This section of the Investigator Manual provides information about HIPAA, FERPA, and FDA regulations.


HIPAA Privacy & Security Rules

The HIPAA Privacy Rule is a set of federal regulations providing protections for the confidentiality of health information used in clinical practice, research, and the operations of health care facilities. The purpose of the Privacy Rule is to ensure that health information confidentiality risks are minimized. If your study falls under HIPAA, you may need to obtain authorization from participants to use or access their protected health information (see Writing a HIPAA Authorization Form). For information on waivers of authorization and other HIPAA information related to submission of IRB applications, see HIPAA Processes & Documentation.

While the IRB serves as the HIPAA privacy board for UW-Madison, the Office of Compliance is responsible for HIPAA policy and oversight. For additional guidance on HIPAA and its application to human research – including training requirements – please review the Office of Compliance HIPAA website.

Federal Educational Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) is a federal law administered by the U.S. Department of Education (34 CFR Part 99). FERPA applies to all educational agencies and institutions that receive federal funding. FERPA aims to protect the privacy of Student Education Records. Education records include any record containing personally identifiable information (PII) directly related to the student. PII is not limited to name but may include indirect identifiers as well. Note that student medical records from University Health Services (UHS) are considered student records and subject to FERPA regulations. To use student records for research purposes, you must first obtain informed consent from those students (with certain exceptions).

For details on FERPA requirements in human research, refer to HRP 331-WORKSHEET-FERPA Compliance. Additional information about FERPA may also be found on the Office of the Registrar’s website.

FDA Regulations and IRB Review

The IRB reviews studies involving drugs, devices, biologics, radioactive materials, and in vitro diagnostic devices in accordance with relevant FDA regulations. In addition, some foods and dietary supplements, software, and mobile apps may need to be assessed in accordance with FDA regulations. Depending on how the test articles will be used in a study, you may be asked to consult with the FDA and provide documentation from the FDA during the IRB review process.

For studies where a UW-Madison investigator will hold an investigational new drug (IND) and/or investigational device exemption (IDE), additional institutional requirements (including training and monitoring) must be met.

The IRB uses the following tools and policies when reviewing studies that may be regulated.

Additional information about relevant FDA regulations can be found in Appendix A. We encourage you to refer to the above resources when preparing an application that may be FDA regulated. IRB staff also are available to consult with you regarding how FDA regulations may apply to your study.


Investigator’s Drug Brochure (IDB) and Package Inserts

For investigational and FDA-approved drugs, you may need to submit IDBs and package inserts to provide the IRB with sufficient information to assess regulatory criteria for approval.

  • Initial review requirements
    • If a research study involves testing or evaluating drug(s) and their use in the research is covered under an IND, an IDB should be provided to the IRB. For any drugs being tested or evaluated as part of the research that are FDA-approved and an IND is not required for their use in the research, the study team should provide the IRB with package inserts rather than IDBs.
    • Many studies involve FDA-approved drugs used within their approved indication and which are not the focus of a study (e.g., drugs to mitigate side effects, lidocaine). The IRB may request package inserts or other documentation in these cases, so that the IRB is able to assess whether there are additional risks to study participation.
  • Change requirements
    • Updates to the IDBs and/or package inserts must be submitted as a change to the IRB within 60 days of receipt when the revisions will:
      • affect the risk/benefit ratio of the study (i.e., will result in a change to the study documents);
      • affect alternatives to study participation for subjects; OR
      • represent new information that should be provided to subjects.
    • With the change of protocol, research teams should submit the IDB and/or package insert that triggered the change as well as any prior versions of IDBs and/or package inserts that had been updated, but not yet submitted to the IRB for review.
    • Review the Reportable Event Reporting Requirements section as some IDB, package insert, or device labeling changes may require a New Information Reportable Event submission in addition to a Change of Protocol.
  • Continuing review requirements
    • Revised IDBs/Package Inserts may be submitted at continuing review if:
      • The revised IDBs/Package Inserts do NOT contain revisions that would require a change as described above; OR
      • The study is permanently closed to enrollment locally, no local subjects are on treatment, and the revised IDB and/or package insert contains no new information that would affect past subjects (e.g., new latent risks).
    • In these cases, you must upload an IDB and Package Insert Log to the continuing review.
      • For IDBs: The log should include a brief summary of the revised information in the IDB as compared to the most recent version of the IDB the IRB has on file as well as an explanation why the IDB did not meet any of the criteria noted above that would require submission prior to continuing review.
      • For Package Inserts: If a summary of the changes is not available, you should confirm that the PI has reviewed the revised package insert and confirms it does not meet the criteria for reporting via a change.