[Federal Register Volume 76, Number 143 (Tuesday, July 26, 2011)]
[Proposed Rules]
[Pages 44512-44531]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-18792]
[[Page 44512]]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 46, 160, and 164
Food and Drug Administration
21 CFR Parts 50 and 56
Human Subjects Research Protections: Enhancing Protections for
Research Subjects and Reducing Burden, Delay, and Ambiguity for
Investigators
AGENCIES: The Office of the Secretary, HHS, and the Food and Drug
Administration, HHS.
ACTION: Advance notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The Office of the Secretary of the Department of Health and
Human Services (HHS) in coordination with the Office of Science and
Technology Policy (OSTP) is issuing this advance notice of proposed
rulemaking (ANPRM) to request comment on how current regulations for
protecting human subjects who participate in research might be
modernized and revised to be more effective. This ANPRM seeks comment
on how to better protect human subjects who are involved in research,
while facilitating valuable research and reducing burden, delay, and
ambiguity for investigators.
The current regulations governing human subjects research were
developed years ago when research was predominantly conducted at
universities, colleges, and medical institutions, and each study
generally took place at only a single site. Although the regulations
have been amended over the years, they have not kept pace with the
evolving human research enterprise, the proliferation of multi-site
clinical trials and observational studies, the expansion of health
services research, research in the social and behavioral sciences, and
research involving databases, the Internet, and biological specimen
repositories, and the use of advanced technologies, such as genomics.
Revisions to the current human subjects regulations are being
considered because OSTP and HHS believe these changes would strengthen
protections for research subjects.
DATES: To be assured consideration, comments must be received at one of
the addresses provided below, no later than 5 p.m. on September 26,
2011.
ADDRESSES: You may submit comments, identified by docket ID number HHS-
OPHS-2011-0005, by one of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Enter the above docket ID number in the ``Enter Keyword or ID'' field
and click on ``Search.'' On the next Web page, click on ``Submit a
Comment'' action and follow the instructions.
Mail/Hand delivery/Courier [For paper, disk, or CD-ROM
submissions] to: Jerry Menikoff, M.D., J.D., OHRP, 1101 Wootton
Parkway, Suite 200, Rockville, MD 20852.
Comments received, including any personal information, will be
posted without change to http://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Jerry Menikoff, M.D., J.D., Office for
Human Research Protections (OHRP), Department of Health and Human
Services, 1101 Wootton Parkway, Suite 200, Rockville, MD 20852;
telephone: 240-453-6900 or 1-866-447-4777; facsimile: 301-402-2071; e-
mail: jerry.menikoff@hhs.gov.
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Background
II. Ensuring Risk-Based Protections
III. Streamlining IRB Review of Multi-Site Studies
IV. Improving Informed Consent
V. Strengthening Data Protections To Minimize Information Risks
VI. Data Collection To Enhance System Oversight
VII. Extension of Federal Regulations
VIII. Clarifying and Harmonizing Regulatory Requirements and Agency
Guidance
IX. Agency Request for Information
I. Background
U.S. Federal regulations governing the protection of human subjects
in research have been in existence for more than three decades. Twenty
years have passed since the ``Common Rule,'' (codified at Subpart A of
45 CFR part 46) was adopted by 15 U.S. Federal departments and agencies
in an effort to promote uniformity, understanding, and compliance with
human subject protections.\1\
Existing regulations governing the protection of human subjects in
Food and Drug Administration (FDA)-regulated research (21 CFR parts 50,
56, 312, and 812) are separate from the Common Rule but include similar
requirements.
The history of contemporary human subjects protections began in
1947 with the Nuremberg Code, developed for the Nuremberg Military
Tribunal as standards by which to judge the human experimentation
conducted by the Nazis. The Code captures many of what are now taken to
be the basic principles governing the ethical conduct of research
involving human subjects.
Similar recommendations were made by the World Medical Association
in its Declaration of Helsinki: Recommendations Guiding Medical Doctors
in Biomedical Research Involving Human Subjects, first adopted in 1964
and subsequently revised many times.
