Impaired Consent/Surrogate Consent:
Surrogate Consent Guidelines and Forms
Note that prior IRB approval is necessary before utilizing a surrogate. If you have questions about the requirements or need help understanding the process, please contact your local IRB office for assistance.
- Rutgers Guidelines for Surrogate Consent [PDF]
- Appendix H - Surrogate Consent Process Addendum [WORD]
- Surrogate Self Certification [WORD]
- Surrogate Consent Template [WORD]
- Consent Template for Individuals Enrolled Under Prior Surrogate Consent [WORD]
- Internal Surrogate Consent Process Form [WORD]
- RWJUH Requirement for surrogate witness [PDF]
Data and Safety Monitoring: Print View (PDF format)
Federal regulations require the IRB to determine that, “when applicable, the research plan makes adequate provisions for monitoring the data collected to ensure the safety of subjects.” (45 CFR 46.111(a)(6))
The purpose of a Data Safety Monitoring Plan (DSMP) is to protect the safety of participants and ensure the integrity of the data. All studies involving human subjects require some level of data and safety monitoring.
Having a good DSMP helps ensure the safety of study participants, the validity of data, and the appropriate termination of studies for which significant benefits or risks have been uncovered or when it appears that the investigation cannot be concluded successfully.
The following link to the National Institutes of Health (NIH) Guide: Policy for Data and Safety Monitoring provides background, principles and different examples of Data Safety Monitoring information: http://grants.nih.gov/grants/guide/notice-files/not98-084.html
Protocol Deviation - Print view (PDF format)
A protocol deviation is any change, divergence, or departure from the study design or procedures of a research protocol that is under the investigator's control and that has not been approved by the IRB. Upon discovery, the Principal Investigator is responsible for reporting protocol deviations to the IRB using the Deviation Report Form.
- A research subject is scheduled by study personnel for follow-up visits and/or treatment outside of the protocol defined window only if this does not adversely affect the well-being of the subject or the scientific validity of the study.
- Enrollment of subjects beyond the number approved by the IRB.
- Study schedule of events is not followed, i.e. study questionnaires are administered out of order.
- Unapproved advertisements are utilized for recruitment
A protocol violation is a deviation from the IRB approved protocol that may affect the subject's rights, safety, or well-being and/or the completeness, accuracy and reliability of the study data. Protocol Violations must be submitted for Full Board IRB review.
If the deviation meets any of the following criteria, it is considered a protocol violation.
The deviation has harmed or posed a significant or substantive risk of harm to the research subject.
- A research subject received the wrong treatment or incorrect dose
- A research subject met withdrawal criteria during the study but was not withdrawn
- A research subject received an excluded concomitant medication.
The deviation compromises the scientific integrity of the data collected for the study.
- A research subject was enrolled but does not meet the protocol's eligibility criteria.
- Failure to treat research subjects per protocol procedures that specifically relate to primary efficacy outcomes. (if it involves patient safety it meets the first category above)
- Changing the protocol without prior IRB approval.
- Inadvertent loss of samples or data.
The deviation is a willful or knowing breach of human subject protection regulations, policies, or procedures on the part of the investigator(s).
The deviation involves a serious or continuing noncompliance with federal, state, local or institutional human subject protection regulations, policies, or procedures
- Failure to obtain informed consent prior to initiation of study-related procedures
- Falsifying research or medical records.
- Performing tests or procedures beyond the individual's professional scope or privilege status (credentialing)
The deviation is inconsistent with Rutgers research, medical, and ethical principles.
- Working under an expired professional license or certification
- Failure to follow federal and/or local regulations
- Repeated deviations.
- A breach of confidentiality.
- Improper destruction or removal of research records.
- Inadequate or improper informed consent procedure.
Obtaining the informed consent of individuals before involving them in research is a central protection afforded by federal regulation and a key ethical expression of respect for persons. Among other things, the consent process should assure investigators provide adequate information about the research, communicate it in a way that is easy for the individual to understand, and discuss the research in a context that ensures their decisions to participate or not are voluntarily made.
