The informed consent process is a basic ethical obligation for researchers. Informed consent is more than just obtaining a signature on a form. It is an active process of sharing information between researchers and potential subjects. The exchange of information can occur by various modes of communication including face-to-face contact, postal or email, telephone or internet calls, video, or through a shared drive. 

The virtual consent process should include all the key features of an in-person consent process: 

• Conducted by someone listed in the HawkIRB application as being involved in the consent process
• Provides necessary information about the research for potential subjects to make an informed decision
• The researcher has a mechanism to assess whether potential subjects understand the procedures and risks of the study
• Potential subjects make a voluntary decision to participate in the study, free from coercion or undue influence, and they can choose to withdraw from the study at any time.

This document outlines several alternatives to the traditional method of obtaining informed consent with an in-person interaction and signature on a paper Informed Consent Document. 

The first alternative is a waiver of documentation of consent which waives the requirement for researchers to obtain a signature on the Informed Consent Document. It does not waive the requirement for using an Informed Consent Document or conducting an informed consent process. One or more of the following criteria must be met for the IRB to approve a waiver of documentation of consent:

1. The only record linking the subject and the research would be the consent document and the principal risk would be potential harm resulting from a breach of confidentiality. As part of the consent process, the researcher may ask whether subjects wants to take a copy of the Informed Consent Document. EXAMPLE: Subjects are undocumented immigrants, or victims of domestic violence, where there could be harm to them if it were known that they participated in the research study.

2. The research presents no more than minimal risk of harm to subjects and involves no procedures for which written consent is normally required outside the consent. EXAMPLE: A web-based or paper survey about topics that do not present more than minimal risk to the subjects. Often, with electronic surveys, the consent document is presented on the first screen and subjects click a button or select an “I agree” to indicate their agreement to participate in the research. 

3. The subjects or legally authorized representatives are members of a distinct cultural group or community in which signing forms is not the norm, and the research presents no more than minimal risk of harm to subjects, and there is an appropriate alternative mechanism for documenting that informed consent was obtained. EXAMPLE: International research in a country where individuals typically only sign important legal documents like a marriage certificate, but it would not be the norm to sign research consent documents.

All conditions must be met for the IRB to grant a waiver of documentation of consent under one of these categories. 

With a waiver of documentation of consent, there is still a consent document that contains the required elements of consent (information about the research study). However, the subjects do not have to sign the document. The study could still have a verbal consent process, conducted by a member of the research team, although that is not required. 

There are also a variety of procedures to obtain a subject’s signature on the Informed Consent Document and to obtain the document signed by the subject when the Consent Process is not conducted in-person. The informed consent process must be described in HawkIRB (Sections VII.D.29/30) and approved by the IRB. Any method utilized by the study team to obtain a signed consent must include two components: 

1. Receiving the signed document from the subject
2. Providing a copy of the document to enrolled subjects. If the study involves the use of protected health information (PHI), subjects must receive a signed copy of the document. 

A subject’s signature can be obtained on the Informed Consent Document as, a traditional “wet” signature or by digital or electronic means. 

• A “wet” signature is obtained by using a writing utensil to physically sign on a piece of paper.
• A “digital” signature may be obtained via a stylus or finger to represent a signature.
• It must be consistent with a “wet” signature.
• If necessary, the signature can be verified by viewing a driver’s license, passport, or other picture identification card with a signature, etc.
• An “electronic” signature is obtained with a product or eSignature tool (Adobe, DocuSign, REDCap, etc.) where a password or other form of pre-identification is necessary to ensure tracking, privacy, and identity verification. 

Digital and electronic signatures are approved by the UI IRB and are consistent with State of Iowa law where electronic signature means “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.” (Uniform Electronic Transactions Act HF 2205, State of Iowa)

Unencrypted email is not considered a secure method of transmitting sensitive, private information, including the fact that an individual qualifies or agrees to participate in a research study. The subject can return the signed document and the research team can provide a signed copy of the document to the subject via:

• Fax
• Scanned document
• Mail
• Encrypted email

The final alternative to consider as a method to obtain appropriate informed consent may be the use of an electronic consent (eConsent) process. The Office of Human Research Protections (OHRP) and the Food and Drug Administration (FDA) have provided joint guidance about documenting consent through electronic methods (Use of Electronic Consent, 2016). Electronic informed consent uses electronic systems or processes with an electronic media format to obtain informed consent. When using an electronic consent process, the electronic system:

