MSU HRPP Manual Section 2-2-E

U.S. Department of Energy

This policy applies to research involving human subjects conducted or supported by the U.S. Department of Energy (DOE). In addition to the Basic DOE policy for Protection of Human Subjects (10 CFR 745), additional requirements are provided in DOE 443.1B, Protection of Human Subjects (approved March 7, 2011) and DOE Memo dated April 25, 2013. Individuals engaged in human subject research conducted or supported by the DOE are responsible for complying with the DOE requirements as applicable, including exempt research.

Human Subject Research Definition
Any DOE-funded or DOE laboratory managed or conducted research involving intentional modification of an individual’s or a group of individual’s environment, for example through installation of devices in homes and/or through introduction of gases / chemicals to trace airflow in occupied residential, commercial, or public settings will be managed as human subjects research and thus will be subject to the requirements of DOE Order 443.B. Such projects must be reviewed and approved by the Central DOE IRB, a DOE laboratory IRB or (if conducted by a university) a university IRB with an approved Federalwide Assurance of compliance, prior to initiation of the research and after consultation with the appropriate Human Subjects Protection (HSP) program manager. (DOE Memo dated April 25, 2013)

Human Terrain Mapping (HTM) is managed as human subject research and is subject to 443.1B. Human Terrain Mapping is research and data gathering activities primarily conducted for military or intelligence purposes to understand the ―human terrain, the social, ethnographic, cultural, and political elements of the people among whom the U.S. Armed Forces are operating and/or in countries prone to political instability. This work includes observations, questionnaires, and interviews of groups of individuals, as well as modeling and analysis of collected data, and may become the basis for U.S. military actions in such locations. In addition to Human Terrain Mapping (HTM), such activities are often referred to as human social culture behavior (HSCB) and human terrain systems (HTS) studies. It is DOE policy that HTM activities will be managed as HSR.443.1B(7)(i). See 443.1B(4)(a)(2) for additional approval requirements.

Contractor Requirements
443.1B includes a “Contractor Requirements Document, Attachment 1,” (CRD), which sets forth the requirements of 443.1B that apply to contractors. The CRD will be included in contracts for the management or operation of a DOE-owned or leased facility that involves human subject research, irrespective of the party conducting the human subject research under the contract. For all other contracts that involve human subject research, the applicable requirements set forth in the CRD are included in the contract terms and conditions as appropriate.

When a human research project is submitted to the IRB where DOE requirements are applicable, the contract will be reviewed by an IRB administrator who will confirm with the investigator that they are aware of and will comply with the requirements. The HRPP will comply with the terms as appropriate. For example, as directed by the contracting officer, the contractor shall ensure notification of the HSP Program Manager (and, when a National Nuclear Security Administration (NNSA) element is involved, the NNSA HSP Program Manager) of criteria as defined in the CRD (e.g. within 48 hours of the any significant adverse event, unanticipated problems, and complaints about the research, any suspension or termination of IRB approval of research, and any significant non-compliance with HSP Program procedures or other requirements, which shall be reported to the IRB for evaluation for further action with the appropriate HSP Program Manager).

The CRD also requires that contractors periodically conduct self-assessments to ensure compliance with the HSP Program procedures and other requirements. MSU periodically conducts self-assessments to ensure compliance with the HRPP procedures and requirements. The HRPP monitors the effectiveness of the program through routine, for-cause, internal, and self-assessment evaluations. See HRPP Manual 3-3 “Evaluation and Quality Improvement” and 8-10 “Site Visits” for policy and procedures on self-assessments.

Checklist for Verification of Compliance
In accordance with the Privacy Act, the DOE has established requirements for the protection of Personally Identifiable Information (PII) with the DOE Privacy Program (DOE Order 206.1); DOE Manual for Identifying and Protecting Official Use Only Information (DOE M 471.3-1); and DOE Cyber Security Incident Management Manual (DOE M 205.1-8). Investigators are required to follow DOE requirements for the protection of personally identifiable information. Investigators must submit the “Checklist for Verification of Compliance with the Department of Energy (DOE) Requirements for the Protection of Personally Identifiable Information (PII) or Protected Health Information (PHI)” The IRB must review and approve the checklist submitted by the investigators to verify compliance with the DOE requirements for the protection of personally identifiable information.

The “Checklist for Verification of Compliance with the Department of Energy (DOE) Requirements for the Protection of Personally Identifiable Information (PII) or Protected Health Information (PHI)” encompasses the following:

Research protocols must include a description of the processes for the following:

  1. Keeping PII confidential.

  2. Releasing PII only under a procedure approved by the responsible IRB(s) and DOE, when required.

  3. Using PII only for purposed of the DOE-approved research and/or EEOICPA.

  4. Handling and marking documents containing PII as “containing PII” or “containing PHI.”

  5. Establishing reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of PII.

  6. Making no further use or disclosure of the PII except when approved by the responsible IRB(s) and DOE, where applicable, and then only:

    1. In an emergency affecting the health or safety of any individual;

    2. For use in another research study under these same conditions and with DOE written authorization;

    3. For disclosure to a person authorized by the DOE program office for the purpose of an audit related to the study; or

    4. When required by law.

  7. Protecting PII data stored on removable media (CD, DVD, USB Flash Drives, etc) using encryption products that are Federal Information Processing Standards (FIPS) 140-2 certified.

  8. Using FIPS 140-2 certified encryption that meet the current DOE password requirements cited in DOE Guide 205.3-1.

  9. Shipping removable media containing PII, as required, by express overnight service with signature and tracking capability, and shipping hard copy documents double wrapped via express overnight service.

  10. Encrypting data files containing PII that are being sent by e-mail with FIPS 140-2 certified encryption products.

  11. Sending passwords that are used to encrypt data files containing PII separately from the encrypted data file, i.e., separate e-mail, telephone call, separate letter.

  12. Using FIPS 140-2 certified encryption methods for websites established for the submission of information that includes PII.

  13. Using two-factor authentication for logon access control for remote access to systems and databases that contain PII. (Two-factor authentication is contained in the National Institute of Standards and Technology (NIST) Special Publication 800-63-2 found at:

In addition to other reporting requirements, reporting the loss or suspected loss of PII immediately upon discovery to the DOE Project Officer; and the applicable IRB(s). HQ Expectations of DOE Site IRBs (May 7, 2009)

Types of breaches that must be reported include, but are not limited to the following

  • Loss of control of DOE employee information consisting of names and social security numbers;

  • Loss of control of Department credit card holder information;

  • Loss of control of PII pertaining to the public;

  • Loss of control of security information (e.g., logons passwords);

  • Incorrect delivery of PII;

  • Theft of PII; and

  • Unauthorized access to PII stored on Department-operated web sites.

Additional Requirements

  1. The IRB also assesses risks associated with the research and whether the individuals to be included in the research will be properly informed and protected.

  2. In addition, the IRB chair must review the application and determine the level of review.

  3. The approval letter will include special language indicating that the research has been approved in accordance to DOE regulations and guidance and that the research will be monitored and tracked by the MSU IRB.

 See the following sections of the HRPP Manual for specific requirements (e.g., timeframes): 4-8 “Reporting,” 9-1 “Unanticipated Problems Involving Risks to Subjects or Others,” 9-2 “Noncompliance,” and 9-3 “Termination or Suspension of Research.”

This policy and procedure supersedes those previously drafted.

Approved By: Vice President of Research and Graduate Studies, 7-19-2011. Revision 1 approved by VP Research & Graduate Studies on 12-9-2015.

Related HRPP Manual Sections