Internet-Based Human Subjects Research

Computer and internet-based research protocols must address the same risks (e.g., violation of privacy, legal risks, and psychosocial stress) and provide the same level of protection as other types of research involving human participants.

All studies, including those using computer and internet technologies, must:

Ensure that the procedures fulfill the principles of voluntary participation and informed consent.
Maintain the confidentiality of information obtained from or about human participants.
Adequately address possible risks to participants.

Recruitment

One-way ads that do not involve direct communication with potential subjects (i.e. paid Facebook Ads), are reviewed according to existing IRB review policies.

Recruitment material should include:

Principal Investigator's contact information.
Purpose of research.
Inclusion/exclusion criteria in summary form.
A brief list of procedures involved.
Details on how to enroll, including time as well as other required commitments (number of visits, total duration during follow-up visits, etc.).
Location of research and contact person for further information.

Informed Consent in Internet-Based Research

Obtaining Consent

Informed consent is one of the fundamental principles of ethical conduct in human subjects research. It is mandated by Federal regulations 45 CFR 46.116 and 46.117, as well as 21 CFR Subpart B.

Obtaining consent for a research project is a PROCESS and not the act of simply signing a form. Whenever required by federal regulations, informed consent must be obtained and documented. The language of the consent must be designed in a way that will be understood by the age group as well as reading and comprehension level of the target audience.

Documenting Consent

Usually, consent is documented when the research participant signs a form. Other mechanisms include audio- or videotaping the subject's agreement to participate. However, this is often difficult in internet-based/online research.

Under certain circumstances, for low risk studies, the requirement to document (obtain signatures or record the consent process) informed consent for online research activities can be altered or waived. See Florida Atlantic IRB Policy "Waiver of Informed Consent" for guidance on this topic. ¹⁰

Excluding Minors Who Cannot Consent

People under the age of 18 cannot legally consent to participate in a research study. However, researchers recruiting from the internet cannot know the exact age of respondents. For this reason, it is best to limit online research studies to minimal risk research that would typically qualify for a waiver of parental consent under federal regulations (See section IV of Florida Atlantic IRB policy "Children in Research" ) ¹¹ unless you are able to authenticate the identity and age of your respondents through reliable means.

For internet research involving confidential and sensitive information, researchers must obtain written consent (on-line or hard copy) and within the studies procedure, include the proper methodology to verify the identity and age of the participant as well as to assure the security of the data.

Ensuring Understanding

When anyone who has access to the internet is a potential research subject, it may be difficult to ensure that he/she understands the consent information. One method of enhancing comprehension includes incorporating short questionnaires within the consent process to assess understanding of the information presented, and direct the subjects to additional explanatory material. Another method is to design and implement an interactive consent process tailored to the potential subjects' characteristics or primary language.

Right to Withdraw

The principle of respect for persons requires that subjects be allowed to withdraw from a research study without negative consequences. Online survey instruments must explain at the outset what options are available, if any, for retrieving and discarding responses, and for some studies, it may be appropriate to provide a "no response" option for questions subjects may consider to be sensitive or intrusive.

Deception & Debriefing

The internet provides unique opportunities for conducting observational research in "private" settings. For example, a researcher can join a closed group (e.g. a "members only" chat room devoted to a mutual topic of interest) with relative ease to observe interactions among the members while concealing his/her identity. Such research can only be approved if the IRB determines that the deception is justified. Any research involving deception should have a plan for debriefing subjects, so they may learn about the research that occurred and have the opportunity to withdraw use of their data if they choose.

Electronic Data Collection

Research involving the collection of data about people from medical records, through social media or networking sites involves the same considerations as any other research with human participants.

These considerations include:

Determining an appropriate and effective informed consent process;
Assuring that participation is voluntary;
Protecting privacy and confidentiality of individuals and the data collected;
Minimizing risks and maximizing benefits; and
Assuring equitable selection of participants.

However, with the dynamic and evolving nature of norms and technologies in social media use, translating these principles into real practice can be challenging.

