Department of Energy Checklist - IRB Institutional Review Board

Northwestern University – Institutional Review Board Office
Supplement for Research Projects Funded by the
Department of Energy (DOE)
Please use this form only when:
The study receives funding from or is supported by the Department of Energy (DOE)
For more information: http://humansubjects.energy.gov/
1. Principal Investigator Name:
2. Project Title:
3. IRB Study Number: STU
4. This form is an attachment to a new study or existing study (select one)
Instructions:
Handwritten or incomplete forms will not be accepted.
Complete all applicable sections of this form and do not leave any blanks unless directed.
Within eIRB, upload a copy of the completed form into the same section as the protocol.
The Department of Energy requires that the protocol have clear and detailed plans for protecting
Personally Identifiable Information (PII) in accordance with Federal and Department of Energy
(DOE) requirements, including the encryption of any data to be transferred and immediate
notification of any incident involving potential compromise or loss of PII data. Likewise, any
human subjects research funded by DOE or using DOE data must comply with DOE
requirements for protecting PII.
A. Research Requirements:
Check the boxes below to confirm that the statements are true.
The information in this form is in compliance with Department of Energy requirements
for the protection of Personally Identifiable Information (see the checklist at the end of this
form for specific information the protocol must include as related to PII).
The information described in Sections B and C of this form is included in the research
protocol.
Version date 04/04/2013
B. Transferring PII Requirements:
Check if “yes” or indicate the question is not applicable. Provide a response for all items listed below.
Yes / N/A – When PII is transferred from one organization to another as part of a human
research project, the data will first be encrypted consistent with PII protection
requirements stated in the Department of Energy Cyber Security Incident
Management Manual.
C. Prompt Reporting Requirements:
Check each box to acknowledge you have read and understood each entry.
Confirm – Investigators must promptly report the following to the human subject research
program manager within 48 hours of learning of any unanticipated problem that
does not involve PII.
Any significant adverse events, unanticipated risks and complaints about the research. A description of any corrective actions to be taken should be submitted with the report.
Any suspension or termination of IRB approval of research.
Any significant non-compliance with HRPP procedures or other requirements.
Confirm – If a potential loss or compromise of PII is involved, Federal and DOE
requirements mandate that any incident involving a potential loss or compromise of
PII be reported immediately (within 3 business days).
DOE CHECKLIST
FOR USE BY RESEARCHERS CONDUCTING
HUMAN SUBJECTS RESEARCH THAT UTILIZES
PERSONALLY IDENTIFIABLE INFORMATION (PII)
The following items must be addressed in all protocols:
1. Keeping PII confidential;
2. Releasing PII, where required, only under a procedure approved by the responsible IRB(s) and DOE;
3. Using PII only for purposes of this program;
4. Handling and marking documents containing PII as “containing PII or PHI”;
5. Establishing reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of PII;
6. Making no further use or disclosure of the PII except when approved by the responsible IRB(s) and DOE, where applicable, and then only under the following circumstances: (a) in an emergency affecting the health or safety of any individual; (b) for use in another research project under these same conditions and with DOE written authorization; (c) for disclosure to a person authorized by the DOE program office for the purpose of an audit related to the project; (d) when required by law; or (e) with the consent of the participant;
7. Protecting PII data stored on removable media (CD, DVD, USB Flash Drives, etc.) using encryption products that are Federal Information Processing Standards (FIPS) 140-2 certified;
8. Using passwords to protect PII used in conjunction with FIPS 140-2 certified encryption that meet the current DOE password requirements cited in DOE Guide 205.3-1;
9. Sending removable media containing PII, as required, by express overnight service with signature and tracking capability, and shipping hard copy documents double wrapped;
10. Encrypting data files containing PII that are being sent by e-mail with FIPS 140-2 certified encryption products;
11. Sending passwords that are used to encrypt data files containing PII separately from the encrypted data file, i.e. separate e-mail, telephone call, separate letter;
12. Using FIPS 140-2 certified encryption methods for websites established for the submission of information that includes PII;
13. Using two-factor authentication for logon access control for remote access to systems and databases that contain PII. (Two-factor authentication is contained in the National Institute of Standards and Technology (NIST) Special Publication 800-63 Version 1.0.2 found at: http://csrc.nist.gov/publication/nistpubs/800-63/SP800-63V1_0_2.pdf);
14. Reporting the loss or suspected loss of PII immediately upon discovery to: 1) the DOE funding office Program Manager; and 2) the applicable IRBs (as designated by the DOE Program Manager). If the DOE Program Manager is unreachable, immediately notify the DOE-CIRC (1-866-941-2472, www.doecirc.energy.gov).