IRB: Policies, Rules and Regulations
Aside from reviewing research for the ethical treatment of humans, the NC State University IRB is beholden to federal laws and regulations, NC State University regulations and policies, and IRB unit standards and procedures.
IRB Unit Standards
This section provides details about the NC State University IRB’s unit-level standards. They are treated as living documents and updated as laws, regulations, university policy, and societal contexts shift.
Full List of Unit Standards
- Noncompliance
- Pilot Work and Feasibility Studies
- Faculty Points of Contact
- Department of Defense (DoD) Research
- Repositories (coming soon)
- Family Educational Rights and Privacy Act of 1974 (FERPA)
- Participant Concerns
- Inclusion of Minors Attending Post Secondary Institutions in Research
- IRB Staff as Expedited Reviewers
- Convened Full Board Meetings
- Expedited Review Procedures
- Adult Consent, Minor Assent, and Parental Permission
- Research Involving Minors
- Managing Conflicts of Interest
- Research with Those Who Are Incarcerated
- Local Context and Participant Context Reviews
- Collaborative Research, Reliance Agreements, and Single IRB
- Use of ResearchMatch (coming soon)
- Health Insurance Portability and Accountability Act (HIPAA)
- Medical Devices
- Research with Pregnant People and Neonates
- Renewals and Amendments
- Clinical Trials
- NC State University Researchers’ Use of a Private IRB (coming soon)
- Principal Investigator, Co-Principal Investigators, Additional Personnel, and Faculty Points of Contact Eligibility (coming soon)
- IRB Review and Approval for Research Involving Human Subjects from the Joint Department of Biomedical Engineering (BME)
NC State University Regulations
This section provides details about the NC State University Regulations. If you have a question about the university’s Human Subjects Research regulation, please contact IRB-Director@ncsu.edu for assistance. If you have a question about the university’s Privacy/Confidentiality regulation, please contact the Office of General Counsel for assistance.
- REG 10.10.03 – Human Subjects Research
- REG 01.25.09 – Privacy/Confidentiality, Release and Security of Protected Health Information
- REG 01.25.17 Surveys of NC State Students, Alumni, Faculty, Staff and/or Administrators
- REG 01.25.18 Programs that Involve the Participation of Minors
- RUL 08.00.18 Endpoint Protection Standard
Federal Laws and Regulations
A number of federal laws and regulations govern research with human subjects, namely 45.CFR.46. Other applicable laws and regulations include but are not limited to FERPA, HIPAA and GDPR.
The Final Rule (45.CFR.46)
This regulation governs research with human subjects and applies to all federally funded research involving human subjects. Due to NC State University REG 10.10.03, 45.CFR.46 is applied to all NC State University research studies involving human subjects, regardless of funding.
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords adult students or parents of minors the right to have access to their own or their child’s education records. This includes the right to seek to have the records amended and the right to have some control over the disclosure of personally identifiable information from the education records. The IRB does not manage anything related to FERPA for NC State University. However, when researchers are completing research with human subjects that also intersects with FERPA-related activities, FERPA must be addressed in the IRB protocol and Informed Consent/Parental Permission/Assent documents.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information (PHI) from being disclosed without the patient’s consent or knowledge. The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” NC State University is considered a Hybrid Covered Entity. The IRB does not decide what is and is not subject to HIPAA. However, when researchers are completing research with human subjects that also intersects with HIPAA, HIPAA must be addressed in the IRB protocol and supplemental documents. In rare cases, the NC State IRB will act as a “Privacy Board” to determine if waiving “Participant Authorization” to access PHI is appropriate.
Department of Defense (DoD): Protection of Human Subjects
Examples of DoD Entities
- Air Force
- Air Force Academy
- Army
- Coast Guard
- Coast Guard Academy
- DARPA
- Defense Intelligence Agency
- Laboratory for Analytic Sciences (LAS)
- Marines
- Military Academy (West Point)
- Missile Defense Agency
- National Geospatial-Intelligence Agency
- National Guard
- National Security Agency
- National War College
- Navy
- Naval Academy
- Office of Naval Research
- Pentagon Force Protection Agency
- ROTC
- Tricare Health System
- U.S. Army Corps of Engineers
- U.S. Naval Observatory
Additional requirements for DoD-supported research are noted in the guidance below. These requirements include specific content to be included in study documents and procedures, a possibly required scientific merit review before submission, and an additional review process with a Human Research Protection Officer (HRPO) once IRB approval is granted.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation(GDPR) is a European law that establishes protections for the privacy and security of personal data about individuals located in the European Economic Area (EEA). This applies to research being completed with people located in the EEA when the research is being completed or to research accessing identifiable data from the EEA. Matt, I edited this paragraph. It needs to be updated on the website. The IRB does not decide what is and is not subject to the GDPR. However, when researchers are completing research with human subjects that also intersects with the GDPR, then the GDPR must be addressed in the IRB protocol and supplemental documents. This most often manifests in the Informed Consent Form.
- General Data Protection Regulation (GDPR) Law
- NC State IRB Guidance: General Data Protection Regulation (GDPR)
Countries Adhering to GDPR
- Austria
- Belgium
- Bulgaria
- Croatia
- Republic of Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Iceland
- Ireland
- Italy
- Latvia
- Lichtenstein
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Norway
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
- United Kingdom
Food and Drug Administration (FDA) Regulations
FDA regulations apply to research with human subjects when a drug, biologic, medical device, or certain foods, cosmetics, or tobacco products are used in research with humans. Much of NC State University’s human subjects research endeavors do not require FDA oversight. However, FDA regulations do apply to research at NC State University when a medical device is being tested for safety and efficacy. The NC State IRB will review research where a medical device is being used as a tool for research and is determined to be “Exempt from the IDE” requirements. The NC State IRB will review research where a medical device is being tested for safety and efficacy if the device warrants a “Not Significant Risk Device” (NSR) determination and is subsequently eligible for an “Abbreviated IDE.” All studies involving “Significant Risk” (SR) medical devices or requiring an Investigational New Drug Application (UND) for the use of drugs or biologics in research with human subjects will be reviewed by the WCG IRB unless a collaborating institution accepts oversight.
Genetic Information Nondiscrimination Act of 2008 (GINA)
GINA protects individuals against discrimination based on their genetic information in health coverage and in employment. This relates to research with human subjects, as it serves as a risk mitigation measure when genetic information is collected by researchers. This law sets boundaries around employers’ ability to discriminate based on genetic information. If an NC State researcher is analyzing data or specimens for genetic information, this law can be referred to as a risk-mitigation measure regarding employment risks.