Basic regulations governing the protection of human subjects in
research supported or conducted by HHS (then the Department of Health,
Education and Welfare) were first published in 1974. In the United
States, a series of highly publicized abuses in research led to the
enactment of the 1974 National Research Act (Pub. L. 93-348), which
created the National Commission for the Protection of Human Subjects of
Biomedical and Behavioral Research (National Commission). One of the
charges to the National Commission was to identify the basic ethical
principles that should underlie the conduct of biomedical and
behavioral research involving human subjects and to develop guidelines
to assure that such research is conducted in accordance with those
principles. In 1979, the National Commission published ``Ethical
Principles and Guidelines for the Protection of Human Subjects of
Research,'' also known as the Belmont Report (http://www.hhs.gov/ohrp/policy/belmont.html) which identified three fundamental ethical
principles for all human subjects research--respect for persons,
beneficence, and justice.
Based on the Belmont Report and other work of the National
Commission, HHS revised and expanded its regulations for the protection
of human subjects in the late 1970s and early 1980s. The HHS
regulations are codified at 45 CFR part 46, subparts A through E. The
statutory authority for the HHS regulations derives from 5 U.S.C. 301;
42 U.S.C. 300v-1(b); and 42 U.S.C. 289.
In 1991, 14 other Federal departments and agencies joined HHS in
adopting a uniform set of rules for the protection of human subjects,
the ``Common Rule,'' identical to subpart A of 45 CFR part 46 of the
HHS regulations.
The Common Rule requires that Federally funded investigators in
most instances obtain and document the informed consent of research
subjects, and describes requirements for institutional review board
(IRB) membership, function, operations, research review, and
recordkeeping. The regulations also delineate criteria for, and levels
of, IRB review. Currently, except for human subjects research that
[[Page 44513]]
is determined to be exempt from the regulations, Federally funded
research involving human subjects is reviewed by an IRB in one of two
ways: (1) By a convened IRB, or (2) through an expedited review
process.
Since the Common Rule was developed, the landscape of research
activities has changed dramatically, accompanied by a marked increase
in the volume of research. It is estimated that total spending on
health-related research and development by the drug industry and the
Federal government has tripled since 1990.\2\ While traditional
biomedical research conducted in academic medical centers continues to
flourish, many studies are now also conducted at community hospitals,
outpatient clinics, or physician-based practices. Clinical research is
regularly conducted at multiple institutions across the U.S. and other
countries. Recruitment firms, bioinformatics specialists, clinical
trial coordinating centers, protocol developers, data analysts,
contract research organizations (CROs), data and safety monitoring
committees, community-based organizations, and other entities have
joined investigators and sponsors as part of the clinical research
enterprise.
Research has also increased, evolved, and diversified in other
areas, such as national security, crime and crime prevention,
economics, education, and the environment, using a wide array of
methodologies in the social sciences and multidisciplinary studies. The
application of technologies such as functional magnetic resonance
imaging in neuroscience has led to substantial advances in the
understanding of human physiology, cognition, and behavior. The advent
of sophisticated computer software programs, the Internet, and mobile
technology have created new areas of research activity, particularly
within the social and behavioral sciences, exponentially increasing the
amount of information available to researchers, while providing the
means to access and analyze that information. In many areas of society,
researchers are being called upon to provide evidence to more
effectively guide social policy and practices.
The rapid growth and expansion of human subjects research has led
to many questions about whether the current regulatory framework is
adequate and appropriate for the protection of human subjects in the
21st century. Furthermore, decades of experience have revealed a great
deal about the functioning--and limitations--of existing regulations,
and prompted critical evaluations by the Institute of Medicine
(IOM),\3\ \4\ the U.S. Government Accountability Office,\5\ \6\ \7\ and
many scholars.\8\ \9\ \10\ Federal consideration of such revisions to
the regulatory schema, in addition to the issues that suggest a need
for revision, is not without precedent. In its 2001 concluding report,
the National Bioethics Advisory Commission (NBAC) made 30
recommendations that addressed areas including the scope and structure
of the oversight system, the level of review applied to research,
emphasizing the informed consent process, documentation and waiver of
informed consent, protecting privacy and confidentiality, adverse event
reporting, and review of cooperative or multi-site research
studies.\11\ NBAC's recommendations are one source for the revisions in
the Common Rule currently being considered. Addressing these
considerations now is timely and consistent with the President's
Executive Order requiring Federal agencies to review existing
significant regulations to determine whether they should be modified,
streamlined, expanded, or repealed to make the agency's regulatory
program more effective or less burdensome in achieving the regulatory
objective.\12\
The concerns about the current Common Rule can roughly be
categorized into seven areas. First, the system has been criticized as
not adequately calibrating the review process to the risk of research.
