Skip to content



Tip of the Month

Monthly research compliance reminders and information.

subscribe to tip of the month


Explore our Tip of the Month Archive below


April 2024

Elements of ALCOA+ for Data Integrity

ALCOA+ Elements





Breaches of Confidentiality

Investigators are responsible for the confidentiality of participant information collected during a study,
including how this information will be stored and shared.

A breach of confidentiality is an unanticipated problem that must be reported to the IRB

Immediately contact the applicable Privacy Office(s) and Institutional Official(s) if the breach involves PHI


Examples of data breaches include, but are not limited to, the following:


Lost or stolen laptops storing participant information


Lost or stolen USB/thumb drives with unencrypted participant information

Accessing PHI without a business need to know

Any unencrypted PHI sent outside of the University Health Sciences


Faxes with PHI sent to the wrong fax machine outside of the University Health Sciences network


Paper with PHI not disposed of properly -i.e., shredded


Information delivered to the wrong participant using the postal service, courier, or other delivery method


All lab, imaging, and diagnostic report results should be assessed in a timely manner by the Principal Investigator or Sub Investigator listed on the FDA 1572 form. If applicable, the PI can delegate the responsibility to medically qualified Sub-I(s) on the Delegation of Authority Log. 

Out-of-range values and/or abnormalities should be assessed and indicated to be Clinically Significant (CS) or Not Clinically Significant (NCS). The PI or Sub-I should sign and date each assessment. 

Any results deemed Clinically Significant (CS) should be assessed for potential Adverse Event’s (AE) and if applicable, added to the participant’s medical history.

Under ICH GCP E6 (R2), PI’s are required to demonstrate oversight of a clinical trial. The review and assessment of lab and test results is one way to demonstrate PI oversight.


The following basic elements of informed consent are described in the Common Rule, FDA, and International Conference on Harmonization (ICH).

Is there a statement that the study involves research and an explanation of the purposes of the research?

Is the expected duration of participation stated?

Is there a description of the procedures to be followed including the identification of any procedures that are experimental?

Is there a description of any foreseeable risks or discomforts to the participant?

Is there a description of any benefits to the participants or others?

Is there a disclosure of any alternative procedures or courses of treatment?

Is there a statement describing the confidentiality of records?

For research involving more than minimal risk, is there a statement about what options are available if injury to the participant occurs?

Is the necessary contact information provided?

Is there a statement that participation is voluntary?

Is there a statement that individuals may refuse to participate or discontinue participation without penalty or loss of benefits?

Is there a statement about the collection of identifiable private information or identifiable biospecimens?


Additional elements of informed consent necessary under other regulations, such as Veterans Health Administration (VHA), Department of Defense (DoD), or HIPAA will have an additional checklist.

Single IRB (sIRB) Protocol & Consent Versions

The single or central IRB model is used to allow multiple institutions performing the same protocol to use the same IRB, for consistency in the execution of the study. The University of Utah IRB may act as the sIRB, but another institution’s IRB may serve as the IRB of record depending on the study.

After approval of amended sIRB protocols & consents, it is recommended to track and review the following: 

  • It is recommended to track dates of sIRB approval, version date(s) of amended protocols and consents, and dates received at our site to ensure the most up-to-date versions are being utilized
  • Does the sIRB require re-consent from participants?
  • Does the approved amended protocol/consent require local IRB submission/approval?
  • Local IRB submission guidelines can include, but are not limited to:
  • Updates to Conflict of Interest (COI) management plans for investigators with an active COI
  • Addition of a pediatric population to a trial
  • Changes that require review from another University group (RDRC, CTSI, HCI, PCH, etc.)
  • If unsure whether an sIRB-approved amendment needs to be submitted locally, please contact the IRB at



UUSOP-07: Deviations and Reporting

An updated version of UUSOP-07: Deviations - Documentation and Reporting will
be released in December 2023 for immediate implementation.

The FDA has recently been observed to issue 483 letters to investigators that have deviated from the IRB-approved protocol with what is referred to as "sponsor approval." Sponsor approval is not an exemption from deviation. The FDA expects investigators to obtain IRB approval for alternate procedures before implementation.

In order to protect the Institution and University investigators, UUSOP-07 will be updated to require any departure from the IRB-Approved protocol first be sent to the IRB for review and approval prior to enactment.

This will require investigators and study teams to be thoughtful when reviewing protocols. If there are areas of the protocol that are unfeasible or unnecessarily limiting, such as eligibility criteria or treatment parameters, efforts should be made to correct them before enrolling participants.

In addition, study teams are required to request an amended protocol from the sponsor for any changes that are only included in protocol administrative letters (or equivalent). Records of these requests to the sponsor must be filed in the study's regulatory binder.

Strict adherence to the IRB-approved protocol is the most effective way to ensure research integrity and compliance, and to eliminate the risks associated with FDA investigation.


Elements of Effective Corrective and Preventative Action Plans (CAPAs)

Description of Problem

Describe the problem/deviation that occurred, and when it was discovered.

Conduct Root Cause Analysis

Identify the underlying reason the problem/deviation occurred. Use the Five Why’s, a method of “digging deeper” into a problem by repeating the question “Why?” five times after each possible cause to ensure the ultimate root cause is identified.

Corrective Action

The procedures/steps taken to resolve the problem/deviation. Corrective action taken or planned should be short-term and provide immediate resolution of any nonconformities found.  



Determine how the corrective action will be implemented, who will implement it and the date implemented. 


Preventative Action

Describe the procedures/steps taken to prevent the problem from reoccurring. This should be a long-term, sustainable solution to address the root cause and prevent recurrence. 

Evaluation Plan

Provides details of how the CAPA will be assessed for effectiveness. Documentation must be maintained to demonstrate planning and implementation in addition to providing evidence of decisions made and actions taken. 


18 HIPAA PHI Identifiers

    1. Names
    2. Address
    3. Dates related to an individual
    4. Phone Numbers
    5. Fax Numbers
    6. Email Address
    7. Social Security Numbers
    8. Medical Record Numbers
    9. Health Plan Beneficiary Numbers
    10. Account Numbers
    11. Certificate/License Numbers
    12. Vehicle Identifiers and Serial Numbers
    13. Device Numbers and Serial Numbers
    14. Web URLs
    15. IP Address
    16. Finger or Voice Print
    17. Photographic Image
    18. Any other Unique Identifying Number

Publishing post-analysis data with identifiable datasets includes the above PHI identifiers. If identifiable datasets are included in publishing post-analysis data, it must align with the IRB approved Informed Consent Form (ICF) signed by the participant. The ICF and IRB application must indicate if identifiable datasets will be






Last Updated: 5/15/24