Please consider the following aspects when collecting electronic data:

Jurisdictional authority

On-line research id different geographical areas adds an additional level of complexity (researcher located in one area, participants in another (or multiple locations) and the data is stored in another location.

Authentication for internet-based research

Researchers should take steps to authenticate online research participants.

Using bot prevention tools and tactics will help ensure rigor in data collection. This includes actions such as:

Including two or three open-ended questions in the study and require responses to them. Monitor these questions for unusual responses or identical responses across “participants.”
Track timestamps.
Flag impossible dates and times, bundles of participants beginning and completing the survey at the same time, and respondents who completed the survey impossibly fast.
Use a completely automated, public Turing test to tell computers and humans apart (CAPTCHA).
Make it personal: Consider including a public link to screen potential participants for eligibility, with ballot-stuffing protections in place. Those who meet eligibility requirements can then be sent a unique link to the survey that can be used only once.
Include at least one hidden item: This can be accomplished by adding the @HIDDEN action tag to an item in REDCap or by adding custom JavaScript code to an item in Qualtrics
Add redundancy: Ask the same question — “What is your age?” is a good example — at two separate points and check for differences in responses.
Add honeypot questions: These are embedded in a survey but are coded in a way that prevents human participants — but not bots— from viewing and responding to them.

Use of Mobile Apps in research

Florida Atlantic Researchers should seek expert IT review when purchasing a mobile app or building their own app for collection of data from research participants. If the app is commercially available, Florida Atlantic central university purchasing needs to be part of the process to assure legal and data security review occurs. It is the researcher's responsibility to understand known or potential risks of any downloaded app, whether free or at a cost and disclose those risks to study participants. App downloads frequently collect data stored or linked on the phone on which the app is installed. Researchers must clearly delineate such risks to participants. The "terms of service" of commercially available apps must be understood by the researcher utilizing the app and communicated to the study participants.

Survey Software

All surveys conducted at Florida Atlantic should preferably be conducted using Qualtrics or REDCap. If researchers are interested in using other survey software OIT should review the software data security and purchasing process to assure they are following the appropriate university channels.

The Florida Atlantic - HIPAA website provides information and guidance on the policies, procedures and forms related to HIPAA compliance at Florida Atlantic: www.fau.edu/hipaa/

Encryption: strongly recommended for PHI data.

When to use Qualtrics or Redcap?

QUALTRICS

Florida Atlantic maintains a license for Qualtrics to conduct online surveys. All administrators, faculty, staff, and students have access to use the software using their Florida Atlantic Net ID and password. All surveys conducted at Florida Atlantic should be conducted using Qualtrics at the site below. Qualtrics is a very common tool to conduct surveys but is less secure. It CANNOT be used to collect PHI.

Access Qualtrics

REDCAP

REDCap is a secure web application for building and managing online surveys and databases. While REDCap can be used to collect virtually any type of data (including 21 CFR Part 11, FISMA, and HIPAA-compliant environments), it is specifically geared to support online or offline data capture for research studies and operations.

If a study meets the requirements for IRB review and approval such approval must be granted prior to the research project being published in REDCap. It is the responsibility to the researcher to obtain any and all approvals.

Access REDCap

Human Subject Research

Studies requiring IRB approval will typically need to submit data collection instrumentation as part of the approval process. Florida Atlantic – Office of Information Technology encourages users planning on using REDCap to design their instruments prior to requesting IRB approval as instrumentation changes typically do require re-authorization.

For more information about RedCap visit here.

In addition to the above mentioned security aspects, research instruments are often copyrighted. When obtaining a copy of the instrument(s) to be used in research, researchers should also ensure they obtain permission to use the instrument. If someone posts a published test or instrument without the permission of the copyright holder, he or she is violating copyright laws and could be legally liable. Contact the copyright holder in writing (print or email) to obtain permission to use a research instrument.

The person should be able to state in writing that they are indeed the copyright holder and that they grant you permission to use the instrument.