Overview of Human Subject Research

Create a submission

Create a continuing review

Create a modification submission

Close a study

Add department chair for department chair signoff

Complete/submit an ancillary review

The Department Chair/Designated Signatory ancillary reviewer must submit their ancillary review certifying approval or disapproval of the proposed submission.

Submission of new studies in myResearch prior to Department Chair/Designated Signatory approval is not permitted. 

New Study Submission Requirements Checklist

Continuing Review Submission Requirements Checklist

Modification Submission Requirements Checklist

In order for you to be certified to conduct research involving human subjects, you must satisfy the following training requirement (along with obtaining IRB approval for the activity):

Training is completed through the CITI web-based courses in Human Research Protections (either biomedical or social behavioral).  In order to see your training in myResearch, please make sure to link your CITI program account to your netID.  

For those who must certify training to the NIH, this template is acceptable for your Certification of Completion of Human Subjects Training letter.

Learn about existing protection programs, review boards and processes, informed consent, and other governing regulations in order to allow research to be conducted as smoothly as possible.

In order to ensure ethical research performance on human subjects, Stony Brook issues the Human Subjects Standard Operating Procedures Manual and expects researchers to be familiar with its policies.

A case study/series is an analysis of up to 3 clinical cases and usually examines a condition, treatment, presentation, or outcome. If the analysis involves more than 3 cases it would need to be reviewed by the Human Research Protection Program and an application would need to be completed in the electronic management system myResearch.

A case study/series is not meant to draw broad conclusions about a population and does not meet the DHHS definition of research which is “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.”

Some journals now require a letter or other form of acknowledgement from the Institutional Review Board prior to the submission of a case study/series to a journal. This memo may then be sent to the journal confirming the Stony Brook University policy. To access this memo please click here (updated 8/2025).

Medical records can be accessed with written, signed and dated permission from the patient (for the release of their records) via the HIPAA Release Form.

PIs of certain investigator-initiated clinical trials are required to comply with federal requirements concerning registration of their studies on ClinicalTrials.gov, no later than 21 days after enrollment of the first participant if it meets the requirements found under section 17.4 of the SBU Human Subjects Standard Operating Procedures Manual.

More information on Registration and Reporting requirements for ClinicalTrials.gov can be found here.

Contact the Office of Research Compliance for first-time access to the ClinicalTrials.gov site at ORC_ClinicalTrials@stonybrook.edu with the individuals full name, institution email, and institution phone number.

Certain research projects require compliance with a foreign privacy framework which require additional protections for Personal Data. When such a requirement applies, the campus will be required to comply with this policy and any other requirements of the applicable project. To ensure compliance with this privacy framework, please review the Data Protection Policy here.

The Human Research Protection Program (HRPP) has recently completed work on an Emergency Preparedness and Response Plan  for human subject research.

Information contained within the Emergency Preparedness and Response Plan establishes HRPP-specific emergency response planning and measures that are limited to those functions for the HRPP not otherwise covered by institutional-level plans. This plan is intended to supplement, not replace, emergency response planning by Stony Brook University (SBU) leadership and/or SBU-wide response measures.

If you have questions about the Plan, please contact Rebecca Dahl at 631-632-6541.

Department of Health and Human Services (DHHS)/Office for Human Research Protections (OHRP)

Website: http://www.hhs.gov/ohrp/
Regulations: DHHS: 45 CFR Part 46 DHHS -- Protection of Human Subjects
Guidance: http://www.hhs.gov/ohrp/policy/index.html#topics

Food and Drug Administration (FDA)

Website: http://www.fda.gov/
Regulations:​

FDA: 21 CFR Part 50 FDA - Protection of Human Subjects

FDA: 21 CFR Part 54 FDA - Financial Disclosure by Investigators

FDA: 21 CFR Part 56 FDA - Institutional Review Boards

FDA: 21 CFR Part 312 FDA - Investigational New Drug Application

FDA: 21 CFR Part 812 FDA - Investigational Device Exemptions

Department of Defense (DoD)

Website: https://www.defense.gov/

In addition to the Common Rule, human subjects research supported by the DoD is subject to requirements and ethical standards outlined in the Department of Defense Instruction 3216.02.

