Skip to main content
NC TraCS logo

Institutional Review Board

Institutional Review Board

This section describes IRB requirements for research registries and includes issues to consider when preparing your application.

IRB oversight is required to set up a research registry or repository involving data and/or specimens. The requirements for and extent of IRB oversight depends on (1) whether or not the data and specimens in the registry or repository include or are linked to individually identifiable health information and (2) the terms of the informed consent under which the data and specimens were originally collected.

How does the IRB define Research?

The UNC-Chapel Hill IRB SOP defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. This includes the development of registries, repositories and databases for research.”

Under the definition of human subject at 45 CFR 46.102(e)(1), obtaining identifiable private information or identifiable specimens for research purposes constitutes human subjects research, thus requiring IRB review.

OHRP Video:

  • Research Use of Human Biological and Other Private Information
  • Ms. Julie Kaneshiro, Office of Human Research Protections (OHRP) Policy Team Leader, is interviewed and discusses the challenges and complexities of the application of the HHS regulations at 45 CFR part 46 to activities involving biological specimens and other private information. Ms. Kaneshiro discusses how to assess whether an activity constitutes non-exempt human subjects research. She clarifies when the HHS regulations do and do not apply to an activity and when an institution is engaged in human subjects research. This is an advanced topic video and is best suited to viewing by individuals already possessing a basic understanding of the HHS regulations for the protection of human subjects

Research use of data/specimens stored in registry/repositories is governed by the federal human subject protection regulations known as the Common Rule, 45 CFR 46, the HIPAA Privacy Rule, and by institutional policies and standard operating procedures (SOPs). According to SOPs by the UNC-Chapel Hill IRB:

  • IRB oversight is required to set up and maintain a research database, registry or repository
  • IRB oversight is required for each new research protocol that creates a research repository
  • Researchers should submit an application for IRB review and receive IRB approval before initiating or developing a research registry or repository
  • When research involves identifiable private information or identifiable human specimens, each new research project using the data or specimens must receive IRB review and approval
  • Investigators who believe their research registry may be exempt from the human subject regulations should include a request for exemption #4 with the IRB application
  • Where applicable, the IRB application should include any available information about the circumstances under which the information or specimens were originally collected

The IRB may require researchers to obtain the informed consent of subjects for research projects that involve information (data) or specimens contained in non‐research databases or repositories or request a waiver of consent where applicable.
The investigator in consultation with the IRB Chair or Director of the IRB Office, will determine if research involving coded information or specimens requires IRB review, following the procedures for Human Subjects Research Determinations.

Is IRB oversight needed for non-research registries and repositories?

Even though some repositories, registries, and databases are created for purposes other than research, they may contain information that is of great interest to researchers. The creation (or operation) of non‐research databases, registries, or repositories does not involve human subject research and does not require IRB oversight. However, IRB oversight is required when identifiable private information or identifiable human specimens from non‐research databases, registries, and repositories (including data/tissue banks and registries) are used in research. Non‐research registries, databases, and repositories that are altered to facilitate research (e.g., through the addition of data fields not necessary for the core purpose of the repository) are also considered research repositories.

If the protocol only includes quality improvement objectives for the registry, this is hospital operations and does not require IRB oversight. However, if the protocol also includes research objectives or if additional variables are collected purely for research, then an element of the activity is research and requires IRB oversight.

Proposals to establish a registry or repository must be submitted to the IRB specifying the conditions under which data and specimens may be accepted and shared, and ensuring adequate provisions to protect the privacy of subjects and maintain the confidentiality of data. The IRB may review and require approval for everything from the sample collection protocol and the informed consent document for distribution to sample collectors and their local IRBs. Reminder: IRB oversight is required for each new research protocol that creates a research repository.

General Study Information

The initial IRB application should address the following information:

  • Describe the purpose of registry or repository (e.g., identify potential subjects for department-based research, collect observational data or long term follow up of subjects with a specific condition, develop a repository of bio-specimens for future research in XX disease)
  • Answer IRB screening questions (“is this research”, “interaction with living individuals” and “obtaining identifiable private information”)
  • Describe how long the registry or repository will remain open.
    Describe study procedures, what subjects will be asked to do, and samples that will be collected

Subjects and Participant Information

Identify number of subjects to be enrolled and specific inclusion / exclusion criteria. Justify the sample size by providing a rationale for the number or for requesting unlimited accrual.

  • Describe if there will be any follow-up of subjects in registry and how that will occur
  • Identify any questionnaires or surveys (paper or electronic) subjects complete and describe content generally. Upload a copy of the document to the IRB
  • Identify the risks of participation (include the potential for breach of confidentiality and any social or economic harms if genetic testing is conducted)
  • Describe methods of recruiting subjects (in person, online portal, website recruitment, flyers, or letters) and explain how potential subjects will be identified (in clinic by MD, self-identify by accessing website, review of electronic health records for subjects meeting eligibility)
  • Describe how informed consent will be obtained (by whom, on paper or online, any alterations in the consent process, or waiver of written documentation of informed consent). Also, describe the method or plans for tracking consent of those subjects who opt-in or opt-out of storage of their data / specimens for future research purposes
  • Address issues related to use of Protected Health Information (PHI) in the registry (need for limited waiver of HIPAA to identify potential subjects, need ongoing access to medical records).

Data Management and Security

  • Describe what if, any identifiers, will remain with or linked to the data or specimens
  • Describe procedures for maintaining confidentiality of the data you will collect (e.g., security of online portals, where data will be stored, who will have access to the registry)
  • Describe sharing of data or specimens with other researchers and whether this includes any identifiable information
  • Address issues related to use of Protected Health Information (PHI) in the registry (need for limited waiver of HIPAA to identify potential subjects, need ongoing access to medical records)

A research registry, database, or repository may contain codes that link information and specimens to the donor’s identity.

Coded means that:

  1. a number, letter, symbol, or combination thereof (i.e., the code) replaces the identifying information (such as name or social security number) that would enable the investigator to readily ascertain the identity of the individual to whom the private information or specimens pertains; and
  2. a key to decipher the code exists, enabling linkage of the identifying information to the private information or specimens. When a key to the code is retained, it may be maintained either by the registry/repository/database or by the provider of the data
    • To be considered “de-identified”, ALL of the 18 HIPAA Identifiers must be removed from the data set. This includes all dates, such as surgery dates, all voice recordings, and all photographic images
    • An honest broker is an individual who has access to the desired data by virtue of his or her Hospital / University responsibilities and who is not involved as a listed researcher on the respective research study. An honest broker can provide a firewall between the investigator and subjects’ identifiable information. For example, an honest broker could generate or receive a dataset and then strip out subject identifiers so that the data were no longer readily identifiable. They could create either a de-identified data set or a limited data set