• Should be easy to navigate; subjects can stop or continue the virtual consent at any point.
• Must employ a method to verify the identity of the subject, parent/legal guardian, and\or the Legally Authorized Representative (LAR) who sign the electronic Informed Consent Document. Possible verification solutions could include, but are not limited to, use of a:
  • unique log in and password
  • unique code
  • security question
• May use interactive electronic-based technology, including diagrams, images, graphics, videos, and narration.
• Should be appropriate for the subject population, taking into consideration the subject’s age, language, and comprehension level.
• May include a way to gauge the subjects understanding of the information in the consent (i.e., optional questions such as the Evaluation to Sign an Informed Consent for Research).
• Must be able to provide a signed copy of the Informed Consent Document to the subject.
• May be used to obtain assent from minors or cognitively impaired adults (when required) and permission from parent(s) or legal guardian(s) or a Legally Authorized Representative (LAR).

There are additional regulatory requirements under the FDA, FERPA, HIPAA and GDPR:

• FDA -regulated studies must utilize an electronic informed consent tool that complies with Part 11 regulations (21 CFR 11). The University of Iowa does not currently have a tool meeting these requirements, but a study sponsor may supply one.
• Studies falling under HIPAA (Health Insurance Portability and Accountability Act) or GDPR (General Data Protection Regulations) also have additional levels of security, privacy, and verification requirements.
• FERPA (Family Educational Rights and Privacy Act) has additional privacy expectations and requires a signature to release student education records. 

The IRB considers state and federal regulations regarding digital or electronic signature methods to ensure they are legally valid within the jurisdiction the consent is signed and the research is conducted. If a digital or electronic signature is not captured through a system that can verify identity (such as REDCap, DocuSign or Qualtrics), the IRB needs to ensure:

• The signature is unique to the subject
• The electronic or digital signature demonstrates the subject’s agreement to participate in the research
• The method of obtaining the signature satisfies the applicable regulations (e.g. FDA, HIPAA, state law, institutional policy)
• Whether the signature can be legitimately verified as coming from the subject participating in the research (i.e., it must be unlikely that any other individual signed the document) 

Note: For minimal risk studies, that do not involve minors or other vulnerable populations, it may not be necessary to require identity verification. "OHRP [Office of Human Research Protections] recognizes that it may not be possible or necessary for all types of research covered by 45 CFR part 46 to verify that the person signing the informed consent is the subject or the subject’s LAR who will be participating in the research study. OHRP encourages investigators to apply a risk-based approach to the consideration of subject identity. For example, social behavioral minimal risk research will not typically warrant such verification. In addition, informed consent may be waived for minimal risk research meeting the requirements at 45 CFR 46.117(c)(1)*.” (Use of Electronic Informed Consent, 2016)    *Citation updated to revised Common Rule

A virtual consent process is conducted, and Informed Consent Documents are accessed, stored, and/or shared, via electronic devices through a shared network or over the internet. Zoom and Skype are web conferencing tools that have the capability for video conferencing, as well as just audio to accommodate people who do not have web cameras. When the consent process will be recorded, research involving data protected by the HIPAA Privacy Act, UI Information Technology (ITS) and Health Care Information Systems (HCIS), have approved Skype for Business and Zoom. Zoom requires a technology review and extra security precautions. For more information, see the following Educational Tools:

• Data Security Guidance
• Secure Zoom Meetings and Recordings for Restricted and Critical Data 

Faculty, staff, and students have access to a Zoom account through the University of Iowa. Potential subjects are not required to have a Zoom account to answer calls or join videos. The version of Zoom available through UI and UIHC is compliant with HIPAA standards as long as the research team follows the instructions for Secure Zoom Meetings and Recordings for Restricted and Critical Data. Zoom calls/meetings can be conducted on all mobile devices, tablets, laptops, and desktop computers. 

Schedule a Zoom meeting/call

• If you have Zoom installed in Outlook, you can schedule a Zoom meeting through Outlook.
• If you do not have Zoom installed in Outlook, you can schedule a Zoom meeting through the Zoom website.

Provide Zoom information to potential subjects

If potential subjects use Zoom on a mobile device, they will need to download the application on their phone. The Zoom app is compatible with Android devices and iPhones. Zoom is compatible with all Windows and Mac computers.

Test Zoom Audio & Video Prior to Meeting

It is best practice to test your audio and/or video system prior to a call/virtual meeting. This will help save time for you and potential subjects.