Federal regulation requires certain informational elements to be present in consent documents to facilitate ‘informed consent’ in various circumstances (i.e., adult consent, assent of a minor, surrogate consent for the decisionally-impaired, consent of non-English speaking persons, etc.). We offer a variety of sample consent templates [link: http://rbhs.rutgers.edu/hsp/forms/consent.html] complete with directions and consent language. You may adopt the template language or use it to guide the development of a custom consent that best suits your research needs and effectively communicates to the potential population you ask to participate in your research.
Please note that other HSPP Guidance we list may also link to sample consent templates for use. For example, the Research Tissue/Data Bank Guidance offers a main consent template for the development of a registry or repository and an addendum consent template for a secondary study.
If you have additional questions about how to craft a consent document, please contact your local IRB Office.
Investigational Drugs and Devices
Investigational Drug Studies
Studies involving the use of an investigational drug will be conducted in compliance with 21 CFR 312 Subchapter D, Drugs for Human Use / Investigational New Drug Application (IND).
An IND is required for experimental drugs if the drugs are used for the purpose of developing information about their safety or efficacy. Approved, marketed drugs also require an IND if the proposed use in research is different from its previously FDA-approved use or administered by an unapproved route or method of delivery or an altered dosage.
Investigational Device Studies
A medical device is defined, in part, as any health care product that does not achieve its primary intended purposes by chemical action or by being metabolized.
An investigational device is a medical device that is the object of a clinical study designed to evaluate the effectiveness and/or the safety of the device. All investigational device use must have prior review and approval by the IRB in accordance with applicable laws and regulations [FDA 21 CFR 812 and 814 Subpart H].
Clinical investigations of medical devices will comply with regulation 21 CFR 812 unless otherwise exempt, as noted below.
What is genetic research?
Rutgers defines genetic research as research that involves the analysis of DNA, RNA, chromosomes, proteins, or certain metabolites which might act as or identify markers associated with a known or suspected predisposition to disease or behavior. Usually genetic research involves the collection of human biological material such as blood, skin or other tissues, nail clippings or hair. Genetic research also may include the construction of pedigrees (maps of the distribution of a particular trait or condition among related individuals or family medical histories). Although gene transfer is another form of genetic research, this guidance document does not apply to gene transfer research.
Protecting the Rights, Safety, and Welfare of Study Subjects.
Good Clinical Practice - GCP - Print View
Good Clinical Practice (GCP) is an international quality standard. GCP Guidelines include standards on how clinical trials should be conducted and define the roles and responsibilities of clinical trial sponsors, clinical research investigators, and monitors. Adherence to the principles of good clinical practices (GCPs), including adequate human subject protection (HSP), is universally recognized as a critical requirement to the conduct of research involving human subjects. Many countries have adopted GCP principles as laws and/or regulations.
The links below will provide you with the specific GCP requirements of the Food and Drug Administration (FDA) and the International Conference on Harmonisation (ICH).
Non-English speaking subjects
The purpose of this guidance document is to ensure that Non-English speaking persons (or their legally authorized representative or surrogate) are provided information about proposed research in a language they understand in order to exercise autonomy to participate in research offered by and at Rutgers.
- Rutgers Guidance for Obtaining and Documenting Informed Consent of Research Subjects Who Do Not Speak English [PDF]
Through The Department of Care Coordination, UH provides and coordinates several ways to ensure clear communication with patients who have limited or no English proficiency. Caregivers MUST use these options rather than rely on the patient's family or friends to interpret important
HIPAA - Personal Identifiers and PHI
The HIPAA Privacy Rule regulates the use and disclosure of certain information held by "covered entities" (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions.) It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.
Non-Human Subjects Research
Content under revision
Humanitarian Use Devices/Humanitarian Device Exemption
Unanticipated Problems/Adverse Events
Under 45 CFR 46 "unanticipated problems" involving risk to subjects or others must be reported to the IRB, institutional officials, study sponsor and OHRP. In addition, under 21 CFR parts 56, 312 and 812, adverse drug events and unanticipated adverse device effects that are "unanticipated problems" must be reported to the IRB, study sponsor, and FDA.
All deaths in interventional studies that occur within 30 days of the intervention must be reported to the IRB within 24 hours of discovery whether or not considered study-related when Rutgers is the IRB of record.
