Responsibility for REP Oversight and Compliance

Feb 17, 2017 10:45 am

REP application and Application Supplement Form capture several different levels and types of information about a repository's processes and intents, including:     

  • information characterizing a repository to identify useful relationships for 
    • researchers intending to deposit into a repository
    • researchers intending "secondary use" of repository data/biospecimens
  • information to assure compliance with University policies 
    • data security 
    • physical security 
    • repository governance
  • Services available from large-scale repositories

    Large-scale biorepositories such as UMHS Central Biorepository are able to provide a variety of services to depositing researchers and "secondary use" researchers. These may include

    • sample processing
    • providing physical storage space for biospecimens "sequestered" for some time for use only by original research team
    • Established standard procedures for data/biospecimen integrity, sustainability, governance including dispute resolution, &c.
    • Specimens obtained under standard consent provisions unambiguous as to allowed and disallowed future uses.

    Individual research teams wishing to retain data/biospecimens for future research may appreciate the efficiency of depositing into a large-scale established repository rather than starting a new repository.

  • Compliance with Institutional Policy

    Consistent with Institutional policy, the REP application and Application Supplement Form should also include information regarding

    • Physical storage and maintenance
    • Governance and oversight of the repository

    Although the IRB may be able to provide feedback on storage and governance plans, IRB oversight does not include determinations as to adequacy of these plans.

  • IRB Oversight

    In order to protect human subjects, the IRB provides review, approval, and ongoing oversight for the following procedures associated with repositories:

    • Obtaining data/biospecimens for inclusion in the repository
    • Storage and management of data/biospecimens in the repository
    • Distribution of data/biospecimens to other investigators

    Informed Consent/HIPAA authorization

    Research repositories obtain data/biospecimens collected via:

    • IRB approved research informed consent/HIPAA Authorization
    • Research conducted under a waiver of informed consent granted by the IRB
    • Clinical informed consent permitting research use (no IRB approval)

    IRB approval for the repository (REP application) need not include consideration of informed consent/HIPAA authorization, or approval of waiver of consent/authorization, when

    • A research repository is created with data/biospecimens that are anonymous, and queries into the database could not result in situations where the data/biospecimens could become identifiable.
    • A query of a clinical or research data repository produces only deidentified aggregate counts and there is assurance that all HIPAA identifiers are removed.  The researcher never has access to identifiers.  A data use agreement may be required by entity managing the repository.

    IRB approval for the repository (REP application) must include consideration of informed consent/HIPAA authorization, or approval of waiver of consent/authorization, when

    • research repository containing identifiable information is created from data/biospecimens collected for clinical purposes, or data/biospecimens collected as part of a research study where the research or clinical consent did not contain permissions that would allow for the subject’s information to be placed in the repository
    • The research data repository contains identifiable information not collected under prior IRB approval/HIPAA Authorization and identifiable data may be extracted for research purposes (e.g., UMHS Research Data Warehouse [RDW]). Data could be directly identifiable, or could become identifiable if the data recipient has access to codes permitting re-identification. 

    Repositories may request IRB approval for waiver of informed consent (and, if appropriate, HIPAA authorization) by attaching a consent waiver request form (or consent/authorization waiver request form) in section 8.2 of the REP.

  • Repository responsibilities regarding risks of secondary uses

    Repositories should assess certain kinds of risks before making resources available for secondary research, even when that research is not subject to federal regulations and IRB oversight, most often because the resources are not "individually identifiable." (Secondary use that meets the definition of "human subjects research" also requires IRB oversight.)

    Type of risk

    Description/subtype Examples
    Group risks Individual-level risks of identification/association with a group described by the research If the BRCA1 gene is found and reported to be associated with increased risk of breast cancer and also to occur with greater frequency among Ashkenazi Jews, each individual who identifies or is identified as Ashkenazi Jewish becomes associated with BRCA1 and increased risk of breast cancer. This association could have various negative effects for these individuals.
    Group risks Risks to groups quagroups Genetic studies of blood samples from members of the Havasupai Indian Tribe traced the group’s migration from Asia across the Bering Strait to present day Arizona. This is in conflict with the Tribe’s traditional belief that they originated from the Grand Canyon and threatens certain aspects of the group’s identity.
    Moral risks Individual-level risks of supporting research to which one would object
    • Discovery of genotypes associated with phenotypes that some in society may deem undesirable could lead to prenatal genetic screening for the genotype and selective abortions, to which some donors of de-identified resources might object.
    • Surveys have shown that some donors of biospecimens and data to public institutions object to those materials being used for profit.


  • Repository responsibilities regarding disclosures of Protected Health Information (PHI)

    Protected Health Information (PHI) includes any information in the medical record that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service. Disclosures of PHI (sharing outside the U-M covered component) without Authorization must be tracked. For more information, see UMHS Policy 01-04-335 (link requires level-2 or UMHS VPN).

    A repository that distributes PHI to a secondary user is not directly responsible for tracking additional disclosures made by the secondary user. However, the repository is responsible for ensuring via DUAs/MOUs/&c. that the secondary user agrees to appropriate privacy and confidentiality protections, including appropriate limits on re-disclosure.

    Repository Data provider Who tracks PHI disclosure into REP? Repository responsibility for PHI disclosed to 2nd user
    Inside U-M CE Inside U-M CE N/A Track disclosure
    Outside U-M CE Inside U-M CE Data provider  Ensure DUA(s) include protections accorded PHI
    Inside U-M CE Another non-U-M CE (e.g. Duke) Data provider  Ensure DUA(s) include protections accorded PHI
    Outside U-M CE (e.g. SPH) Another non-U-M CE (e.g. Duke) Data provider  Ensure DUA(s) include protections accorded PHI
    Inside or Outside U-M CE not part of any CE N/A N/A


    Posted 10/29/2014
    Updated 2/17/2017


Contact us at or 734-763-4768 / (Fax 734-763-1234)

2800 Plymouth Road, Building 520, Room 3214, Ann Arbor, MI 48109-2800

A list of IRBMED staff is available in the Personnel Directory, or view the list of Regulatory Teams.

Edited By:
Last Updated: May 24, 2018 2:00 PM