Click on the following links for detailed information: (Back to Menu)
Impaired Consent/Surrogate Consent :
Surrogate Consent Guidelines and Forms
Note that prior IRB approval is necessary before utilizing a surrogate. If you have questions about the requirements or need help understanding the process, please contact your local IRB office for assistance.
Data and Safety Monitoring: Print View (PDF format)
Federal regulations require the IRB to determine that, “when applicable, the research plan makes adequate provisions for monitoring the data collected to ensure the safety of subjects.” (45 CFR 46.111(a) (6))
The purpose of Data Safety Monitoring Plan (DSM) is to protect the safety of participants and ensure the integrity of the data. All studies involving human subjects require some level of data and safety monitoring.
Having a good DSMP helps insure the safety of study participants, the validity of data, and the appropriate termination of studies for which significant benefits or risks have been uncovered or when it appears that the investigation cannot be concluded successfully.
The following link to the National Institute of Health (NIH) Guide: Policy for Data and Safety Monitoring provides background, principals and different examples of Data Safety Monitoring information: http://grants.nih.gov/grants/guide/notice-files/not98-084.html
Click here for more information
Protocol Deviation - Print view (PDF format)
A protocol deviation is any change, divergence, or departure from the study design or procedures of a research protocol that is under the investigator's control and that has not been approved by the IRB. Upon discovery, the Principal Investigator is responsible for reporting protocol deviations to the IRB using the Deviation Report Form.
- A research subject is scheduled by study personnel for follow-up visits and/or treatment outside of the protocol defined window only if this does not adversely affect the well-being of the subject or the scientific validity of the study.
- Enrollment of subjects beyond the number approved by the IRB.
- Study schedule of events is not followed, i.e. study questionnaires are administered out of order.
- Unapproved advertisements are utilized for recruitment
A protocol violation is a deviation from the IRB approved protocol that may affect the subject's rights, safety, or well being and/or the completeness, accuracy and reliability of the study data. Protocol Violations must be submitted for Full Board IRB review.
If the deviation meets any of the following criteria, it is considered a protocol violation.
The deviation has harmed or posed a significant or substantive risk of harm to the research subject.
- A research subject received the wrong treatment or incorrect dose
- A research subject met withdrawal criteria during the study but was not withdrawn
- A research subject received an excluded concomitant medication.
The deviation compromises the scientific integrity of the data collected for the study.
- A research subject was enrolled but does not meet the protocol's eligibility criteria.
- Failure to treat research subjects per protocol procedures that specifically relate to primary efficacy outcomes. (if it involves patient safety it meets the first category above)
- Changing the protocol without prior IRB approval.
- Inadvertent loss of samples or data.
The deviation is a willful or knowing breach of human subject protection regulations, policies, or procedures on the part of the investigator(s).
The deviation involves a serious or continuing noncompliance with federal, state, local or institutional human subject protection regulations, policies, or procedures
- Failure to obtain informed consent prior to initiation of study-related procedures
- Falsifying research or medical records.
- Performing tests or procedures beyond the individual's professional scope or privilege status (credentialing)
The deviation is inconsistent with Rutgers research, medical, and ethical principles.
- Working under an expired professional license or certification
- Failure to follow federal and/or local regulations
- Repeated deviations.
- A breach of confidentiality.
- Improper destruction or removal of research records.
- Inadequate or improper informed consent procedure.
Obtaining the informed consent of individuals before involving them in research is a central protection afforded by federal regulation and a key ethical expression of respect for persons. Among other things, the consent process should assure investigators provide adequate information about the research, communicate it in a way that is easy for the individual to understand, and discuss the research in a context that ensures their decisions to participate or not are voluntarily made.
Federal regulation requires certain informational elements to be present in consent documents to facilitate ‘informed consent’ in various circumstances (i.e., adult consent, assent of a minor, surrogate consent for the decisionally-impaired, consent of non-English speaking persons, etc.). We offer a variety of sample consent templates [link: http://rbhs.rutgers.edu/hsp/forms/consent.html] complete with directions and consent language. You may adopt the template language or use to guide the development of a custom consent that best suits your research needs and effectively communicates to the potential population you ask to participate in your research.
