Institutional Review Board for Health Sciences Research (IRB-HSR)

Managing Protocol After Initial Approval

Data Breach

A data breach is defined in the HITECH Act (43 USC 17932) as an unauthorized acquisition, access, or use of protected health information (PHI) that compromises the security or privacy of such information.

The HITECH Act requires the University to notify patients, including human subjects, whose “unsecured PHI” has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of a breach, if the breach poses a risk of significant harm as defined by the HITECH regulations.

The HITECH Act applies to breaches of both electronic data and data in paper form. Reports should be made according to the Reporting Information Security Incident Standard.

Examples of a Data Breach That Must Be Reported:

Unsecured electronic PHI is any PHI not secured by encryption processes that meet the National Institute of Standards and Technology (NIST) standards adopted by HHS, which enforces the HITECH Act. UVA offers encryption solutions to employees that meet these standards: see

Timeline and Procedures for Reporting a Data Breach
Report to:
  1. The UVA Corporate Compliance and Privacy Office, at 924-9741. The Corporate Compliance and Privacy Office will investigate to determine whether a notification of breach must be given to affected patients, the media and the Secretary of HHS under the HITECH Act, and make any required notifications.
  2. UVA Office of Information Technology Services (ITS) if the breach involves electronic data. Use the UVa Reporting an Information Security Incident
  3. UVa Police Department if the data breach involves lost or stolen electronic devices and media. The data breach must be reported immediately.

Data Breach Caused By or Resulting From a Protocol Violation or Other Issues of Noncompliance

If a data breach results from a protocol violation or other issue of noncompliance with the protocol, including failure to follow the data security requirements in the Data and Safety Plan, the issue should be reported to the IRB within 7 calendar days using the Protocol Violation/Noncompliance/Enrollment Form. This event may also meet the criteria for an Unanticipated Problem, but the information is best captured using the Protocol Violation/Noncompliance/Enrollment Form, so there is no need to report it a second time using the Unanticipated Problem Report Form.

Data Breach That Was NOT Caused by a Protocol Violation or Other Issue of Noncompliance and That Meets the Criteria for an Unanticipated Problem

A data breach may also meet the criteria for an Unanticipated Problem if the data breach meets all 3 of the following criteria:

If the Data Breach meets the criteria of an Unanticipated Problem and was not caused by a protocol violation or other issue of noncompliance, the researcher must follow the IRB-HSR requirements for reporting an Unanticipated Problem IN ADDITION TO the UVa requirements for reporting a Data Breach.

Click on the link above for additional information on procedures for reporting unanticipated problems to the IRB-HSR.

Information Sources
UVa has policies covering the protection of PHI and reporting requirements for a data breach. These policies include:

For more information on data breaches, see Learning Shot: Reporting to the IRB Part 3: Data Breaches.