Incidents, experiences, outcomes and adverse events which meet all the criteria below also must be reported to the Rutgers IRB:
- unexpected in terms of nature, severity or frequency, given the research protocol, investigator's brochure, IRB-approved informed consent document, product labeling and other sources of information, and given the characteristics of the subject population being studied (expected natural progression of subjects' disease, disorder or condition or predisposing risk factor profiles)?
- related or possibly related to participation in the research, i.e., is there a definite or reasonable possibility that the incident, experience or outcome may have been caused by the research drug/device or research procedures?
- potentially place the research subjects or others at a greater risk of harm (including physical, psychological, economic or social harm) than was previously known or recognized?
Unanticipated problems which are serious adverse events must be reported within one week of discovery. All other unanticipated problems must be reported to the IRB within two weeks of discovery.
The following must be included in the submission of an Unanticipated Problems / Adverse Events in Human Subjects Research Report:
- 1 original and 2 copies of the Unanticipated Problems/Adverse Events in Human Subjects Research Report
If changes are to be made in the approved study protocol or documents in response to the event, then the following must also be included with the submission:
- 1 original and 2 copies of the Modification Request Form outlining what changes have been made and where.
- 1 original and 2 copies of all revised documents with proposed changes highlighted.
- 1 original of any revised documents with no highlighting for approval stamping.
Following review, the Unanticipated Problem/Serious Adverse Event will receive one of the following status determinations: Accepted or Not Accepted. This determination will be provided to the principal investigator, outlining follow-up steps as deemed necessary by the committee.
Advertising/Recruitment - Print View (PDF format)
Guidance for Advertising Materials
The following are examples of advertisements:
- Flyer
- Newspaper Ad
- Radio or Television Announcement
- Bulletin Board Tear-Off
- Internet Posting
- Poster
For guidance regarding FDA regulated advertisements please visit: http://www.fda.gov/RegulatoryInformation/Guidances
Elements that must be included in advertisements:
- The location of the research and the person or office to contact for further information
- Research project title
- A description of the type of research and purpose of the research
- The word “research” must be included in the description.
- Specific location of the research
- The name and address of the clinical investigator and/or research facility
- The condition under study and/or purpose of the research
- In summary form, the criteria that will be used to determine eligibility
- A brief list of benefits (e.g. no-cost health examination)
- The time or other commitment required of subjects
- Footer with version # and date. (Rutgers IRB requirement)
FDA guidance can be found at http://www.fda.gov/RegulatoryInformation/Guidances
Research Staff Do’s and Do not’s prior to IRB submission:
- Do make plain that the solicitation is for the purpose of participation in research and not for the provision of medical care.
- Do use the term “research” when describing the study.
- Do use the term “investigational” if a test article or treatment is referenced in the advertisement.
- Do indicate that the research involves the “investigational use” of an approved drug if applicable to the study.
- Do make sure that the material complies with applicable state and local laws and institutional or IRB policies.
- Do submit the material in final format, including site-specific information as appropriate and graphics that will be used.
- Do submit radio and television scripts for IRB review before production of the recording is started.
- Do submit final recordings for IRB review and approval prior to broadcast.
- Do read radio scripts for live broadcast exactly as approved by the IRB.
- Do not use language or graphics that may be coercive or misleading.
- Do not state or imply a guarantee of benefits, cures, or favorable outcomes.
- Do not emphasize “free” treatment or study products.
- Do not claim the study product or treatment is safe, effective, equivalent, or superior to other options when it is investigational.
- Do not place emphasis on payment, including bolding or highlighting the compensation language.
- Do not use the terms “safe,” “effective,” “new,” “best,” “cure,” “treatment,” “therapy,” or “free.”
FDA Inspection readiness
Successful FDA Inspections at Investigative Sites for Clinical Trials of Drugs and Biologics - Print View (PDF - Format)
Certificate of Confidentiality - Print View (PDF- format)
Certificates of Confidentiality are an important tool to protect the privacy of research study participants.
