Protocol Violations

A Protocol Violation is any deviation from the study procedures outlined in the Protocol Summary Form reviewed and approved by the IRB that has occurred without informing the IRB prospectively*. A significant protocol deviation is a deviation that increases the risk to participants or others, decreases the potential benefits of the study, undermines the scientific integrity of the study, or occurs more than once. In the event of a report of a protocol violation, special monitoring may require a systematic audit of study compliance with consent documentation requirements.

* If an investigator anticipates the need for a deviation from the protocol, IRB approval for an exception must be requested via

Protocol Violations must be reported to the IRB via PRISM under the tab titled "Start a Protocol Violation/Serious Adverse Event Form". Protocol Violation reports can only be submitted in PRISM under the login credentials of the study's Principal Investigator. No other member of the research team can submit a PV report through PRISM.


Other Reporting Requirements

IRB leadership routinely discusses SAEs, UPs, and PVs with NYSPI administration and leadership in NYS OMH and RFMH Central Office.

Certain SAEs, UPs, and PVs require the institution to provide a report to the Office of Human Subjects Research, the funding agency (e.g., NIH), or the study sponsor. We will discuss this with you when necessary. 

Principal Investigators are responsible for familiarizing themselves with other requirements. For example:

  • Local incident and adverse event reporting requirements at the research site.

  • NYSPI has a separate incident reporting policy when Office of Mental Health patients are participants. Contact the Office of Quality Management for information.

  • Requirements of the funding agency or study sponsor regarding adverse event reporting.

  • FDA reporting requirements for studies conducted under an IND or IDE.

  • Radiation safety committee requirements regarding adverse events related to radioactive compounds.


Data Breach

A data breach is a type of Protocol Violation that needs to be reported to the IRB. A data breach compromises the security or privacy of Protected Health Information (PHI). The US Department of Health and Human Services presumes that a breach, an impermissible use or disclosure of PHI, has occurred unless the covered entity (NYSPI) demonstrates a low probability that PHI has been compromised, based on a risk assessment of the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification,

  2. The unauthorized person who used the PHI or to whom the disclosure was made,

  3. Whether the PHI was actually acquired or viewed, and

  4. The extent to which the risk to the PHI has been mitigated.