A Case for Progressive Institutional Review Boards


Innovation is a constant topic in the biomedical research space. The pace of new tools, new techniques, and new discoveries is often hard to keep up with. Researchers and study participants expect innovation to deliver improvements as well as compatibility with new science, new methodologies, and new priorities, all in a constantly changing, complex environment for study participants.

This progress is almost always seen in the insights and outcomes of the research, but not in how the research is designed, begins, progresses, and is managed. Anyone who has done work in the biomedical research space knows that ethical oversight – whether by internal reviewers, external Institutional Review Boards (IRBs), or Ethics Review Boards (ERBs), collectively known as “reviewing bodies” – constitutes a significant part of all study construction and, therefore, is a significant part of all new science and discoveries. Shouldn’t the processes that enable study construction also be innovative and capable of adapting to new science, new methods, and new priorities?

A careful balance must always be maintained between ensuring protection of individuals participating in research and supporting innovative methods and processes to drive more efficient and cost-effective reviews and research.

The often broad, non-specific nature of regulations that govern “human research protections”, as they are called in the US, leave reviewing bodies somewhat adrift in what amounts to a vacuum. This vacuum forces them to make their own interpretation and implementation of the exact protections to uphold and leaves them without a mechanism to cross-communicate new processes for reviews or validations of new methods for research. At their core, reviewing bodies are simply a group of people working together to determine if a research study meets certain requirements and thresholds as interpreted from these regulations. The social psychology of how people interact on a larger social scale, how people make decisions in isolation and in aggregate, and how the context of their engagements changes their behavior in those different settings is sufficiently understood today. Yet, there is a large gap in transforming that understanding into the application of how reviewing bodies function. These factors have created a space that is prone to stagnation rather than innovation, languishing as a relatively static space for decades. The same study reviews are taking place, and the same study constructions are expected, with few changes permitted, let alone the ability to include entirely new methods. How do we inject innovation into such an environment to create what amounts to an adaptive or progressive IRB?

A careful balance must always be maintained between ensuring protection of individuals participating in research and supporting innovative methods and processes to drive more efficient and cost-effective reviews and research.

“At the Genetic Alliance IRB, we’ve found that an open dialogue between the IRB members, researchers, and technology providers is essential to understand pain points and inefficiencies in our process, and incorporate new techniques that improve both our processes and the research being done. We cannot limit ourselves to past methodologies, given the pace with which new technology is developing worldwide,” says Chris Carter, chair of the Genetic Alliance IRB.

IRBs and ERBs typically do not interact with service providers on the underlying technology by which data is collected for a study. Instead, their focus is on the burden of participation, the ethical considerations of what is being asked, and the privacy, burden, and safety risks to participants. However, we have seen a marked increase in the efficiency of designing and reviewing new studies when the IRB works in conjunction with the technical service provider to understand and approve the underlying mechanisms and processes first. By utilizing standard IRB practices to review and approve new processes and methodologies leveraging newly established technology supporting the research, we can increase the speed of research by reducing the complexity of new study design. Working with the Genetic Alliance IRB, we set out to find ways where an IRB and technology provider could work together to innovate reviews and research. Here’s what we did.

Case Study #1: Luna Platform – Simplifying the IRB Process for New Studies

“For several decades, standing in the shoes of research participants, I have been outraged at the delays and extra work some IRBs cause in the name of protecting the participants. From my perspective, many IRBs act to protect an institution rather than the people. In the case of advocacy organizations and communities working to accelerate research on their condition, making this as simple as possible and ensuring conduct of the best research for their communities is paramount,” said Sharon Terry, CEO of Genetic Alliance. “Working with LunaPBC, we did a first-of-its-kind submission to the Genetic Alliance IRB to approve an entire platform based on the methods it encompasses for participant engagement and retention, data collection, and analysis. This paves the way for a streamlined review process for any study being executed using the platform. There is no need for redundant approvals or long timelines.”

The Luna platform is a tool for researchers to establish new communities or cohorts to collect data and perform analyses for their studies in a continuously participant-connected environment. The platform has IRB approval, which includes a consent individuals e-sign to share de-identified data for research purposes on the platform. This allows CDI to be deployed on Luna by groups for the benefit of their community through a simple Organization-Specific CDI Addendum. Then study-specific consents are only needed for those studies that go beyond the standard methods described above for the platform and enables the IRB to focus on specific goals of and populations included in the research, since the underlying mechanics are the same from study to study. Examples of protocols that are not covered by the approval are 1) the collection of personally identifiable information instead of de-identified data, and 2) use of bespoke instruments on topics not prioritized by the community through Community Driven Innovation.