Certificates of Confidentiality are issued by the National Institutes of Health (NIH) to protect identifiable research information from forced disclosure. They allow the investigator and others who have access to research records to refuse to disclose identifying information on research participants in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level. By protecting researchers and institutions from being compelled to disclose information that would identify research subjects, Certificates of Confidentiality help achieve the research objectives and promote participation in studies by helping assure confidentiality and privacy to participants.
Information about how to apply for a Certificate of Confidentiality can be found at: http://grants.nih.gov/grants/policy/coc/
CITI - Human Subjects Training
All Rutgers faculty, students, and other individuals involved in human subjects research are required to complete the Collaborative Institutional Training Initiative (CITI) Basic Course prior to IRB approval. This requirement also extends to all IRB members and Human Subjects Protection program staff. Campus IRBs will not issue final approval of any IRB submissions until it is verified that listed study personnel have completed the current requirements for human subjects research education.
Clinical Trials Registration: Print View (PDF format)
All clinical trials must be registered with ClinicalTrials.gov, a service of the U.S. National Institutes of Health. For information about how to register a trial, please contact the Human Subject Protection Office at: firstname.lastname@example.org.
The FDA Amendments Act of 2007 requires all clinical trials be registered in a public database. The Act of 2007 contains trial registration requirements at ClinicalTrials.gov. Consequences of not registering can include monetary and civil penalties. Additionally, many journals require that the trials have been registered before papers will be considered for publication. Rutgers requires investigators to register all Investigator-initiated and National Institutes of Health (NIH) trials into the University’s profile at www.clinicaltrials.gov. Industry sponsored studies are registered by the Sponsor.
Closure of studies
Your campus IRB administrative office must be notified when a study is completed. This notification should be sent when enrollment of participants and data collection is complete and data analysis is to the point that participants' records will no longer be required. Please complete a Final Study Report and submit it to the IRB within 30 days of closure of the study. Notification of the closure of exempt studies is also recommended.
If you originally submitted your study via eIRB, click on the create Final Report option in your study workspace.
If you originally submitted your study on paper, click here to complete a Final Report form.
Conflict of interest
On August 25, 2011, the U.S. Department of Health and Human Services, Public Health Service adopted a revised regulation for managing potential or real conflicts of interest in “Responsibility of Applicants for Promoting Objectivity in Research” (42 C.F.R. Part 50, Subpart F). The link to the notice is: http://grants.nih.gov/grants/guide/notice-files/NOT-OD-11-109.html
Rutgers has revised its Investigator Conflict of Interest Policy to be consistent with these amended PHS regulations which are intended to provide the reasonable expectation that the design, conduct, and reporting of the research will be free from bias resulting from Investigator financial conflicts of interest. All Institutions receiving PHS funding are required to implement the new rules prior to August 24, 2012. After August 7, 2012, you will be able to find a copy of the revised policy at: http://policies.rutgers.edu/
Study Management Tools: Print View - Table of Contents
The Study Management Tools are intended to be used as an aid to help the researcher and research team. This template attempts to provide a general format applicable to all types of research. After choosing the appropriate template, it should be modified to reflect the unique attributes of the study.
The following logs are in Microsoft Word format:
- Study Staff Delegation Log: Use this log to document study staff signatures/initials and their research related responsibilities as delegated by the Principal Investigator. Update as responsibilities change.
- Study Staff Training Log: Use this log to document any education or training completed by study staff (e.g., CITI, GCP, Sponsor protocol Training, Certificate Programs completed).
- Subject Enrollment Log: Use this log to keep track of participant screening, eligibility, enrollment or reasons for exclusion.
- Monitoring Log: Use this log to document date of monitoring visits, name of monitor and type of monitoring visit taking place.
- Drug Accountability Log: Use this log to manage study drug compliance. Document Subject ID, date received, Kit #, dispensing amounts, who dispensed drug, dates, return dates, amount returned, etc.
- Device Log: Use this log to manage study device compliance. Document Subject ID, Model #, Serial #, Lot #, date device used, date destroyed and/or returned.
- Unanticipated or Adverse Event Log: Use this log to keep track of participant unanticipated or adverse events. Document Subject ID, date event occurred, date staff learned of event, describe event, date reported to IRB and/or Sponsor.
