Revised Common Rule strengthened human-subject protections, simplified IRB oversight simplified

In January 2017, the regulations for ethical conduct of human research, known as the Federal Policy for the Protection of Human Subjects and referred to as the Common Rule, were updated to better protect human subjects involved in research, while facilitating valuable research and reducing burden, delay, and ambiguity for investigators (82 FR 7149, January 19, 2017). In addition, the revisions modernize and simplify the current system of independent review board (IRB) oversight. The changes to the Common Rule, which was originally adopted in 1991, become effective January 19, 2018. At a Health Care Compliance Association (HCCA) webinar, Laura Odwazny, Senior Attorney, HHS Office of the General Counsel, provided the background of, and insight into, the main changes made to the Common Rule.

The Common Rule

The Common Rule, which currently applies to 18 federal departments and agencies, outlines the basic provisions for prior approval of human subjects research by IRBs, informed consent of participants, and institutional assurances of compliance with the regulations. Some agencies have adopted regulatory protections for human subjects in addition to the Common Rule.

Organizations whose researchers receive federal funding to conduct human research must have a Federalwide Assurance (FWA), a written commitment to comply with federal regulations related to human research protections, on file with the OHRP. According to Odwazny, under the current regulations, if a research institution voluntarily extends FWA to all research regardless of the funding source, OHRP can extend its oversight of activities of privately funded research; however the preamble of the Final rule includes a plan to eliminate the voluntary extension of the FWA.

Major changes

Odwazny identified three major rules that were adopted in the Final rule: (1) single-IRB review for multi-institutional research in the U.S.; (2) extended compliance oversight jurisdiction to independent IRBs; and (3) improved informed consent, as well as allowing broad consent for unspecified future research use of already collected information and biospecimens.

The following areas were specifically addressed:

  • consent forms;
  • carve outs;
  • definitions of identifiable private information (IPI) and identifiable biospecimens;
  • concepts of broad consent;
  • limited IRB review; and
  • exemptions for secondary use research of IPI or identifiable biospecimens.

Streamlining IRB oversight

Odwazny explained that under the revised Common Rule, agencies have the authority to enforce compliance directly against IRBs not operated under the Federalwide Assurance. Under this change, compliance actions can be directed against an independent IRB responsible for regulatory noncompliance rather than against the institution working with the independent IRB. In addition, U.S. institutions engaged in cooperative research, which involves more than one institution, must rely on a single IRB approval for the portion of research conducted in the U.S. (the effective date for this provision is January 20, 2020). The single IRB must be identified by the federal department or agency supporting or conducting the research or by the lead institution subject to the acceptance of the federal department or agency supporting the research. The Final rule also provided exceptions to the mandated single IRB review, exceptions for continuing review, and changes to IRB recordkeeping requiring documentation related to these new exceptions.

Webinar tackles the tribulations of investigator initiated trials

Investigators should be careful to distinguish between interventional and observational studies when developing investigator initiated trials (IITs) because the distinction can effect billing strategies and budget, according a Health Care Compliance Association (HCCA) webinar, presented by Liz Christianson and David Russell of PFS Clinical. The webinar addressed key areas of focus for developing IITs, including protocol development, industry funding, and regulatory requirements.

IITs

Christianson noted there has been a remarkable renewed interest in IITs in the last two years, due largely due to industry sponsors realizing that IIT relationships are symbiotic. However, despite the renewed focus, IITs present challenges. In some cases, challenges arise from the fact that 85 percent of investigators have participated in only one clinical trial in their careers.

Protocols

Protocol development is important, particularly with respect to the articulation of an IIT as interventional or observational. Christianson noted that from reading the protocol it should be obvious whether an IIT is interventional or observational because the distinction can have significant downstream effects on budgets and billing. Christianson defined observational studies as trials where the investigator makes no intervention and allocates treatment based upon clinical decisions. She distinguished this from interventional studies, where participants are assigned to receive one or more interventions (or no intervention) so researchers can evaluate the effects of the interventions on health outcomes.

Billing

Because Medicare uses set criteria for reimbursement of trials, the objective language can be crucial to reimbursement. In observational studies, study actions should not be able to be linked to specific claims codes. Conversely, in an interventional study, actions should be linked to a specific billing code. Thus, the objective language in a study should clearly indicate what the PI’s true intent is—to treat with routine care, then collect patient data (observational) or to assign patients to specific treatment groups (interventional).

Registration

Russell discussed the registration of trials on ClinicalTrials.gov. All applicable clinical trials must be registered on the website in order to receive a unique National Clinical Trial (NCT) number, which is required on all CMS claims. Russell also covered specific data elements and registration information required by the September 21, 2016, Final rule for clinical trials (81 FR 64982). Russell reminded responsible parties that trials must be registered no later than 21 days after enrollment of the first participant and, at minimum, the applicable clinical trial must be updated every 12 months. Summary results (including adverse even information), must be submitted not later than one year after a trial’s primary completion date.

Human subject research: expert discusses recent privacy and security concerns

Recent privacy and security developments in human subject research were the topic of discussion during a recent Health Care Compliance Association (HCCA) webinar. The webinar presenter, William J. Roberts, a partner in Shipman & Goodwin LLP’s Health Law Practice Group and the Chair of its Privacy and Data Protection team, discussed: (1) the disclosure of substance use disorder records for research purposes; (2) the rights of a research subject to directly access their test results; and (3) electronic informed consent of research subjects.

Disclosure for research purposes

In discussing the disclosure of substance use disorder records of patients for research purposes, Roberts focused on the revised requirements for the research exception (42 C.F.R. sec. 2.52) set forth in the January 18, 2017 Final rule (82 FR 6052) issued by the Substance Abuse and Mental Health Services Administration (SAMHSA), which are effective March 21, 2017.

