Your IRB application is due in three days. You've described your study procedures, but now you're stuck on the risks section. Are surveys really risk-free? What counts as minimal risk? Should you mention that participants might feel uncomfortable answering personal questions? How detailed should your data security plan be? You keep revising, unsure whether you're being too cautious or not cautious enough. The application is 15 pages and you're second-guessing every paragraph.
IRB protocols aren't just bureaucratic hurdles. They're systematic assessments of whether your research protects participants adequately. Get them wrong and you face delays, requests for major revisions, or rejection that pushes your research back months. Get them right and you demonstrate that you've thought carefully about ethics, built appropriate protections, and can conduct research responsibly.
This guide shows you how to write IRB protocols that get approved. You'll learn how to assess and articulate risks honestly, design informed consent procedures that respect autonomy, build data protection plans that satisfy regulations, address vulnerable population protections appropriately, and respond to IRB feedback strategically when revisions are requested.
Understanding IRB Review Categories
Not all research requires the same level of review. Understanding categories helps you prepare appropriate applications.
Exempt Research
Research involving no more than minimal risk in specific categories:
- Educational research in normal educational settings
- Anonymous surveys/interviews on non-sensitive topics with adults
- Observation of public behavior without recording identifiable information
- Secondary analysis of existing de-identified data
- Some quality improvement activities
Exempt doesn't mean no review. It means streamlined review. You still submit a protocol, but approval is faster (often 1-2 weeks).
Common mistake: Assuming surveys are automatically exempt. If surveys ask about illegal behavior, traumatic experiences, or sensitive topics, they likely aren't exempt even if anonymous.
Expedited Review
Research involving no more than minimal risk using procedures on the expedited categories list:
- Collection of biological specimens by non-invasive means (blood draws, urine, saliva)
- Collection of data through non-invasive procedures used clinically
- Research on individual or group characteristics using surveys, interviews, or observations
- Prospective collection of biological specimens for research
Expedited review by IRB chair or designee, typically 2-4 weeks. Most social science research falls here.
Full Board Review
Research involving more than minimal risk or vulnerable populations often requires full board review:
- Research with vulnerable populations (children, prisoners, pregnant women, cognitively impaired)
- Research involving more than minimal risk
- Clinical trials of investigational drugs or devices
- Research using deception without complete disclosure
Full board meets monthly or bi-monthly. Review takes 4-8 weeks. Your protocol is discussed by the full committee and you may be asked to attend.
Defining Minimal Risk
IRB regulations define minimal risk as "the probability and magnitude of harm or discomfort anticipated in the research are not greater than those ordinarily encountered in daily life or during routine physical or psychological examinations."
This is subjective and IRBs interpret it differently. Here's how to think about it:
Examples of Minimal Risk
Standard surveys and questionnaires on non-sensitive topics: stress in college students, consumer preferences, exercise habits
Brief interviews about professional experiences, educational backgrounds, hobbies
Observation of public behavior without recording identifiers
Standard blood draws by trained phlebotomists: temporary discomfort equivalent to routine medical care
Non-invasive physiological measurements: blood pressure, height, weight
Examples of More Than Minimal Risk
Surveys or interviews about traumatic experiences, illegal behavior, stigmatized conditions when identifiable
Research inducing psychological stress beyond daily life: watching disturbing videos, social rejection paradigms
Physical risks beyond daily life: invasive procedures, experimental medications, strenuous exercise in at-risk populations
Significant privacy risks: research on highly sensitive topics with identifiable data
Grey Areas
Anonymous surveys about sensitive topics: probably minimal risk if truly anonymous, but explain why
Interviews about sensitive topics with strong confidentiality protections: could go either way depending on safeguards
Exercise research: minimal risk for healthy adults, may be more for cardiac patients
When in doubt, describe risks thoroughly and let the IRB decide. Don't minimize risks to try to fit in a lower category. IRBs see through this and it undermines credibility.
Unsure how to assess risks in your study?
River's AI helps identify potential risks across physical, psychological, social, and privacy domains, assess their likelihood and severity, and suggest mitigation strategies for IRB protocols.
