Office of Research Compliance


Human Subjects FAQs

1. What is the Institutional Review Board (IRB)?

The IRB is the University of South Carolina committee that reviews and approves protocols for the use of human subjects in research.  The IRB consists of representatives from a variety of scientific disciplines, non-scientists, and community members.  The primary function of the IRB is to protect the rights and welfare of human subjects and to assist investigators in this process.

2. Does my project involve human subjects?

Human Subject refers to a living individual about whom an investigator, research personnel or student obtains:

  • Data through intervention or interaction with the individual, or
  • Identifiable private information.

Intervention includes both physical procedures by which data are gathered and manipulations of the subject or the subject's environment that are performed for research purposes. Interaction includes communication or interpersonal contact between investigator and subject.

Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public.

3. Who determines if human subject research is exempt from review by the IRB?

Exemptions are determined by the IRB or a designee of the IRB (i.e. an IRB Liaison).

4. My research with human subjects is not funded.  Do I still have to submit an application to the IRB?

Yes.  ALL research that involves human subjects must be reviewed and approved by the IRB.

5. Do surveys and questionnaires require IRB approval?

Surveys and questionnaires used in the course of performing research require IRB approval.

6. If I am only analyzing existing data, do I need to obtain IRB approval?

It is likely that your research is exempt, but consultation with the IRB is required to determine the appropriate review category. Some anonymous databases do not meet the definition of "human subjects" while others contain private identifiable information and require some level of review.

7. Do all student research projects have to be submitted to the IRB?

Research conducted to fulfill the requirements of a dissertation, thesis, or other University research requirement must receive IRB approval.

Course-related activities (e.g. research methods instruction) that involve the use of human participants, but have no connection with research beyond the instructional function preclude the need for IRB review. However, efforts that lead to presentation outside of the classroom, and/or the publicizing of the student-prepared documents in any manner are considered research. Instructors of research courses are encouraged to consult with their IRB Liaison or Office of Research Compliance staff to determine the appropriate procedures for assuring that student projects conform to ethical guidelines.

8. May I begin human subject research before I obtain IRB written approval?

No.  All human subject research must be approved by the IRB before the research may be conducted.

9. Can the IRB stop me from conducting my experiment?

Yes. The IRB has the authority to suspend or terminate research that is not carried out in accordance with its requirements or that has been associated with unexpected serious harm to subjects. Any suspension or termination of approval shall include a statement of the IRB's reasons for its action and will be reported promptly to the principal investigator, the Vice President for Research, and the funding agency.

10. If I do begin my research before I receive IRB approval, what action may be taken against me?

Research on human subjects without appropriate approval is a violation of University policy and government regulations; as such it can lead to a variety of sanctions and/or disciplinary actions. At a minimum, data gathered without approval must be excluded from the research study.

11. How long is my IRB approval valid?

Unless otherwise stated, your approval is valid for twelve (12) months from the date stated on your approval letter.

12. Must I notify the IRB with changes to my approved project/protocol?

Any changes in protocol must receive prior approval by the IRB.

Please note that ALL changes should be reported to the IRB, no matter how insignificant you may think they are. For example, any changes in study personnel, changes in expected participants, new advertising or promotions to recruit participants, changes to incentives offered, or even a one-word change to the informed consent document must be submitted to the IRB for approval.

13. How long am I required to maintain my research documents?

All documentation relating to research must be maintained by the principal investigator for three years after completion of the research project for which the data were collected, unless a longer retention period is specified by the sponsor. Please see University of South Carolina Policies - Data Access and Retention.

14. How can an investigator obtain further information or advice regarding the use of human subjects?

Contact the Office of Research Compliance at (803) 777-7095.


1. What type of research qualifies as exempt?

2. What factors does the IRB consider in reviewing nonexempt research?

The IRB considers a) the soundness of the research protocol, b) the recruitment and selection of subjects, c) the informed consent process, and d) the assessment of benefits and risks.

3. What type of research is eligible for expedited review by the IRB?

4. I registered in eIRB a short while ago. Now when I try to log in, I get an error message. Why can't I log in?

Only after the registration form is validated, which is done by hand, will you have access to the eIRB system. Once the registration is validated the error message goes away.

5. My organization/department is incorrect. How can my profile be updated?

Changing organizations within the HSSC sites is tricky. You should not create another registration form; instead, you should contact the IRB of the current institution responsible for the eIRB registration form. The contact will work with the other HSSC site to make the change.

Changing departments is easier. Please contact the IRB, and the person responsible for registration and update of the eIRB registration form can make the required changes.