Case Study #2: Community Driven Innovation – Innovative Methods for Research
Luna established the Community Driven Innovation™ (CDI) method for uncovering and validating the top priorities of a community or cohort, similar to methods like the Delphi technique, but without the disadvantage of inherent groupthink or expert bias those other techniques often introduce. By working collaboratively with the Genetic Alliance IRB and several researchers using CDI for their research goals, we were able to identify new ways to not only improve the research being done, but also simplify certain aspects of the IRB process itself.

 “The Genetic Alliance IRB immediately understood the value of the CDI method, not only in reducing burden on study participants, but also in reducing costs and time for their own reviews for both new studies using CDI and new data collection, typically surveys, being designed based on the insights from CDI,” shared Ian Terry, senior user experience research at Luna.

Together, we established two concepts that were integrated into the Luna platform protocol with the Genetic Alliance IRB: (1) A CDI “meta-study” design, and (2) “Related Topics” surveys.

CDI Meta-Study Design

We established a protocol that defines the CDI method leveraging the mechanisms on the Luna platform for consent, recruitment, data collection, and data analysis. New deployment of CDI can be added via an addendum to this protocol defining the specific populations and key personnel involved in recruitment since nothing else changes from CDI to CDI. This streamlines the time for review and cost to review by the IRB, and enables researchers with less scientific experience to take advantage of deploying a CDI to their communities or cohorts.

Related Topic Surveys

Building off of the CDI method protocol, we worked with the Genetic Alliance IRB to design a process to eliminate the need for researchers to submit all research questions during the initial study design and instead enable evolving content based on the insights generated from the CDI itself. Together, we established thresholds for specific topics and priorities uncovered by the CDI that could be turned into questions in follow-on surveys without requiring additional IRB reviews. We’ve now opened up the research such that the involved patient population can select the research topics using several well-documented methods from Computational Social Choice theory. By doing this, we don’t have to pre-decide what a specific population may need; we can build the very task of asking that question into the study design. This allows us to remove many steps that would have been spent attempting to figure out what the population wants and thereby speed up the time it takes to establish this study in the first place. But also gives the research population – versus the experts or researcher – the autonomy to decide where the research should be headed, a power that has been missing in the medical world for a long time.

These are only a couple of examples of how collaborative exploration of new processes, methods, and technologies can create an innovative and efficient environment for safe, ethical research. By focusing on technology and method innovation in our external and internal ethical reviews, we can explore new frontiers in the research that empower participants to help drive study design. Subsequently, elevating the participant to drive the study design ensures that the new inventions and products developed meet their needs and pain points directly, thereby expediting answers, time- to-market, and ultimately better health. We’ve turned a top-down study process into a dynamic ecosystem of iterative listening, accessible to non-scientists, that supports the privacy and safety of its members.

Learn more about Community Driven Innovation at www.lunadna.com/cdi


About Luna

Luna’s suite of tools and services connects communities with researchers to accelerate health discoveries. With participation from more than 180 countries and communities advancing causes including disease-specific, public health, environmental, and emerging interests, Luna empowers these collectives to gather a wide range of data—health records, lived experience, disease history, genomics, and more—for research.

Luna gives academia and industry everything they need from engagement with study participants to data analysis across multiple modalities using a common data model. The platform is compliant with clinical regulatory requirements and international consumer data privacy laws.

By providing privacy-protected individuals a way to continually engage, Luna transforms the traditional patient-disconnected database into a dynamic, longitudinal discovery environment where researchers, industry, and community leaders can leverage a range of tools to surface insights and trends, study disease natural history and biomarkers, and enroll in clinical studies and trials.


Privacy-Preserving Technologies and Rights-Based Privacy Regulation Compliance


There has been increased interest over the past decade over what to do with the growing volume of digital information collected on individuals that are potentially used or sold by companies and governments. This interest is even more heightened when health data is involved and how this data might be used in ways contrary to the interests or values of individuals. In parallel, new data protection laws have passed in many parts of the world and increasingly in several states within the United States that express the control of data privacy as a human right.

