Reminders about Business Associate Agreements

Read more »

Under HIPAA, a Business Associate (BA) is a person who or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. When such a relationship exists, a Business Associate Agreement (BAA) holds the BA accountable for protecting KP’s PHI.

Research collaborators are NOT considered Business Associates, so BAAs in the context of research are relatively uncommon. However, there are a few situations when BA relationships do exist in research:

·         Transcription or translation services provided by someone outside KP

·         Use of a mailing house or similar vendor services

·         Use of a commercial lab for specimen testing

·         Certain types of consulting relationships for protocol development or quality assurance

When a BAA is needed, there is usually an associated vendor purchasing contract, and the BAA is incorporated into or attached to that agreement. This will be handled in the purchasing process. You do not need to contact Compliance for these types of BAAs.

If there is no associated vendor contract but you think you need a BAA for your study, please contact for guidance. Note: If you have a DTA/DUA/MDTA you do not also need a BAA.

The KPNW Regional Compliance Department’s website has some excellent resources and guidance about BAAs, including a decision tree to help determine when a BAA is required. The most current BAA template is available on the KFRI Contracting website.


New Sensitive-Data Section in eIRB

Read more »

You may have noticed that eIRB has some new questions regarding sensitive information on the Study Scope page. The purpose of the sensitive-data check boxes in eIRB is to help reviewers to assess study risks and benefits.

Sensitive data includes information from research subjects such as sexual attitudes, HIV/AIDS, and other sexually transmitted diseases, use of drugs or addictive products, or information about illegal conduct that could reasonably lead to social stigmatization, discrimination, or legal proceedings and/or, if disclosed, could have adverse consequences for subjects or damage their financial standing, employability, insurability, or reputation.

If your study includes such data/information, ensure that your protocol or another uploaded document includes a detailed description of the data to be collected in each of these topic areas. Also, the consent form and PRA need to state that the information is being shared for any sensitive-data boxes that are checked.

Below are some helpful tips when determining whether you need to indicate your study includes sensitive data on the Study Scope page in eIRB:



Collection of sensitive information that will be shared in order to meet study objectives.


Exclusion criteria that are not being shared with the sponsor

Baseline screening diagnoses/information that are described in the consent form and PRA (if applicable)


Potential diagnoses or conditions (patient not diagnosed and/or no known condition at the time of consent)

Study team/CRSS determinations of relevant sensitive data that will be shared

Knowledge of diagnosis or condition after consenting and subject has to be to withdrawn from the study

The item is a specific data point listed on the CRF




*NOTE: The IRB reserves the right to make administrative changes to the boxes that are checked or unchecked in eIRB related to sensitive data based on regulatory and/or needed reports generated from eIRB. However, requests for modifications to checked boxes may be included in IRB review communications if other modifications are being requested as part of a study review.


Policy Updates

NWRC.RIM.03 – Quality Improvement Monitoring. This policy was revised to incorporate our region’s use of the KFRI shared service model for clinical trials monitoring in addition to our local monitoring program.

NWRC.HRPP.102 – Collaborative IRB Reliance Arrangements. This is a new policy to address how Research Compliance will evaluate requests from investigators to rely on an external IRB, or to serve as the IRB of record for another site. This new P&P will be the foundation for a collection of procedures and guidance materials, currently being developed by the RSPO team, that will help Research Compliance facilitate single IRB review arrangements. These arrangements are becoming more common and will eventually be required for certain federally funded studies.

NWRC.HRPP.02 – Continuing Review of IRB Approved Research. This policy was extremely outdated and was revised to reflect our current review process.

NWRC.PRIV.04 – Privacy Rule Documentation for Research. This policy was revised as part of a routine review to include several clarifications and corrections. The table in Appendix A is a particularly useful summary of agreement and other requirements for different types of data sharing.

IRB Announcements

Keeping Primary Contact and Study Team Information Current

Annual continuing review is a good time to check that a study’s primary contact and study team information are up to date. The primary contact is the person assigned to receive all communications from the IRB on behalf of the study team. Use the Assign Primary Contact activity to update the primary contact. Submit a combined modification and continuing review to add or remove study team members.


IRB Humor — Oh, What a Difference a Word Can Make

Participant developed neck and arm after receiving an initial dose of imaging contrast agent. This is not a typical reaction, so the PI at the time was unclear if this was related or not.