Scientific Design & Minimizing Risk Questions/Answers
Questions
In addition to researchers, who is involved in conducting scientific review of human research at UK?
What is the minimum IRB requirement for maintenance of research records?
What additional information privacy regulations apply to select protocols?
What is the difference between protecting the privacy interests of participants and maintaining the confidentiality of data?
How do IRB regulations define minimal risk?
How does the IRB assess the risk-benefit ratio of the research?
How might investigators minimize risks in research?
Answers
In addition to researchers, who is involved in conducting scientific review of human research at UK?
- Department Chairperson/Faculty Advisor attest in the IRB application, that the science is meritorious and deserving of conduct in humans by considering the:
- validity and utility of science;
- availability and qualifications of personnel;
- potential subject population; facilities and equipment;
- ongoing mentoring and guidance; and
- resolves issues prior to the IRB’s receipt of the submission.
- The IRB considers the scientific study design only within context of human subject protection and risk benefit analysis. IRB members draw on their own knowledge and disciplinary expertise to determine if research procedures are consistent with sound research design and the protocol has potential to yield the expected knowledge. When needed, the IRB seeks consultation from content experts.
What is the minimum IRB requirement for maintenance of research records?
At a minimum, research records should be maintained for six (6) years after completion of the study. Longer retention may be required by sponsors or for studies that fall under the authority of other agencies. For more information see the ORI/IRB Study Closure SOP.
Note: this IRB Record Retention requirement is separate from the University’s Data Retention and Ownership Policy which applies to all types of research.
What additional information privacy regulations apply to select protocols?
- Health Insurance Portability and Accountability Act (HIPAA) is a federal regulation designed to protect the use and disclosure of Protected Health Information or PHI. PHI is defined as any of the 18 HIPAA identifiers in combination with health information transmitted or maintained in any form (electronic, paper, or oral) that relates to the past, present or future physical or mental health or conditions of an individual.
- Family Educational Rights and Privacy Act (FERPA) [PDF] is a federal law that protects the privacy of personally identifiable information contained within a student’s educational record.
- General Data Protection Regulation (GDPR) [PDF] is a regulation affecting the way data is processed in the European Economic Area (EEA). This regulation increases the rights afforded to research participants and reshapes the way organizations handle and process personal data from individuals located in the EEA.
Click each title for information or guidance on when and how these impact human research.
What is the difference between protecting the privacy interests of participants and maintaining the confidentiality of data?
Privacy concerns people.
The following are considerations and strategies for respecting the privacy of potential participants:
- Consider the methods used or setting where potential participants are identified. What is the targeted study population's expectation of privacy, both in person and online?
- Only approach individuals known to you or make contact on behalf of someone the individual knows.
- Comply with privacy guidelines of applicable professional associations and scholarly disciplines (e.g., oral history, anthropology, psychology).
- Access the minimum amount of information necessary.
Confidentiality concerns data.
Confidentiality refers to the researcher’s agreement with the participant about how the participant’s identifiable private information will be handled, managed, and disseminated. In the IRB application, investigators describe their plan to preserve the confidentiality of identifiable data, including:
- controls on storage, handling, and sharing of data;
- physical security measures (e.g., locked facility, limited access);
- data security (e.g., password-protection, data encryption) see IRB Data Security Guidance [PDF];
- safeguards to protect identifiable research information (e.g., coding, certificate of confidentiality);
- procedures employed when sharing material or data, (e.g., honest broker (if applicable), written agreement with recipient not to re-identify); and
- measures that you will take to secure and safeguard confidentiality if protocol involves storing or sharing information or tissue/specimens/data for use in current or future research.
How do IRB regulations define minimal risk?
The Department of Health and Human Services defines minimal risk to mean “the probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests” [45 CFR 46.102(2)(i)].
Research risks may be categorized as physical, psychological, sociological, economic, and legal.
How might investigators minimize risks in research?
- Using procedures already being conducted for non-research reasons
- Incorporating criteria to exclude “at risk” subjects
- Choosing least intrusive design that yields valid data (outcomes vs. randomized intervention; comparative drug vs. placebo)
- Conducting safety monitoring including safety labs and other assessments
- Planning for responding to clinically significant abnormalities including withdraw of study product and re-challenge with product if appropriate
- Including provisions for medical services or professional intervention (e.g., counseling) in the event of adverse events
- Adopting strategies for research with a focus on, treatment for, or potential for suicidal ideation or behaviors. See the ORI Guidance on Suicidality and Research Ethics
- Ensuring protections to secure confidential or private identifiable information
- Establishing data and safety monitoring
- Obtaining a Certificate of Confidentiality to protect against compulsory legal demands such as subpoena