- Protocol Deviation Log: Use this log to keep track of deviations from the IRB approved protocol. Document Subject ID, date deviation occurred, type of deviation (code), date protocol deviation form was completed and submitted to IRB.
The following glossary is not intended to be a complete biomedical and social behavioral research glossary, but the intent of this glossary is to cover concepts that are important in the completion of IRB applications. This glossary does not include terms specific to any one research project.
- IRB Terms Glossary [WORD]
Frequently Asked Questions (FAQs): PDF Format
Who may be a Principal Investigator (PI) for Human Subjects Research
Definition of Principal Investigator: A principal investigator is the individual who assumes full responsibility for a research project, including the supervision of any co-investigators, research assistants, house staff and students. The Institutional Review Board only recognizes one principal investigator per human subjects research study, no matter how many research sites may be involved. Other individuals may be named co-investigators. The principal investigator must possess the expertise, time and commitment to conduct and provide the necessary oversight for all aspects of the study, and must be willing to accept full responsibility for the study. In multi-site studies for which Rutgers is the coordinating institution, the principal investigator assumes the responsibility for the conduct of the study at each performance site and by each site-specific principal investigator.
Human Subjects Research Policy: PDF Format
STANDARD OPERATING PROCEDURES
GUIDANCE: Print View
- If approval for continuation is not granted prior to the expiration date of the protocol, all recruitment, subject enrollment, and other research related activities (e.g. study visits, chart reviews, data analysis using subject identifiable data, manuscript development, etc.) must stop.
- Currently enrolled subjects should continue to receive treatment and follow‐up that is in their best interest.
- Failure to submit timely requests for continuing review demonstrates non‐compliance with federal regulations and institutional policy and is reportable to the FDA, OHRP, and the study sponsor (when applicable).
- Continued non‐compliance affects the investigator's standing with the IRB and may prohibit the investigator from conducting future research at the University.
IRB Office Requirements:
- In order to prevent non‐compliance due to an expired protocol, an investigator must submit his/her Continuing Review Application or Final Study Report to the IRB office:
- At least 4 weeks in advance of the expiration date of IRB approval for minimal risk (expedited) protocols
- At least 8 weeks in advance of the expiration date of IRB approval for greater than minimal risk (full board) protocols
- If non‐compliance occurs due to an expired protocol, then the investigator must submit the Expired Study Report Form with his/her Continuing Review Application or the Closure Form with his/her Final Study Report. Both forms require the investigator to provide a detailed corrective action plan.
Corrective Action Plan for Expired Protocols:
A corrective action plan describes how a delayed submission resulting in an expired protocol will be prevented from occurring in the future and what changes in procedure are being implemented to prevent protocol approvals from expiring in the future. Below are three examples of acceptable corrective action plans:
Example #1
1. My system/procedure to track deadlines will be by placing the dates in my calendar and in the calendar of the co‐investigators and other study personnel.
2. The visual tool, with an available alarm, is the Outlook calendar that we will be using.
3. My plan for maintaining calendar notifications for expiring protocols will be to set an alarm in the calendar which will notify us of expiration dates. The calendar will be backed up on the departmental server in case the local drive fails.
Example #2
The study’s coordinator is going to construct a well‐organized e‐file system for every study under the PI’s name. The folder will be located on the PI’s shared drive and will be organized by protocol. There will be subfolders within each protocol’s folder, organized in chronological order, for each of the continuing reviews, amendments, etc. This system will provide anyone new to the study, such as new research fellows, with easy access to the status of all studies under this PI and the most current IRB documents. Additionally, the coordinator is going to develop a spreadsheet for all protocols under the PI. The spreadsheet will be updated as needed and will serve as a quick reference for when continuing reviews need to be compiled and submitted.
Example #3
Upon receiving approval from the IRB:
1. I will complete corrections to the final chapter of the project. At the time of suspending the project all of the research was completed. My faculty advisor had only reviewed the data that I compiled and only made recommendations for corrections to the written report.
2. I will complete those corrections to the written report and then give my faculty advisor a weekly progress update on Fridays.
3. My faculty advisor and co‐investigator will review my final written report.
4. I will schedule a weekly meeting in person with my faculty advisor to review her recommendations to the final document.
