7.3 Data Registries

Last Revised: 4/16/2025

1.0. Purpose

The purpose of this policy is to describe the Organization’s requirements for creation and operation of a data registry, and for research use of data from a registry.

2.0. Policy

It is the policy of the Organization that

2.1. Internal registries, as defined in section 3.0 below, utilized either wholly or in part for human subject research must be reviewed and approved by the IRB. All IRB approved registries must comply with the following requirements.
- 2.1.1. The purpose and goals of the registry are clearly justified.
- 2.1.2. The registry complies with all applicable requirements of HHS regulations at 45 CFR 46 and FDA regulations at 21 CFR 56.
- 2.1.3. The minimum amount of protected health information (PHI) or identifiable private information (IPI) necessary to accomplish the purpose and goals of the registry are retained in the registry.
- 2.1.4. There are acceptable safeguards to protect the confidentiality and integrity of data in the registry in accordance with the HIPAA Privacy Rule, other regulations as appropriate, and Organizational policies.
- 2.1.5. Procedures in place for release of PHI or IPI from the registry comply with Organization privacy policies.
- 2.1.6. As necessary, a Data Use Agreement (DUA), Data Transfer Agreement (DTA), or a Business Associate Agreement (BAA) is in place before any data is released.
2.2. External Data Registries (as defined in Section 3.0 below) must be reviewed by the Office of Regulatory Affairs (ORA) before PHI or IPI from persons associated with the Organization are submitted.

3.0. Definitions

3.1. Internal Data Registry is a repository of data housed and administered within the Organization under the oversight of the UNMC IRB. The data may include PHI, IPI or may be limited to de-identified data. For the purpose of this policy, a data registry is intended to be used wholly or in part for human subject research.
3.2. External Data Registry is a repository of data housed and administered at an external site normally under the oversight of an external IRB. The data may include PHI, IPI or may be limited to de-identified data. For the purpose of this policy, a data registry is intended to be used wholly or in part for human subject research.
3.3. Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information that has been provided for specific purposes by an individual and that the individual can reasonably expect will not be made public (for example, a medical record) (45 CFR 46.102(e)(4)).
3.4. Identifiable Private Information refers to private information for which the identity of the subject is or may readily be ascertained by the investigator or associated with the information (45 CFR 46.102(e)(5)).

4.0. ORA and IRB Responsibilities

4.1. Internal Data Registries
- 4.1.1. The IRB will review creation of an Internal Data Registry in accordance with all applicable federal regulations and HRPP policies.
  - 4.1.1.1. An expedited review process may be utilized as applicable in accordance with HRPP policy 2.3 (Expedited Review)
- 4.1.2. The IRB will ensure that informed consent of subjects whose data is to be entered into the data registry is obtained and documented, or provide a waiver of informed consent, in accordance with 45 CFR 46.116 and 117, FDA 21 CFR 50.20 and 27, and institutional policies.
- 4.1.3. The ORA must ensure that appropriate agreements (Data Use Agreement, Data Transfer Agreement) are fully executed prior to final release of the Data Registry.
4.2. External Registries
- 4.2.1. Submission of clinical data with or without identifiers that has been collected solely for clinical purposes to an external data registry (that is utilized, either wholly or in part, for human subject research) does not constitute engagement in human subject research. It is therefore not subject to UNMC IRB approval, provided the healthcare professional submitting the data (1) is not involved with the research (aside from submitting the clinical data), and (2) will not, in the future, use data in the external registry for research in which they are participating.
- 4.2.2. If the clinical data contains PHI, authorization for disclosure of the PHI to the External Data Registry must be obtained in accordance with 45 CFR 164.508(c), or authorization must be waived by the UNMC IRB or the Privacy Board associated with the External Data Registry in accordance with 45 CFR 164.512(i).
- 4.2.3. In consideration of such factors as sensitivity of the data collected, the subject population, whether the registry is under the oversight of an external IRB or government entity, and Organizational requirements, Assistant Vice-Chancellor for Regulatory Affairs, in consultation with the IO, may require submission of additional information regarding administration of the registry, data security, and processes for release of data.
- 4.2.4. If the healthcare professional submitting the data is involved with the research (for example, will be an author on manuscripts, or plans to subsequently use data in the registry for different research purposes) then the Organization is engaged, and the submission of identifiable private information constitutes research. It is therefore subject to UNMC IRB approval (per section 4.2 above) and the requirement for informed consent (per sections 4.5 and 4.6 above).

5.0. Investigator Responsibilities

5.1. The creation of a registry that is utilized, either wholly or in part, for human subject research is subject to IRB review, and the investigator who develops and/or maintains the registry must submit a Data Registry Application.
- 5.1.1. If the registry will also include collection of human biological material (HBM) the Human Biological Material Banking Application must be completed instead.
5.2. The investigator must obtain appropriate agreements (Data Use Agreement, Data Transfer Agreement) prior to collecting data into the registry.
5.3. The investigator must obtain informed consent of subjects whose data is to be entered into the data registry, or obtain a waiver of informed consent, in accordance with 45 CFR 46.116 and 117, FDA 21 CFR 50.20 and 27, and institutional policies, prior to collecting data into the registry.