1. When do projects require informed consent?

Consent is required from any human subject in research unless informed consent has been specifically waived by the IRB. The IRB may waive consent if the project involves no more than minimal risk; the waiver does not adversely affect subjects; the research could not practicably be carried out without the waiver; and, where appropriate, subjects are given information about the project afterwards. Otherwise, consent must be obtained.

2. Does the project require written consent?

The IRB may waive written consent if:

  • Signed consent is the only record linking the subject to the research and the greatest risk of the research is a breach of confidentiality;  or
  • The research presents no more than minimal risk and involves procedures for which consent would not normally be obtained outside of the research context.

3. What must I include in an informed consent statement?

Please see the Informed Consent Process.

4. Can deception or misrepresentation be used in studies with human subjects?

Yes, if the benefits outweigh the risks to the subjects for participating in such a study, and if the investigator provides a compelling scientific justification for such experimental manipulation. The participants must be informed that some information is being withheld until the end of their participation. If deception or misrepresentation is involved, the subjects must receive an explanation (a debriefing) about the nature of the experiment and why such manipulation was critical to its success. Such an explanation should be included with the materials submitted for IRB review and approval.

5. What consent materials are required for research with minors?

Human subject research with minors requires completion of a parental consent form and an assent form. Please see The Investigator's Handbook and The Consent Process for more information.

6. What is assent?

Assent refers to agreement by a minor, 7 or above, to participate in human subject research. Assent must be accompanied by consent from a parent or guardian. The assent form must be written in the simplest terms possible. Please see The Consent Process for more information.

7. Is assent always required?

Assent must be sought from the child unless: 1) the child is incapable of providing assent (due to age or condition), or 2) the intervention holds out the prospect of direct benefit to the child and the intervention is available only in the context of the study. In these two situations, consent from parent(s) is sufficient.

8. What do I do with the consent forms once they are signed?

You must keep the signed consent forms in a secure location. These consent forms must be retained for a period of three years after the study is complete. For some disciplines and sponsored projects, the forms and data must be kept longer.

The research subject must receive a copy of the consent form.


1. Who must comply with the HIPAA Privacy Rule?

The HIPAA Privacy Rule applies to a "covered entity" that uses or discloses "protected health information."

2. What is a covered entity?

A covered entity is

(1) a health plan
(2) a healthcare clearinghouse, or
(3) a healthcare provider

that transmits any health information in electronic form in connection with healthcare transactions.  In general, a researcher is a covered entity when he or she provides health care that is billed to an insurance plan in addition to conducting research.

The USC School of Medicine Specialty Clinics and our affiliated hospitals are "covered entities".

3. What is protected health information (PHI)?

PHI is individually identifiable health information, such as patient charts and medical billing and insurance records.  In general, PHI is health information that contains any of the 18 direct individual identifiers that are listed in the HIPAA definition of de-identified data.  All 18 identifiers are listed in response to Question #7.

4. As a site that sees patients as well as research subjects, am I covered under HIPAA?

Generally, yes.  HIPAA applies to all healthcare providers that use or disclose PHI and bill for payment by electronic transfer of data.

5. As a site that only conducts research, am I covered under HIPAA?

Any site that uses or discloses PHI and meets the definition of a "covered entity" is covered by HIPAA.  Generally, if PHI is not used or disclosed for purposes of healthcare treatment, payment or other healthcare operations, the site is not a covered entity.  However, even when a site is not a covered entity, if it receives PHI from a covered entity, its use of the data may be restricted by the HIPAA privacy rules.

6. What is a hybrid entity?

A single legal entity that performs both covered and non-covered functions may choose to be a hybrid entity.  For example, a university may have a medical center, which would be covered, and liberal arts schools, which would not.  If the entity declares itself to be a hybrid entity, it must define and designate the parts of the entity that engage in HIPAA-covered functions.  Only those designated parts of the entity need comply with HIPAA.  However, any disclosure (transfer) of protected health information (PHI) between the covered functions and the non-covered functions within the same entity must follow the HIPAA Privacy Rule for use and disclosure of PHI.  *USC is a "hybrid entity" with covered components.

7. What is de-identified data?

De-identified data has all of the following 18 individual identifiers removed:

  • Names
  • Geographic subdivisions smaller than State (e.g., cities, streets, counties)
  • All elements of dates (except year) for dates directly related to an individual, e.g., birthday, date of death, date of hospitalization
      ◊ Note: All ages over 89 must be aggregated into a single category called "age 90 or older"
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic, or code, except as permitted by the provision for re-identification.

8. Does HIPAA have a provision for tracking de-identified data?

Yes.  The process is called re-identification, and constitutes the assignment of a random code to each individual in the data set.  This process may be used to allow traceability of the data as long as the code key is kept securely by the investigator and the identity of the study subjects is not disclosed to the user(s) of the data.  The code may not be derived from information about the individual and may not be otherwise capable of being translated so as to identify the individual.