It is commonplace to merge the concepts of data privacy and security, even though each has a unique role. Data security is the step taken to prevent unauthorized access to data. A common security approach involves data encryption that requires user-specific information to decrypt the data back to its original form. Privacy-preserving technologies, or PPTs, are a newer class of technologies that support the distribution of encrypted data that can be selectively decrypted to reveal some or all of the data that is encapsulated. PPTs are especially exciting for the sharing of genomic data so that only some of the data is made available to a researcher, which presents a lower risk to the individual for subsequent data misuse.

A common data privacy policy is the right to rescind one’s consent and to have the individual’s data deleted, also known as the “right to be forgotten.”

Data privacy, in contrast to data security measures, is a set of policies that are applied to secure data. These policies typically govern the data collected, the purpose for which the data is collected, and the informed consent granted to the researcher to study the data. A common data privacy policy is the right to rescind one’s consent and to have the individual’s data deleted. This is also known as the “right to be forgotten.”

Security-based protections such as PPTs and privacy-based protections are very different in how they are implemented. With security-based approaches, data are distributed to researchers that are approved to access the data. Once access is granted, the control of the data is lost. Over time there can be many copies of the data that have been granted to multiple researchers, as shown in Figure 1A.

Figure 1A. Once permission is granted data is distributed to uncontrolled environment(s)

In contrast, privacy-based approaches maintain control of each piece of data within an environment that supports the removal of the data if an individual’s consent is withdrawn. Under the privacy-based approach, an individual has a virtual string on their data that supports the pulling back of their data at any time, as shown in Figure 1B.

Figure 1B. Use of permissive data is used within an environment that enforces privacy policies.

The question of which approach is better rests largely on the regulatory environment in which the research is being performed. In Europe, compliance with the General Data Protection Regulation, or GDPR, requires that the data rights of individuals persist when they share their sensitive personal data, such as health data. In states such as California, the California Privacy Rights Act (CPRA) that has come into law in 2023 requires similar protections for individuals. For historic datasets, databases, and biobanks that include genomic data, the use of PPTs has provided a more secure way to distribute such sensitive personal data.


About Luna

Luna’s suite of tools and services connects communities with researchers to accelerate health discoveries. With participation from more than 180 countries and communities advancing causes including disease-specific, public health, environmental, and emerging interests, Luna empowers these collectives to gather a wide range of data—health records, lived experience, disease history, genomics, and more—for research.

Luna gives academia and industry everything they need from engagement with study participants to data analysis across multiple modalities using a common data model. The platform is compliant with clinical regulatory requirements and international consumer data privacy laws.

By providing privacy-protected individuals a way to continually engage, Luna transforms the traditional patient-disconnected database into a dynamic, longitudinal discovery environment where researchers, industry, and community leaders can leverage a range of tools to surface insights and trends, study disease natural history and biomarkers, and enroll in clinical studies and trials.


Something Exciting Happened on October 6, 2022, Concerning Your Medical Records


Editor’s note: This article is jointly authored by Luna and Greenlight Health Data Solutions.

The Information Blocking Rule, now in effect, is a new federal regulation we should all celebrate as a big win for control over our health information, a right that we should always have had.

Let’s take a step back in time and then fast forward to today. In recognition of the importance of digital health information for advancing precision medicine, the Information Blocking Rule was a provision of the 21st Century Cures Act which aimed to modernize healthcare data interoperability and update a component of HIPAA that was oriented to paper-based medical records, not Electronic Health Records (EHRs). Part of the motivation to connect EHRs was to improve the portability of one’s health data to multiple healthcare providers and to give direct access to one’s health data using online patient portals. The Information Blocking Rule requires that all healthcare organizations give patients access to their full health records digitally (via a patient portal)–without delays or cost.

Why is this important? The new Information Blocking Rule unblocks access to Electronic Health Information (EHI), which Health and Human Services (HHS) defines as electronically Protected Health Information, or PHI. The significance of this rule has many threads–not least of which is bringing control and rights to the information much closer to the patient–the individual who the data is about, you! You can now review and research your own information to be a more informed patient. You can easily share your data with new healthcare providers if you relocate or change your insurance coverage. You can avoid time-consuming and costly duplication of diagnostic tests, which is commonplace whenever one engages with a new medical professional. You can also choose to share your data with a clinical research study or trial that is of interest to you to advance medical knowledge and health discoveries for society more broadly.