First, under the revised research exception at 42 C.F.R. 2.52(a), Roberts noted that a federally-assisted program or other lawful holder of patient identifying information may disclose this information to qualified personnel for the purpose of conducting scientific research if the individual designated as director or managing director, or other individual with comparable authority determines that the researcher or recipient of the patient identifying information satisfies the following requirements:

  • has obtained and documented patient authorization or a waiver/alteration of authorization consistent with HIPAA; and
  • provides documentation that (1) the researcher is in compliance with the requirements of the HHS regulations regarding the protection of human subjects, including the informed consent/waiver of consent requirements or (2) the research qualifies for exemption under the HHS regulations or any successor regulations.

In addition, under revised 42 C.F.R 2.52(b), Roberts pointed out that the researcher who receives the information must: (1) not re-disclose patient identifying information except back to the individual or entity from whom the information was obtained; (2) maintain and destroypatient identifying information in accordance with the security policies and procedures under the Part 2 regulations; (3) retain records in compliance with applicable federal, state, and local record retention laws; and (4) if necessary, resist in judicial proceedings any efforts to obtain access to patient records containing Part 2 data.

Further, under 42 C.F.R. 2.52(c), Roberts pointed out that researchers may link to data from federal and non-federal data repositories holding patient identifying information, if the researcher: (1) has the request for data linkages reviewed and approved by an institutional review board (IRB) registered with the HHS Office for Human Research Protections; and (2) ensures that patient identifying information obtained is not provided to law enforcement agencies or officials.

Finally, under 42 C.F.R. 2.52(d), Roberts indicated that upon receipt of patient identifying information, data repositories are fully bound by Part 2 regulations and must: (1) after providing the researcher with the linked data, destroy or delete the linked data from its records (including sanitizing any associated hard copy or electronic media); and (2) ensure that patient identifying information is not provided to law enforcement agencies or officials.

Roberts believes that the key take-aways from the revised Part 2 regulations are that: (1) we can expect a more simplified process for obtaining patient information from Part 2 subject facilities and providers, which may open more doors to research collaborations and projects: (2) population health studies will benefit from linkages; and (3) future revisions to the regulations may be possible because SAMHSA has been soliciting additional comments and has expressed openness to future changes.

Rights of research subjects

In discussing the right of research subjects to directly access their test results, Roberts focused on some problems with the February 6, 2014 joint CMS and Office of Civil Rights (OCR) Final rule designed to harmonize the requirements of the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and Health Insurance Portability and Accountability Act (HIPAA) rules (see Amended CLIA, HIPAA regulations provide patients direct access to lab test results, Health Law Daily, February 6, 2014).

According to Roberts, while the joint Final rule amended the CLIA requirements to permit laboratories to give completed test results directly to a patient or patient’s representative upon request, and the HIPAA rule to require HIPAA covered laboratories to provide access rights to patients, it also created a conflict. For example, CLIA prohibits non-CLIA certified research laboratories from returning results to individuals for the “diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients,” while HIPAA-covered laboratories have a legal responsibility to provide research results to research subjects upon request if the information is in the “designated record set.”

Roberts explained that the Secretary’s Advisory Committee on Human Research Protections (SACHRP) has made three recommendations to resolve the CLIA/HIPAA conflict:

  • HHS (including OCR, FDA, CMS) should clarify and ratify necessary regulatory interpretations or amendments so that researchers in a non-CLIA-certified laboratory are able to refer, without penalty, a research subject to a CLIA-certified laboratory for additional testing after identifying clinically actionable information.
  • HHS should clarify the duties of HIPAA covered entities to provide results to individuals, upon their request, from non-CLIA-certified laboratories.
  • OCR should provide guidance on how to interpret the “designated record set” in the context of access to test results from non-CLIA research laboratories.

Until there is closure on these recommendations, Roberts recommended that covered entities: (1) review existing practices of researchers with respect to participants’ access to test results; (2) review the standard for determining what test results are part of the “designated record set”; and (3) consult the IRB or counsel about responding to requests.

Electronic informed consent

Roberts’ discussion of electronic informed consent (eIC) included the examination of: (1) a joint FDA/Office for Human Research Protections (OHRP) frequently asked questions guidance; (2) paper v. eIC; (3) electronic signatures; and (4) verification of the research subject’s identity.

The upshot of the joint guidance, according to Roberts, is that: (1) if the research is conducted or supported by HHS and involves a FDA-regulated product, it is subject to both the FDA and HHS regulations; and (2) in the event the regulations differ, the regulations that offer the greater protection to human subjects should be followed.

Roberts explained that both OHRP and FDA regulations allow for the use of eIC and paper informed consent, independently or in combination with each other, and for electronic signatures to be used in lieu of traditional signatures.

Roberts suggested that an eIC should: (1) be easy to navigate, (2) allow the user to proceed forward and backward and to stop and continue at a later time, (3) use hyperlinks where helpful, (4) give patients options to use paper or electronic; and (5) ask: Do research subjects need assistance in completing the eIC? Roberts also suggested that research subjects be given a copy of the written informed consent form, preferably with the subject’s signature and the date the form was executed.

Finally, Roberts cautioned that before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization must verify the identity of the individual.

Overall, with regard to eIC, Roberts recommends checking with the IRB about the use of eIC to ensure that the IRB agrees that the format may be used for the particular research. Examples of possible formats include: encrypted digital signature, electronic signature pad, voice print, and digital fingerprint.

Roberts also recommended: (1) reviewing and revising privacy policies and procedures with respect to any eIC data stored in “the cloud” to ensure compliance with applicable laws; (2) ensuring that eIC materials are easy for the research subject to navigate; and (3) ensuring eIC technology allows an easy way for subjects to ask questions and get answers.