Registries and Repositories

Repositories and registries are not just limited to the use in ongoing research investigations. Rather, they reflect a source of information gathered for addressing important scientific questions as well as billing, marketing, quality improvement and control purposes. If a registry/repository is being used for a non-research purpose, IRB approval is not needed. However, if that information is being used later for the purpose of research (systemic investigation including research development, testing, and evaluation designed to develop or contribute to generalizable knowledge) IRB approval must be acquired. Examples of the repositories used for non-research purposes include:

• Anesthesia electronic record system
• Pathology department biospecimens
• Operating room management database
• EPIC
• Quality assurance/quality improvement initiatives

After the completion of a research study, the database may be retained but its future use is complex. IRB approval must be attained for every research protocol involving the use of any database containing identifiable or re-identifiable information regardless of whether or not that database had been used before. Investigators should be encouraged to include information about future use of the subject’s data when taking informed consent. The informed consent form should clearly contain an option for subjects to either opt-in or opt-out of storage of data for future purposes. The subject’s decision must also be tracked prior to using the data even if the subject had previously consented to opting in to allowing their data to be used. Tracking must be done to ensure that the subject did not change their mind about using their data and still provides their authorization for the use of their data.

Examples of research databases include:

• Data that is compiled from a clinical trial
• List of names, diagnosis, and contact information developed and maintained in order to identify prospective research subjects, perform internal quality assurance programs, and conduct generalizable studies on the effectiveness of particular treatment interventions.
• A collection of medical information intended for use in future
• A compilation of patient information that was originally created and used for billing purposes but is now routinely used to identify prospective research subjects.

Repositories refer to the collection of leftover biospecimen data at the end of a study. IRB approval must be attained prior to each use of repositories regardless of if the data was used previously for research purposes. If there is an intent to set up a repository at the culmination of a research study, informed consent documentation must clearly state whether subjects authorize to opt-in or opt-out for the storage of their biospecimens. The subject’s decision must continue to be tracked in case they change their minds about the future use of their data.

Operators of the investigators must have physical and procedural safeguards implemented for the secure, receipt, storage, and transmission of specimens. These protocols must be outlined and submitted to the IRB for review and approval prior to starting research using the specimens. The IRB heavily focuses on ensuring the subject’s privacy and confidentiality of the subject’s information.

Elements that should be included in an informed consent/authorization form include:

• General concept and purpose of the
• Name and location of repository(ies).
• Nature and type of future research using the data
• Summary of physical and procedural mechanisms for protecting subject’s privacy and confidentiality of data/biospecimens.
• Conditions (if any) under which the subject may withdraw their consent/authorization to use of specimens.
• Elements of PHI (Protected Health Information) that could potentially be shared with research investigators.
• Outline of risks related to breach of confidentiality including impact on privacy, insurability, and stigmatization.
• If human genetic research is utilized, information about consequences of DNA typing and possible confidentiality risks.

Research data and biospecimens stored under registries and repositories are governed by federal human subject protection regulations (45 CFR 160) and HIPAA Privacy Rules. These regulations provide a general guideline; however, there may be more specific protocols on the collection, storage, use, and sharing of data that varies based on the research being performed. IRB approval depends on whether the data being stored contains individually identifiable health information. The IRB also carefully assesses if proper informed consent processes have been put into place to secure the data.

Repository protocol that is submitted to the IRB outlines the general operating parameters for maintenance of the repository. The protocol also specifies how the repository may be converted into an existing database or non-research repository into a research repository. When looking at potential use of repositories in research, the IRB looks at the following issues:

• The language of the informed consent/authorization that specifies how the individual’s biospecimens may be used in future research.
• Registry/repository SOPs (Standard Operating Procedures) for storage, use, back-up, and sharing the data/biospecimens.
• The security measures that will be put into place to protect the
• Process of anonymizing the data to protect subject privacy and
• Method for how the data/biospecimens may be shared to
• Specifics conditions under which data/biospecimens may be accepted into the repository such as requirement for FWA (Federal Wide Assurance) number for each site IRB and copy of IRB approval letter

The Repository IRB outlines conditions that the collector (individuals involved in data/biospecimen collection) must comply with for the data to be safely stored in a repository. Responsibilities of the collector include:

• Obtaining appropriate IRB approval from the local
• Obtaining and documenting informed consent/authorization.
• Obtaining the required data/biospecimens in the appropriate form and storage medium within the specified time points.
• Coding and labeling the samples before
• Uploading the data/biospecimens to the registry/repository.
• Removing all unnecessary PHI from the data/biospecimens.

Individuals that receive the data from the repository (recipients) are also required to comply with Repository and Local IRB regulations. These regulations are targeted towards protecting sensitive identifiable biospecimens.

Repository activities that do not require a protracted IRB review include permitting new collecting investigators, adding more research projects, and adding new recipient investigators to be added to the repository’s activities. Some activities may only require an expedited review by the IRB or even just a timely notification of the IRB. The use and disclosure of information from a research repository are determined by the following:

• Repository IRB: those who are responsible for review, approval, and oversight of the
• Local IRB: those who are responsible for research at the site where information/specimens will be used.