Please note that other HSPP Guidance we list [link: http://rbhs.rutgers.edu/hsp/guidance/index.html] may also link to sample consent templates for use. For example, the Research Tissue/Data Bank Guidance offers a main consent template for the development of a registry or repository and an addendum consent template for a secondary study.
If you have additional questions about how to craft a consent documents, please contact your local IRB Office.
Investigational Drugs and Devices
Investigational Drug Studies (Click here for more detail)
Studies involving the use of an investigational drug will be conducted in compliance with 21 CFR 312 Subchapter D, Drugs for Human Use / Investigational New Drug Application (IND).
An IND is required for experimental drugs if the drugs are used for the purpose of developing information about their safety or efficacy. Approved, marketed drugs also require an IND if the proposed use in research is different from its previously FDA-approved use or administered by an unapproved route or method of delivery or an altered dosage.
Investigational Device Studies (Click here for more detail)
A medical device is defined, in part, as any health care product that does not achieve its primary intended purposes by chemical action or by being metabolized.
An investigational device is a medical device that is the object of a clinical study designed to evaluate the effectiveness and/or the safety of the device. All investigational device use must have prior IRB review and approval by the IRB in accordance with applicable laws and regulations [FDA 21 CFR 812 and 814 Subpart H].
Clinical investigations of medical devices will comply with regulation 21 CFR 812 unless otherwise exempt, as noted below.
What is genetic research?
Rutgers defines genetic research as research that involves the analysis of DNA, RNA, chromosomes, proteins, or certain metabolites which might act as or identify markers associated with a known or suspected predisposition to disease or behavior. Usually genetic research involves the collection of human biological material such as blood, skin or other tissues, nail clippings or hair. Genetic research also may include the construction of pedigrees (maps of the distribution of a particular trait or condition among related individuals or family medical histories). Although gene transfer is another form of genetic research, this guidance document does not apply to gene transfer research.
Protecting the Rights, Safety, and Welfare of Study Subjects.
Good Clinical Practice - GCP - Print View
Good Clinical Practice (GCP) is an international quality standard. GCP Guidelines include standards on how clinical trials should be conducted; define the roles and responsibilities of clinical trial sponsors, clinical research investigators, and monitors. Adherence to the principles of good clinical practices (GCPs), including adequate human subject protection (HSP) is universally recognized as a critical requirement to the conduct of research involving human subjects. Many countries have adopted GCP principles as laws and/or regulations.
The links below will provide you with the specific GCP requirements of the Food and Drug Administration(FDA) and the International Conference on Harmonisation (ICH)
Non-English speaking subjects
The purpose of this guidance document is to ensure that Non-English speaking persons (or their legally
authorized representative or surrogate) are provided information about proposed research in a language
they understand in order to exercise autonomy to participate in research offered by and at Rutgers.
- Rutgers Guidance for Obtaining and Documenting Informed Consent of Research Subjects Who Do Not Speak English
Through The Department of Care Coordination, UH provides and coordinates several ways to
ensure clear communication with patients who have limited or no English proficiency. Caregivers
MUST use these options rather than rely on the patient's family or friends to interpret important
HIPAA - Personal Identifiers and PHI
The HIPAA Privacy Rule regulates the use and disclosure of certain information held by "covered entities" (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions.) It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.
non human subjects research
Content under revision
Humanitarian Use Devices/Humanitarian Device Exemption
Every IRB application must be accompanied by a protocol for research. The protocol must be a summary of the research plan outlined according to factors which the IRB considers essential for its review.
Unanticipated Problems/Adverse Events
- Print view (PDF format)
Under 45 CFR 46 "unanticipated problems" involving risk to subjects or others must be reported to the IRB, institutional officials, study sponsor and OHRP. In addition, under 21 CFR parts 56, 312 and 812, adverse drug events and unanticipated adverse device effects that are 'unanticipated problems" must be reported to the IRB, study sponsor, and FDA.
