Section 18
Data/Tissue Registries

Revised January 2004

*** FOR DATA REGISTRIES, SECTION 25 MUST BE REVIEWED FOR NEW PRIVACY RULE ('HIPAA') IMPLICATIONS ***

Mandated Database/Tissue Registries: defined as databases or registries that are required by a state or federal governmental agency. These activities are not under IRB jurisdiction, and specific research consent is not required. However, the IRB does have jurisdiction over any SBU investigator-proposed research use of identifiable and primary (i.e., not aggregate/anonymous) data/specimens from such mandated entities.

Non-mandated Tissue Registries: defined as a tissue repository not required by a state or federal governmental agency. These activities are under IRB jurisdiction. See section 19 for issues to be considered when applying for approval from CORIHS.

Non-Mandated Databases/Data Registries:

If the sole intent of the registry is that of quality assurance, i.e., to centrally aggregate patient data from many sites to maintain best practices within a specific discipline, then the activity is not considered to be under the jurisdiction of the IRB. The entity providing the data must comply with all regulations governing privacy protections (HIPAA).

(Note: CORIHS approval is required before SBU QA data are prepared for publication and/or presentation outside the University. See section 1, ”Stony Brook University Definitions’)

If there is any intent of the database/data registry to provide data for future use in research activities, IRB approval is required in order for an investigator to submit data to such entities. IRB approval will be solely for the activity of data submission to the entity, i.e., the ‘banking’ of the data. Future use of the data for research purposes will be subject to further regulatory review by the researchers’ specific IRB.

The type of data, as well as the identifiers linked to the data, will necessarily impact upon:

  • the review category under which the activity falls (exempt, expedited, full committee)
  • the ability of the IRB to waive or require consent from the patient from whom the data were obtained (see section 12 for waiver criteria)
  • The requirement of the IRB (acting as privacy board) to invoke HIPAA regulations governing de-identification, limited data sets, authorization waiver, or the requirement for full HIPAA authorization from the subject.

Return to Human Subjects Research at SBU

Last Updated: 2004-04-28