5. I plan to present the findings and submit the paper for publication. The results of this study will provide evidence based information to the ongoing discussion among stakeholders as they attempt to provide enhanced healthcare for foster children in the State of New Jersey.
6. I will submit a Final Study Report/Study Closure Form to the IRB at least 4 weeks before my IRB approval expires after my paper has been accepted for publication or presentation and no additional analysis of the data will be done. If further data analysis is needed before my paper is accepted, then I will submit a Continuing Review Application to the IRB at least 4 weeks before my IRB approval expires.
Please note that exact duplication of these examples in place of an original corrective action plan will not be accepted by the IRB and will be returned to the investigator to be revised and then resubmitted to the IRB.
Research Tissue or Data Bank
These guidance documents may be used as a resource for investigators who wish to develop: (a) standard operating procedures to establish a research tissue bank or a research data bank; (b) a consent document to collect tissue for future research; and (c) an addendum consent document to collect tissue for future research secondary to a main study. This guidance applies to activities that include the collection and storage of blood, tissue or other biological materials (excluding embryos* or embryonic stem cells*) and/or health data that will be used by a single investigator or shared with multiple investigators for future research not yet defined, including genetic (but not stem cell*) research. This guidance does not apply to the collection and storage of specimens or data as part of a single IRB-approved protocol for defined research purposes. *Contact your IRB Office for guidance on embryo or stem cell research.
Guidance for the development of standard operating procedures for a research tissue bank or a research data bank: PDF Format
Guidance for the development of a consent form for a research tissue bank or research data bank: Rutgers Tissue or Data Bank Consent Template [WORD]
Guidance for the development of a consent form appended to a main study to collect tissue for future research secondary to a main study: Rutgers Tissue Bank Addendum Consent Template [WORD]
SACHRP Recommendations: PDF Format
National Institutes of Health (NIH) Guidance
NIH on August 2, 2012 issued a notice that provides detailed guidance on the types of changes in human subjects research awards that require prior NIH approval. It also provided information on the process for the submission of such requests. A separate notice "clarifies NIH requirements related to prior NIH approval of human subjects research plans for awards which were submitted with the intent to conduct human subjects research during the period of support, but for which definitive plans could not be described in the grant application."
Research noncompliance refers to a failure (intentional or unintentional) to follow the regulations, institutional policies governing human subject research, or requirements of or determinations by the IRB by the investigators or research staff, or any member of the Human Subjects Protection Program, including the IRBs or IRB administrative staff. Noncompliance can result from action or omission. Noncompliance may be non-serious (minor) or serious, and may also be continuing.
Research Misconduct means any fabrication, falsification, plagiarism, or other practice that seriously deviates from those that are commonly accepted within the scientific community in proposing, performing, or reviewing research, or in reporting research results. Research misconduct does not include honest error, conflicting data, differences of opinion, or differences in interpretations or judgments about data or experimental design.
Quality Assurance/Quality Improvement (QA/QI) Projects
Quality Assurance (QA) and Quality Improvement (QI) consist of activities that are undertaken to measure the effectiveness of standard accepted processes, programs, or services, the results of which are intended to be shared only with individuals associated with the process, program or service being evaluated. QA/QI projects cannot expose individuals to any additional risks.
AUDIO/VIDEO/PHOTOGRAPHIC RECORDING OF HUMAN SUBJECTS
This guidance applies to all human research studies that involve the audio, video, photographic, or any other recording (hereafter referred to as recording) of research subjects.
Engagement in Research
Research protocols involving decedents do not require IRB review. However, based upon federal regulations for HIPAA at 45 CFR 46.160 and 164, a review by the Institution's Privacy Board is required.
Rutgers University IRBs also serve as the Privacy Boards. Principal investigators conducting research with decedent PHI must submit an eIRB application to the IRB for review and determination prior to conducting their research.