Critics have raised concerns that some IRBs spend considerable time
reviewing minimal risk research, and that some IRBs have a tendency to
overestimate the magnitude and probability of reasonably foreseeable
risks.\13\ Because significantly more research studies require convened
IRB review, this greater IRB workload diverts time and resources from
review of research that poses greater risks, theoretically resulting in
inadequate attention to research that could seriously harm
subjects.\14\
Questions have been raised about the appropriateness of the review
process for social and behavioral research.\15\ \16\ \17\ \18\ The
nature of the possible risks to subjects is often significantly
different in many social and behavioral research studies as compared to
biomedical research, and critics contend that the difference is not
adequately reflected in the current rules. While physical risks
generally are the greatest concern in biomedical research, social and
behavioral studies rarely pose physical risk but may pose psychological
or informational risks. Some have argued that, particularly given the
paucity of information suggesting significant risks to subjects in
certain types of survey and interview-based research, the current
system over-regulates such research.\19\ \20\ \21\ Further, many
critics see little evidence that most IRB review of social and
behavioral research effectively does much to protect research subjects
from psychological or informational risks.\22\ Over-regulating social
and behavioral research in general may serve to distract attention from
attempts to identify those social and behavioral research studies that
do pose threats to the welfare of subjects and thus do merit
significant oversight.
Second, critics have commented about the inefficiencies of review
by multiple IRBs for multi-site studies, which add bureaucratic
complexity to the review process and delay initiation of research
projects without evidence that multiple reviews provide additional
protections to subjects.\23\ There also has been a concern that the
current multiple review system might actually be leading to weaker
protections for subjects than if there were fewer reviews but greater
responsibility on the part of the IRBs involved.
Third, questions have been raised about the extent and quality of
the protections afforded by current informed consent requirements and
practices. A variety of critics have highlighted problems with consent
forms. In some research studies, consent forms have become lengthy and
are often written in highly technical terms.\24\ \25\ \26\ Many also
claim that consent forms have evolved to protect institutions rather
than to actually provide salient information to potential human
subjects.\27\ This is especially problematic if the forms fail to
include information that is crucial for making a decision about
participation, including appropriate information about financial
relationships between researchers and study sponsors, or are written in
a way that potential subjects are likely to fail to notice such
information. At the same time, others raise concerns about the rigid
application of written consent to all forms of research, especially
research involving surveys, interviews, focus groups, or other similar
methodologies.\28\ In these types of research, it has been argued that
written documentation of consent is unnecessary and that answering
questions should be sufficient to indicate individual consent to
participate.\29\
Fourth, increasing use of genetic information, existing (i.e.,
stored) biospecimens, medical records, and administrative claims data
in research has changed the nature of the risks and
[[Page 44514]]
benefits of research participation. Risks related to these types of
research are not physical but informational (e.g., resulting from the
unauthorized release of information about subjects). The Privacy Rule
promulgated under the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) \30\ addresses some of these informational risks by
imposing restrictions on how certain identifiable health information
collected by health plans, healthcare clearinghouses, and certain
healthcare providers (``covered entities'') may be used and disclosed,
including for research. In addition, the HIPAA Security Rule requires
that these entities implement certain administrative, physical, and
technical safeguards to protect this information when in electronic
form from unauthorized use or disclosure. However, the HIPAA Rules
apply only to covered entities (and in certain respects to their
business associates), and not all investigators are part of a covered
entity (or business associates of a covered entity). Separate from the
HIPAA Rules, the Privacy Act of 1974, as amended (5 U.S.C. 552a \31\)
requires Federal agencies to protect personally identifiable
information in their possession and control. However, it does not apply
to non-Federal researchers.
Fifth, the monitoring and evaluation of the current system for
protecting human subjects has been criticized.\32\ There is concern
that current regulations do not provide an ideal mechanism for the
collection of information that would allow evaluation of the
effectiveness of the research oversight system in protecting human
subjects.