All deaths in interventional studies that occur within 30 days of the intervention must be reported to the IRB within 24 hours of discovery whether or not considered study-related when Rutgers is the IRB of record.
Incidents, experiences, outcomes and adverse events which meet all the criteria below also must be reported to the Rutgers IRB:
- unexpected in terms of nature, severity or frequency, given the research protocol, investigator's brochure, IRB-approved informed consent document, product labeling and other sources of information, and given the characteristics of the subject population being studied (expected natural progression of subjects' disease, disorder or condition or predisposing risk factor profiles)?
- related or possibly related to participation in the research, i.e., is there a definite or reasonable possibility that the incident, experience or outcome may have been caused by the research drug/device or research procedures?
- potentially place the research subjects or others at a greater risk of harm (including physical, psychological, economic or social harm) than was previously known or recognized?
Unanticipated problems which are serious adverse events must be reported within one week of discovery. All other unanticipated problems must be reported to the IRB within two weeks of discovery.
The following must be included in the submission of an Unanticipated Problems / Adverse Events in Human Subjects Research Report:
- 1 original and 2 copies of the Unanticipated Problems/Adverse Events in Human Subjects Research Report
If changes are to be made in the approved study protocol or documents in response to the event, then the following must also be included with the submission:
- 1 original and 2 copies of the Modification Request Form outlining what changes have been made and where.
- 1 original and 2 copies of all revised documents with proposed changes highlighted.
- 1 original of any revised documents with no highlighting for approval stamping.
Following review, the Unanticipated Problem/Serious Adverse Event will receive one of the following status determinations: Accepted or Not Accepted. This determination will be provided to the principal investigator, outlining follow-up steps as deemed necessary by the committee.
Advertising/Recruitment - Print View (PDF format)
Any advertisement that will be seen or heard by prospective subjects to solicit their participation in a study is considered Direct Advertisement for Research Subjects.
This includes, but is not necessarily limited to: e-mail announcements, online advertisements, newspaper, radio, TV, bulletin boards, posters, and flyers that are intended for prospective subjects.
Not included are:
- communications intended to be seen or heard by health professionals, such as "dear doctor" letters and doctor-to-doctor letters (even when soliciting for study subjects)
- news stories
- publicity intended for other audiences, such as financial page advertisements directed toward prospective investors.
FDA considers direct advertising for study subjects to be the start of the informed consent and subject selection process. Advertisements should be reviewed and approved by the IRB as part of the package for initial review. However, when the clinical investigator decides at a later date to advertise for subjects, the advertising may be considered a modification to the ongoing study.
When direct advertising is to be used, the IRB must review the information contained in the advertisement and the mode of its communication, to determine that the procedure for recruiting subjects is not coercive and does not state or imply a certainty of favorable outcome or other benefits beyond what is outlined in the consent document and the protocol.
Generally, FDA believes that any advertisement to recruit subjects should be limited to the information the prospective subjects need to determine their eligibility and interest. When appropriately worded, the following items must be included in advertisements.
- the name and address of the clinical investigator and/or research facility;
- the condition under study and/or the purpose of the research;
- in summary form, the criteria that will be used to determine eligibility for the study;
- a brief list of participation benefits, if any (e.g., a no-cost health examination);
- the time or other commitment required of the subjects; and
- the location of the research and the person or office to contact for further information.
FDA Inspection readiness
Successful FDA Inspections at Investigative Sites for Clinical Trials of Drugs and Biologics - Print View (PDF - Format)
Certificate of Confidentiality - Print View (PDF- format)
Certificates of Confidentiality are an important tool to protect the privacy of research study participants
Certificates of Confidentiality are issued by the National Institutes of Health (NIH) to protect identifiable research information from forced disclosure. They allow the investigator and others who have access to research records to refuse to disclose identifying information on research participants in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level. By protecting researchers and institutions from being compelled to disclose information that would identify research subjects, Certificates of Confidentiality help achieve the research objectives and promote participation in studies by helping assure confidentiality and privacy to participants.