Office of Civil Rights (HIPAA: Privacy Law)

Website: https://www.hhs.gov/hipaa/index.html
Regulation: hipaa-simplification-201303

Name	Representative Capacity	Relationship to the Organization
Augello, Erin	Administration	Staff
* Biagas, Katherine	Pediatrics	Faculty
Bianchi-Hayes, Josette	Pediatrics	Faculty
Brennan, Katherine	Marketing	Non-Affiliated
Canli, Turhan	Psychology	Faculty
Chambers, Mark	History	Faculty
Chou, Timothy	Ophthalmology	Faculty
DeRosse, Pamela	Psychology	Faculty
Desai, Manisha	Sociology	Faculty
Doelger, Meghan	Nursing	Faculty
Eckardt, Patricia	Nursing	Non-Affiliated
Evinger, Marian	Pediatrics	Faculty
Fineberg, Iris	Social Welfare	Faculty
Fuellbier, Jamie	Administration	Staff
Gould, Omar	Electrical Engineering	Non-Affiliated
Hertz, Tyler	Pharmacy	Faculty
* Hom, Jeffrey	Pediatrics & Emergency Medicine	Faculty
Houghton, Jacob	Radiology	Faculty
Kier, Catherine	Pediatrics	Faculty
Kozlowski, Lu-Ann	Administration	Staff
Lee, Christina	Hematology Oncology	Faculty
Li,  Haifang	Radiology	Faculty
Li, Ruobing	Communication & Journalism	Faculty
Maduekwe, Echezona	Pediatrics	Faculty
Marmo, Robert	Criminal Justice	Faculty
* McMahon, Brian	Emergency Medicine	Faculty
McNurlan, Margaret	Surgery	Non-Affiliated
Milone, Gina	Obstetrics and Gynecology	Faculty
Minton, Aimee	Administration	Staff
O'Connor, Ryan	Pharmacy	Faculty
Perlman, Greg	Psychiatry	Faculty
Saltz, Mary	Radiology	Faculty
Samad, Abdool	Administration	Staff
Sasson, Aaron	Surgical Oncology	Faculty
Stewart, Diana	Administration	Staff
Strianse, Jeannine	Pharmacy	Faculty
Tetzloff, Katerina	Linguistics	Faculty
* Varela, Marie	Pharmacy	Faculty
Vitkun, Stephen	Anesthesiology	Faculty
Wallace, Christine	Nursing	Non-Affiliated
Weissbart, Steven	Urology	Faculty
Weldeslassie, Ghenet	Social Welfare	Faculty

* indicates IRB chair

Ethical Principals

Belmont Report

Declaration of Helsinki

Guidance

​Guidance for Institutional Review Boards, Clinical Investigations, and Sponsors

Good Clinical Practice

International Compilation of Human Research Standards

GDPR and Human Subjects Research Overview

European Union General Data Protection Regulation

The Common Rule - HHS

SBU ORC Guidance Involving Safeguarding Online Surveys Against Bots


​Office of Civil Rights (HIPAA: Privacy Law) Guidance (Research-related)

​HIPAA Privacy Rule, Information for Researchers

Helpful Links

PRIM&R Home Page

FDA - Institutional Review Boards Frequently Asked Questions

Available Research Databases

NIH - All of Us

The All of Us Research Program includes a database that works to improve health care through research.  All of Us is building a diverse database that can inform thousands of studies on a variety of health conditions.

To find out more about All of Us and what makes this research database different you can go to:

https://allofus.nih.gov/about/program-overview/what-makes-all-us-different

To contact All of Us you can go to:

https://allofus.nih.gov/about/contact-us

 

