Case reports
Guidance
A case report for IRB purposes is an analysis of one, two, or three cases or experiences. The case is defined by the activity. A case report that is composed of three or fewer cases does not constitute Human Research. This is because reporting on such a small series of cases is usually anecdotal and does not involve a systematic investigation, including defining a hypothesis that is then investigated prospectively and systematically, to develop or contribute to generalizable knowledge.
When do case reports require IRB review?
Submission of a ‘Determination of Human Research’ form is required when the case report involves the activities below, even though the case report may not be human research. This is because access to certain types of data or information, or specific populations, may require increased protections above the regulatory definition of human research.
HRPP review is required when any of the following applies:
- Access to an electronic medical record;
- Use or disclosure of Protected Health Information (PHI);
- The project is or will be supported by federal funds;
- The information will be used to support an application to the FDA or involves the use of a test article in a human;
- IRB certification for access to materials from dbGaP; OR
- The project involves Native American/Alaskan Native or international indigenous populations.
What about a case series?
A case series (more than 3 cases) may meet the definition of research and would require IRB review. This is because when a larger series of cases is being prepared for presentation or publication, ordinarily a specific research question is defined, and then a systematic collection of data occurs. Such a systematic investigation more closely resembles prospectively designed Human Research.
HIPAA implications associated with publication of some case reports
The use of or access to Protected Health Information (PHI) for a case report must comply with the Health Insurance Portability and Accountability Act (HIPAA, 45 CFR § 164). The individual who is accessing the PHI:
- Must obtain from the patient a signed HIPAA-compliant authorization if the report requires access to a medical record or Protected Health Information maintained by a Covered Entity (e.g., a hospital, health plan, health care clearinghouse or a provider who conducts electronic transactions) and the researcher/individual is not a member of the Covered Entity’s workforce.
- Must obtain from the patient a signed HIPAA-compliant authorization if the report will publish case report data containing HIPAA identifiers.
- Does not need to obtain a signed HIPAA-compliant authorization if all identifiers (including unique patient characteristics) are removed from the data prior to submission and publication of the article.
Contact the Privacy Officer to determine if authorization to use protected health information is required.
Version 2019-8