Ask the Expert: Protocol Deviations and Publishing Case Studies

September 16, 2019

This monthly feature presents a variety of questions from clinical trial professionals with answers from WCG Clinical’s expert staff. To ask a question of WCG’s experts, click here:


In case of an unscheduled visit, or a serious adverse event that occurred and was treated outside the study site, should a protocol deviation be created if not all tests are done per protocol? — Clinical team at large biopharma company


The determination of what should be considered a protocol deviation, “violation,” or “minor/major” deviation, etc., is usually based on a policy or SOP from the study sponsor, or sometimes from the study site. Tracking protocol deviations can be useful for explaining missing or out-of-window data, for identifying parts of the protocol that are difficult and may need revision, for identifying instances of non-compliance of study site teams that need to be addressed and for identifying events that may require prompt reporting to the IRB.

Some protocols define procedures to be completed if the participant must have an unscheduled study visit — perhaps for the assessment or treatment of an adverse event during the study. If the protocol does define procedures for that type of visit, and the procedures were not completed, that seems like it would meet the definition of a protocol deviation, although the applicable policy should be consulted.

However, if an adverse event/serious adverse event occurs and the participant is seen and treated at a facility that is not participating in the clinical study, the providers there will presumably perform clinically appropriate testing. They may not complete every test that is defined in the protocol to be completed at a scheduled or unscheduled study visit. But they are not a study site, and they don’t have the protocol to follow. So it doesn’t seem to be useful or productive to document that there was a “deviation from the protocol,” when the providers didn’t have a protocol to follow. — Lindsay McNair, chief medical officer, WCG Clinical


Is IRB review required for publication of a single-patient case study from a case that occurred several years ago? — Physician at a private practice with a university faculty appointment


Research is defined by federal regulations as systematic investigation designed to contribute to generalizable knowledge. The retrospective analysis of the experience of a single patient’s experience with standard treatments would not likely meet an IRB’s definition of research and would not require review or exemption by the IRB.

Many IRB policies state that the analysis of a case series, which is more than three cases, meets the definition of human research and requires the submission and review by the IRB.

Note that some journals may require acknowledgement from the IRB that review of a case study is not required. You may want to check with the specific journal on its requirements. If you are trying to publish in a journal that is asking for evidence of IRB review, it can be difficult when IRB review was not prospectively obtained, even if the reason that it was not obtained is that it was not actually required.

Some IRBs will look at the project and provide letters that state that, had the project been submitted to them prospectively, they would have found that it did not require IRB review, and that documentation is satisfactory to the journal. However, we have heard of situations in which journals refused to accept this kind of retrospective letter. — Yvonne Higgins, QA advisor, WIRB-Copernicus Group


A subject in a clinical trial signed the informed consent document but did not sign the HIPAA authorization. Does this failure to obtain the subject’s signature need to be reported to the IRB or can the missing signature just be documented in a Note to File? — Project manager at a device company


Under the HIPAA Privacy Rule, an individual’s signed authorization allows the use or disclosure of the subject’s protected health information collected during the clinical trial. HIPAA authorizations for research can be either embedded within the research consent form or be separate from the research consent form. When they are separate, an IRB may review the HIPAA authorization but does not have to do so.

If the authorization has been reviewed and approved by the IRB, whether embedded or separate, then the failure to have the authorization signed should be reported to the IRB as noncompliance. However, if the IRB did not review the authorization, then the failure to have the authorization signed should be reported to the privacy officer or other institutional office of the covered entity. — David Forster, chief compliance officer, WCG Clinical