Guideline for Preparing a Research Protocol

Guideline for Preparing a Research Protocol

REPOSITORY/REGISTRY PROTOCOL

Protocol Title:
Principal Investigator:
Primary Contact Name:
Primary Contact Phone:
Primary Contact E-mail:
IRB Number:

Guidelines for Preparing a Research Protocol

Instructions:

  • You do not need to complete this document if you are submitting an Application for Exemption or Application for a Chart Review.
  • Do not use this template if:
  • Your study involves an FDA regulated product. In this case, use the Protocol Template – FDA Regulated Studies.
  • Your study has a protocol from a sponsor or cooperative group. In this case, use the Protocol Plus.
  • Your study involves anything more than the collection and banking of data or specimens for research purposes.
  • If a section of this protocol is not applicable, please indicate such.
  • Do not delete any of the text contained within this document.
  • Please make sure to keep an electronic copy of this document. You will need to use it, if you make modifications in the future.
  • Start by entering study information into the table above, according to these rules:
  • Protocol Title: Include the full protocol title as listed on the application.
  • Investigator: include the principal investigator’s name as listed on the application form
  • IRB Number: Indicate the assigned IRB number, when known. At initial submission, this row will be left blank.
  • Once the table information in entered, proceed to page 2 and complete the rest of the form.

 Continue to next page to begin entering information about this study 

  1. PREVIOUS STUDY HISTORY

Has this study ever been reviewed and rejected/disapproved by another IRB prior to submission to this IRB?

No Yes  if yes, please explain:

  1. BRIEF SUMMARY OF RESEARCH
  • The summary should be written in language intelligible to a moderately educated, non-scientific layperson.
  • It should contain a clear statement of the rationale and hypothesis of your study, a concise description of the methodology, with an emphasis on what will happen to the subjects, and a discussion of the results.
  • This section should be ½ page

Suggested language: The purpose of this project is to provide appropriate administrative and technical supports for the warehousing and use of ______data for research purposes. This protocol will outline the process for identification and capture of data, storage, as well as data use and sharing both internally and externally.

  1. Introduction/Background material/ Significance
  • Describe and provide the results of previous work by yourself or others, including animal studies, laboratory studies, pilot studies, pre-clinical and/or clinical studies involving the compound or device to be studied.
  • Include information as to why you are conducting the study and how the study differs from what has been previously researched, including what the knowledge gaps are.
  • Describe the importance of the knowledge expected to result

REQUIRED LANGUAGE – The text in red should remain in the protocol

Regulatory Background

HIPAA Privacy Rules do allow for the creation of this type of repository under specific provisions and in keeping with NIH Guidance we will address the aggregation of the data and subsequent use as separate issues. From Research Repositories, Databases, and the HIPAA Privacy Rule[1]

Q: How may a covered entity use or disclose PHI for the creation of a research repository or database when it is unknown at the time of collection what specific protocols will make use of the repository or database in the future?

A:There are two separate activities to consider: (1) The use or disclosure of PHI for creating a research database or repository and (2) The subsequent use or disclosure of PHI in the database for a particular research protocol.

A covered entity’s use or disclosure of PHI to create a research database or repository, and use or disclosure of PHI from the database or repository for a future research purpose, are each considered a separate research activity under the Privacy Rule. In general, the Privacy Rule requires Authorization for each activity, unless, for example, an IRB or Privacy Board waives or alters the Authorization requirement. (See Overview of Privacy Rule’s Impact on Repositories and Databases.) Documentation of a waiver or an alteration of Authorization to use or disclose PHI to create a research database requires, among other things, a statement that an IRB or Privacy Board has determined that the researcher has provided adequate written assurances that PHI in the database will not be further used or disclosed except as permitted by the Privacy Rule (e.g., for research uses and disclosures with an Authorization or waiver). A covered entity also could use or disclose a limited data set to create a research repository or database under conditions set forth in a data use agreement.

For subsequent use or disclosure of PHI for research purposes from a repository or database maintained by the covered entity, the covered entity may:

  • Obtain the individual’s Authorization for the research use or disclosure of PHI as specified under section 164.508
  • Obtain documentation of an IRB or Privacy Board’s waiver of the Authorization requirement that satisfies section 164.512(i)
  • Obtain satisfactory documentation of an IRB or Privacy Board’s alteration of the Authorization requirement as well as the altered Authorization from the individual
  • Use or disclose PHI for reviews preparatory to research with representations that satisfy section 164.512(i)(1)(ii) of the Privacy Rule
  • Use or disclose PHI for research on decedents’ PHI with representations that satisfy section 164.512(i)(1)(iii) of the Privacy Rule
  • Provide a limited data set and enter into a data use agreement with the recipient as specified under section 164.514(e)
  • Use or disclose PHI based on permission obtained prior to the compliance date of the Privacy Rule—informed consent of the individual to participate in the research, an IRB waiver of such informed consent, or Authorization or other express legal permission to use or disclose the information for the research as specified under section 164.532(c) of the Privacy Rule

A covered entity may also use or disclose PHI from databases and repositories for other purposes without Authorization as permitted by the Privacy Rule, such as if required by law or to a public health authority for a public health activity (e.g., disclosures to cancer registries). Covered entities may also de-identify PHI according to standards set forth in the Privacy Rule so that its use and disclosure are not protected by the Privacy Rule.

