IRB Application Instructions Establishing a Registry for Research [D130.0000]

Since there is extensive variation in how registries operate, the IRB submission should include sufficient information regarding the scientific goals, functions, and operational procedures. The following details are requested, including: 

• The purpose of the registry
• Entity funding the registry
• Scope of the data set, patient outcomes, and target population
• Data procurement - whether data will be extracted from a specific source (e.g., electronic medical record) or if data will be obtained through interaction with a participant
• The personal identifying information to be collected and stored
• A list of any data extracted from the medical record
• Management and physical storage of data (medical record information, etc.)
• The immediate and future secondary use (may be unspecified)
• From whom research data will be collected (e.g., minors, adults, healthy subjects, patients)
• Diagnosis or conditions of study (e.g., specific disease area or broad unspecified use)
• How personal identifying information will be shared and procedures for coding, de-identification, encryption, data-use agreements, etc.
• Role of an honest-broker* in sharing with recipient researchers and who will serve in that role
• With whom personal identifying information will be shared, (e.g., anyone; internal researchers, external collaborators, academic only, commercial industry)
• Data collection – both paper and electronic program/software – and levels of security to protect participant privacy and data confidentiality
• Risk associated with a breach of confidentiality including impact on privacy, insurability, stigmatization etc.
• The consent process (who obtains, documentation, place, time allotted)
• Tracking participant choices where options are provided
• Length of time personal identifying information will be kept (indefinitely, end of research protocol)
• The ability and procedure for locating/contacting participants (re-consent, incidental findings)
• Participant withdraw procedures
• The process of re-consent of research participants who are minors at the time of collection of data but turn 18 while the registry is active

_{*Honest Broker - an individual or system who collects and provides de-identified information/samples to a recipient secondary researcher.  The honest broker collects and collates pertinent information regarding the tissue source, replaces identifiers with a code, and releases only coded information to the researcher. The honest broker should not be involved with the recipient's study or co-author on resulting research publications.} 

_{For Protected Health Information, the honest broker should de-identify data or samples according to HIPAA safe-harbor standards before sending it to the researcher. See the Health & Human Services De-identification instructions for specifics on identifiers and allowable information. The honest broker retains a code which enables him/her to re-identify a donor should the donor choose to later withdraw, or should it be determined that an actionable result or incidental finding should be returned to the participant (see Return of Research Results Guidance).}

The informed consent and authorization document describes the intended use and procedures for using and sharing material with others for future research. The purpose may be described as broad and unspecified to allow for a wide range of potential future uses in research. However, even when future use is unspecified, the consent document and process should clearly describe key registry concepts such as unlimited medical record access, incidental findings, and obligations to return research results, procedures to withdraw material, large-scale data sharing, etc., so that participants understand the implications of participating.

CAUTION: AVOID SELF-IMPOSED LIMITS IN THE INFORMED CONSENT. 

While you must implement IRB-required limitations, be cautious in adding self-imposed limits that diminish the utility of the repository, without enhancing human subject protection. 

• If you choose to place limits on use, retention, or sharing and you communicate the limits in the informed consent, you must honor them. For instance, do not state in the consent that all information in the registry will be destroyed on a given timeline, if the intent is to retain and use it indefinitely.   
• If you provide the participant with options within the consent, you must operate according to the participant’s chosen wishes. For instance, if you allow the participant to choose whether the information provided to the registry will be used for research on a single disease or used for any type of health-related research, you must store, track, use, and share accordingly. 

The Sample Repository/Registry/Bank Consent document provides points to consider and template consent language describing risks, protections, and details regarding the collection, storage, and sharing of specimens and/or information. Because there is extensive variation in the design and operation of research repositories, a “one size fits all” template is not feasible. The template includes sample language for many different bank/registry operations. Include applicable language and delete other text. 

The registry may require recipient researchers to sign or agree to a Use Agreement. The agreement may specify that the recipient researcher will not attempt re-identification of data and that secondary research conducted will be consistent with the terms of the original registry informed consent. The agreement may also specify that registry personnel will serve as honest brokers and, as such, will not be involved in the conduct or reporting of the secondary research conducted by the recipient researcher. Ultimately, secondary research conducted by recipient researchers should be congruent with the uses described in the Registry Protocol, Informed Consent Form, and Use Agreement.