We’ve been advocates for individuals’ rights to access their health information for a long time. Greenlight Health was an early software platform specifically designed to offer patients online access to their health data. Luna has implemented Greenlight’s EHI data-sharing APIs which support connections to more than 90% of the U.S. provider market. This approach allows for the inclusion of EHR data, along with genomic and health survey data, for patient-centered research studies to understand and improve health outcomes. Gathering health information from multiple health systems, and across decades, provides convenience to individuals and their families while simultaneously providing a richness of data to researchers to unlock new insights for health improvements. Such patient-centered studies hold promise to enrich the standard of care more equally for individuals of all ethnic and racial backgrounds.

An essential aspect of inclusive clinical study participation requires that data shared by individuals is done with their informed consent and that the data is not used for other purposes outside the individual’s consent. Luna’s health data sharing and analysis platform uses rights-based data privacy measures to protect access to shared data so that a contributor (you) can remove their data from the platform and/or from any studies they joined with a simple click of a button. By implementing rigorous rights-based data protection and privacy that complies with all current privacy laws (such as GDPR in the EU), Luna provides a path to international clinical studies that can benefit from population diversity globally.

It’s no longer in the medical provider’s control to decide when to release a patient’s information. The Information Blocking Rule is really about information sharing and empowering the patient with ownership of their health data. Under HIPAA, healthcare providers are allowed 30 days to fulfill medical record requests; 60 days is permitted if the provider needs an extension. With this new rule and direct EHI access methods for patients, a healthcare provider cannot “interfere” with the flow of EHI, and it needs to flow without delay. When there are instances of interference, healthcare providers and EHR vendors are subject to financial penalties (up to $1 million per occurrence and/or reductions in Medicare and Medicaid reimbursement). Healthcare providers and vendors lobbied strongly against this rule being passed (in fact, the rule was held up for six years). Days before the rule became effective, 10 of the leading healthcare industry trade associations pushed HHS for a delay. As stated, the rule extends an individual’s right to access EHI through a patient portal. As the name implies, patient portals were designed to support functionality that allows individuals to connect to their medical records whenever needed. The intent of having immediate access to medical records through a patient portal is to provide a mechanism for sharing EHI with other healthcare providers, with family members, and for research.  

It’s no longer in the medical provider’s control to decide when to release a patient’s information.

This rule is one more step toward providing you with a comprehensive understanding of and access to your own healthcare information and, more importantly, control of how your health records are shared.

Taking the power of your health records to the next level, Greenlight Health and Luna combine capabilities to enable you to consolidate your records in one place and safely share your health records and other unique experiences in research studies that are of interest to you. You are in the driver’s seat now. The steps you take next could make a big difference in finding treatments and cures for those who need them most.


About Luna

Luna’s suite of tools and services connects communities with researchers to accelerate health discoveries. With participation from more than 180 countries and communities advancing causes including disease-specific, public health, environmental, and emerging interests, Luna empowers these collectives to gather a wide range of data—health records, lived experience, disease history, genomics, and more—for research.

Luna gives academia and industry everything they need from engagement with study participants to data analysis across multiple modalities using a common data model. The platform is compliant with clinical regulatory requirements and international consumer data privacy laws.

By providing privacy-protected individuals a way to continually engage, Luna transforms the traditional patient-disconnected database into a dynamic, longitudinal discovery environment where researchers, industry, and community leaders can leverage a range of tools to surface insights and trends, study disease natural history and biomarkers, and enroll in clinical studies and trials.


Prioritize the Safety of Your Health Data

Here’s Why You Should Prioritize the Safety and Security of Your Health Data

By Lena Huang, LunaDNA Contributor


Over the past few decades, scientists and researchers have made great strides in understanding how to use genomic data to drive important medical discoveries.

However, as the scientific community continues to gain access to genomic data at rapid speeds, concerns about the privacy of that data are emerging. Today, there are hundreds of companies that offer genetic testing for thousands of disease-causing genes. Many of these companies also offer whole-exome sequencing, in which all of an individual’s protein coding genes are analyzed for mutations that may cause disease. While this testing can save lives, it also creates a large amount of data that may or may not be secure.

Over the past few decades, scientists and researchers have made great strides in understanding how to use DNA data to drive important medical discoveries. However, as the scientific community is beginning to gain access to more data than ever before, concerns about the privacy of that data are emerging.

