IRB-HSR Home Institutional Review Board for Health Sciences Research

Examples of Activities That Do and Do Not Require IRB–HSR Review

For additional information see the IRB-HSR Learning Shot:  SOM Salient Issue:  When do you need IRB review?

Examples of When an Activity Does Require IRB Review

  • Use of existing specimens that were collected either for research or for clinical reasons that are identifiable, or you have access to a code which identifies the donor (e.g., pathology number), or if the investigator has knowledge of the subject's identity (e.g., patient's surgeon is also an investigator on the study)
  • Use of data from medical records for non-clinical or non-quality improvement (QI) reasons
  • A review of your own patients' clinical records (i.e. medical records, x-rays, laboratory values and/or reports) in order to answer a research question.
  • Calling patients for follow-up information for purposes of research
  • Establishment of a database protocol when the primary purpose of the database is to collect data for future research.
  • Thesis or dissertation projects conducted to meet the requirement of a graduate degree are usually considered generalizable, and require IRB review and approval.
  • The investigator obtains specimens or data through intervention or interaction with a living individual (e.g. interviews, surveys, physical procedures, manipulations of the subject’s environment, private or limited access internet sites, or any other direct contact or communication with the subject).
  • The investigator is obtaining identifiable private information about living individuals (e.g. chart review, lab studies on tissues or specimens, information from data or tissue repository).
  • The data or specimens are received by or provided to the investigator with identifiable private information
  • The data or specimens are coded and the investigator has access to a link that would allow the data or samples to be identified.
  • The activity involves one or more individuals who are or become participants in research, either as a recipient of the test article (e.g. drug, biologic, medical device or other article subject to regulations under the Food, Drug & Cosmetic Act) or as a control
  • The activity involves one or more individuals who participate in an investigation, either as an individual on whom or on whose specimen an investigational device is used or as a control.
  • The activity is a clinical investigation involving a project regulated by the FDA (e.g. drug, device or biologic)
  • The activity involves the use of a drug, excluding an FDA approved drug in the course of medical practice, in one or more human subjects.
  • The activity involves the use of a medical device, excluding an FDA approved device in the course of medical practice, in one or more human subjects.
  • The results of the project are required to be submitted to or held for inspection by the FDA
  • The activity involves the testing of a medical device using tissue specimens from one or more human subjects and the results are being submitted to the FDA for approval of the device.
  • The activity involves one of the activities listed above; however, you are NOT performing the work as an AGENT of UVa.  You may be considered to NOT be working as an agent of UVa if either of the following situations exists.

    • You were NOT involved in the design of the research.
    • A UVa IRB has NOT approved the research.
    • Funding to conduct the research will NOT come from UVa.
    • You have other reasons for traveling to the outside institution besides working on research.
    • Working on this research is NOT required for your degree program.
    • You confirm:

      • you are a student, employee and/or faculty member of the University of Virginia.
      • the project has or will have IRB approval from the outside institution and you will be listed on their application as personnel conducting the study. 
      • your work on this project will be overseen by the Principal Investigator and the IRB at the outside institution.
      • You will communicate with the IRB and the Contracts Office, to determine what approvals may be needed, prior to receiving any data from the outside institution. 


You designed this research. You are a student at UVa but employed by another institution. All subjects will be enrolled at the outside institution. The research will be overseen by their IRB. There is no funding for this study. You will notify the outside IRB that a UVa IRB will not be overseeing your work.

Type of Submission Required

    • If your activity meets one of the examples above and you are NOT working as an agent of UVa submit the Determination of UVa Agent Form to the IRB-HSR. 
    • If your activity meets one of the examples above and you ARE considered to be working as an agent of UVa, proceed to Protocol Builder to submit your project to the IRB-HSR.

Examples of When an Activity Does Not Require IRB-HSR Review
If your activity meets one of the examples below, you are not required to obtain approval/authorization documentation from the IRB-HSR. It is recommended that you complete the Determination of Human Subjects Research form and keep it with your records. Submission of this form to the IRB is OPTIONAL. The only exception to this involves certain projects that may be considered to be Quality Improvement or Research.

Specimens came from a cadaver.

