7.3 Data Registries
1.0 Purpose
The purpose of this policy and procedure is to describe the Organization’s requirements for creation and operation of a data registry, and for research use of data from a registry.
2.0 Policy
-
2.1. It is the policy of the Organization that internal registries, as defined in section 3.1 below, utilized, either wholly or in part, for human subject research must be reviewed and approved by the IRB. All IRB approved registries must comply with the following requirements.
- 2.1.1. The purpose and goals of the registry are clearly justified.
- 2.1.2. The registry complies with all applicable requirements of HHS regulations at 45 CFR 46.
- 2.1.3. The minimum amount of PHI necessary to accomplish the purpose and goals of the registry is entered into the registry.
- 2.1.4. There is acceptable security to safeguard the confidentiality and integrity of data in the registry, and which satisfies the requirements of Organizational policies regarding data and PHI security.
- 2.1.5. There are procedures in place for release of PHI from the registry that comply with Organization privacy policies.
- 2.1.6. As necessary, a Data Use Agreement (DUA), Data Transfer Agreement (DTA), or a Business Associate Agreement (BAA) is in place before any data is released.
- 2.2. It is the policy of the Organization that External Data Registries (as defined in Section 3.3 below) must be reviewed by the ORA.
3.0 Definitions
-
3.1. Internal Data Registry is a repository of clinical or other patient data housed and administered within the Organization under the oversight of the UNMC IRB. The data may be used for: a) human subject research, b) assessment of patient outcomes; c) improve healthcare delivery; or d) other non-research purposes.
-
3.2. External Data Registry is a repository of clinical or other patient data which is housed and administered at an external site normally under the oversight of an external IRB or other oversight body. The data may be used for: a) human subject research, b) assessment of patient outcomes; c) improve healthcare delivery; or d) other non-research purposes.
-
3.3. Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information that has been provided for specific purposes by an individual and that the individual can reasonably expect will not be made public (for example, a medical record).
-
3.4. *Identifiable Private Information refers to private information for which the identity of the subject is or may readily be ascertained by the investigator or associated with the information, as per 45 CFR 46.102(e)(5).
Note: Per Federal regulations, what constitutes “identifiable” will be re-examined on regular occasions; therefore, HBM currently considered not identifiable may become identifiable in the future as technologies and techniques change.
4.0 IRB Review and Consent Requirements for Internal Data Registries
- 4.1. The creation of a registry that is utilized, either wholly or in part, for human subject research is subject to IRB review, and healthcare professionals who develop and maintain the registry must submit a Data Registry Application. If the registry will also include collection of human biological material (HBM) the Human Biological Material Banking Application must be completed instead.
-
4.2. The collection of identifiable private information into a registry that is utilized, either wholly or in part, for human subject research constitutes human subject research, and will be reviewed in accordance with all applicable federal regulations and HRPP policies. Specifically, the IRB must find that
- 4.2.1. The registry complies with all applicable requirements of HHS regulations at 45 CFR 46.
- 4.2.2. The purpose and goals of the registry are clearly justified.
- 4.2.3. The minimum amount of PHI necessary to accomplish the purpose and goals of the registry is entered into the registry.
- 4.2.4. There is acceptable security to safeguard the confidentiality and integrity of data in the registry, and which satisfies the requirements of Organizational policies regarding data and PHI security.
- 4.2.5. There are procedures in place for release of PHI from the registry that comply with Organization privacy policies.
- 4.2.6. As necessary, a Data Use Agreement (DUA), Data Transfer Agreement (DTA), or a Business Associate Agreement (BAA) is in place before any data is released.
-
4.3. The collection of identifiable private information into a data registry that is utilized, either wholly or in part, for human subject research may qualify for expedited review (as per HRPP policy 2.
3)3) or may be exempt (as per HRPP policy 2.6)6). -
4.4. The collection of identifiable private information into a registry that is utilized, either wholly or in part, for human subject research requires informed consent of the person from whom the data is obtained.
- 4.4.1. If the data to be entered into the registry will be collected as an addendum to another (clinical) protocol, separate informed consent must be obtained from the subject.
- 4.4.2. Collection of data for a registry cannot be a requirement for participation in another study for which there is the potential of direct subject benefit.
- 4.5. The informed consent must include basic and additional elements of consent related to identifiable private information as per 45 CFR 46.116.
5.0 ORA Review and Consent Requirements for External Data Registries
-
5.1. Submission of clinical data with or without identifiers that has been collected solely for clinical purposes to an external data registry (that is utilized, either wholly or in part, for human subject research) does not constitute engagement in human subject research. It is therefore not subject to UNMC IRB approval, provided the healthcare professional submitting the data (1) is not involved with the research (aside from submitting the clinical data), and (2) will not, in the future, use data in the external registry for research in which he/she is participating.
- 5.1.1. Healthcare professionals who submit clinical data to external data registries as described above must submit the Data Registry Application to the ORA. The information will be entered into the IRB database for tracking purposes.
- 5.1.2. If the clinical data contains PHI, authorization for disclosure of the PHI to the External Data Registry must be obtained in accordance with 45 CFR 164.508(c), or authorization must be waived by the UNMC IRB or the Privacy Board associated with the External Data Registry in accordance with 45 CFR 164.512(i).
- 5.1.3. In consideration of such factors as sensitivity of the data collected, the subject population, whether the registry is under the oversight of an external IRB or government entity, and Organizational requirements, Assistant Vice-Chancellor for Regulatory Affairs, in consultation with the IO, may require submission of additional information regarding administration of the registry, data security, and processes for release of data.
- 5.2. If the healthcare professional submitting the data is involved with the research (for example, will be an author on manuscripts, or plans to subsequently use data in the registry for different research purposes) then the Organization is engaged, and the submission of identifiable private information constitutes research. It is therefore subject to UNMC IRB approval (per section 4.2 above) and the requirement for informed consent (per sections 4.5 and 4.6 above).
- 5.3. The appropriate agreements (Data Use Agreement, Data Transfer Agreement) must be fully executed prior to final release of the Data Registry or Medical Records Research.
6.0 Research Use of Data from a Registry
- 6.1. The Data Registry Application must be submitted in accordance with HRPP policy 2.1 (Submission of Items for Review by the IRB).
-
6.2. Applications which require review by the full IRB will be processed and reviewed in accordance with HRPP policy 2.
2.2. -
6.3. Applications that are eligible for review by the expedited method will be processed and reviewed in accordance with HRPP policy #2.
3.3. -
6.4. Applications which appear to be eligible for exemption will be processed and reviewed in accordance with HRPP policy #2.
6.6. -
6.5. The use of identifiable private information previously stored in a data registry requires informed consent of the donor, unless:
- 6.5.1. Consent can be waived under 45 CFR 46.116(d) (or rev 45 CFR 46.116(f)), and, if PHI is involved, authorization is waived under 45 CFR 164.512(i).
- 6.5.2. Consent obtained at the time the data was placed into the registry was sufficiently detailed with regard to the future use of the data that a reasonable person would expect that the consent would permit the types of research conducted.
ADMINISTRATIVE APPROVAL: BRUCE G. GORDON, MD IRB EXECUTIVE CHAIR & ASSISTANT VICE CHANCELLOR FOR REGULATORY AFFAIRS CHRISTOPHER KRATOCHVIL, MD INSTITUTIONAL OFFICIAL
POLICY AMENDED:
REVISED MARCH 2, 2018
INITIAL JANUARY 14, 2016