Information about how to apply for a Certificate of Confidentiality can be found at: http://grants.nih.gov/grants/policy/coc/
CITI - Human Subjects Training
All Rutgers faculty, students, and other individuals involved in human subjects research are required to complete the Collaborative Institutional Training Initiative (CITI) Basic Course prior to IRB approval. This requirement also extends to all IRB members and Human Subjects Protection program staff. Campus IRBs will not issue final approval of any IRB submissions until it is verified that listed study personnel have completed the current requirements for human subjects research education.
For more information click here.
Clinical Trials Registration: Print View (PDF format)
All clinical trials must be registered with ClinicalTrials.gov, a service of the U.S. National Institutes of Health. For information about how to register a trial, please contact the Human Subject Protection Office at: email@example.com.
The FDA Amendments Act of 2007 requires all clinical trials be registered in a public database. The Act of 2007 contains trial registration requirements at ClinicalTrials.gov. Consequences of not registering can include monetary and civil penalties. Additionally, many journals require that the trials have been registered before papers will be considered for publication. Rutgers requires investigators to register all Investigator-initiated and National Institute of Health (NIH) trials into the University’s profile at www.clinicaltrials.gov . Industry sponsored studies are registered by the Sponsor.
The following links provide detail:
Closure of studies
Your campus IRB administrative office must be notified when a study is completed. This notification should be sent when enrollment of participants and data collection is complete and data analysis is to the point that participants' records will no longer be required. Please complete a Final Study Report and submit it to the IRB within 30 days of closure of the study. Notification of the closure of exempt studies is also recommended.
If you originally submitted your study via eIRB, click on the create Final Report option in your study workspace.
If you have originally submitted your study on paper, click here to complete a FInal Report form.
Conflict of interest
On August 25, 2011, the U.S. Department of Health and Human Services, Public Health Service adopted a revised regulation for managing potential or real conflicts of interest in “Responsibility of Applicants for Promoting Objectivity in Research” (42 C.F.R. Part 50, Subpart F). The link to the notice is: http://grants.nih.gov/grants/guide/notice-files/NOT-OD-11-109.html
Rutgers has revised its Investigator Conflict of Interest Policy to be consistent with these amended PHS regulations which are intended to provide the reasonable expectation that the design, conduct, and reporting of the research will be free from bias resulting from Investigator financial conflicts of interest. All Institutions receiving PHS funding are required to implement the new rules prior to August 24, 2012. After August 7, 2012, you will be able to find a copy of the revised policy at:http://policies.rutgers.edu/
Study Managment Tools: Print View - Table of Contents
The Study Management Tools are intended to be used as an aid to help the researcher and research team. This template attempts to provide a general format applicable to all types of research. After choosing the appropriate template, it should be modified to reflect the unique attributes of the study
- Study Staff Delegation Log: Use this log to document study staff signatures/initials and their research related responsibilities as delegated by the Principal Investigator. Update as responsibilities change
- Study Staff Training Log: Use this log to document any education or training completed by study staff (eg. CITI, GCP, Sponsor protocol Training, Certificate Programs completed)
- Subject Enrollment Log: Use this log to document to keep track of participant screening, eligibility, enrollment or reasons for exclusion.
- Monitoring Log: Use this log to document date of monitoring visits, name of monitor and type of monitoring visit taking place.
- Drug Accountability Log: Use this log to manage study drug compliance. Document Subject ID, date received, Kit #, dispensing amounts, who dispensed drug, dates, return dates, amount returned, etc.
- Device Log: Use this log to manage study device compliance. Document Subject ID, Model #, Serial #, Lot #, date device used, date destroyed and/or returned.
- Unanticipated or Adverse Event Log: Use this log to document to keep track of participant unanticipated or adverse events. Document Subject ID, date event occurred, date staff learned of event, describe event, date reported to IRB and/or Sponsor.
- Protocol Deviation Log: Use this log to document to keep track of deviations from the IRB approved protocol. Document Subject ID, date deviation occurred, type of deviation (code), date protocol deviation form was completed and submitted to IRB.
The following glossary is not intended to be a complete biomedical and social behavioral research glossary, but the intent of this glossary is to cover concepts that are important in the completion of IRB applications. This glossary does not include terms specific to any one research project.