Assess Research RisksWriting the Procedures Section
The procedures section describes what participants will actually experience. This is where IRB members assess whether protections are adequate.
Be Extremely Specific
Vague procedures raise flags. Don't say "Participants will complete surveys." Say:
"Participants will complete three online surveys via Qualtrics during a single 45-minute session in a private laboratory room. Surveys assess: (1) Depression symptoms (PHQ-9, 9 items), (2) Anxiety symptoms (GAD-7, 7 items), and (3) Social support (MSPSS, 12 items). Research staff will be available outside the room if participants have questions or concerns. Participants may skip questions or withdraw at any time without penalty."
This tells the IRB: how long participation takes, what exactly participants do, what topics are covered, where it happens, who's present, and what options participants have.
Include Timeline and Duration
If research involves multiple sessions, specify timing:
"**Baseline (Week 0, 60 minutes):** Informed consent, demographic survey, baseline assessments
**Intervention period (Weeks 1-8):** Participants randomized to 8 weekly 1-hour group sessions (intervention) or no treatment (control)
**Post-test (Week 9, 45 minutes):** Repeat baseline assessments
**Follow-up (Week 21, 30 minutes):** Final assessment via phone"
This shows you've thought through logistics and allows IRB to assess burden on participants.
Address Special Procedures
If using deception, audio/video recording, vulnerable populations, or invasive procedures, explain necessity and protections:
"**Deception:** Participants will be told the study examines problem-solving, but the actual focus is how social feedback affects performance. Deception is necessary because knowledge of the true purpose would alter behavior. Participants will be fully debriefed immediately after completing the study, including explanation of deception and opportunity to withdraw data if they wish."
Informed Consent: More Than a Form
Informed consent isn't just getting a signature. It's ensuring participants understand what they're agreeing to.
Essential Elements of Consent
Federal regulations require consent forms to include:
- Statement that research is voluntary
- Purpose of research
- Expected duration of participation
- Description of procedures
- Reasonably foreseeable risks
- Benefits (or statement that there are none)
- Alternative procedures or treatments (if any)
- Confidentiality protections and limitations
- Compensation and medical treatment if injury occurs (if applicable)
- Who to contact with questions (researcher and IRB)
- Statement that refusal or withdrawal has no penalty
Writing Consent Forms for Comprehension
Consent forms are often too complex. Aim for 8th-grade reading level. Use short sentences and common words.
Bad: "The investigational procedures will consist of standardized psychometric assessments administered via computer-based methodology to ascertain current symptomatology."
Good: "You will answer questions on a computer about your mood and stress levels. This will take about 30 minutes."
Use headings, bullet points, and white space. Don't make consent forms dense legal documents. Make them readable guides to what participation involves.
Consent Process, Not Just Forms
Describe how you'll ensure understanding:
"Research staff will review consent forms verbally, highlighting key points: time commitment, what participants will do, potential discomforts, and right to withdraw. Staff will ask 'Do you have questions?' and encourage questions. We'll use teach-back method: 'Can you tell me what you'll do in this study?' to confirm comprehension. Only after questions are answered and comprehension confirmed will we ask for signatures."
Special Consent Situations
Children: Requires parental permission PLUS child assent. Assent forms should be age-appropriate. For young children (under 7), verbal assent is typical. For older children and teens, written assent using simpler language than adult consent.
Cognitively impaired: May require legally authorized representative consent. Assess capacity case-by-case. When possible, obtain both representative consent and participant assent.
Non-English speakers: Provide professionally translated consent forms and interpreters during consent process. Don't rely on family members to translate—this creates pressure and may not be accurate.
Waiver of documentation: For anonymous surveys, written consent can create the only link to identity. You can request waiver of signed consent if: (1) only record linking participant to research is consent form, (2) principal risk is breach of confidentiality, and (3) research involves no more than minimal risk.
Data Confidentiality and HIPAA
Data protection is where many protocols fall short. IRBs need specific plans, not vague assurances.