Sixth, concerns have been expressed that the current regulatory
system does not adequately protect all research subjects.\33\ For
instance, only some research studies funded by certain Federal agencies
or those that involve the development of products subject to regulation
by the FDA, are subject to the Common Rule or similar protections. As a
result, there are many studies that are not subject to any such Federal
oversight, even though they may involve substantial risks to the
subjects.
Seventh, the multiple, differing regulatory requirements that can
apply to a single research study have been criticized as complex,
inconsistent, and lacking in clarity, which results in unwarranted
variability across institutions and their IRBs in how the requirements
are interpreted and implemented.\34\ For example, Federal agencies that
have adopted the Common Rule have issued guidance and developed norms
of implementation that sometimes differ and may, in certain instances,
even conflict with guidance from other Common Rule agencies. Similarly,
the overlapping and sometimes, arguably, inconsistent requirements of
the Common Rule and the HIPAA Privacy Rule have been criticized as
being overly complex, causing confusion and frustration among
investigators, IRBs, and others trying to comply with both sets of
requirements.\35\
In response to these various criticisms, we propose changes to the
following seven aspects of the current regulatory framework. The
fundamental goal is to enhance the effectiveness of the research
oversight system by improving the protections for human subjects while
also reducing burdens, delays, and ambiguity for investigators and
research subjects.
1. Refinement of the existing risk-based regulatory framework
(Section II);
2. Utilization of a single IRB review of record for domestic sites
of multi-site studies (Section III);
3. Improvement of consent forms and the consent process (Section
IV);
4. Establishment of mandatory data security and information
protection standards for all studies that involve identifiable or
potentially identifiable data (Section V);
5. Establishment of an improved, more systematic approach for the
collection and analysis of data on unanticipated problems and adverse
events (Section VI);
6. Extension of Federal regulatory protections to all research,
regardless of funding source, conducted at institutions in the U.S.
that receive some Federal funding from a Common Rule agency for
research with human subjects (Section VII); and
7. Improvement in the harmonization of regulations and related
agency guidance (Section VIII).
We believe the proposals we are considering uphold and better
reflect the ethical principles upon which the Common Rule is based. We
recognize that this ANPRM is both lengthy and detailed. However this
level of detail reflects the importance and types of changes that have
been proposed by the Institute of Medicine (IOM), NBAC, and other
commentators and are now being considered for adoption. Comment is now
sought on these proposals and on the broader question of how to
modernize, simplify, and enhance the current system. The intent is to
revise the Common Rule \36\ recognizing that other laws and
regulations, such as the other subparts of the HHS human subjects
protection regulations (Subparts B, C, and D, which deal with
particular populations of vulnerable subjects, and Subpart E of 45 CFR
part 46), FDA regulations, and the HIPAA Privacy Rule most likely will
be affected and will need to be harmonized, as appropriate, with any
proposed regulatory changes made to the Common Rule.
As we consider how the current regulations governing human subjects
research should be revised, we will take into account the deliberations
of the Presidential Commission for the Study of Bioethical Issues. We
will also consider the public comments received on the request for
information that the Commission issued on March 2, 2011, that sought
public comment on the current Federal and international standards for
protecting the health and well-being of participants in scientific
studies supported by the Federal Government.\37\
II. Ensuring Risk-Based Protections
Currently, the Common Rule provides for several tiers of
independent review of research studies, as follows:
1. The highest level of review, applied to most studies involving
more than minimal risk and to many studies involving no more than
minimal risk, is review by a convened IRB.
2. The next level of review is expedited review.\38\ This generally
involves review by a single IRB member. A study is eligible for
expedited review if the research appears on a list published by the
Secretary of HHS of categories of research eligible for such review,
and the research is found by the reviewer(s) to involve no more than
minimal risk.
3. Certain studies are exempt from IRB review.\39\ The regulations
specify six ``exemption'' categories; a study must fall within one or
more of these six categories to be exempted from IRB review altogether.