Today, there are many companies that offer genetic testing for disease-causing genes. Some of these companies also offer whole-exome sequencing, in which all of an individual’s protein-coding genes are analyzed for mutations that may cause disease. While this testing can save lives, it also creates a large amount of data that may or may not be secure.

DNA data plays a significant role in accelerating medical breakthroughs, so it’s no wonder why more tools are becoming readily available to drive discovery. Advances in technology allow doctors to analyze genetic data quicker and can be used to discover a person’s risk for developing disease, including getting neurological diseases, such as Huntington’s disease or Alzheimer’s disease. Although the advances in health technology have allowed people to better understand their risk for certain conditions and diseases, this information could be used adversely if it falls into the wrong hands.

For example, what if an insurance company could discriminate if they knew a person was at a greater risk for arrhythmia, stroke, or heart attack? What if an employer could fire an employee if it discovered that person was genetically predisposed to developing dementia in the next 10 years? What if an employee did not know his or her employer had access to this genetic information?

Sadly, cases of genetic discrimination are already happening. In 2012 in Palo Alto, Calif., Colman Chadam was asked to transfer middle schools because he was a carrier of cystic fibrosis (CF), even though he was unaffected by the disease. Two children with CF were already attending the school, and because individuals with CF should avoid contact with others who have the disease due to cross infection, their parents petitioned the school district for Chadam to be transferred. Chadam’s parents filed a genetic discrimination lawsuit so he could attend the school.

In 2012, employees of Atlas Logistics Group Retail Services in Atlanta were asked to submit to a cheek swab in an attempt to identify who had been vandalizing one of its warehouses. Two employees recognized the dangers of submitting their personal genetic information and learned that they shouldn’t have to under the Genetic Information Nondiscrimination Act (GINA). GINA makes it illegal to discriminate against employees or applicants because of genetic information. GINA also states that it is “an unlawful employment practice for an employer to request, require, or purchase genetic information with respect to an employee.”

How can we avoid potentially dangerous situations involving our own DNA? It is up to individuals to be informed and do their research on the companies that store and use their data.

So before sending in a saliva sample or DNA data, be sure the company you’re sending it to will strip all information of personal identifiers. Make sure any company that you send data to understands the importance of privacy and will keep your data secure. Understanding how companies plan to use your data not only allows you to maintain control but also helps you avoid situations where your personal information ends up in the wrong hands. Read the privacy and terms of use policies when your personal data is involved.

The control of data privacy is all about being able to decide who can access your data, under the conditions and for the purposes that resonate with you,” says Scott Kahn, Chief Information Officer at LunaPBC. “Isn’t this a better model of control than having institutions make these decisions for you?”

LunaDNA takes your privacy seriously. All personal information is removed and de-identified from any health or DNA data that is given to LunaDNA. Personal information is stored on a separate database from the health data so that there is no connection. All data is securely encrypted to protect your privacy. Finally, you are in control of your data, and it never leaves the LunaDNA platform. Researchers can only access the de-identified data on the platform and cannot export the information. You can choose to access or delete your information at any time.

Discoveries depend on research which relies on data. We think data use should permissioned by you. Contributing to science by sharing health and genetic information will allow researchers to perform important studies that are needed for medical breakthroughs. During this exciting time, remember that while sharing DNA data is absolutely vital to advancing the field, it is equally important that you share it safely.

Luna is bringing together individuals, communities, and researchers to better understand life. The more we come together to contribute health data for the greater good, the quicker and more efficient research will scale, and improve the quality of life for us all.  

Directly drive health discovery by joining the Tell Us About You study. 


About Luna

Luna’s suite of tools and services connects communities with researchers to accelerate health discoveries. With participation from more than 180 countries and communities advancing causes including disease-specific, public health, environmental, and emerging interests, Luna empowers these collectives to gather a wide range of data—health records, lived experience, disease history, genomics, and more—for research.

Luna gives academia and industry everything they need from engagement with study participants to data analysis across multiple modalities using a common data model. The platform is compliant with clinical regulatory requirements and international consumer data privacy laws.

By providing privacy-protected individuals a way to continually engage, Luna transforms the traditional patient-disconnected database into a dynamic, longitudinal discovery environment where researchers, industry, and community leaders can leverage a range of tools to surface insights and trends, study disease natural history and biomarkers, and enroll in clinical studies and trials.