Institutional Review Boards (IRBs) and End-user License Agreements (EULAs)

The Gap between Institutional Review Boards (IRBs) and End-user License Agreements (EULAs) in Digital Health Research

Digital technologies are evolving at a rapid pace, transforming clinical research and health care worldwide. With the growing use of multimedia tools, mHealth apps, and big databases in medicine, however, security and privacy risks are also increasing. As wireless sensors, mobile devices, and software programs have the potential to collect and manage vast amounts of sensitive information, informed consent and user agreement become mandatory.

To protect patients’ welfare, institutional review boards (IRBs) – the primary administrative bodies which can approve or reject a clinical study – play a crucial role in enforcing research ethics and informed consent in medical research. Standard operating procedures (SOPs) can help institutional review board members enhance compliance with study protocols and ethical principles. Nevertheless, regulations fall behind the rapid development of digital health tools. In fact, due to the large number of mHealth apps available online, regulatory bodies are unable to assess novel digital health services in a timely and effective manner.

Similarly, to ensure compliance with federal law and international regulations, owners and licensors of mHealth apps and Web-based services impose end-user license agreements in practice. End-user license agreements (EULAs) define the rights between users and providers and give purchasers access to products. However, such digital contracts often contain exculpatory language that relieves the provider of their liability for harm, which is intolerable in clinical research.

Although ethical principles in digital health call for informed consent, research shows that participants accept legal documents without reading them. Interestingly, end-user licensing agreements may have desensitized end users to reading lengthy contracts (Barrera et al., 2016). With patients’ safety and confidentiality in digital health not ensured, a gap between institutional review boards and end-user license agreements has emerged.

End-user License Agreements (EULAs) and Digitalization of Health Care

The opportunities which digital health tools provide in medical research and routine clinical care are immense. Telemedicine and multimedia tools can improve patient access to medical care and facilitate electronic informed consent. Push notifications, mHealth apps, electronic health records (EHRs), and big data can improve patient outcomes and interoperability. On the other hand, the implementation of digital health data comes with numerous security and privacy risks. From data sharing with third-party sites to phishing, users’ safety and confidentiality are often exposed to risk. To enhance standards across digital tools and providers, end-user license agreements become vital tools to regulate data sharing and prevent data breaches.

End-user license agreements are defined as software licenses or documents that define users’ rights and responsibilities. In mHealth app development, end-user license agreements are mandatory; they are used to obtain consent in the use of technology (Barrera et al., 2016). Such contracts grant a patient a license to utilize apps and services, stating important terms and conditions. By entering the agreement, the user is given access to the product. In other words, a user must click on Agree to use the software. End-user license agreements, however, contain pages of legalistic language, and careful review by users is rare. Note that user contracts cover technicalities, such as:

  • License grant and intellectual property rights
  • Copy and use terms (restrictions, multiple platforms, updates, copies, etc.)
  • Technical support and maintenance
  • Termination and audit
  • Payments and Taxes
  • Limited warranty and liability
  • Privacy and confidentiality
  • General provisions and infringement rights
  • Contact information


Furthermore, although end-user licensing agreements restrict unauthorized use of the product, experts agree that such documents are designed to protect the owner of the product (not the user). In fact, end-user license agreements contain exculpatory language which limits a provider’s liability and allows them to disclaim warranties and repercussions. Such documents also protect a vendor’s intellectual property and give the vendor access to patients’ private data. The caveat is that end-user license agreements protect the copyright owner, not the patient. Therefore, today’s end-user license agreements cannot substitute for the informed consent process, which is mandatory in digital health research.

Institutional Review Boards and Research Ethics

To protect patients’ rights and improve the informed consent process, institutional review boards play a crucial role in research. Institutional review boards, also known as independent ethics committees (IECs), are administrative bodies that review study protocols and assess potential benefits and risks to patients. To be more precise, the International Council on Harmonization (ICH) defines an institutional review board as a group designed to ensure patients’ well-being. Numerous unethical experiments on humans have stressed the importance of good clinical practice (GCP), voluntary consent, and drug safety testing. Note that the Nuremberg Code, the Declaration of Helsinki, and the Belmont Report are some of the first regulatory milestones in research ethics. Today, the International Conference on Harmonization (ICH) for Good Clinical Practice (GCP) guidance is among the essential factors which institutional review boards should consider. Regulations are vital to ensure standardization and compliance across research bodies, as well as replication. In fact, replication standards are fundamental to resolve the replication crisis in contemporary research.

Institutional review boards assess not only medical studies but academic research that involves human beings, including data mining (Leetaru, 2017). Standard procedures and guidelines can help institutional review board members improve the informed consent process in research. The informed consent process, as explained above, is crucial in clinical trials that involve human participants. Researchers must provide clear information about risks, benefits, and alternatives. Additionally, digital health researchers must minimize coercion and provide sufficient time for decision-making. Consent forms cover aspects, such as:

  • Purpose of the informed consent form
  • Information about the study protocol
  • Risks, benefits, and alternatives to patients
  • Legal, ethical, and administrative compliance
  • Support and contact information


Consent is required in both low- and high-risk studies. When it comes to big data, patients must be informed about the way their data is stored and utilized. Institutional review board members must review informed consent documents in data mining of commercial and public datasets as well. Designing effective and easy-to-understand documents, however, is a challenge. The increasing length and complexity of informed consent documents also complicate the process, resulting in low recruitment and increased costs. In fact, research shows the majority of participants do not read the consent document before agreeing to participate in research (Desch et al., 2011). The majority of patients perceive consent documents like end-user license agreements, especially in low-risk studies. Desch and colleagues recruited 1,209 people who were asked to review a 2,833-word consent form. Although the minimum expected reading time was 566 seconds, the median time to agree was 53 seconds. Therefore, institutional review boards must optimize the consent process with the sole purpose of ensuring patients’ safety. After all, informed decision, voluntary participation, autonomy, and confidentiality are vital ethical principles in digital health.

