When must an unanticipated problem involving an incident of data theft be reported to the IRB according to OHRP?

The requirement to report unanticipated problems involving incidents of data theft "promptly" is based on the need for immediate communication to ensure the safety and welfare of research participants. The term "promptly" reflects the urgency and importance of addressing such incidents as soon as they are recognized.

Failure to report these types of incidents in a timely manner could lead to prolonged risks to participants or potential violations of their confidentiality, further complicating the ethical obligations of researchers. The intent behind this guideline is to facilitate swift action to mitigate harm and uphold the integrity of the research study.

While specific timelines like 24 hours, 48 hours, or two weeks might provide clarity, "promptly" is used to allow researchers to use their best judgment in determining the most immediate timeframe that aligns with their institutional policies and the specific nature of the incident. This flexibility is essential in managing the varying circumstances that can surround data breaches and ensuring that critical information reaches the IRB without unnecessary delays.