Module 2 · Part 1 · Planning
Governance & IRB
Establish the governance structures and regulatory approvals your registry needs before collecting any data.
Patient Registries 101 · Dr. Danielle Boyce · EpilepsyLive
Why governance comes first
- Governance failures are the most common reason patient registries stall or collapse.
- Getting governance right at the start protects participants, protects your organization, and makes your data usable.
Do you need IRB approval?
- The short answer for most patient registries: yes .
- IRB (Institutional Review Board) review is required when
- Research involves human subjects (identifiable individuals)
- The intent is to generate generalizable knowledge
- Data will be published or shared for research purposes
- Common misconception: Advocacy organizations sometimes believe that because they are not a university or hospital, IRB requirements don't apply to them.
Getting IRB coverage without an institutional affiliation
- Advocacy organizations without a home institution have several options
- Commercial/Independent IRBs , WCG (formerly Western IRB), Advarra, and Copernicus are commonly used. Expect $3,000, $8,000 for initial review plus annual continuation fees.
- Partner with an academic institution , An academic collaborator can serve as the PI and provide IRB coverage through their institution.
- WIRB-Copernicus Group or similar , Accepts non-institutional sponsors; experienced with participant led research.
- Key resource: OHRP IRB Registration and Federalwide Assurance (FWA)
Informed Consent
- Consent is not just a regulatory checkbox, it is the foundation of the participant-researcher relationship.
What consent must cover
- What data will be collected and why
- Who will have access to the data
- How the data will be stored and for how long
- Whether samples will be collected and what they may be used for
- Whether data may be shared with commercial entities (industry sponsors)
- The right to withdraw and what happens to data upon withdrawal
What consent must cover (cont.)
- Whether the registry is HIPAA-covered and how PHI is protected
- Whether participants will receive results or incidental findings
Consent models
- Traditional one-time consent: Participant signs consent document once.
- Broad consent: Participant consents to future unspecified research uses within a defined scope.
- Dynamic/tiered consent: Participant makes granular choices about data uses (e.g., "yes to academic research, no to commercial use, yes to contact for future studies").
- Electronic consent (eConsent): Enables multimedia consent, remote participation, and timestamped audit trails.
- Recommendation. For rare disease registries, dynamic consent is worth the extra investment.
Data Governance Policy
- Your data governance policy defines who can access registry data, under what conditions, and with what oversight.
- Protecting participant privacy
- Enabling data sharing with researchers
- Negotiating with industry partners
- Satisfying IRB requirements
Core components of a data governance policy
- Data Access Committee (DAC) , Who reviews and approves data access requests? Composition typically includes a participant representative, a scientific advisor, a legal/privacy officer, and a member…
- Data Access Committee (DAC) , Who reviews and approves data access requests?
- Access tiers , Define levels of data access (e.g., summary statistics only → deidentified individual records → identified data under DUA → linked biosamples)
- Data Use Agreements (DUAs) , Legal contracts specifying permitted uses, prohibitions (e.g., no reidentification attempts, no selling), and data destruction requirements.
Core components of a data governance policy (cont.)
- Publication policy , Who must be acknowledged or included as coauthor when registry data is published? Does the advocacy organization have review rights before submission?
- Publication policy , Who must be acknowledged or included as coauthor when registry data is published?
- Data retention and destruction , How long is data kept? What is the process for destroying data upon participant withdrawal or registry closure?
- Data retention and destruction , How long is data kept?
- Key resource: Global Alliance for Genomics and Health (GA4GH) Framework for Responsible Sharing of Genomic and Health related Data
HIPAA and Participant Data Privacy
- HIPAA applies if your registry is operated by or in partnership with a covered entity (healthcare provider, health plan, or healthcare clearinghouse) or their business associates .
- If your advocacy organization collects data directly from participants outside a covered entity context, HIPAA may not technically apply, but you should still implement equivalent protections because
- Participants expect and deserve strong privacy protections
- Industry and academic partners will require them
- State privacy laws (especially California CCPA/CPRA) may apply regardless
- Safe Harbor deidentification: Removing 18 specific identifiers from a dataset creates a "Safe Harbor" deidentified dataset that is no longer subject to HIPAA.
Checklist
- [ ] Determined whether IRB review is required
- [ ] Selected IRB (institutional or commercial)
- [ ] Drafted consent document covering all required elements
- [ ] Chosen consent model (traditional, broad, or dynamic)
- [ ] Drafted data governance policy
- [ ] Established Data Access Committee with participant representation
Checklist (cont.)
- [ ] Drafted Data Use Agreement template
- [ ] Determined HIPAA applicability and implemented appropriate protections
- [ ] Established publication policy
Key resources
- AHRQ Registry User's Guide Chapter 8: Legal and Liability Issues
- OHRP Human Subjects Regulations (45 CFR 46)
- GA4GH Data Access Framework
- WCG IRB (Independent IRB)
- Advarra IRB
- NIH Broad Consent Template
Key resources (cont.)
- IAPP Privacy Resource Center
- ← Module 1 | Module 3: Scientific Advisory Boards →