4. Need-to-Know Access
All confidential information should be accessible only on a need-to-know basis, both internally and externally.
- confidentiality agreements for all personnel
- access terminated when duties change
- no redisclosure
- external release for research requires IRB approval