Yes, or possibly yes, unless the secondary researcher has obtained an official NHR determination from the IRB. [Not Human Subject Research (NHR) Form]  

In making the NHR determination, the IRB considers whether the information was properly de-identified according to HIPAA standards prior to receipt by the secondary researcher; the recipient researcher has no knowledge of or way to readily identify participants providing the information, and the registry personnel will not be involved in the conduct or reporting of the secondary research. 

In addition, the proposed secondary use must be consistent with the use described in the original consent used to obtain the participant’s information. The UK Informed Consent Templates include language to inform participants that it is possible that their information will be de-identified and shared with other researchers for future research, without the participant’s additional informed consent.

The National Institutes of Health (NIH) provides a flowchart to aid researchers in determining whether secondary research with private information or specimens meets the criteria of human subject research. 

To obtain an official IRB determination that secondary research does not require IRB review, the recipient researcher submits a description and/or the online Not Human Subject Research (NHR) Form for a determination of whether an activity qualifies as NHR.

IRB review would be required if the recipient researcher (and personnel involved with the secondary research): 

• wants to conduct research that goes beyond what is described in the Registry Informed Consent;
• wants to use personal identifying information in a manner that goes beyond the Registry Use Agreement;
• needs participant identifiers to track outcomes in the medical record;
• can ascertain the identity of the donor through direct knowledge or associated information;
• has knowledge of the participant’s surgical procedure schedule in order to obtain personal identifying information.

IRB review and approval would also be required if registry personnel wish to collaborate with the recipient researcher on the conduct, analysis, or reporting of the research. 

For secondary research requiring IRB review, the IRB would consider the need for additional research-specific consent and authorization. Informed consent may not be required if the IRB determines the recipient researcher’s proposed use is consistent with the use described in the informed consent.

If use is not consistent, additional consent may be required, or the researcher may submit a request to their IRB to alter or waive the requirement for additional consent. Specific criteria must be met for the IRB to consider approving a waiver. The IRB would likely not approve a waiver in cases where the recipient researcher has an opportunity to obtain informed consent from registry participants who have agreed to future contact.  

Also, other regulatory statutes prohibit the IRB from waiving informed consent, even if data is de-identified (e.g., Department of Defense Classified Research, NIH Funded Genomic Data Sharing).

Resources:

US Office of Science and Technology Policy: Desirable Characteristics of Data Repositories for Federally Funded Research (May 2022)

Table 2. Additional Considerations for Repositories Storing Human Data (De-Identified)

• Fidelity to Consent: The repository employs documented procedures to restrict dataset access and use to those that are consistent with participant consent (such as for use only within the context of research on a specific disease or condition) and changes in consent.
• Security: The repository implements and provides documentation of appropriate approaches (e.g., tiered access, credentialing of data users, security safeguards against potential breaches) to protect human subjects’ data from inappropriate access.
• Limited Use Compliant: The repository employs documented procedures to communicate and enforce data use limitations, such as preventing re-identification or redistribution to unauthorized users.
• Download Control: The repository controls and audits access to and download of datasets.
• Request Review: The repository makes use of an established and transparent process for reviewing data access requests.
• Plan for Breach: The repository has security measures that include a response plan for detected data breaches.
• Accountability: The repository has procedures for addressing violations of terms of use and data mismanagement. 

References:

• Gliklich RE, Dreyer NA, eds. Registries for Evaluating Patient Outcomes: A User’s Guide. (Prepared by Outcome DEcIDE Center [Outcome Sciences, Inc. dba Outcome] under Contract No. HHSA29020050035I TO1.) AHRQ Publication No. 07-EHC001-1. Rockville, MD: Agency for Healthcare Research and Quality. April 2007. http://bok.ahima.org/PdfView?oid=79053
• Gliklich RE, Dreyer NA, Leavy MB, editors. Registries for Evaluating Patient Outcomes: A User's Guide [Internet]. 3rd edition. Rockville (MD): Agency for Healthcare Research and Quality (US); 2014 Apr. 25, Assessing Quality. Available from: https://www.ncbi.nlm.nih.gov/books/NBK208634/.
• Minikoff, Jerry. “Clinical Data Registries - OHRP Correspondence (2015).” Office for Human Research Protections (OHRP), HHS.gov, 25 June 2015, www.hhs.gov/ohrp/regulations-and-policy/guidance/june-25-2015-letter-to-robert-portman/index.html.