TITLE 8. HEALTH
CHAPTER 2A. DEATH RECORDS
SUBCHAPTER 2. ACCESS TO DEATH RECORDS
N.J.A.C. 8:2A-2.2 (2013)
Any certification of a death record, with or without last sickness and death particulars, may be released without consent under the following conditions:
To qualified personnel for the purpose of conducting scientific research only under the following conditions:
- An Institutional Review Board, constituted pursuant to Federal regulation 45 C.F.R. 46.101 et seq., shall review and approve the research protocol prior to release of the death record;
- Research personnel shall not identify the subject of the record, directly or indirectly, in any report of the research; and
- Research personnel shall not disclose the identity of the subject of the record in any manner;
Each person with access to the Rutgers, The State University of New Jersey, computing resources is responsible for their appropriate use and by their use agrees to comply with all applicable University, School, and departmental policies and regulations, and with applicable State and Federal laws and regulations.
Security for “Non-Public Personal Information” (NPPI)
Security for “Non-Public Personal Information” (NPPI) is mandated by federal and state law, as well as Rutgers policy (e.g., Rutgers Policy 50.3.9, http://policies.rutgers.edu).
NPPI consists of financial and health information, social security numbers, driver license numbers and similar data. Certain NPPI, specifically electronic Protected Health Information (ePHI), has additional federally mandated requirements. All units and staff responsible for creating, storing, or transmitting this information are required to do so in a manner which protects NPPI and maintains compliance with regulation and policy. Any breach of security or compromise of systems containing NPPI must be reported immediately to the Office of Information Protection and Security (IPS) (email@example.com) and your local unit head. Please take this opportunity to meet with your staff to review the following practices.
Securing University Data
Not all data records are the same. The classification of data ensures that university information is properly identified, classified, and handled according to its value, legal requirements, sensitivity, and criticality to the University. Consideration should be given to protecting data based upon its classification. Information on the classification of data can be found by visiting: http://rusecure.rutgers.edu/content/data-classification.
Hard Copy Records
Hard copy records of NPPI (e.g., paper payroll documents, DVDs or tape backups with personal information) should be kept in locked cabinets, behind locked doors. Protected hard copy data should be shredded as part of the disposal process. The retention and appropriate disposition of these records should be in accordance with the Rutgers Records Management Policy 50.3.10: http://policies.rutgers.edu
If there is a need to send NPPI to another department or external agency, the documents should be sent in a sealed envelope or other packaging, marked confidential, and addressed to a specific recipient. If NPPI is sent in email, the message must be encrypted. Where applicable, instructions should be provided regarding the return, storing, and appropriate disposal of documents containing NPPI.
If you are maintaining NPPI or ePHI in electronic form, access should be strictly controlled and the information encrypted. If you are unsure whether your electronic systems hold NPPI, OIT/IPS has tools that can help. NPPI is often found in locally developed databases, personnel systems and spreadsheets, email files, class rosters, and files created by faculty and staff. Tools, with instructions for their use, are available at: http://rusecure.rutgers.edu/content/working-software-scan-nppi
Due to the vulnerability of information on portable/mobile devices, such as laptops, external hard drives or USB memory sticks, we recommend that all information on these devices be encrypted.
Personally owned portable devices
NPPI and ePHI may not be stored on personal portable/mobile devices including laptops, cell phones, USB memory sticks, and tablets. The Office of Information Technology - Division of Information Protection and Security (OIT/IPS) can provide guidance (firstname.lastname@example.org).
Cell Phones and Tablets
Cell phones and tablets that have access to NPPI must utilize additional security measures such as strong access codes, disabling location services, time-out screen locking, and account lockout and/or remote wiping.
There are additional risks that need to be taken into consideration when using cloud or third-party providers. Using a third-party cloud service or provider to handle data does not absolve you from the responsibility of ensuring that the data is properly and securely managed. It remains your responsibility to assure that the data is maintained with comparable security, as required by university guidelines. Information on cloud and third-party computing can be found at: http://rusecure.rutgers.edu/content/cloud-computing-overview
The use of cloud services for the storage of ePHI data requires a signed Business Associate agreement with the service provider. University data housed on portable devices (laptops, cell phones, tablets, pen drives, etc.) or transmitted to and/or stored on "cloud services" should be encrypted, with the encryption key kept separate from the device.
