Whether the Common Rule changes requirements for handling exempt studies, IRBs might choose to stay involved in these decisions. How they accomplish that depends on the IRB’s policies, procedures, and goals, but one important focus should be on data confidentiality.

“We have looked forward to the changes in the Common Rule, related to expanding exemptions,” says Teresa Doksum, PhD, MPH, senior director of quality and research ethics and IRB chair at Abt Associates Inc., an independent research organization in Cambridge, MA.

“We look forward to expanding exemptions as long as limited IRB review is conducted to ensure researchers are maintaining confidentiality and have adequate provisions to do so,” she says. “The way we typically handle exemption requests by a researcher is for our staff, including me and an IRB chair or administrator, to screen the project to see if it’s eligible for exemption.”

The same approach will apply to surveys and interviews. “If they’re eligible for the new exemption category, we’ll be allowed to exempt it as long as we can conduct a limited IRB review and as long as there are adequate provisions for confidentiality,” Doksum says.

The IRB requires researchers to submit a minimum amount of information before it makes an exemption eligibility determination, she says.

“If they want to be exempt and they have sensitive data, we want to see what their provisions are to maintain the confidentiality,” she explains. “And we have a data security plan template we use to see what their plans are to protect data.”

Protecting participants’ confidentiality is very important to researchers and the IRB, Doksum says.

Doksum offers the following suggestions for how IRBs can make sure they maintain some control over exempt determinations:

• Read the confidentiality provisions. One way to handle the exempt status is to review all provisions for maintaining confidentiality. IRBs might still want information about projects that are exempt from IRB review so that they can ensure data security and confidentiality.

“We want to help them think about how to prepare for this type of exemption and to look at provisions to maintain confidentiality,” Doksum says. “We show how we’ve been doing this, and it’s a way to get them started to think about the main risk in the studies they do.”

Some institutions have access to an IT security professional who can partner with the IRB on data security.

• Set up protocols and a data security plan. IRBs can set up protocols for data security. Although each study is different, there can be a common set of IT tools for securely transferring and storing data, Doksum says.

“The tools must comply with all federal and international standards,” she adds.

Abt Associates published in 2015 a 16-page data security plan development guide for researchers. The plan includes a checklist of items each data security plan needs, including the following:

- research grant or contract;

- data use agreements;

- study design, including data collection instruments and consent language;

- protocol approved by IRB;

- Office of Management and Budget Paperwork Reduction Act clearance submission (confidentiality section);

- Privacy Act System of Record Notice;

- national and state privacy laws.

• Cross-train IRB and IT partners. “What we recommend for smaller institutions that may not have an IT expert [on staff] is they can at least cross-train,” Doksum says. “Our IT security partners and our IRB members are not researchers, so over the years we’ve trained them on research methods, data collection, data flow.”

The IT security professionals taught IRB members enough about encryption to let them know when they really need it, she adds.

“Our advice for smaller institutions is to find a partner in their IT department and to start working together and training them and having them train you,” she says.

• Educate and monitor. As regulations change, including changes to the Common Rule, it’s important to educate researchers, IRB members, and staff on these changes.

IRBs can base education sessions on federal guidance. The same guidance could inform changes to protocols and templates.

Monitoring is part of the IRB’s oversight and review process.

“After we review and approve a data security plan, our researchers check in with us to see if anything changes,” Doksum says.

For example, if there’s a substantive change to the study design that affects confidentiality, then researchers must come back to the IRB with updates to their data security plan, she says.

“If they add a new partner to the project or want to change the questions they’re asking to include something more sensitive, then they come back to us,” she adds.

The IRB also can train staff on how the exempt status is used and changed under the Common Rule.

“We’re a small-volume IRB, so we have a lot of communication, every day, with researchers,” Doksum says. “And they are protecting people’s sensitive information because it is just as important to them as it is to us.”