9. How does HIPAA affect study subject Informed Consent documents?

The HHS/FDA rules require an informed consent document.  HIPAA requires an individual authorization agreement which contains specific additional elements for use and disclosure of PHI in prospective research.  In addition to an informed consent form, all subjects enrolled on or after the compliance date, April 14, 2003, must also sign a HIPAA authorization agreement.  The authorization agreement can be a separate document or it can be combined with the informed consent document for the research project.

10. What are the elements that must be included in the authorization agreement?

A brief description of each element follows.  Some of the explanations required are met in current informed consent documents that are well-written and complete.  Others require additional specific wording to be added, either in the informed consent document or in a stand-alone authorization agreement.

  • The authorization must be written in plain language;
  • Each purpose of the requested use or disclosure must be described;
  • The information to be used or disclosed must be identified in a specific and meaningful fashion;
  • The name of the person(s) authorized to make the requested use or disclosure;
  • The name of the person(s) to whom the requested use or disclosure is made;
  • The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization;
  • The covered entity must provide the individual with a copy of the signed authorization;
  • Signature of the individual patient and date;
  • The potential for information disclosed pursuant to the authorization to be redisclosed by the recipient and no longer be protected by this rule;
  • There must be an expiration date or an expiration event for the authorization.  For research, a statement "end of research study", "none", or similar language is sufficient;
  • The individual's right to revoke the authorization in writing;
  • If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual;
  • For studies that involve treatment decisions, a notice that the individual's right of access to PHI contained in the study records has been suspended until the study is completed.

11. Does HIPAA require changes in the informed consent interview process?

Yes.  When the HIPAA authorization agreement is combined with the informed consent elements, the interview for the study must explain and discuss all of the HIPAA authorization elements in addition to the informed consent elements.

12. Can study subjects withdraw from the study without exercising their right of formal Revocation of Authorization under HIPAA?

Yes.  The right of study subjects to withdraw from the study at any time for any reason under the Common Rule (HHS and FDA regulations) has not changed.  They can do so by giving verbal notice to the study staff or by simply not reporting for their scheduled visits.  That right is not affected by HIPAA.

However, if the subject wishes to revoke (cancel) the "HIPAA Authorization," as well as withdraw from the study, the revocation must be done in writing to the clinical investigator.

The PHI collected in the study up to the time of Revocation of Authorization can be used or disclosed under the terms of the Authorization Agreement, as needed for orderly withdrawal of the subject and to preserve the integrity of the research data.  However, no further PHI can be collected from the study subject or obtained from his/her medical records.

13. Must all subjects be re-consented with HIPAA-compliant wording after the compliance date, April 14, 2003?

The HIPAA Privacy Rule requires a written authorization agreement to be explained and signed for all new subjects enrolling in studies on or after April 14, 2003.

Already enrolled subjects are "grandfathered," in that informed consent documents signed prior to April 14, 2003 that do not contain the required HIPAA authorization elements remain valid for continued participation in the study after that date.  However, if new information requires re-consenting of already-enrolled subjects after April 14, 2003, the HIPAA authorization elements must be included in the revised informed consent document, or they must be included in a separate authorization agreement that is explained and agreed to before continuing with the study.

14. Is recruitment of research subjects considered marketing or a health care operation under HIPAA?

Research recruitment is neither a marketing nor a health care operations activity, but is a separate category in the HIPAA Privacy Rule.

15. May a physician discuss a research study with his/her patients without first obtaining permission under the HIPAA Privacy Rule?

Health care providers who are covered entities and who have a direct treatment relationship with patients may discuss with them the option of enrolling in a clinical trial without either prior patient authorization, or an IRB or Privacy Board waiver of patient authorization.

However, a covered entity may not disclose an individual's PHI to a third party for purposes of recruitment in a research study unless the disclosure follows the HIPAA Privacy Rule.  Generally, one of the following must be met:

  • a signed authorization agreement from that individual patient;
  • a waiver of authorization by an IRB or Privacy Board; or
  • the use is within the scope of "review preparatory research," as discussed below.

16. How does the provision for "review preparatory research" help a researcher recruit study subjects?

A health care provider that is a covered entity may permit access to medical records containing PHI by an outside researcher for the purpose of developing a protocol or determining whether enough possibly eligible candidates are present.  The researcher may review the records without patient authorization or IRB/Privacy Board waiver of authorization.  However, the researcher may not contact the prospective subjects directly or remove PHI from the site.  "Removal" includes telephone, fax, electronic transmission, as well as physical removal.

17. Do research study sites need to have a Business Associate Agreement with the IRB?

Generally, no.  A Business Associate Agreement (BAA) is a means of assuring protection of PHI when it is disclosed to an entity that performs a service for a covered entity.  Examples are accounting or billing services, attorneys and consultants.

