The UNC Chapel Hill med school mammography study victimized by a computer hacker did not need to get the consent of patients whose data was submitted to it due to a federal regulation related to studies of large populations.
Judging from the emails and phone calls I've received over the last week since writing this story, that explanation isn't sitting well with many of the more than 100,000 women whose social security numbers and other personal information was exposed when the hacking took place.
Some folks have asked about the federal regulation. Well, here you go: Click here for the government website and scroll down to the section 46.116 (d)
Here's what it says:
An IRB may approve a consent procedure which does not include, or which alters, some or all of the elements of informed consent set forth in this section, or waive the requirements to obtain informed consent provided the IRB finds and documents that:
(1) The research involves no more than minimal risk to the subjects;
(2) The waiver or alteration will not adversely affect the rights and welfare of the subjects;
(3) The research could not practicably be carried out without the waiver or alteration; and
(4) Whenever appropriate, the subjects will be provided with additional pertinent information after participation.