Frequently Asked Questions (FAQs): PDF Format
Who may be a Principal Investigator (PI) for Human Subjects Research
Definition of Principal Investigator: A principal investigator is the individual who assumes full responsibility for a research project, including the supervision of any co-investigators, research assistants, house staff and students. The Institutional Review Board only recognizes one principal investigator per human subjects research study, no matter how many research sites may be involved. Other individuals may be named co-investigators. The principal investigator must possess the expertise, time and commitment to conduct and provide the necessary oversight for all aspects of the study, and must be willing to accept full responsibility for the study. In multi-site studies for which Rutgers is the coordinating institution, the principal investigator assumes the responsibility for the conduct of the study at each performance site and by each site-specific principal investigator.
Human Subjects Research Policy: PDF Format
STANDARD OPERATING PROCEDURES: (Click here to view)
GUIDANCE: Print View
- If approval for continuation is not granted prior to the expiration date of the protocol, all recruitment, subject enrollment, and other research related activities (e.g. study visits, chart reviews, data analysis using subject identifiable data, manuscript development, and etc.) must stop.
- Currently enrolled subjects should continue to receive treatment and follow‐up that is in their best interest.
- Failure to submit timely requests for continuing review demonstrates non‐compliance with federal regulations and institutional policy and is reportable to the FDA, OHRP, and the study sponsor (when applicable).
- Continued non‐compliance affects the investigators standing with the IRB and may prohibit the investigator from conducting future research at the University.
IRB Office Requirements:
- In order to prevent non‐compliance due to an expired protocol, an investigator must submit his/her Continuing Review Application or Final Study Report to the IRB office
- At least 4 weeks in advance of the expiration date of IRB approval for minimal risk (expedited) protocols
- At least 8 weeks in advance of the expiration date of IRB approval for greater than minimal risk (full board) protocols
- If non‐compliance occurs due to an expired protocol, then the investigator must submit the Expired Study Report Form with his/her Continuing Review Application or the Closure Form with his/her Final Study Report. Both forms require the investigator to provide a detailed corrective action plan.
Corrective Action Plan for Expired Protocols:
A corrective action plan describes how a delayed submission resulting in an expired protocol will be prevented from occurring in the future and what changes in procedure are being implemented to prevent protocol approvals from expiring in the future. Below are three examples of acceptable corrective action plans:
Example #11. My system/procedure to track deadlines will be by placing the dates in my calendar and in the calendar of the co‐investigators and other study personnel.
2. The visual tool, with an available alarm, is the Outlook calendar that we will be using.
3. My plan for maintaining calendar notifications for expiring protocols will be to set an alarm in the calendar which will notify us of expiration dates. The calendar will be backed up on the departmental server in case the local drive fails.
Example #2The study’s coordinator is going to construct a well‐organized e‐file system for every study under the PI’s name. The folder will be located on the PI’s shared drive and will be organized by protocol. There will be subfolders within each protocol’s folder, organized in chronological order, for each of the continuing reviews, amendments, and etc. This system will provide anyone new to the study, such as new research fellows, with easy access to the status of all studies under this PI and the most current IRB documents. Additionally, the coordinator is going to develop a spreadsheet for all protocols under the PI. The spreadsheet will be updated as needed and will serve as a quick reference for when continuing reviews need to be compiled and submitted.
Upon receiving approval from the IRB:
1. I will complete corrections to the final chapter of the project. At the time of suspending the project all of the research was completed. My faculty advisor had only reviewed the data that I compiled and only made recommendations for corrections to the written report.
2. I will complete those corrections to the written report and then give my faculty advisor a weekly progress update on Fridays.
3. My faculty advisor and co‐investigator will review my final written report.
4. I will schedule a weekly meeting in person with my faculty advisor to review her recommendations to the final document.
5. I plan to present the findings and submit the paper for publication. The results of this study will provide evidence based information to the ongoing discussion among stakeholders as they attempt to provide enhanced healthcare for foster children in the State of New Jersey.