Sponsors, contract research organizations and IRBs generally do not need BAAs because the privacy of the PHI they use and disclose is adequately protected by other parts of the privacy rule.  These include:

  • a HIPAA authorization agreement;
  • IRB or Privacy Board waiver of authorization;
  • de-identification of the data;
  • disclosure of a Limited Data Set;
  • review preparatory to research; and
  • review of PHI of decedents.

Any quality assurance or auditing activities of prospective studies performed by the IRB as part of its study oversight are also covered by the HIPAA Authorization Agreement, since they are part of the IRB's routine and expected activities.  So, no Business Associate Agreement or additional contract or agreement is needed for those IRB activities required by the regulations or guidance.

Generally, where a written confidentiality agreement existed between a covered entity and an entity that provided a service to the covered entity, the agreement should be rewritten to include the BAA required elements.

18. What is a Data Use Agreement?

A covered entity must have a Data Use Agreement with the researcher in order to provide a Limited Data Set to the researcher (defined in Questions #19 and 20).  The Data Use Agreement defines the purposes for which the data will be used and obtains assurances from the researcher that it will not be redisclosed, except under the same restrictions and conditions.  It also requires assurance the researcher will not attempt to identify or contact the individuals whose PHI is contained in the LDS.

19. What is a Limited Data Set (LDS)?

A limited data set is PHI that has all direct identifiers removed.  The LDS was specifically designed for research use.  Authorization or waiver of authorization is not required; however, a Data Use Agreement is required.

20. What are the elements of a LDS?

A Limited Data Set may contain any health information except for certain direct identifiers of individuals or relatives, employers, or household members of the individuals.  Note: This list of elements is not the same as the list under de-identified data.

The direct identifiers that must be removed from an LDS are:

  • Names
  • Postal address information, other than city, State, and zip code
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • URLs (web addresses)
  • IP address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographs

21. What happens when a subject cannot provide consent on his/her own behalf but has a caregiver, relative or another person who has the formal authority to do so?

That individual must sign and indicate in writing how they have authority to act on behalf of the individual who is the subject (for example: healthcare power of attorney, including power of attorney for research; court order, or next-of-kin when allowed by applicable (state) law).

22. Does HIPAA require anything different in reporting Adverse Events and Serious Adverse Events to the IRB?

No.  Reporting of adverse events to the IRB is part of the routine reporting that is generally covered by the HIPAA Authorization Agreement.

23. Does HIPAA affect reporting of Adverse Events and Serious Adverse Events to FDA?

Reporting of adverse events and serious adverse events with respect to an FDA-regulated product is specifically exempted by section 164.512(b) of the HIPAA Privacy Rule.  The reporting must be to FDA or an entity responsible for reporting the event to FDA.

Covered entities may disclose PHI, without authorization, to a person who is subject to the jurisdiction of the FDA with respect to an FDA-regulated product or activity for which that person has responsibility for the purpose of activities related to the quality, safety, or effectiveness of the product.  For this reporting, HIPAA defines "person" as an individual, institution or corporation.

Such purposes include, but are not limited to, the following:

  • to collect or report adverse events (or similar activities regarding food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations,
  • to track FDA-regulated products,
  • to enable product recalls, repairs, or replacement, or for lookback (including locating and notifying persons who have received products that have been withdrawn, recalled, or are the subject of lookback), and
  • to conduct post-marketing surveillance.

24. How does HIPAA affect reporting of adverse events of a study to the sponsor?

  1. Reporting of adverse events to FDA is allowed without authorization or waiver.  Reporting can be made to a person subject to the jurisdiction of FDA when that person has responsibility for the quality, safety, or effectiveness of FDA regulated products.
  2. Reporting without authorization of the study subject is limited to safety, effectiveness, or quality of the FDA regulated product.  Disclosures to measure the effectiveness of a marketing campaign, for example, are not included.
  3. The regulation states reporting should be made to a responsible person.  "Person" is not limited to an individual, but includes a partnership, corporation, or association.
  4. Foreign public health authorities are not specifically included in the Rule's definition of "public health authority."  The U.S. Department of Health and Human Services (including NIH and FDA) appears to have left the door open to future modification of the rule if experience shows lack of such inclusion is a serious problem.
  5. The reports of adverse events may be made to an authority that is authorized to receive or collect such reports for forwarding to FDA, such as the sponsor of the study or manufacturer of the product.
  6. The reports of adverse events can be made to a private database for tracking products pursuant to FDA direction or requirements for post-marketing surveillance to comply with FDA requirements or direction.
© University of South Carolina Board of Trustees