OFFICE FOR PROTECTION OF HUMAN SUBJECTS

Quick Links:

Home Page

Investigator's Manual

Educational Resources

Examples of Risk

NIH Guidlines

HIPAA Guidelines

Investigational Drugs/Devices

Genetic Research

Radiology Devices

Data Safety Monitoring

Contact Us!

 

Minimum Guidelines for Web Based Surveys

  • All Surveys that request confidential information from subjects must use SSL (https).
  • For a survey to be anonymous, researchers must not receive IP addresses of respondents or timestamps that show when a survey was completed to within less than 60 minutes.
  • No personally identifiable confidential information can be saved on any computer that can be directly accessed from the Internet (i.e., a web server requesting such information cannot save the information on its own disk).  This information must be saved on a separate computer that is isolated from the web server and the Internet by a firewall.
  • Any information defined as “protected health information” (PHI) under the HIPAA Privacy Rule must be encrypted when stored on a computer or when transferred to the investigator.

Guidelines for Describing Website Security Provisions

Include the following items in your description:

  • Hardware and software setup(s)
  • Physical location of the computer receiving the data
  • Security measures in place to protect data during initial transmission from subjects' computers to the web server
  • How web server data storage location is protected
  • How often data are backed up
  • Where backups are stored
  • Who has access to data and backups
  • Which data the web server log files collect
    • How these data are used
    • How often log files are downloaded and cleared from the web server
    • Who has access to the log files
  • How data are transmitted to the researchers' computer(s)
  • Who has access to the researcher' computer(s)
  • How researchers' computer(s) are protected
  • Steps taken to ensure that all data collected will remain private and confidential
  • Security measures during all transmission points
  • When identifying data are separated from other survey data
  • How identifying data are stored (i.e., separately from survey data)
  • Form (as submitted or coded) of storage
  • If data are transferred to the researchers with identifiers attached, explain why this is necessary and at what point the researchers will strip identifiers from data (i.e., after verification that the participant completed the survey for compensation purposes).
  • How participants' requests for results will be handled AND whether information entered by subjects to request survey results will be stored in a separate data file from responses