Data Storage and Security
Specify exactly how data will be protected:
"**Electronic data:** Stored on password-protected, encrypted university servers. Only PI and research coordinator have access via unique passwords. Data files encrypted using AES-256 encryption. Automatic logout after 15 minutes inactivity.
**Physical data:** Consent forms stored in locked filing cabinet in PI's locked office on campus. Only PI has keys.
**Audio recordings:** Stored on encrypted server during transcription. Professional transcription service is HIPAA-compliant and has signed confidentiality agreement. Recordings deleted after transcripts verified.
**Master list:** Linking participant IDs to names stored separately from data in password-protected file accessible only to PI."
Data Retention and Destruction
Federal regulations require maintaining data for specified periods (often 3-7 years). Specify:
"Data will be retained for 7 years per NIH requirements. After 7 years, electronic files will be permanently deleted using secure deletion software. Physical documents will be shredded. Audio recordings will be deleted after transcription verification (approximately 3 months after collection)."
HIPAA Compliance (for Health Research)
If you're collecting protected health information (PHI) from covered entities (hospitals, clinics, health plans), you need HIPAA authorization in addition to IRB consent.
HIPAA authorization must include:
- Specific description of information to be used/disclosed
- Who will receive information
- Purpose of use/disclosure
- Expiration date or event
- Right to revoke authorization
- Statement that information may be redisclosed
Many IRBs have combined consent/HIPAA authorization templates. Use them.
Data security plan feeling incomplete?
River's AI helps structure comprehensive data protection plans with storage protocols, access controls, encryption methods, retention policies, and HIPAA compliance measures for IRB protocols.
Build Security PlanRecruiting Participants Without Coercion
IRBs scrutinize recruitment for potential coercion, especially with vulnerable populations.
Avoiding Coercion
Students: Don't recruit your own students. If recruiting from courses, offer alternative ways to earn credit. Never make participation a course requirement.
"Students can earn extra credit through research participation OR completing an alternative assignment (reading and summarizing research article) of equivalent effort."
Employees: Don't recruit your supervisees. If recruiting employees, ensure supervisors aren't involved and participation doesn't affect employment.
"Recruitment flyers will be posted in break rooms. Supervisors will not know who participates. Participation is completely voluntary and will not affect employment, evaluations, or advancement."
Patients: Healthcare providers should not directly recruit their own patients. Use third-party recruiters or posted notices.
"Clinic staff will provide informational flyers to eligible patients. Interested patients will contact research team directly. Treating physicians will not know who participates. Participation will not affect medical care, and declining will not affect physician relationship."
Compensation Without Coercion
Compensation should be reasonable but not so high it's coercive. IRB red flag: compensation that seems disproportionate to time and risk, especially for low-income populations.
Reasonable: $15-20 per hour for survey research, $25-50 per hour for more burdensome research, plus compensation for travel/parking
Questionable: $500 for a 2-hour survey study
Pro-rate compensation: "Participants will receive $20 after Session 1, $20 after Session 2, and $20 after Session 3. Those who withdraw early receive compensation for sessions completed."
Addressing Risks Honestly
Don't minimize risks to make your protocol look cleaner. IRBs appreciate thorough risk assessment and see through attempts to downplay problems.
Psychological Risks in Survey Research
Even surveys can create risks:
"While surveys pose minimal physical risk, questions about trauma may cause psychological discomfort. Some participants may experience temporary emotional distress when reflecting on difficult experiences. To minimize: (1) Participants informed during consent that questions may be sensitive. (2) Participants can skip questions or withdraw without penalty. (3) Contact information for counseling resources provided. (4) If participants become distressed, research staff will provide support and referral information."
Confidentiality Risks
Perfect confidentiality is impossible. Acknowledge this:
"Despite extensive protections, we cannot guarantee absolute confidentiality. Risks include: (1) Data breach (low probability): While data are encrypted and secure, no system is completely breach-proof. (2) Deductive disclosure (very low probability): In aggregate publications, someone might deduce participant identity if sample is small and characteristics are unique. We minimize this by aggregating data and not reporting demographic details that could identify individuals."
