OHRP: Columbia Recruitment Pitch Exposed Email Addresses, Wasn’t Reported as Required

Compared to privacy breaches that routinely affect millions, the one suffered by Columbia University Medical Center in 2016 was tiny, but the information exposed was among the most sensitive. In November of that year, a Columbia researcher notified the institutional review board (IRB) that email addresses of 145 individuals involved in HIV/AIDS research were visible in a recruitment pitch. A study coordinator had included individuals’ addresses in the CC portion of an email inviting participation in a related upcoming study.

Because only breaches affecting 500 or more individuals must be publicly disclosed under federal law (smaller ones are logged with HHS annually and are not posted on its public breach portal), incidents like this one may never become public. But in Columbia’s case, the breach, which also appears to be reportable under HIPAA, came to light because the HHS Office for Human Research Protections (OHRP) found that the medical center violated the Common Rule by failing to report what had happened. The finding is rare evidence of enforcement action by OHRP, although it imposed no sanctions on Columbia.

In February, OHRP notified Columbia via a determination letter that the email disclosure was considered a “breach in confidentiality” that qualified as an “unanticipated problem involving risks to subjects or others.” Such problems are to be “promptly” reported to OHRP; this one wasn’t until months later and only after the agency, acting on a complaint, contacted Columbia.

Determination letters can be valuable educational tools because they provide examples of missteps that may endanger subjects or otherwise run afoul of regulations. They also offer insight into OHRP’s views on how to correct and prevent mistakes and may suggest best practices. Institutions will want to note the actions Columbia took in the wake of the email breach, including terminating the study coordinator.

But OHRP now rarely writes such letters; Columbia’s is only the third it has issued since October 2016. And although it found that the failure to report the breach was a violation, OHRP imposed no sanctions in this case, saying it was satisfied with Columbia’s corrective actions. Of note, OHRP did not cite Columbia for the breach itself, nor did it comment on the fact that none of the corrective actions address policies designed to ensure prompt notification to OHRP of reportable events.

In previous years, OHRP issued dozens of determination letters, which addressed concerns ranging from lack of informed consent to failures to follow IRB procedures.

Pressed by Michael Carome, director of the Health Research Group of watchdog organization Public Citizen, for its lack of visible enforcement efforts, OHRP Director Jerry Menikoff defended the agency’s “informal” approach to handling allegations of noncompliance. According to Menikoff, revealing details about investigations can result in inappropriate “shaming” of institutions “that just happen … to not comply with the regulations.”