  1. Objective(s)/Specific Aims and Hypotheses
  • A concise statement of the goal(s) of the current study.
  1. Recruitment methods
  2. Describe the source of potential subjects
  3. Describe the methods that will be used to identify potential subjects
  4. Describe any materials that will be used to recruit subjects. A copy of any advertisements (flyers, radio scripts, etc.) should be submitted along with the protocol.
  5. If monetary compensation is to be offered, this should be indicated in the protocol
  1. Eligibility criteria
  • Describe the characteristics of the subject population, including their anticipated number, age, ranges, sex, ethnic background, and health status. Identify the criteria for inclusion or exclusion of any subpopulation.
  • Explain the rationale for the involvement of special classes of subjects, such as fetuses, pregnant women, children, prisoners or other institutionalized individuals, or others who are likely to be vulnerable. You cannot include these populations in your research, unless you indicate such in the protocol
  • Similarly, detail exclusionary criteria: age limits, special populations (minors, pregnant women, decisionally impaired), use of concomitant medications, subjects with other diseases, severity of illness, etc.
  1. number of subjects
  • Indicate the total number of subjects to be accrued locally. If applicable, distinguish between the number of subjects who are expected to be pre-screened, enrolled (consent obtained), randomized and complete the research procedures.
  • If your study includes different cohorts, include the total number of subjects in each cohort.
  • If this is multisite study, include total number of subjects across all sites.
  1. research procedures

Data/specimens will be collected into this repository from ______.

REQUIRED LANGUAGE – The text in red should remain in the protocol

In keeping with IRB and NIH/DHHS guidance on database creation we are requesting IRB approval for the creation of a data repository for the specific aim articulated above and for future research with a request for a waiver of informed consent for the aggregation of medical record data into a single database. Approval and consent for use of data will be addressed separately.

Request for a Waiver of Informed Consent for the Aggregation of Data into this Registry

  1. The Research involves no more than minimal risk. This protocol involves no interventions or interactions with human subjects other than with their data. All procedures are occurring as per standard of care. The majority of data will already exist prior to aggregation and will not be altered in any way other than for purposes of data validity and integrity (for example clearly erroneous data such as an individual whose age is listed as 200 years old as opposed to 20 years old will be cleaned and verified.) Therefore the principal risk of the study would be a breech of confidentiality. There are significant plans for the protection of identifiers within the database and the security of the electronic information is in compliance with HIPAA’s security provisions. No identifiable information will be made available to any individuals outside the covered entity and access to all information will be made based on the minimum necessary standards. Specifics regarding the plan for protection of identifiers and role based security are discussed in greater detail under confidentiality. These plans and procedures mitigate the potential for a breech and therefore the aggregation of data presents no more than minimal risk.
  1. The waiver or alteration will not adversely affect the rights and welfare of the subjects. The public health and research benefits of the proposed aggregation of data in this format outweigh the potential for any breeches in confidentiality as discussed above. In addition investigators are not proposing to perform any procedures or actions that would not be allowable under other circumstances.
  1. The research could not practicably be carried out without the waiver or alteration. All of the data to be included in the database will exist prior to its inclusion. The majority of subjects will have been seen prior to the beginning of this study and therefore separating out subjects based on subjects who consented or did not consent to its use would be impracticable and could lead to bias in the study sample. We need to know what happened to all subjects who underwent the procedure.
  1. Whenever appropriate, the subjects will be provided with additional pertinent information after participation. The results of any analysis conducted on the data would be experimental, primarily de-identified, and will be conducted in aggregate. No information will be relayed back to clinical sites for specific subjects as this information will not be used for treatment or diagnosis. As a result there are no plans to provide subjects with specific results as it would not be appropriate.

While we are asking for a waiver of informed consent it is important to note that data will already exist prior to transfer into the data repository and that all health system patients are provided with and sign a Notice of Privacy Practices which discusses research use of their data. It is equally important to note that everyone who has access to Protected Health Information (PHI) as part of this initiative is a member of the workforce of the covered entity. The North-Shore-LIJ Health System is an Organized Health Care Arrangement (“OHCA”) and shares information across the above referenced entities for treatment, payment, and operations.

The Notice of Privacy Practices also contains the following provisions,

Research. In most cases, The Provider will ask for your written authorization before using your PHI or sharing it with others in order to conduct research. However, under some circumstances, the Provider may use and disclose your PHI without your authorization if the Provider obtains approval through a special process to ensure, among other things, that research without your authorization poses minimal risk to your privacy and could not reasonably be performed without waiving your consent. Under no circumstances, however, would the Provider allow researchers to use your PHI publicly. The Provider also may release your PHI without your authorization to people who are preparing a future research project, so long as any information identifying you does not leave the facility. In the event of your death, the Provider may share your PHI with people who are conducting research using the information of deceased persons, as long as they agree not to remove from the facility any information that identifies you.

