Why governance comes first
Governance failures are the most common reason patient registries stall or collapse. Data collected without proper consent cannot be shared with researchers. Registries without clear data access policies cannot attract industry partners. Registries without defined oversight become targets for legal challenges.
Getting governance right at the start protects participants, protects your organization, and makes your data usable.
IRB Review
Do you need IRB approval?
The short answer for most patient registries: yes.
IRB (Institutional Review Board) review is required when:
- Research involves human subjects (identifiable individuals)
- The intent is to generate generalizable knowledge
- Data will be published or shared for research purposes
Common misconception: Advocacy organizations sometimes believe that because they are not a university or hospital, IRB requirements don't apply to them. This is incorrect. The regulatory standard follows the activity, not the organization type.
Types of IRB review
| Review type | When it applies | Timeline |
|---|---|---|
| Exempt | Minimal risk; surveys/interviews with adults; secondary use of deidentified data | Days to weeks |
| Expedited | Minimal risk; identifiable data; no vulnerable populations | 2 to 6 weeks |
| Full board | More than minimal risk; children; cognitive impairment; sensitive topics | 4 to 8 weeks |
Getting IRB coverage without an institutional affiliation
Advocacy organizations without a home institution have several options:
- Commercial/Independent IRBs, WCG (formerly Western IRB), Advarra, and Copernicus are commonly used. Expect $3,000, $8,000 for initial review plus annual continuation fees.
- Partner with an academic institution, An academic collaborator can serve as the PI and provide IRB coverage through their institution.
- WIRB-Copernicus Group or similar, Accepts non-institutional sponsors; experienced with participant led research.
Key resource: OHRP IRB Registration and Federalwide Assurance (FWA)
Informed Consent
Consent is not just a regulatory checkbox, it is the foundation of the participant-researcher relationship. A well-designed consent process builds trust and improves retention.
What consent must cover
- What data will be collected and why
- Who will have access to the data
- How the data will be stored and for how long
- Whether samples will be collected and what they may be used for
- Whether data may be shared with commercial entities (industry sponsors)
- The right to withdraw and what happens to data upon withdrawal
- Whether the registry is HIPAA-covered and how PHI is protected
- Whether participants will receive results or incidental findings
Consent models
Traditional one-time consent: Participant signs consent document once. Simple but inflexible, if the registry expands its scope, you may need to re-consent.
Broad consent: Participant consents to future unspecified research uses within a defined scope. Requires explicit IRB approval and specific regulatory language (45 CFR 46.116(d)).
Dynamic/tiered consent: Participant makes granular choices about data uses (e.g., "yes to academic research, no to commercial use, yes to contact for future studies"). More complex to implement but increasingly preferred by participants.
Electronic consent (eConsent): Enables multimedia consent, remote participation, and timestamped audit trails. Accepted by most IRBs. Tools include REDCap (free), Medidata Rave eConsent, and others.
Recommendation. For rare disease registries, dynamic consent is worth the extra investment. Participants are sophisticated advocates who appreciate control over their data, and tiered consent dramatically expands partnership options later.
Data Governance Policy
Your data governance policy defines who can access registry data, under what conditions, and with what oversight. This document is essential for:
- Protecting participant privacy
- Enabling data sharing with researchers
- Negotiating with industry partners
- Satisfying IRB requirements
Core components of a data governance policy
-
Data Access Committee (DAC), Who reviews and approves data access requests? Composition typically includes a participant representative, a scientific advisor, a legal/privacy officer, and a member of the advocacy organization's leadership.
-
Access tiers, Define levels of data access (e.g., summary statistics only → deidentified individual records → identified data under DUA → linked biosamples)
-
Data Use Agreements (DUAs), Legal contracts specifying permitted uses, prohibitions (e.g., no reidentification attempts, no selling), and data destruction requirements.
-
Publication policy, Who must be acknowledged or included as coauthor when registry data is published? Does the advocacy organization have review rights before submission?
-
Data retention and destruction, How long is data kept? What is the process for destroying data upon participant withdrawal or registry closure?
Key resource: Global Alliance for Genomics and Health (GA4GH) Framework for Responsible Sharing of Genomic and Health related Data
HIPAA and Participant Data Privacy
HIPAA applies if your registry is operated by or in partnership with a covered entity (healthcare provider, health plan, or healthcare clearinghouse) or their business associates.
If your advocacy organization collects data directly from participants outside a covered entity context, HIPAA may not technically apply, but you should still implement equivalent protections because:
- Participants expect and deserve strong privacy protections
- Industry and academic partners will require them
- State privacy laws (especially California CCPA/CPRA) may apply regardless
Safe Harbor deidentification: Removing 18 specific identifiers from a dataset creates a "Safe Harbor" deidentified dataset that is no longer subject to HIPAA. Key identifiers to remove: names, geographic data smaller than state, dates (except year), phone numbers, email addresses, SSN, medical record numbers, device identifiers, URLs, IP addresses, biometric identifiers, photos.
Checklist
- [ ] Determined whether IRB review is required
- [ ] Selected IRB (institutional or commercial)
- [ ] Drafted consent document covering all required elements
- [ ] Chosen consent model (traditional, broad, or dynamic)
- [ ] Drafted data governance policy
- [ ] Established Data Access Committee with participant representation
- [ ] Drafted Data Use Agreement template
- [ ] Determined HIPAA applicability and implemented appropriate protections
- [ ] Established publication policy