR)
- Receive an accounting of disclosures of their protected health information (e.g., under HIPAA)
- Revoke consent at any time, where processing is based on consent
To exercise these rights, contact:
- International data protection laws (e.g., GDPR):
JCHR’s Data Protection Officer
Jeannie Perkins, MS, CCRP, CIP, RQAP-GCP
DPO@jaeb.org
- U.S. data protection (HIPAA):
JCHR Director of the HRPP
Zachar Duff, JM, MS, CCRP, CIP
HRPP@jaeb.org
3.6 What data security measures are in place?
JCHR implements administrative, technical, and physical safeguards to protect personal data and protected health information, including encryption, access controls, audit logging, and secure storage, as described in the processes and procedures noted above, in the applicable informed consent, and in the governing legal contracts.
3.7 How does JCHR retain data?
JCHR retains personal data and/or protected health information only as long as necessary to fulfill the purposes described in the explicit informed consent and legal contracts, or as required by law, for example:
- HIPAA (documentation required by the Privacy Rule is retained for at least 6 years from its creation or the date it was last in effect)
- GDPR (storage limitation principle; data is retained only as long as necessary for the purposes for which it was collected)
3.8 How can a complaint be filed?
Under HIPAA, individuals may file a complaint with the Director of the HRPP and/or the DPO as specified above, or directly with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights. Under international data protection laws, such as GDPR, individuals may lodge a complaint with the DPO as specified above, with their local supervisory authority (Data Protection Authority), and/or with JCHR’s Data Protection Representative for their country, as listed on the second page of the Data Protection Representative Letter for Data Subjects found on the https://www.jaeb.org/research-participants/ web page.