Decedent Research:  The researcher must complete a Request for Medical Records or Statistical Data Form and submit this to the UVa Health System Department of Health Information Services (HIS).

Establishing a database.  The primary reason for establishing this database is for clinical or quality improvement purposes.   IRB approval of a new protocol must be obtained before any data from this database may be used for research purposes. Project team must comply with requirements found in the Privacy Plan.  See Appendix B.

A case series involving up to 3 patients (UVa Health System Policy 0084: Health Information Request for Non-Patient Care Usage also addresses this issue and must be followed).

Preparatory to Research Activity

Quality Improvement/Quality Assurance Project: For additional information see QI vs Research Guidance.

Receipt of Data from dbGaP for which dbGaP does not require IRB approval: dbGaP does not require IRB approval for receipt of data from Open Access Data or for data for which the research team or their direct collaborators do not have access to identifiers as they did not originally provide the data to dbGaP. The requirement for IRB approval may be found in the DUC on the GWAS website. The researcher has attached a dbGaP Data Use Certification signed by the researcher. IRB-HSR staff will obtain the signature of the Institutional Official and provide the signed document back to the researcher.

Receiving De-identified Data/Specimens:
Data/specimen will not be submitted to the FDA AND satisfies the following conditions:

  • The data/specimen, in its entirety, was collected for purposes other than this project AND
  • The data/specimen is given to the researcher without any HIPAA identifiers (no codes or links of any sort will be maintained, either by the researcher or the person releasing the data/specimen) OR
  • The researcher will delete all HIPAA identifiers*, including codes, prior to initiation of the research. Ultimately, the researcher will have NO WAY of identifying the source of the data/specimen at the time the research is done.

Allowed if:

  • The data/specimen was collected solely for clinical purposes [for example, normally discarded tissue],
  • The data/specimen was collected solely for unrelated research purposes, with no "extra" data/specimen collected for use in this project
  • The specimen is a de-identified cell line.

Not allowed if:

  • You will be obtaining the data via a process like a chart review where identifiers will be viewed.

Sending Data/Specimens outside of UVa and the following criteria are met:

  • The data/specimen, in its entirety, was collected for purposes other than this project
  • Individuals releasing the data/specimens are NOT working in collaboration with the recipients on the research project.
  • Data/ samples meet the HIPAA criteria of Limited Data Set or De-identified. All datasets will be reviewed by the Clinical Data Repository to confirm it meets one of these criteria.
  • Study team will obtain a Material Transfer Agreement with Grants and Contracts office prior to sending data/specimens. If the data/specimens meet the criteria of a Limited Data Set, Grants and Contracts office will incorporate a HIPAA Data Use Agreement into the Material Transfer Agreement.

Public Data Sets if the following conditions are met:

  • Research will NOT involve merging any of the data sets in such a way that individuals might be identified
  • Researcher will NOT enhance the public data set with identifiable, or potentially identifiable data
  • Researcher will NOT use a “restricted” data set
  • Researcher will use a Public Data Set that is included on the IRB-HSR approved list of Public Data Sets
  • Researcher will NOT use data from the NIH GWAS (Genome-Wide Association Studies) data repository
  • The data host does NOT require the researcher or the researcher’s institution to sign a Data Use Agreement.

De-identified Data: Material/data will not be submitted to the FDA AND satisfies both of the following conditions:

  • The material/data, in its entirety, was collected for purposes other than this project (e.g., the material was collected solely for clinical purposes [for example, normally discarded tissue], or for unrelated research purposes, with no "extra" material collected for use in this project.)
  • The material/data is given to the researcher without any identifiers* (e.g., no codes or links of any sort may be maintained, either by the researcher or the person releasing the material/data.)

Medical Practice and Innovative Therapy:   A commonly cited definition of medical practice describes an activity that is designed solely to enhance the well-being of an individual patient.  A type of medical practice that is often confused with research is a class of activities that has been called “innovative therapy.”  Basically, innovative therapy describes an activity that is designed solely to benefit individual patient(s) but in which the ability of the activity to result in the desired outcome is to some degree unproven. 

Medical Practice for the Benefit of Others:  In some situations, the goal of medical practice is to benefit people other than those directly affected by the health care intervention.  Examples of medical practice for the benefit of others include blood donation and some vaccination programs.  In terms of the research/non-research issue, the critical feature of this form of medical practice is that the goal of the activity is to benefit a well-defined group of people in a predictable way.