Bridging the Gap between Institutional Review Boards (IRBs) and End-user License Agreements (EULAs)

Interconnected devices and services that facilitate data collection, recruitment, and interoperability are evolving at a rapid pace, raising numerous present-day concerns. Digital health research relies on technologies to facilitate drug development and improve patient outcomes. Big data research is also on the rise, allowing experts to access a wide variety of patient details and genomic data. However, as the number of datasets is rocketing, data restrictions and privacy risks are also increasing. To bridge the gap between institutional review board members and software developers:

  1. Users must be able to differentiate end-user license agreements from informed consent forms. An end-user license agreement protects the manufacturer from liability and gives users access to the product, while a consent form informs subjects of their rights and protects their well-being. Unlike user agreements, consent forms cannot include any exculpatory language which frees researchers from malpractice and fault. Consent forms need special consideration, especially in studies where a user agreement is in place.
  2. Information in both user agreements and consent forms must be easy to access and comprehend. Multimedia tools can improve the consent process in research and improve user experience. Multi-modal consents in e-platforms, for instance, can integrate visuals and interactive tasks to improve retention of knowledge and user experience.
  3. As software products and digital services come with end-user license agreements, institutional review board responsibilities increase. Institutional review board members should have the expertise to evaluate digital health tools and mHealth apps. Researchers should also be able to decide how data usage terms in the end-user licensing agreement can impact the informed consent form. For this reason, institutional review board members, principal investigators, and IT specialists must work together to improve digital health research.
  4. Ideally, mHealth apps should be created for the purpose of the research. A tailored app will allow ethics committee members to modify the end-user license agreement or create a temporary version of it. In case a software product is not offered on a research platform, it should be approved in an official app store. Note that contracts should exclude exculpatory language.
  5. In big data research, particularly, medical professionals and IT specialists must find a balance between data collection and study protocols. Interestingly, big data and low-risk research (e.g., human genetic research) constitute more than 50% of the costs to institutional review boards. Ethical review of research needs to be optimized in the field of computer science (Leetaru, 2017). To set an example, researchers can map out data collection and sharing points in a flowchart and describe data access rights in a table.
  6. In multisite clinical studies, reliance agreements can help digital health researchers avoid duplication between multiple institutional review boards. To set an example, experts must decide what happens if an institutional review board approves a study, but the manufacturer of the tool (or the Web-based service) rejects it as unethical. Note that SMART IRB is a platform which can improve multisite human subjects research.
  7. In the end, standards and ethics must be implemented in medical research and practice. Experts must create clear protocols, tools, and procedures to implement digital health standards in research. The Health Insurance Portability and Accountability Act (HIPAA), for instance, is one of the main sets of security standards utilized to facilitate patients’ safety and data exchange.

Institutional Review Boards (IRBs) and End-user License Agreements (EULAs): In a Nutshell

From sensors that analyze biometrics to social media channels that facilitate recruitment, digital health technology is reshaping medical practices worldwide. Nevertheless, security and privacy risks are rising along with the growing use of technology. Institutional review board members and IT specialists must establish strict standards and procedures to ensure patients’ security and confidentiality. Informed consent and user agreement become mandatory.

To optimize medical research and improve patient outcomes, though, digital health researchers must improve the understanding of consenting. Multimedia tools (e.g., online quizzes) can facilitate e-consent; such tools can improve the acquisition and retention of knowledge and boost user engagement. Consequently, consent documents must be approved by an institutional review board.

Institutional review boards must review the entire consent process, as well as the impact of end-user license agreements on research. Exposure to end-user licensing agreements presents unique challenges in digital health. Studies show that users accept the terms and conditions of contracts and end-user license agreements without reading them. While consent forms ensure patients’ safety, user agreements protect providers only. Although digital health research relies on software programs and Web-based services, such practices and exculpatory language are unacceptable in medical studies.

Users, IT specialists, ethics committee members, and investigators must ensure patients’ access to information and voluntary participation. In the end, digital health research ethics encompass more than an Agree box.


  1. Barrera, A., Dunn, L., Nichols, A., Reardon, S., & Munoz, R. (2016). Getting It ‘Right’: Ensuring Informed Consent for an Online Clinical Trial. Journal of Empirical Research on Human Research Ethics, 11 (14), p. 291-298.
  2. Desch, K., Li, J., Kim, S., Laventhal, N., Metzger, K., Siemieniak, D., & Ginsburg, D. (2011). Analysis of Informed Consent Document Utilization in a Minimal-Risk Genetic Study. Annals of Internal Medicine, 155 (5), p. 316-322.
  3. Leetaru, K. (2017, September 1). A Case Study In Big Data And The Replication Crisis. Retrieved from
  4. Webinar Follow-up: Digital Health Technology and Human Subjects Research – What IRBs Need to Know (2018, May 28). Retrieved from


Louise Corscadden, PhD

Dr Louise Corscadden acts as Conduct Science’s Director of Science and Development and Academic Technology Transfer. Her background is in genetics, microbiology, neuroscience, and climate chemistry.
