Policies, Rules, and Regulations
Aside from reviewing research for the ethical treatment of humans, the NC State University IRB is beholden to federal laws and regulations, NC State University regulations and policies, and IRB unit standards and procedures.
IRB Unit Standards
This section provides details about the NC State University IRB’s unit-level standards. They are treated as living documents and are updated as laws, regulations, university policy, and societal contexts shift.
Full List of Unit Standards
- Adult Consent, Minor Assent, and Parental Permission
- Clinical Trials
- Collaborative Research, Reliance Agreements, and Single IRB
- Convened Full Board Meetings
- Department of Defense (DoD) Research
- Exemption Requests
- Expedited Review Procedures
- Faculty Points of Contact
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Inclusion of Minors Attending Post-Secondary Institutions in Research
- IRB Review and Approval for Research Involving Human Subjects from the Joint Department of Biomedical Engineering (BME)
- IRB Staff as Expedited Reviewers
- Local Context and Participant Context Reviews
- Managing Conflicts of Interest
- Medical Devices
- NC State University Researchers’ Use of a Private IRB
- Noncompliance
- Participant Concerns
- Pilot Studies and Feasibility Work
- Post-Approval Monitoring
- Renewals, Amendments, Closures, and Transfers
- Research Involving Minors
- Research with Those Who Are Incarcerated
- Research with Pregnant People and Neonates
- Unanticipated Problems and Adverse Events
NC State University Regulations
This section provides details about the NC State University regulations. If you have a question about the university’s human subjects research regulation, please contact IRB-Director@ncsu.edu for assistance. If you have a question about the university’s privacy/confidentiality regulation, please contact the Office of General Counsel for assistance.
- REG 10.10.03 – Human Subjects Research
- REG 01.25.09 – Privacy/Confidentiality, Release and Security of Protected Health Information
- REG 01.25.17 – Surveys of NC State Students, Alumni, Faculty, Staff and/or Administrators
- REG 01.25.18 – Programs that Involve the Participation of Minors
- RUL 08.00.18 – Endpoint Protection Standard
- Principal Investigator Eligibility and Standing
Federal Laws and Regulations
A number of federal laws and regulations govern research with human subjects, namely 45 CFR 46. Other applicable laws and regulations include, but are not limited to, FERPA, HIPAA, and the GDPR.
The Final Rule (45 CFR 46)
This regulation governs research with human subjects and applies to all federally funded research involving human subjects. Due to NC State University REG 10.10.03, 45 CFR 46 is applied to all NC State University research studies involving human subjects, regardless of funding.
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords adult students or parents of minors the right to have access to their own child’s education records. This includes the right to seek to have the records amended and the right to have some control over the disclosure of personally identifiable information from the education records. The IRB does not manage anything related to FERPA for NC State University. However, when researchers are completing research with human subjects that also intersects with FERPA-related activities, FERPA must be addressed in the IRB protocol and the informed consent/parental permission/minor assent documents.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information (PHI) from being disclosed without the patient’s consent or knowledge. The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” NC State University is considered a hybrid covered entity. The IRB does not decide what is and is not subject to HIPAA. However, when researchers are completing research with human subjects that also intersects with HIPAA, HIPAA must be addressed in the IRB protocol and supplemental documents. In rare cases, the NC State IRB will act as a “Privacy Board” to determine if waiving participant authorization to access PHI is appropriate.
Department of Defense (DoD): Protection of Human Subjects
Examples of DoD Entities
- Air Force
- Air Force Academy
- Army
- Coast Guard
- Coast Guard Academy
- DARPA
- Defense Intelligence Agency
- Laboratory for Analytic Sciences (LAS)
- Marines
- Military Academy (West Point)
- Missile Defense Agency
- National Geospatial-Intelligence Agency
- National Guard
- National Security Agency
- National War College
- Navy
- Naval Academy
- Office of Naval Research
- Pentagon Force Protection Agency
- ROTC
- Tricare Health System
- U.S. Army Corps of Engineers
- U.S. Naval Observatory
Additional requirements for DoD-supported research are noted in the guidance below. These requirements include specific content to be included in study documents and procedures, a possibly required scientific merit review before submission, and an additional review process with a Human Research Protection Officer (HRPO) once IRB approval is granted.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a European law that protects the privacy and security of personal data about individuals located in the European Economic Area (EEA). This applies to research being completed with people located in the EEA when the research is being completed or to research accessing identifiable data from the EEA. The IRB does not decide what is and is not subject to the GDPR. However, when researchers are completing research with human subjects that also intersects with the GDPR, then the GDPR must be addressed in the IRB protocol and supplemental documents. This most often manifests in the informed consent form.
- General Data Protection Regulation (GDPR) Law
- NC State IRB Guidance: General Data Protection Regulation (GDPR)
Countries Adhering to GDPR
- Austria
- Belgium
- Bulgaria
- Croatia
- Republic of Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Iceland
- Ireland
- Italy
- Latvia
- Lichtenstein
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Norway
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
- United Kingdom
Food and Drug Administration (FDA) Regulations
FDA regulations apply to research with human subjects when a drug, biologic, medical device, or certain foods, cosmetics, or tobacco products are used in research with humans. Much of NC State University’s human subjects research endeavors do not require FDA oversight. However, FDA regulations do apply to research at NC State University when a medical device is being tested for safety and efficacy. The NC State IRB will review research where a medical device is being used as a tool for research and is determined to be “exempt from the IDE” requirements. The NC State IRB will review research where a medical device is being tested for safety and efficacy if the device warrants a “Not Significant Risk Device” (NSR) determination and is subsequently eligible for an “Abbreviated IDE.” All studies involving “Significant Risk” (SR) medical devices or requiring an Investigational New Drug Application (IND) for the use of drugs or biologics in research with human subjects will be reviewed by the WCG IRB unless a collaborating institution accepts oversight.
FDA Regulations and Medical Devices
- NC State IRB Unit Standard on Medical Devices
- Medical Devices Used in Research (Form)
- NC State IRB Medical Device Determination Notes
Genetic Information Nondiscrimination Act of 2008 (GINA)
GINA protects individuals against discrimination based on their genetic information in health coverage and in employment. This relates to research with human subjects, as it serves as a risk mitigation measure when genetic information is collected by researchers. This law sets boundaries around employers’ ability to discriminate based on genetic information. If an NC State researcher is analyzing data or specimens for genetic information, this law can be referred to as a risk-mitigation measure regarding employment risks.