6. I will submit a Final Study Report/Study Closure Form to the IRB at least 4 weeks before my IRB approval expires after my paper has been accepted for publication or presentation and no additional analysis of the data will be done. If further data analysis is needed before my paper is accepted, then I will submit a Continuing Review Application to the IRB at least 4 weeks before my IRB approval expires.
Please note that exact duplication of these examples in place of an original corrective action plan will not be accepted by the IRB and will be returned to the investigator to be revised and then resubmitted to the IRB.
Research Tissue or Data Bank
These guidance documents may be used as a resource for investigators who wish to develop: (a) standard operating procedures to establish a research tissue bank or a research data bank; (b) a consent document to collect tissue for future research; and (c) an addendum consent document to collect tissue for future research secondary to a main study. This guidance applies to activities that include the collection and storage of blood, tissue or other biological materials (excluding embryos* or embryonic stem cells*) and/or health data that will be used by a single investigator or shared with multiple investigators for future research not yet defined, including genetic (but not stem cell*) research. This guidance does not apply to the collection and storage of specimens or data as part of a single IRB-approved protocol for defined research purposes. *Contact your IRB Office for guidance on embryo or stem cell research.
Guidance for the development of standard operating procedures for a research tissue bank or a research data bank: PDF Format
Guidance for the development of a consent form for a research tissue bank or research data bank: Rutgers Tissue or Data Bank Consent Template
Guidance for the development of a consent form appended to a main study to collect tissue for future research secondary to a main study: Rutgers Tissue Bank Addendum Consent Template
National Institutes of Health (NIH) Guidance
NIH on August 2, 2012 issued a notice that provides detailed guidance on the types of changes in human subjects research awards that require prior NIH approval. It also provided information on the process for the submission of such requests. A separate notice "clarifies NIH requirements related to prior NIH approval of human subjects research plans for awards which were submitted with the intent to conduct human subjects research during the period of support, but for which definitive plans could not be described in the grant application."
Research noncompliance refers to a failure (intentional or unintentional) to follow the regulations, institutional policies governing human subject research, or requirements of or determinations by the IRB by the investigators or research staff, or any member of the Human Subjects Protection Program, including the IRBs or IRB administrative staff. Noncompliance can result from action or omission. Noncompliance may be non-serious (minor) or serious, and may also be continuing:
Research Misconduct means any fabrication, falsification, plagiarism, or other practice that seriously deviates from those that are commonly accepted with the scientific community in proposing, performing, or reviewing research, or in reporting research results. Research misconduct does not include honest error, conflicting data, differences of opinion, or differences in interpretations or judgments about data or experimental design. :
Quality Assurance/Quality Improvement (QA/QI) Projects
Quality Assurance (QA) and Quality Improvement (QI) consist of activities that are undertaken to measure the effectiveness of standard accepted processes, programs, or services, the results of which are intended to be shared only with individuals associated with the process, program or service being evaluated. QA/QI projects cannot expose individuals to any additional risks.
AUDIO/VIDEO/PHOTOGRAPHIC RECORDING OF HUMAN SUBJECTS
This guidance applies to all human research studies that involve the audio, video, photographic, or any other recording (hereafter referred to as recording) of research subjects
Research protocols involving decedents do not require IRB review. However, based upon federal regulations for HIPAA at 45 CFR 46.160 and 164, a review by the Institution's Privacy Board is required.
Rutgers University IRBs also serve as the Privacy Boards. Principal investigators conducting research with decedent PHI must submit an eIRB application to the IRB for review and determination prior to conducting their research.
TITLE 8. HEALTH
CHAPTER 2A. DEATH RECORDS
SUBCHAPTER 2. ACCESS TO DEATH RECORDS
N.J.A.C. 8:2A-2.2 (2013)
Any certification of a death record, with or without last sickness and death particulars, may be released without consent under the following conditions:
To qualified personnel for the purpose of conducting scientific research only under the following conditions:
- An Institutional Review Board, constituted pursuant to Federal regulation 45 C.F.R. 46.101 et seq., shall review and approve the research protocol prior to release of the death record;
- Research personnel shall not identify the subject of the record, directly or indirectly, in any report of the research; and
- Research personnel shall not disclose the identity of the subject of the record in any manner;
Each person with access to the Rutgers, The State University of New Jersey, computing resources is responsible for their appropriate use and by their use agrees to comply with all applicable University, School, and departmental policies and regulations, and with applicable State and Federal laws and regulations.
