Inewsource reports that the University of California San Diego (UCSD) has been stonewalling attempts by researchers to disclose to research subjects that their personal identifiable health data was breached several months ago. This is a shocking allegation, if true, given the necessities of disclosure with federal rules such as HIPAA and 42 Part 2 (substance abuse data disclosure even stricter than HIPAA).
Apparently, during the EmPower Women study, UCSD researchers told university officials that participant’s names, audio-taped conversations and other sensitive materials were made accessible to all of the employees and contractors at Christie’s Place, a San Diego nonprofit supporting women with HIV and AIDS. UCSD partnered with Christie’s Place to recruit subjects for the HIV/AIDS study.
The study examined how challenging experiences with domestic violence, trauma, mental illness and substance abuse affected their commitment to HIV treatment. As with any study, UCSD was to keep participant information confidential and accessible only by authorized research staff (who of course have signed up to policies, procedures and rules guiding researcher and institutional behavior).
The study started back in 2016 in an attempt to offer HIV-positive women in San Diego social and health support.
Christie’s Place managers intentionally stored all information in a database to track patients receiving clinical care. The information, available to anyone at the nonprofit, supported their ability to inflate patient numbers and invoice San Diego County for more services. Christie’s Place is on record denying these allegations.
UCSD informed inewsource that it planned on contacting the research participants over the next three weeks. It claimed the disclosure process would be slower due to an administrator put on leave.
Compliance Efforts Chime In
Five data protection and privacy experts have concurred that UCSD has taken far too long to notify the women affected. One expert on the record with inewsource noted, “being transparent” represents the immediate first step for such an incident.” Another expert said the “seven-month delay” is a real concern, and yet another noted that the response “seems to violate the respect” for the subjects. Michael Carome, a former associate director at the U.S. Office for Human Research Protections said, “that is just an unacceptable delay.”
The EmPower Women project was funded by the University of California system. Federal policy can’t necessarily be enforced in this situation.
UCSD needs to disclose personal data and privacy breaches immediately. It needs to follow standard HIPAA and 42 Part 2 policies and procedures which are already in place. Moreover, in the GcP context, there could be additional policies to adhere to. An institution as preeminent and esteemed needs to lead by example.