Mandatory Reporting
If research could uncover situations requiring reporting (child abuse, imminent harm), disclose this:
"Confidentiality has legal limits. If we learn of child abuse, neglect, or that you intend to harm yourself or others, we are required by law to report to appropriate authorities. We will inform you if this occurs unless doing so would place someone at risk."
Responding to IRB Feedback
Most protocols receive conditional approval requiring revisions. How you respond determines approval timeline.
Common IRB Requests
"Provide more detail about [procedures/risks/protections]." Add specificity. Don't just say "we'll protect confidentiality"—explain exactly how.
"Revise consent form for reading level." Simplify language, shorten sentences, use bullets. Online readability checkers help.
"Explain how you'll minimize [specific risk]." Add concrete mitigation strategies. Generic assurances don't satisfy IRBs.
"Clarify compensation." Specify amounts, timing, pro-rating. Make clear it's not coercive.
"Address vulnerable population protections." If working with children, prisoners, etc., explain additional safeguards.
Writing Your Response
Use a point-by-point response format:
**IRB Request 1:** "Provide more detail about how psychological distress will be managed if participants become upset during interviews."
**Response:** We have revised the protocol (page 8, Risk section) to include detailed distress management procedures: (1) All interviewers will complete mental health first aid training before conducting interviews. (2) If a participant shows signs of distress (crying, becoming withdrawn, requesting to stop), the interviewer will pause the interview, offer a break, and ask if the participant wants to continue. (3) We have partnered with [University Counseling Center] to provide same-day emergency counseling if needed. Contact information is included in consent form. (4) Participants will receive follow-up contact within 48 hours after interviews on sensitive topics to assess wellbeing. (5) If serious concern arises, we will facilitate referral to appropriate services.
Revised section is highlighted in yellow in attached revised protocol.
Common IRB Mistakes That Delay Approval
Using templates without customizing. Generic language like "appropriate protections will be implemented" flags protocols as incomplete. Be specific.
Inconsistencies between sections. Consent form says participation takes 30 minutes, protocol says 60 minutes. This suggests carelessness.
Missing required elements. IRB applications have checklists. Follow them exactly. Missing sections cause automatic rejections.
Overpromising confidentiality. Saying "all data will be completely anonymous" when you're collecting names and contact information. Don't promise what you can't deliver.
Inadequate risk assessment. Saying "there are no risks" for any human subjects research is almost never true. Even minimal risk surveys have some risk.
Vague data security plans. "Data will be kept secure" doesn't tell IRB how. Specify encryption, passwords, physical locks, access restrictions.
Not explaining deviations from standard practice. If you're requesting waiver of documentation, expedited review for sensitive research, or other exceptions, justify thoroughly.
Key Takeaways
IRB protocols are systematic assessments of whether research adequately protects participants. Thorough, honest protocols get approved faster than those that minimize risks or provide vague assurances.
Understand review categories before writing. Most social science research qualifies for exempt or expedited review if risks are minimal and procedures are standard. Research with vulnerable populations or more than minimal risk requires full board review.
Define risks honestly and specifically. Identify potential physical, psychological, social, legal, and privacy risks. For each risk, assess likelihood and severity, then explain concrete mitigation strategies. Don't say "we'll protect participants"—explain exactly how.
Write procedures sections with enough detail that IRB can evaluate adequacy of protections. Specify what participants will do, how long it takes, where it happens, who's involved, and what options participants have at each stage.
Design informed consent as a process ensuring understanding, not just signature collection. Use clear language, provide time for questions, assess comprehension, and accommodate special populations appropriately.
Build comprehensive data protection plans with specific storage, encryption, access control, retention, and destruction procedures. If collecting health information, ensure HIPAA compliance. Acknowledge that perfect confidentiality is impossible but explain extensive protections.
Address recruitment carefully to avoid coercion. Be especially cautious with vulnerable populations, students, employees, or patients. Compensation should be reasonable but not coercive. Explain how you'll ensure participation is truly voluntary.
When responding to IRB feedback, provide specific revisions addressing each concern. Point to exact locations in revised documents. Don't just say you'll make changes—show exactly what you changed and why it addresses the concern. Thorough responses expedite final approval.