Question	Answer
I think my research fits into one of the exempt categories. Do I need to submit my study documents to the IRB for approval?	Yes, exempt studies must be submitted through the electronic management system, myResearch, for approval prior to study commencement. Exempt studies are exempt from the requirements of the federal regulations. However, they are still subject to local policies as specified in the Stony Brook Human Subjects Standard Operating Procedures.
Does my project meet the definition of human subject research?	Research involving a living individual about whom data or biospecimens are obtained, used, studied or analyzed through interaction/intervention, or where identifiable, private information is used, studied, analyzed, or generated is considered to involve human subjects (45 CFR 46),
What types of studies have to be reviewed at the full meeting?	Studies that are considered “greater than minimal risk”. The definition of minimal risk is that the probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life of the general population or during the performance of routine physical or psychological examinations or tests.
How come my older research studies still need to be reviewed every year, instead of two?	The new Common Rule (federal regulations governing the protection of human subjects in research) went into effect on January 21, 2019. All minimal risk studies approved under an expedited category before this date are subject to the old Common Rule requirements. These requirements include an approval period of no more than one year and continuing review in order to extend the approval period. Studies approved under an expedited category on or after January 21, 2019 are subject to the new Common Rule. This revised Common Rule allows the IRB to determine if an approval period of one year or two years is appropriate. The IRB determination is included in the initial approval letter.
Can I use an outside IRB for my research study?	Generally, Stony Brook University researchers must receive Stony Brook University Institutional Review Board approval for investigator-initiated research studies. Industry Initiated/Sponsored studies and some collaborative research activities may qualify for review by an external IRB. For more information, please visit: https://www.stonybrook.edu/commcms/research-compliance/External-IRBs/index.php
What are QA/QI initiatives and do they need IRB review?	No, quality assessment or quality improvement (QA/QI) activities do not require review by the IRB. A QA/QI activity falls under the jurisdiction of SBUMC’s Division of Medical and Regulatory Affairs and/or a hospital-recognized departmental quality assurance committee (collectively referred as ‘Hospital QA’). QA/QI initiatives are a mandated function of the University Hospital. These activities are focused on a local practice and consequently limit their scope specifically to SBU. It is designed to continuously evaluate and improve performance in a clinical area or department. These activities primarily include changes to clinical systems or processes, the development of implementation guidelines, or training and education programs for SBU faculty and staff. The fundamental goal of QA/QI activities is continuous monitoring of hospital operations and improved care of our patients at Stony Brook University Medical Center. QA/QI initiatives can often seem like the type of human subjects research that the IRB needs to review. Common activities include surveys, reviewing identifiable data, drawing conclusions about problems, and suggesting methods for improvement. However, QA/QI activities do not meet the federal definition of research, and do not require review by the IRB.  Below are some criteria that tend to representative of either QA/QI or research; this list is to be used as a guide and not a definitive determination: Common Elements QA/QI Research The focus is local and specific, aiming to improve a particular institutional practice Aims to explore a hypothesis or theory in order to draw general conclusions beyond the scope of the institution Does not use participants as a representative sample of a broader population Results or data from participants may be generalized as being representative of the population at large Conclusions are intended to only be directly applicable to the particular institution; no claim that the results apply outside the institution Conclusions are meant to be disseminated and applicable to people and institutions beyond the site where the project took place Any publication or presentation on the project would still focus on the specific practice and improvement at the particular institution; it is only relevant to external institutions to the extent that they can draw their own conclusions about applicability at their institution Publications and presentations aim to be applicable to the field more broadly.  For example, if a particular intervention in the research study led to better outcomes, a publication would generalize those findings and suggest that they are applicable to other institutions as well. Approval Process for QA/QI Activities: The “Application for Designation of Activity as Quality Assurance/Quality Improvement or Research" is available in Qualtrics. Please see submission guidelines for QA/QI projects here.

 

Contact the Office of Research Compliance if your study will be enrolling subjects where GDPR regulations apply.

What is the GDPR?

GDPR is a regulation based on the protection of data and privacy of individuals in the 28 EU member states and three additional countries (Liechtenstein, Iceland, and Norway), which together constitute the greater European Economic Area (EEA).  

What countries are part of the EEA? 

Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.

What does GDPR apply to?

• Organizations anywhere in the world that process the personal data of those in the EEA related to offering of goods and services, regardless of whether payment is exchanged.
• Organizations anywhere in the world that monitor the behavior of subjects as far as their behavior takes place in the EEA. 
• GDPR likely applies to a study if the researcher continues to monitor the EEA research subjects or provides study related interventions after they return to the EEA (In this case, the Sponsor is not located in the EEA).

What does GDPR not apply to? 

Organizations not present in the EEA which process the personal data of citizens of EEA member countries while they are abroad in non-EEA countries (e.g., if an EU citizen travels to the US, a company in the US processing personal data the EU citizen leaves behind while visiting the US is not subject to GDPR. However, if that same company processed data the same EU citizen generated while in the EEA, that activity would be subject to GDPR.

What is Personal Data? 

Personal Data broadly means any information relating to an identified or identifiable natural person. An identifiable natural person is “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.” The GDPR frequently requires that data revealing any of the following considered to be “sensitive” data be collected through an informed consent process:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic, biometric, and health data
• Data concerning a person’s sex life or sexual orientation.

How to ensure that the consent process complies with GDPR? 

Specific language must be inserted into the informed consent form if GDPR applies. The GDPR Consent language may be added to a Common Rule Consent Form. In that way, the EEA Research Subject will need to sign the document to provide both the informed consent required by U.S. federal law and the GDPR Consent.

When does GDPR not apply?

