Exempt definition and criteria

Although the IRB currently reviews all research involving human subjects, the regulations provide that certain human research activities, detailed below, may be eligible for a determination of “exempt” status by the IRB.

A Principal Investigator may request exemption from review by submitting an Application for Exemption from Review. A Principal Investigator must obtain such a determination from the IRB prior to initiating the study. See the discussion on Exemption from IRB Review in the Policies and Procedures for more information on the IRB’s procedure for conducting such review. Note that an exemption from IRB review does not equate to an exemption from the HIPAA requirement for authorization or waiver of authorization when the research involves a covered entity’s protected health information.

Researchers who receive an exemption determination but whose research involves protected health information must still seek a waiver of authorization from the IRB or submit one of the following to the Privacy Officer for approval: a researcher representation form (for reviews preparatory to research or research on decedents information) or a data use agreement form (where a limited data set will be used).
Research may be exempt from review when the only involvement of human subjects in the research falls into one of the following categories:

1). Research conducted in established or commonly accepted educational settings, involving normal educational practices, such as (i) research on regular and special education instructional strategies, or (ii) research on the effectiveness of or the comparison amonginstructional techniques, curricula, or classroom management methods.

2). Research involving the use of educational tests (cognitive, diagnostic, aptitude, achievement), survey procedures, interview procedures or observation of public behavior unless: (i) information obtained is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects; and (ii) any disclosure of the human subjects' responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation. However, when a study involves children being interviewed, questioned or surveyed, that study must be reviewed by the IRB and may not be exempt. Similarly, studies involving children and observation of public behavior in which the Principal Investigator (or other investigator) participates in the activities being observed must be reviewed by the IRB.

3). Research involving the use of educational tests (cognitive, diagnostic, aptitude, achievement), survey procedures (e.g. anonymous questionnaire), interview procedures, or observation of public behavior that is not otherwise exempt if: (i) the human subjects are elected or appointed public officials or candidates for public office; or (ii) federal statute(s) require(s) without exception that the confidentiality of the personally identifiable information will be maintained throughout the research and thereafter.

4). Research, involving the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens, if these sources are publicly available or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects.

5). Research and demonstration projects which are conducted by or subject to the approval of department or agency heads, and which are designed to study, evaluate, or otherwise examine: (i) public benefit or service programs; (ii) procedures for obtaining benefits or services under those programs; (iii) possible changes in or alternatives to those programs or procedures; or (iv) possible changes in methods or levels of payment for benefits or services under those programs.

6). Taste and food quality evaluation and consumer acceptance studies, (i) if wholesome foods without additives are consumed or (ii) if a food is consumed that contains a food ingredient at or below the level and for a use found to be safe, or agricultural chemical or environmental contaminant at or below the level found to be safe, by the Food and Drug Administration or approved by the Environmental Protection Agency or the Food Safety and Inspection Service of the U.S. Department of Agriculture.

Anonymization makes a protocol eligible for exemption from IRB review; for a protocol to qualify as “anonymized” the data may not contain any ready identifiers or any linking code or field. Anonymized data are not automatically considered de-identified data under the Privacy Rule.

Under the Privacy Rule, a covered entity may share data without restriction only if the data have been “de-identified.” De-identified data may contain linking codes if such codes are not derived from any identifier (e.g., SSN or Medical Record number) and not used for any other purpose, provided that the covered entity does not disclose the code key to the researcher or anyone else. Although de-identified data may contain linking codes that meet the above criteria, a de-identified data set may not contain any of the 18 identifiers listed in the Privacy Rule. Researchers may not create de-identified data for the purpose of using or disclosing such data to parties not identified in the authorization form, waiver application, or data use agreement, without the approval of the Privacy Officer.

The Privacy Rule permits a covered entity to disclose a limited data set to a researcher without authorization or waiver if the researcher has signed data use agreement containing certain required elements. Limited data sets are not de-identified data, but permit the researcher to receive certain identifiers that must be otherwise be removed to render data de-identified (the identifiers permitted in a limited data set are listed in the Privacy Rule). Researchers who are seeking a limited data set from a covered entity should submit a completed data use agreement form to the Privacy Officer for approval.