Public Health Practice:  Public health practice is similar to medical practice for the benefit of others in that the activity involves people who do not directly benefit from the intervention.  The most common situation in which there is confusion about the distinction between a public health practice and research is with public health practices that require the review of private, identifiable information about health status.  Examples of public health practices that often do not involve research include surveillance (e.g., monitoring of diseases) and program evaluation (e.g., immunization coverage or use of clinical preventive services such as mammography).

Resource Utilization Review:  Medical record review is often conducted to evaluate the use of resources in a specific health care activity.  Terms such as cost control are used to describe this class of activity, but the terms utilization review or resource utilization review are more general and often more accurately reflect the fundamental goal of projects in this category.  Although a research project may involve review of resource utilization, the term resource utilization review usually refers to a non-research activity.

Education:  The transferring of information from one group of people to another is a common activity in all aspects of society.  The regulatory definition of research focuses on the desire to develop or contribute to “generalizable knowledge.”  The reason to mention education in the context of a discussion about the definition of research is that it is important to recognize that the goal of most educational activities is to spread or “generalize” knowledge.  The fact that an activity is undertaken for the specific purpose of teaching somebody something does not mean that the activity involves research.
Appendix A.  HIPAA Identifiers
1.  Name
2.  All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of the zip code if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same 3 initial digits contains more than 20,000 people and (2) The initial 3 digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3.  All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
4.  Telephone numbers
5.  Fax numbers
6.  Electronic mail addresses
7.  Social Security number
8.  Medical Record number
9.  Health plan beneficiary numbers
10.  Account numbers
11.  Certificate/license numbers
12.  Vehicle identifiers and serial numbers, including license plate numbers
13.  Device identifiers and serial numbers
14.  Web Universal Resource Locators (URLs)
15.  Internet Protocol (IP) address numbers
16.  Biometric identifiers, including finger and voice prints
17.  Full face photographic images and any comparable images
18.  Any other unique identifying number, characteristic, or code that is derived from or related to information about the individual (e.g., initials, last 4 digits of Social Security #, mother's maiden name, first 3 letters of last name.)
19.   Any information that could be used alone or in combination with other information to identify an individual (e.g., rare disease.)

Appendix B: Privacy Plan

The following procedures will be followed.

    • Only investigators for this study and clinicians caring for the patient will have access to the data.  They will each use a unique log-in ID and password that they will keep confidential.
    • Each investigator will sign the University’s Electronic Access Agreement and forward the signed agreement to the appropriate department as instructed on the form.

If you currently have access to clinical data it is likely that you have already signed this form.  You are not required to sign it again.

    • UVa Institutional Data Protection Standards will be followed. Identifiable data is considered to be “Highly Sensitive”. A Limited Data Set is usually considered to be “Moderately Sensitive” and de-identified data is usually considered to be “Not Sensitive”.

Summary of Requirements to Comply with UVa Health System, Medical Center and University Policies and Guidance as noted above:

Highly Sensitive Data is:
-personal information that can lead to identity theft if exposed or
-health information that reveals an individual’s health condition and/or history of health services use.

PHI- Protected Health Information is a type of Sensitive Data:  health information combined with a HIPAA identifier
Identifiable Health Information under HIPAA regulations is considered Highly Sensitive Data
A Limited Data Set under HIPAA regulations is considered Moderately Sensitive Data

  • LIMIT- Limit the HIPAA identifiers to the minimal amount needed- e.g. use initials instead of name, use a code instead of initials, limit amount/type of health information collected, and collect and share only those items you state you will in this protocol.