And

Completely De-Identified or Partially De-Identified Information

The Provider may use and disclose your PHI if the Provider has removed any information that has the potential to identify you so that the health information is “completely de-identified.” The Provider also may use and disclose “partially de-identified” PHI about you if the person who will receive the information signs an agreement to protect the privacy of the information as required by federal and state law. Partially de-identified PHI will not contain any information that would directly identify you (such as your name, street address, social security number, phone number, fax number, electronic mail address, website address or license number).

  1. SPECIMEN BANKING
  • If specimens will be banked for future research, describe where the specimens will be stored, how long they will be stored, how they will be accessed and who will have access to the specimens
  • List the information that will be stored with each specimen, including how specimens are labeled/coded
  • Describe the procedures to release the specimens, including: the process to request release, approvals required for release, who can obtain the specimens, and the information to be provided with the specimens.
  1. DATA MANAGEMENT AND CONFIDENTIALITY

REQUIRED LANGUAGE – The text in red should remain in the protocol

Provisions to Maintain the Confidentiality of Information

All data collected from all health system sources will be maintained on a password protected server. Study staff will have restricted access to directories and files on the server, according to project responsibilities. “Login/password security” is used to control access to the network. Individuals with data entry permissions are able to add records only to the databases to which they have access. As is health system practice all data are backed up every 24 hours.

A unique identifying number will be assigned to each subject at the time of enrollment in the registry. In an effort to correlate information every individual will be provided a unique patient ID# (coded link) which links together their medical record information. The coded link between this unique identifier and the subject’s identifying information will be maintained in locked files. When information is shared internally or externally investigators will only be provided with the subject’s unique ID. The sharing of information and provisions for special protections based on the identifiable nature of requests is explained in greater detail below.

Sharing of Data

The purpose of the Registry is to systematically capture and share data with both internal and external researchers to study the diagnosis, management and treatment of disease. This can generally be done by sharing selected clinical data on study subjects without the need for personally identifying information on these subjects by the investigator. The Registry is specifically designed to allow for the broad collection of relevant clinical information along with personally identifying information; however, the information will generally be distributed for analysis in a de-identified fashion to researchers.

The PI of the registry will review the conditions under which data will be released to recipient- investigators. Each application for use will need the approval of the PI and will follow the process outlined below. Investigators will be allowed to request information from the registry in four ways. The level of identifiability will determine the process for review and approval as well as the manner in which information is shared.

  1. Identifiable Data: Informed Consent Usually Required Requests for access to identifiable data must first have obtained IRB review and approval. Investigators who would like access to the identifiable information in the data warehouse must have a) valid IRB approval and b) signed consent from subjects or a waiver of informed consent and authorization from the IRB governed by the investigator’s engagement. In keeping with current OHRP rules of engagement all protocols that request sharing of identifiable information will require the approval of the North Shore-LIJ Health System IRB in addition to the investigative site’s IRB. Note that it is expected most requests for identifiable information will require informed consent.
  1. Coded Data: Informed Consent Not Required Requests for access to coded data where the investigator receiving the information has no way to break the code is not considered identifiable under the Common Rule (45CFR46) as a result IRB review and approval for sharing of coded data will not require IRB review and approval prior to PI review and sharing of data.
  1. Limited Data Set: Informed Consent Not Required, Data Use Agreement is Required Requests for access to a Limited Data Set is where the investigator has requested information along with limited identifiers as defined by HIPAA. A Limited Data Set currently consists of elements of dates and geographic codes. Since these are considered identifiers under HIPAA (45CFR164) any sharing of information that requires use of a Limited Data Set would require IRB review and approval. Investigators who would like access to information in the data warehouse with a Limited Data Set must have a) valid IRB approval and b) signed a Data Use Agreement. Informed Consent or a waiver of informed consent and HIPAA authorization are not required when accessing a Limited Data Set. In keeping with current OHRP rules of engagement all protocols that request sharing of information with a Limited Data Set will require the approval of the North Shore-LIJ Health System IRB in addition to the investigative site’s IRB.
  1. De-Identified Data: Informed Consent Not Required Requests for access to de-identified data where there are no identifiers included in the data and there are no links to subject identity are not considered identifiable human subject information under the Common Rule (45CFR46) or HIPAA (45CFR164) as a result IRB review and approval for sharing of de-identified data will not require IRB review and approval prior to review.

Investigators will be required to submit a request to the PI outlining the purpose of the study, the data elements to be accessed, preferred method of transmission, and preferred file type. In addition if investigators need access to identifiable information or information utilizing a limited data set they must submit a copy of valid IRB approval and informed consent, where applicable. The PI will evaluate the request and ensure that appropriate regulatory approvals have been obtained. Once approved the investigator will be informed and relevant data transferred for analysis.

Top View