All faculty, staff, and student employees have access to a version of Skype for Business . 

Note: UI Health Care and UI campus are considered different systems for Skype for Business purposes. 

• If researchers only have the basic version of Skype for Business, they will not be able to call, create video meetings, or share screens, to conduct the eConsent process, with subjects who are outside their system.
  • For example, a UIHC researcher with the free basic version of Skype for Business cannot call, create video meetings, or share screens, with someone on UI campus, and vice versa.
• A researcher can add a subject as a presenter, which then gives them screen sharing capability when using a device/program that supports screen sharing (see Figure 1).

Skype for Business meetings/calls can be conducted on all mobile devices, tablets, laptops, and desktop computers. Potential subjects are not required to have a Skype for Business account to answer calls or join videos.  Instructions for joining via the Skype for Business Web app or via phone are available on the ITS website. 

Schedule a Skype for Business meeting/call

Schedule a Skype for Business meeting through the Outlook calendar. The instructions cover how to modify the default settings and create a meeting that is accessible to non-UI users.

Download Skype for Business information for potential subjects

If potential subjects will use Skype for Business on a mobile device, they will need to download the application on their device. For potential subjects with a Skype for Business account, they should log into the app with their Office 365 username and password. The app is compatible with Apple and Android devices. For potential subjects who do not have a Skype for Business account, there is a different log in process for Apple and Android devices. 

Join a Skype for Business meeting

The way subjects will join a Skype for Business meeting, and the functions available during the meeting, depend on whether they have a Skype for Business account and the type of device they have. The following links provide information about how to join Skype for Business meetings on a variety of platforms.

• Web app on a desktop/laptop computer
• iPhone
• Android 
• iPad

Test Audio & Video Prior to Meeting

It is best practice to test your audio and/or video system prior to a call/virtual meeting. This will help save time for you and for potential subjects.

Documentation of electronic consent using REDCap meets HIPAA compliance requirements. However, HIPAA compliant technology may not be FDA Part 11 compliant for FDA regulated studies. Any electronic informed consent process requires verification of a subject’s identity or authentication of subject signature. None of the electronic tools outlined below can currently be used for FDA regulated studies.   

DocuSign

The UI has a license for DocuSign that researchers can use to capture electronic signatures. For instructions, see  DocuSign Guidance.

REDCap

REDCap is available as an eConsent tool to conduct HIPAA and non-FDA regulated research. REDCap is supported and managed by the Institute for Clinical and Translational Science (ICTS). Researchers can use REDCap on tablets, mobile phones, and laptop/desktop computers. Use of REDCap requires the setup of an electronic consent document prior to use. REDCap allows individual access with a unique id and password on a per subject basis to assist with subject signature authentication. 

Qualtrics

Researchers may use Qualtrics for non-FDA regulated studies, and studies that do not use HIPAA data. Qualtrics surveys can be created to include password protected Informed Consent Documents with the ability to capture electronic signatures. If the consent process occurs over the phone, or through Zoom/Skype for Business, once the subject’s identity is verified, the research team member provides each potential subject with a unique password to access the Qualtrics survey. The unique password should be retained as part of the documentation of the subject’s identity. Subjects will then electronically sign the Informed Consent Document with their fingers, using a touch pad, or by using a mouse.

All consent processes and documentation methods must be described in HawkIRB exactly as they will be implemented. The HawkIRB sections listed below, though not exhaustive, highlight the most likely sections that need to address the eConsent process and documentation procedures.

The Consent process and documentation procedures should follow best practices for collecting, storing, and transmitting human subjects data. The Data Security Guidance document, provides detailed information about privacy and confidentiality protections, data classifications, and electronic storage & transfer tools.

The terms “Privacy” and “Confidentiality” are often used interchangeably, but for IRB purposes they are two distinct concepts. Privacy measures protect the person at the point of data collection. Confidentiality measures protect data when it is stored and transferred. 

Researchers ensure subject privacy for the consent process by:

• Conducting the consent process in a private location 
• Reminding subjects to check privacy settings on their computers and mobile devices
• Reminding subjects to join a call/meeting in a place where they can be alone

Researchers ensure confidentiality protections for storing and transferring Informed Consent Documents by:

• Knowing the ITS data classifications that apply to data being collected, stored, and transmitted 
• Using ITS-approved tools and completing a Technology Review and Security Review prior to use of any tool that is not on the list of ITS reviewed agreements.