Security for “Non-Public Personal Information” (NPPI)
Security for “Non-Public Personal Information” (NPPI), as mandated by federal and state law, as well as Rutgers policy (e.g., Rutgers Policy 50.3.9, http://policies.rutgers.edu).
NPPI consists of financial, health information, social security numbers, driver license numbers and similar data. Certain NPPI, specifically electronic Protected Health Information (ePHI), has additional federally mandated requirements. All units and staff responsible for creating, storing, or transmitting this information are required to do so in a manner which protects NPPI and maintains compliance with regulation and policy. Any breach of security or compromise of systems containing NPPI must be reported immediately to the Office of Information Protection and Security (IPS) (firstname.lastname@example.org) and your local unit head. Please take this opportunity to meet with your staff to review the following practices.
Securing University Data
All data records are not the same. The classification of data ensures that university information is properly identified, classified, and handled according to its value, legal requirements, sensitivity, and criticality to the University. Consideration should be given to protect data based upon its classification. Information on the classification of data can be found by visiting: http://rusecure.rutgers.edu/content/data-classification.
Hard Copy Records
Hardcopy records of NPPI (e.g. paper payroll documents, DVD’s or tape backups with personal information) should be kept in locked cabinets, behind locked doors. Protected hard copy data should be shredded as part of the disposal process. The retention and appropriate disposition of these records should be in accordance to the Rutgers Records Management Policy 50.3.10: http://policies.rutgers.edu
If there is a need to send NPPI to another department or external agency, the documents should be sent in a sealed envelope or other packaging, marked confidential, and addressed to a specific recipient. If NPPI is sent in email the message must be encrypted. Where applicable, instructions should be provided regarding the return, storing, and appropriate disposal of documents containing NPPI.
If you are maintaining NPPI or ePHI in electronic form, access should be strictly controlled and the information encrypted. If you are unsure whether your electronic systems hold NPPI, OIT/IPS has tools that can help. NPPI is often found in locally developed databases, personnel systems and spreadsheets, email files, class rosters, and files created by faculty and staff. Tools, with instructions for their use, are available at: http://rusecure.rutgers.edu/content/working-software-scan-nppi
Due to the vulnerability of information on portable/mobile devices, such as laptops, external hard drives or USB memory sticks, we recommend that all information on these devices be encrypted.
Personally owned portable devices
NPPI and ePHI may not be stored on personal portable/mobile devices including laptops, cell phones, USB memory sticks, and tablets. The Office of Information Technology - Division of Information Protection and Security (OIT/IPS) can provide guidance (email@example.com).
Cell Phones and Tablets
Cellphones and tablets that have access to NPPI must utilize additional security measures such as strong access codes, disabling location services, time-out screen locking, and account lockout and/or remote wiping.
There are additional risks that need to be taken in consideration when using cloud or third party providers. Using a third party cloud service or provider to handle data does not absolve you from the responsibility of ensuring that the data is properly and securely managed. It remains your responsibility to assure that the data is maintained with comparable security, as required by university guidelines. Information on cloud and third party computing can be found at: http://rusecure.rutgers.edu/content/cloud-computing-overview
The use of cloud services for the storage of ePHI data must have a signed Business Associate agreement with the service provider. University data housed on portable devices (laptops, cellphones, tablets, pen drives, etc.) or transmitted to and/or stored on "cloud services" should be encrypted with the encryption key separate from the device.
Traveling with Electronic Devices
Travel with electronic devices requires special precautions. Remote devices and the information they contain should be protected while accessing the Internet or not physically under your control. University transmissions should only be performed through a VPN (virtual private network). See http://rusecure.rutgers.edu/content/it-security-guidelines-domestic-and-international-travel
If you have any questions regarding the above, please contact OIT/IPS at 848-445-8011 or via email: firstname.lastname@example.org.