6.0. Research Use of Data from a Registry

6.1. Use of data from a Data Registry requires submission of a Medical Records application (Records Review application), and review and approval of the IRB in accordance with HRPP policies 2.2 (Full Board Review) or 2.3 (Expedited Review), or by the ORA in accordance with HRPP policy 2.6 (Exempt Research).
6.2. The use of PHI or IPI stored in a data registry requires informed consent of the donor, unless:
- 6.2.1. Consent obtained at the time the data was placed into the registry was sufficiently detailed regarding the future use of the data that a reasonable person would expect that the consent would permit the types of research conducted; or
- 6.2.2. Consent is waived under 45 CFR 46.116(f)) or 21 CFR 50.22, and, if PHI is involved, authorization is waived under 45 CFR 164.512(i).

DOCUMENT HISTORY:

 Written: 1/14/2016 (Approved: 1/14/2016) - original author not recorded

 Revised: 3/2/2018 - revision not documented

 Revised 4/16/2025 - Revised definition of data registry to be inclusive of non-clinical registries; restructured policy to focus on responsibilities of investigators and IRB/ORA; deleted description of processes more appropriate for SOPs; stylistic changes

1.1 Human Research Protection Program (HRPP)

1.2 Authority Granted to the IRB by the Organization

1.3 UNMC IRB Serving as the Single IRB for Multisite Research

1.4 UNMC Ceding Review to an External Central IRB

1.5 Requirements for Research Conducted with International Sites

1.6 IRB Composition, Leadership, Qualifications, and Responsibilities

1.7 IRB Member, Consultant, Staff and Guest Conflict of Interest Identification and Management

1.8 Investigational Activities Requiring IRB Review and Approval

1.9 Resources Necessary to Protect Subjects

1.10 Scientific and Other Committee Review of Research

1.11 HRPP Access to Legal Counsel

1.12 Sponsored Research

1.13 Compliance with ICH-GCP Guidelines

1.14 Research Subject to Department of Defense Regulatory Requirements

1.15 Research Subject to Department of Justice Regulatory Requirements

1.16 ORA Record Keeping Requirements

1.17 Retention of Research Records

1.18 Review and Approval of HRPP Policies and Procedures

1.19 IRB Signature Authority

1.20 Community Involvement in Outreach Activities and Community Based Participatory Research (CBPR)

1.21 Post-Approval Monitoring of Research

1.22 Assessment of the Effectiveness and Efficiency of the HRPP

1.23 HRPP Training Requirements

1.24 HRPP Training Requirements for IRB Members

1.25 Financial Conflicts of Interest

1.26 PI Qualifications and Responsibilities

1.27 Research Personnel Qualifications and Responsibilities

1.28 External Investigator Assurance

1.29 ClinicalTrials.gov Reporting

1.30 Use of the Rapid Response IRB

1.31 Observers at IRB Meetings

1.32 Confidentiality of the Review Process

1.33 Posting of Clinical Trial Consent Forms

1.34 Emergency Preparedness for the Office of Regulatory Affairs and IRBs

2.1 Submission for Items for Review by the IRB

2.2 Full IRB Review

2.3 Expedited Review

2.4 IRB Review of Changes in Previously Approved Research

2.5 Criteria for IRB Approval

2.6 Exempt Research

2.7 Continuing Review of Research

2.8 Limited IRB Review

2.9 Closure of On-Going Research

3.1 Assessing the Need for Increased Monitoring, Interim Continuing Review, and Verification from Sources Other than the PI

3.2 Data and Safety Monitoring

3.3 Privacy Interests and Confidentiality of Research Data

3.4 Use of Protected Health Information in Research

3.5 Subject Recruitment Through Advertisements

3.6 Subject Recruitment Through Direct Invitation

3.7 Finder’s Fees and Recruitment Bonuses

3.8 Research Subject Compensation and Reimbursement

3.9 Contraception Requirements

3.10 Pregnancy Testing

3.11 Collecting Data from Pregnant Partners of Research Subjects

3.12 Ethical Access

3.13 Use of Placebo or Wash-Out of Effective Therapy in Clinical Trials

3.14 Phase I and First-in-Human Studies

3.15 Managing Radiographic Incidental Findings in Human Subjects Research

4.1 Additional Protections for Vulnerable Persons

4.2 Research Involving Pregnant Women, Human Fetuses, and Neonates (Nonviable or of Uncertain Viability)

4.3 Research Involving Prisoners

4.4 Research Involving Children

4.5 Local 407 Panel Review of Pediatric Research

4.6 IRB Review of Research Involving Subjects with Impaired Decision-Making Capacity

4.7 Research Involving Employees of the Organization and Students as Subjects

5.1 Obtaining Informed Consent From Research Subjects

5.2 Waiver or Alteration of Informed Consent and HIPAA Authorization

5.3 Use of a Remote Consent Process

5.4 Waiver of Requirement to Obtain Signed Consent Form

5.5 Use of the Short Form Consent Document

5.6 Exceptions from Informed Consent Requirements for Emergency Research

5.7 Obtaining Informed Consent from Non-English Speaking Persons, or Persons with Additional Needs or Vulnerabilities

6.1 Research Involving Investigational and Marketed Drugs

6.2 Research Involving Investigational and Marketed Devices

6.3 Humanitarian Use Device (HUD)

6.4 Emergency Use of a Test Article

6.5 Expanded Access to Investigational Drugs and Devices for Treatment Use

7.1 Banking Human Biological Material

7.2 Use of Human Biological Material in Research

7.3 Data Registries