Tip of the Month
Monthly research compliance reminders and information.
Explore our Tip of the Month Archive below
April 2024
Breaches of Confidentiality
Investigators are responsible for the confidentiality of participant information collected
during a study,
including how this information will be stored and shared.
A breach of confidentiality is an unanticipated problem that must be reported to the IRB
Immediately contact the applicable Privacy Office(s) and Institutional Official(s) if the breach involves PHI
Examples of data breaches include, but are not limited to, the following:
Lost or stolen laptops storing participant information
Lost or stolen USB/thumb drives with unencrypted participant information
Accessing PHI without a business need to know
Any unencrypted PHI sent outside of the University Health Sciences
Faxes with PHI sent to the wrong fax machine outside of the University Health Sciences network
Paper with PHI not disposed of properly -i.e., shredded
Information delivered to the wrong participant using the postal service, courier, or other delivery method
All lab, imaging, and diagnostic report results should be assessed in a timely manner by the Principal Investigator or Sub Investigator listed on the FDA 1572 form. If applicable, the PI can delegate the responsibility to medically qualified Sub-I(s) on the Delegation of Authority Log.
Out-of-range values and/or abnormalities should be assessed and indicated to be Clinically Significant (CS) or Not Clinically Significant (NCS). The PI or Sub-I should sign and date each assessment.
Any results deemed Clinically Significant (CS) should be assessed for potential Adverse Event’s (AE) and if applicable, added to the participant’s medical history.
Under ICH GCP E6 (R2), PI’s are required to demonstrate oversight of a clinical trial. The review and assessment of lab and test results is one way to demonstrate PI oversight.
The following basic elements of informed consent are described in the Common Rule, FDA, and International Conference on Harmonization (ICH).
Is there a statement that the study involves research and an explanation of the purposes of the research?
Is the expected duration of participation stated?
Is there a description of the procedures to be followed including the identification of any procedures that are experimental?
Is there a description of any foreseeable risks or discomforts to the participant?
Is there a description of any benefits to the participants or others?
Is there a disclosure of any alternative procedures or courses of treatment?
Is there a statement describing the confidentiality of records?
For research involving more than minimal risk, is there a statement about what options are available if injury to the participant occurs?
Is the necessary contact information provided?
Is there a statement that participation is voluntary?
Is there a statement that individuals may refuse to participate or discontinue participation without penalty or loss of benefits?
Is there a statement about the collection of identifiable private information or identifiable biospecimens?
Additional elements of informed consent necessary under other regulations, such as Veterans Health Administration (VHA), Department of Defense (DoD), or HIPAA will have an additional checklist.
Single IRB (sIRB) Protocol & Consent Versions
The single or central IRB model is used to allow multiple institutions performing
the same protocol to use the same IRB, for consistency in the execution of the study.
The University of Utah IRB may act as the sIRB, but another institution’s IRB may
serve as the IRB of record depending on the study.
After approval of amended sIRB protocols & consents, it is recommended to track and review the following:
- It is recommended to track dates of sIRB approval, version date(s) of amended protocols and consents, and dates received at our site to ensure the most up-to-date versions are being utilized
- Does the sIRB require re-consent from participants?
- Does the approved amended protocol/consent require local IRB submission/approval?
- Local IRB submission guidelines can include, but are not limited to:
- Updates to Conflict of Interest (COI) management plans for investigators with an active COI
- Addition of a pediatric population to a trial
- Changes that require review from another University group (RDRC, CTSI, HCI, PCH, etc.)
- If unsure whether an sIRB-approved amendment needs to be submitted locally, please contact the IRB at irb@hsc.utah.edu
UUSOP-07: Deviations and Reporting
An updated version of UUSOP-07: Deviations - Documentation and Reporting will
be released in December 2023 for immediate implementation.
The FDA has recently been observed to issue 483 letters to investigators that have deviated from the IRB-approved protocol with what is referred to as "sponsor approval." Sponsor approval is not an exemption from deviation. The FDA expects investigators to obtain IRB approval for alternate procedures before implementation.
In order to protect the Institution and University investigators, UUSOP-07 will be updated to require any departure from the IRB-Approved protocol first be sent to the IRB for review and approval prior to enactment.
This will require investigators and study teams to be thoughtful when reviewing protocols. If there are areas of the protocol that are unfeasible or unnecessarily limiting, such as eligibility criteria or treatment parameters, efforts should be made to correct them before enrolling participants.
In addition, study teams are required to request an amended protocol from the sponsor for any changes that are only included in protocol administrative letters (or equivalent). Records of these requests to the sponsor must be filed in the study's regulatory binder.
Strict adherence to the IRB-approved protocol is the most effective way to ensure research integrity and compliance, and to eliminate the risks associated with FDA investigation.
Elements of Effective Corrective and Preventative Action Plans (CAPAs)
Description of Problem
Describe the problem/deviation that occurred, and when it was discovered.
Conduct Root Cause Analysis
Identify the underlying reason the problem/deviation occurred. Use the Five Why’s, a method of “digging deeper” into a problem by repeating the question “Why?” five times after each possible cause to ensure the ultimate root cause is identified.
Corrective Action
The procedures/steps taken to resolve the problem/deviation. Corrective action taken or planned should be short-term and provide immediate resolution of any nonconformities found.
Implementation
Determine how the corrective action will be implemented, who will implement it and the date implemented.
Preventative Action
Describe the procedures/steps taken to prevent the problem from reoccurring. This should be a long-term, sustainable solution to address the root cause and prevent recurrence.
Evaluation Plan
Provides details of how the CAPA will be assessed for effectiveness. Documentation must be maintained to demonstrate planning and implementation in addition to providing evidence of decisions made and actions taken.
18 HIPAA PHI Identifiers
-
- Names
- Address
- Dates related to an individual
- Phone Numbers
- Fax Numbers
- Email Address
- Social Security Numbers
- Medical Record Numbers
- Health Plan Beneficiary Numbers
- Account Numbers
- Certificate/License Numbers
- Vehicle Identifiers and Serial Numbers
- Device Numbers and Serial Numbers
- Web URLs
- IP Address
- Finger or Voice Print
- Photographic Image
- Any other Unique Identifying Number
Publishing post-analysis data with identifiable datasets includes the above PHI identifiers.
If identifiable datasets are included in publishing post-analysis data, it must align
with the IRB approved Informed Consent Form (ICF) signed by the participant. The ICF
and IRB application must indicate if identifiable datasets will be
shared/published.