Determination of Human Subjects Research


In certain cases, when you contact the IRB, rather than asking that you submit an IRB protocol, they instead determine that your proposed investigation does not constitute "Human Subjects Research." The official notice of this finding is known as a "Determination of Human Subjects Research."

The finding that your investigation does not constitute human subjects research does not obviate the need for a Data Privacy Attestation (DPA). The data in question remains highly sensitive and projects that work with it pose a potentially significant risk of regulatory compliance violation to the institution. The DPA is designed to mitigate those risks for everyone involved.

How to Complete a New HSR Data Privacy Attestation

To complete a new attestation associated with a determination, use the "New" button at the top of your Data Privacy Attestation Dashboard.

Since you have a determination, you are not conducting research. Please select "QI / QA (HSR determination)" from the Project Type dropdown. 

You will then be prompted to specify whether or not you are working with PHI. If you plan to work with PHI, please clearly document all planned PHI use, bearing in mind the principle of HIPAA Minimum Necessary. HIPAA may not apply, but it is always sensible to limit exposure to identifiers in order to minimize risk when working with sensitive data. 

The next section prompts you to specify what types of clinical data you will be working with. As noted in the diagram below, the form prompts you to clearly explain your intended use case for each type of clinical data, and certain choices may trigger additional compliance requirements or scrutiny. Also please note that not all of these data are currently available in the online chart review tool. Refer to our detailed clinical research data inventory for more information.

Note that clinical documents and procedure reports are considered high risk even when de-identified. This is due to the risk of incidental PHI slipping through the automatic de-identification process. The only 100% reliable way to guarantee that no PHI is present in narrative documents is to ask a person to read each document carefully.

By the same token, radiology images are considered high risk even after de-identification, due to the risk of PHI burned into the image itself. The de-identification process only reliably removes PHI in the image header.

Wait for Privacy Office Approval of the DPA

You can expect to hear back from the Privacy Office in about a week.

Once you have Privacy Office approval...


You now have permission to work with clinical data for Quality Assurance / Quality Improvement purposes from STARR.

To look up the DPA number associated with this approval for use in self-service chart review, go to your Privacy Dashboard.