Although these studies are not subject to the Common Rule, and no
review is actually required, guidance issued by the Office for Human
Research Protection (OHRP) recommends that there be some type of review
by someone other than the investigator to confirm that the study
qualifies as exempt, and many institutions do indeed impose such a
requirement.\40\
There has been criticism about this regulatory framework for
reviewing research studies. Although it does attempt to match the level
of review to the type of risks posed by a study, many argue that it
does so in a less than ideal manner. For instance, many surveys that
are unlikely to lead to any harm to subjects nonetheless undergo review
by a convened IRB.\41\ Further, arguments
[[Page 44515]]
have been made that some of the lines drawn between review categories
are vague and difficult to apply.\42\ Studies have shown that different
levels of review are sometimes required by different IRBs for the same
study.43 44
In response to these concerns, the IOM report on research
protections recommended revising the current approach: ``The degree of
scrutiny, the extent of continuing oversight, and the safety monitoring
procedures for research proposals should be calibrated to a study's
degree of risk. Minimal risk studies should be handled diligently, but
expeditiously, while studies involving high risk should receive the
extra time and attention they require.'' \45\ The IOM surmised that
this would reduce burdens that do not translate into meaningful
protections of human subjects and would limit unnecessary drain on
resources, enabling IRBs to give more attention to high risk studies
and critical protection activities while improving the efficiency with
which research projects are reviewed and overseen.
This ANPRM describes potential refinements to the current review
framework intended to ensure that protections are commensurate with the
level of risk of the research study. Five of the most significant
changes being considered are summarized below, followed by a more
detailed explanation of the proposals:
1. Establishing mandatory data security and information protection
standards for identifiable information and rules protecting against the
inappropriate re-identification of de-identified information that is
collected or generated as part of a research study to minimize
informational risks and thereby eliminate the need for IRBs to review
informational risks of the research. For purposes of the Common Rule,
we are considering adopting the HIPAA standards regarding what
constitutes individually identifiable information, a limited data set,
and de-identified information, in order to harmonize these definitions
and concepts. Since this provision would cover studies currently
considered ``exempt'' from the current regulations, a change in
terminology would need to be considered (see Section B(3), below).
2. Revising the rules for continuing review. Continuing review
would be eliminated for all minimal risk studies that undergo expedited
review, unless the reviewer explicitly justifies why continuing review
would enhance protection of research subjects. For studies initially
reviewed by a convened IRB, continuing review would not be required,
unless specifically mandated by the IRB, after the study reaches the
stage where procedures are limited to either (i) analyzing data (even
if it is identifiable), or (ii) accessing follow-up clinical data from
procedures that subjects would undergo as part of standard care for
their medical condition or disease (such as periodic CT scans to
monitor whether the subjects' cancers have recurred or progressed).
3. Revising the regulations regarding expedited review to provide
for mandatory regular updating of the list of categories of research
that may be reviewed under this mechanism, creating a presumption that
studies utilizing only research activities that appear on that list are
indeed minimal risk, and providing for streamlined document submission
requirements for review.
4. Revising the regulations regarding studies currently considered
exempt to, among other things:
i. Require that researchers file with the IRB a brief form
(approximately one page) to register their exempt studies, but
generally allow the research to commence after the filing;
ii. Clarify that routine review by an IRB staff member or some
other person of such minimal risk exempt studies is neither required
nor even recommended;
iii. Expand the current category 2 exemption (45 CFR 46.101(b)(2))
to include all studies involving educational tests, surveys,
interviews, and similar procedures so long as the subjects are
competent adults, without any further qualifications (but subject to
the data security and information protection standards discussed
above);
iv. Add a new category for certain types of behavioral and social
science research that goes beyond using only survey methodology, but
nonetheless involves only specified minimal risk procedures, so long as
the subjects are competent adults (but subject to the data security and
information protection standards discussed above);
v. Expand the current category 4 exemption (regarding the
collection or study of existing data, documents, records and
biospecimens) (45 CFR 46.101(b)(4)) to include all secondary research
use of identifiable data and biospecimens that have been collected for
purposes other than the currently proposed research, provided that
specified new consent requirements are satisfied. This expanded
category 4 exemption would apply to the secondary use of identifiable
data and biospecimens even if such data or biospecimens have not yet
been collected at the time of the research proposal, and even if
identifiers are retained by the researcher (instead of requiring at
least expedited review, as is currently the case); and
vi. Require random retrospective audits of a sample of exempt
studies to assess whether the exemptions were being appropriately
applied.