  • SECURE- Secure Highly Sensitive Data
  • Because single-use electronic devices and media, such as desktops, laptops, memory sticks, CDs, smartphones etc., can be easily lost or stolen, the University strictly limits the circumstances under which Highly Sensitive Data may be stored on them. In accordance with the University’s Electronic Storage of Highly Sensitive Data Policy, you must obtain written approval from your Department AND VP or Dean prior to moving data to single use devices or media by using the Highly Sensitive Data Storage Request Form.
    •  You additionally are responsible for applying all security safeguards covered in that policy, including but not limited to password protecting and encrypting any document on a single access electronic device.
    • If you use your smartphone to send email and your phone is not managed (was not purchased and/or set up for you) by the Health System, you cannot send Highly Sensitive Data via email.
      • In addition, do not use Outlook Web to send your email if it contains sensitive data. 
      • Also, you are not allowed to auto forward your email to outside email systems like Gmail or Yahoo. 
      • Do not save any email attachment containing Highly Sensitive Data to a single use device. 
    • You are allowed to access Highly Sensitive Data stored on the University or Health Systems network via a VPN, however you cannot download any of the information onto your desktop or laptop.
    • Store files containing Highly Sensitive Data on a network drive specifically designated for storing this type of data, e.g. high-level security servers managed by Information Technology Services or the “F” and “O” drives managed by Health Systems Computing Services.  You may access it via a shortcut icon on your desktop, but you are not allowed to take it off line to a local drive.
    • If data will be collected and/or viewed via a website, it is critical that the website and associated data file are set up in a highly secured manner. Do not attempt without assistance from:

University Side:
Health System:   Web Development Center:   (434-243-6702)

    • Encrypt any electronic file containing Highly Sensitive Data that is not on a network drive specifically designated for this purpose. See encryption solutions guidance.
    • Password protect any electronic device containing Highly Sensitive Data.
    • Lock up hard copies of Highly Sensitive Data.
  • PROTECT- Protect Highly Sensitive Data
    • Do not leave a hard copy file open on your desk when not using it and secure your computer when not attended.
    • Have discussions in private.
    • Do not share Highly Sensitive Data with those not on the study team or those who do not have a need to know.
    • Do not share with sponsor unless subject has already signed a consent form or IRB has approved waiver of consent.
    • If faxing Highly Sensitive Data within UVa:
      • Verify fax numbers before faxing, and use fax cover sheets with a confidentiality statement.
      • If printing to a central printer, ensure that names and identifiers on the documents are given to the correct patient.
    • If faxing Highly Sensitive Data outside of UVa to the sponsor or CRO after the subject has signed consent:
      • the receiving fax machine is in a restricted-access location,
      • the intended recipient is clearly indicated,
      • the recipient has been alerted to the pending transmission and is available to pick it up immediately.
      • Verify fax numbers before faxing, and use fax cover sheets with a confidentiality statement.
      • If printing to a central printer, ensure that names and identifiers on the documents are given to the correct patient.
  • Highly Sensitive Data may not be stored in a Drop Box.
  • If you plan to store data in the Cloud, you must consult with UVa Information Technology Services (ITS) to verify all essential security measures are in place.  If you have a contract to use the cloud, the contract must include required security measures as outlined by ITS. 
    • DO NOT email health information with name, medical record number or Social Security number to or from an email address that does not have an *HS in the address.  May use subject initials if within the UVa HIPAA covered entity:  The "UVA HIPAA covered entity" includes the hospital, health system, School of Medicine, School of Nursing and the VP for Research Office.
    • Be aware:  PHI collected without consent/ HIPAA authorization will NOT be allowed to leave UVa in an identifiable form unless the disclosure is tracked with Health Information Services. 
    • Any Highly/Moderately Sensitive Data sent outside of UVa (e.g. to sponsor) that was obtained under a consent must be encrypted and password protected. 
  • If your electronic device is sent outside of UVa for repair, all institutional data, whether Highly Sensitive or not, must be either encrypted or removed.
  • If transporting Highly/Moderately Sensitive Data in paper format from one UVa building to another, take the following steps to protect it:
    • Put paper inside a closed container such as a briefcase or sealed envelope to limit the chance of losing a piece.
  • Do not leave Highly Sensitive Data unattended in a public area if it is not locked up.
  • When the study is complete, all electronic files containing Highly/Moderately Sensitive Data must be stored on a network drive specifically designated for that purpose.  They may not be stored on a single use device such as a CD.


    • If this was your Highly Sensitive Data how would you want it protected?
    • There are significant monetary fines to the individual and the institution for loss or misuse of sensitive data.
    • Your job may also be on the line.


Version Date:  03/21/14