IRB Approval Criteria Guidance – Review of Protocols Involving PHI
Common Rule Criteria for IRB Approval of Research
To approve research, the IRB shall determine that all of the following requirements are satisfied:
1. Risks to subjects are minimized a) by using procedures that are consistent with sound research design and that do not unnecessarily expose subjects to risk, and b) whenever appropriate, by using procedures already being performed on the subjects for diagnostic or treatment purposes.
2. Risks to subjects are reasonable in relation to anticipated benefits, if any, to subjects, and the importance of the knowledge that may reasonably be expected to result.
3. Selection of subjects is equitable. In making this assessment the IRB should consider the purposes of the research and the setting in which the research will be conducted. The IRB should be particularly cognizant of the special problems of research that involves a category of subjects who are vulnerable to coercion or undue influence, such as children, prisoners, individuals with impaired decision-making capacity, or economically or educationally disadvantaged persons.
4. Informed consent will be sought from each prospective subject or the subject's legally authorized representative, in accordance with, and to the extent required by 45 CFR 46.116.
5. Informed consent will be appropriately documented or appropriately waived in accordance with 45 CFR 46.117.
6. When appropriate, the research plan makes adequate provision for monitoring the data collected to ensure the safety of subjects.
7. When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.
8. When some or all of the subjects are likely to be vulnerable to coercion or undue influence, such as children, prisoners, individuals with impaired decision-making capacity, or economically or educationally disadvantaged persons, additional safeguards have been included in the study to protect the rights and welfare of these subjects.
HIPAA Privacy Rule Criteria
To approve research subject to the HIPAA Privacy Rule, the IRB shall determine that the following requirements are satisfied:
1. The PHI that will be used in conducting the research is the minimum necessary to accomplish the research objectives.
2. Data confidentiality protections are sufficient.
3. A Data Use Agreement will be utilized, if appropriate, to control use and disclosure of PHI.
4. An Information Security Plan will be developed and implemented as appropriate, with guidance from the UTC IT Security Team.
Common Rule and HIPAA Privacy Rule Criteria for Waiver/Alteration of Informed Consent and Authorization to Disclose PHI
| Criteria for Waiver/Alteration of Informed Consent (Common Rule, 45 CFR 46.116[f][3]) | Criteria for Waiver/Alteration of Patient Authorization to Disclose PHI (HIPAA Privacy Rule,45 CFR 164.512[i][2][ii]) |
|---|---|
| The research involves no more than minimal risk to the subjects |
The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements;
|
| The research could not practicably be carried out without the requested waiver or alteration | The research could not practicably be conducted without the waiver or alteration |
| If the research involves using identifiable private information or identifiable biospecimens, the research could not practicably be carried out without using such information or biospecimens in an identifiable format | The research could not practicably be conducted without access to and use of the PHI |
| The waiver or alteration will not adversely affect the rights and welfare of the subjects | |
| Whenever appropriate, the subjects or legally authorized representatives will be provided with additional pertinent information after participation* |
* Not applicable to secondary research with existing data. Applies when the research involves deception, and the true purpose of the study is not communicated to participants through the informed consent process.