• General Data Protection Regulations do not apply when the collection of data does not include information that is linked to a subject’s identity such as an anonymous survey in which the identity of the subject cannot be traced to the individual.
• Another key point of GDPR is whether the data is anonymized (i.e., impossible to connect back to a single person). Fully anonymized data is not subject to GDPR.

Does the GDPR apply to Pseudonmymized Data? 

Coded research data is considered to be “Pseudonymized Data” and therefore Personal Data under the GDPR because the data can be attributed to a person by the use of additional information such as a key to the code. If the researcher maintains the key (or a third party maintains the key for the researcher), such data will generally not be treated as anonymized Personal Data under the GDPR. Full anonymization of Personal Data requires not only the removal of all identifiers from the data set, but also the destruction of any keys to the code. Pseudoanonymized data is data that may be able to be connected back to identifiable information.  Additionally, the GDPR applies when the university conducts research in the US in which subject data is transmitted to a sponsor, server, or data core facilities in the EU.

Where can you find additional information about GDPR? 

Complete guide to GDPR compliance

Research Databases

NIH - All of Us

The All of Us Research Program includes a database that works to improve health care through research.  All of Us is building a diverse database that can inform thousands of studies on a variety of health conditions.

To find out more about All of Us and what makes this research database different you can go to:

https://allofus.nih.gov/about/program-overview/what-makes-all-us-different

To contact All of Us you can go to:

 https://allofus.nih.gov/about/contact-us


New York State Statewide Planning and Research Cooperative System (SPARCS)

SPARCS is a comprehensive all payer data reporting system established in 1979 as a result of cooperation between the healthcare industry and government. The system was initially created to collect information on discharges from hospitals.

SPARCS currently collects patient-level detail on patient characteristics, diagnoses and treatments, services, and charges for each hospital inpatient stay and outpatient (ambulatory surgery, emergency department, and outpatient services) visit; and each ambulatory surgery and outpatient services visit to a hospital extension clinic and diagnostic and treatment center licensed to provide ambulatory surgery services.

This github tool can be used to query SPARCS data.

See this video on how to use the tool.

For questions/comments related to:

SPARCS data submission or compliance reports: sparcs.submissions@health.ny.gov
SPARCS data use, data access, statistics reports:https://sparcssupport.zendesk.com/hc/en-us

TriNetX

TriNetX is a research network combining Stony Brook’s Electronic Medical Record data with the data of over 110 other Health Institutions. Researchers can use TNX to query either Stony Brook’s data alone, or in combination with other provider data via the other Research Networks.

Please review the documents below for example text to assist in preparing  protocols using TriNetX. Please be aware that researchers are ultimately responsible for the accuracy of their protocol language, so review carefully in the context of your planned research.  The documents below and additional resources on TriNetX can be found https://rci.stonybrook.edu/trinetx/documentation

• TNX Sample Data File

• Sensitive terms restricted to protect PHI in datasets (v.18May2021)

• HIPAA waiver template for recruitment (v.25Oct2023)

• Protocol Template – Retrospective Chart Review Using TNX (v.30Sep2021) 

• Limited Dataset Exempt Protocol Template (v.23Oct2023)

For more information on how to use TriNetX, please visit their FAQs here.

Research Registries

Stony Brook Research Ripple Registry

The Stony Brook Research Ripple is a Subject Volunteer Registry of people who have indicated that they are interested in being contacted about research participation opportunities at Stony Brook for studies that may relate to their specific health, demographic, or interest profile. Information collected in the registry is voluntarily provided in a survey by those in the registry within the Ripple platform hosted by Ripple Science.

Study teams will be provided access by the Stony Brook Ripple administrator to only those people in the registry that may be eligible for a study based on the IRB-approved protocol’s eligibility criteria.

See this document for language to be used in IRB protocol.

Contact Melanie Keister for further questions regarding Ripple.

List of Registries from the National institute of Health

https://www.nih.gov/health-information/nih-clinical-research-trials-you/list-registries

ResearchMatch

ResearchMatch.org is a national electronic, web-based recruitment tool that was created through the Clinical & Translational Science Awards Consortium in 2009 and is maintained at Vanderbilt University. There is no cost for researchers at Stony Brook University to use ResearchMatch for the purposes of conducting recruitment feasibility analysis or participant recruitment. This national registry provides a secure, web-based approach to address a key barrier to advancing research: participant recruitment.

To use this recruitment tool, Researchers are required to submit individual requests for approval by the Stony Brook IRB.

Please review this document for instructions on how to use ResearchMatch as well as guidelines and required language.