Requirements regarding keeping databases for research databases differ by organization, so please check with your IRB. According to the federal regulations, research is defined as a systematic investigation designed to develop or contribute to general knowledge (45 CFR 46.102(d)). A human subject means a living individual about whom an investigator conducting research obtains 1) data through intervention or interaction with the individual, or 2) identifiable private information. Information regarding email address and name are, thus, identifiable information. However, as recruitment databases are not for a specific study and not intended to contribute to generalizable knowledge, many IRBs (but not all) do not consider them research in and of themselves. Therefore, IRB approval is not required to house and use a recruitment database.
HIPAA compliance brings this into slightly trickier territory. If you are a HIPAA-covered entity (e.g. a hospital), your recruitment database may fall under HIPAA regulations because of the nature of your operation as a health care provider/plan/clearinghouse. As many academic organizations are not HIPAA-covered entities, the compliance office can (and do) view these recruitment databases outside of HIPAA regulations. Regardless of whether you are a HIPAA-covered entity, it is best practice to have people ‘opt in’ to having their information stored for such a purpose. It just depends on whether you have to have the document and process IRB and/or Privacy Office approved.
Documenting approval by a person to store their information can be done several ways. It can be done with a HIPAA compliant PHI Authorization form (if HIPAA covered) or another non-research consent document that asks the person’s permission to store information (list the information stored) for the purpose of being contacted about future research studies (of which they don’t have to participate). If possible, have them opt-in or opt-out of the types of studies they want to be notified about. Just remember that if you give people the option of such notification, you have to be able to track it. If the database is a medical record, or other HIPAA-covered document, you also have the option to obtain a partial waiver of PHI Authorization to access that information for the purpose of research without the potential subject’s consent (even if you are part of the patient’s care team). This waiver would be a study-specific request and not umbrella approval to review records of anyone for any study.
All of this being said, in your recruitment plan that is being approved by the IRB, you should disclose that you are utilizing this database to recruit for your study, regardless of whether or not it has IRB approval. Discuss the information that you will be screening to identify potential participants and the method that you will be notifying them about a potential study opportunity.