Traveling with Electronic Devices
Travel with electronic devices requires special precautions. Remote devices and the information they contain should be protected while accessing the Internet or when not physically under your control. University transmissions should only be performed through a VPN (virtual private network). See http://rusecure.rutgers.edu/content/it-security-guidelines-domestic-and-international-travel
If you have any questions regarding the above, please contact OIT/IPS at 848-445-8011 or via email: email@example.com.
Student Research Projects
Course Related Student Research Projects
Federal regulations require that research protocols involving human subjects be reviewed by an Institutional Review Board for the Protection of Human Subjects in Research (IRB). These regulations also allow certain types of studies to be exempted from IRB review. Rutgers University abides by an approved “Federalwide Assurance” (FWA00003913) that assures the federal Office for Human Research Protections (OHRP) that the rights and welfare of human research subjects recruited to participate in research activities conducted under the auspices of the university are adequately protected. In the case of a student course-related research project assignment, it may be difficult at times to distinguish between that which would require IRB or exemption review and that which is designed simply to provide an experience in research methodology. In an effort to clarify the matter, the IRB has established the following guidelines for determining when institutional review and approval is necessary for projects that are part of an academic course:
1) Student projects that are solely classroom directed exercises do not require IRB review if they meet all of the following criteria:
- [i] take place in a classroom, department, dormitory, or other campus setting, or in a public setting with generally unlimited access to the public such as shopping center, park, or street;
- [ii] the primary purpose is a learning experience in the methods and procedures of research;
- [iii] involve no more than minimal risk; and
- [iv] the data must be recorded anonymously by the students (i.e., with no names, social security numbers, or any other codes that can be linked to a list of names, or the recorded data will not identify the subjects through their behavior).
- [v] the project does not include sensitive topics or
These projects shall be deemed to be “classroom exercises” and are not subject to review by the IRB. If the instructor is not certain that all of the four criteria above have been met, they should contact their local campus Institutional Review Board.
2) Student Projects qualifying under one or more of the six federally allowed exempt categories but not suited to item 1 above. As an example, all of the students’ projects might involve interview procedures in which data is collected anonymously (i.e., with no names, social security numbers, or any other codes that can be linked to a list of names) or otherwise qualify under exemption category 2 of the federal regulations. Requests for granting this type of exemption must be received at the office of the IRB not later than September 12 for the fall term and February 12 for the spring term. In the case of a two-semester course, the request for exemption should be submitted at least a month before the students will begin their projects. For the purposes of this guideline, an exemption request form should be completed by the course instructor, and all of the student projects qualifying as exempt shall be aggregated as “one classroom project.” Exemption requests are considered and acted upon by a subcommittee of the IRB.
3) All non-exempt student research projects must be submitted for regular IRB review. A faculty member may choose to have their students design and conduct individual projects that do not qualify under an exemption category. All requests for review of non-exempt projects that are to be completed during the fall semester must be submitted by September 12 for consideration at the October IRB meeting. For non-exempt projects to be completed during spring semester, the requests for review must be submitted by February 12 for consideration at the March IRB meeting. In the case of a two-semester course, the students should submit their requests for review at least a month before they wish to start their data collection. It shall be the responsibility of faculty members to familiarize themselves with the Rutgers regulations for approval of these projects, to review and, if necessary, to assist students in the modification of each project before it is submitted to the IRB office. The IRB is aware that, if approval of student projects is not obtained according to the above schedule, it may not be possible for the projects to be completed in a timely manner, and will provide consultation to the extent that its resources allow.
Considerations and Recommendations Concerning Internet Research and Human Subjects Research Regulations
A data steward is any individual who is responsible for creating, maintaining, or storing data files.
Data Stewards are managers, researchers and others who oversee the capture, maintenance, and dissemination of Data for a particular purpose. They are expected to know the specific types of Data for which they are responsible, the appropriate uses of the Data, and the applicable regulatory and policy requirements.
Data Stewards are responsible for making security decisions regarding access to and protection of Data under their charge. This includes developing and executing procedures for granting, maintaining and terminating access to the Data for which they are responsible. These procedures should be developed taking into account the risks associated with the specific Data and/or system being accessed, as well as the burdens associated with implementing the procedures.
Please note that the data steward must be listed as study personnel on the protocol.