5. Generally requiring written consent for research use of any
biospecimens collected for clinical purposes after the effective date
of the new rules (such as research with excess pathological specimens).
Such consent could be obtained by use of a brief standard consent form
agreeing to generally permit future research. This brief consent could
be broad enough to cover all biospecimens to be collected related to a
particular set of encounters with an institution (e.g. hospitalization)
or even to any biospecimens to be collected at any time by that
institution. These studies using biospecimens collected for clinical
purposes would also fall under the expanded and revised exempt
categories described in (4), above, and thus would not require IRB
review or any routine administrative review but would be subject to the
data security and information protection standards discussed above.
This change would conform the rules for research use of clinically-
collected biospecimens with the rules for biospecimens collected for
research purposes. The general rule would be that a person needs to
give consent, in writing, for research use of their biospecimens,
though that consent need not be study-specific, and could cover open-
ended future research.
Each of these five proposals and other proposed changes are
discussed below. We seek comments and recommendations on the specific
changes being considered.
A. A New Mechanism for Protecting Subjects From Informational Risks
Most research risks to the individual can be categorized into one
of three types: physical, psychological, and informational risks.
(Although there are other harms, such as legal, social, and economic
harms, these can usually be viewed as variations on those core
categories.) Physical risks are the most straightforward to
understand--they are characterized by short term or long term damage to
the body such as pain, bruising, infection, worsening current disease
states, long-term symptoms, or even death. Psychological risks can
include unintentional anxiety and stress including feelings of sadness
or even depression, feelings of betrayal, and exacerbation of
underlying psychiatric conditions such as post traumatic stress
disorder. Psychological risks are not
[[Page 44516]]
necessarily restricted to psychiatric or social and behavioral
research.
Informational risks derive from inappropriate use or disclosure of
information, which could be harmful to the study subjects or groups.
For instance, disclosure of illegal behavior, substance abuse, or
chronic illness might jeopardize current or future employment, or cause
emotional or social harm. In general, informational risks are
correlated with the nature of the information and the degree of
identifiability of the information. The majority of unauthorized
disclosures of identifiable health information from investigators occur
due to inadequate data security.\46\
Currently, IRBs evaluate all three categories of risk. IRB review
or oversight of research posing informational risks may not be the best
way to minimize the informational risks associated with data on human
subjects. It is not clear that members have appropriate expertise
regarding data protections. The current assumption that IRBs are
responsible for reviewing and adequately addressing informational risks
appears to lead to inconsistent protections and some cases in which
there are inadequate protections for the information.\47\ Furthermore,
review of informational risk is an inefficient use of an IRB's time.
Standardized data protections, rather than IRB review, may be a more
effective way to minimize informational risks.
Accordingly, we are considering mandatory standards for data
security and information protection whenever data are collected,
generated, stored, or used. The level of protection required by these
standards would be calibrated to the level of identifiability of the
information, which would be based on the standards of identifiability
under the HIPAA Privacy Rule. (These standards are discussed in detail
in Section V.) With these standards in place to minimize the
inappropriate use or disclosure of research information, the criteria
for IRB approval of studies would be modified so that an IRB would no
longer be responsible for assessing the adequacy of a study's
procedures for protecting against informational risks. This change
would not alter the IRB's role in assuring that the ethical principles
of respect for persons, beneficence and justice are adequately
fulfilled.
B. Calibrating the Levels of Review to the Level of Risk
To improve the link between the type of review and the level of
risk posed by research studies, we are considering the changes
described below. Since there would be new mandatory standards for data
security and information protection to address informational risks,
only non-informational risks would be considered in determining the
level of risk posed by research studies.
1. Full Convened IRB Review
The requirement that research involving greater than minimal risk
be reviewed by a convened IRB would not be changed from the current
system. Other changes considered in this ANPRM, such as improvements in
the ability of IRBs to require better consent forms, may enhance the
effectiveness of such review.
With regard to continuing review of such studies, we are
considering one change. Where the remaining activities in a study are
limited to either (i) data analysis (even if identifiers are retained)
or (ii) accessing follow-up clinical data from procedures that subjects
would undergo as part of standard care for their medical problems (such
as periodic CT scans to monitor whether the subjects' cancers have
recurred or progressed), the default would be that no continuing review
by an IRB would be required. The IRB would have the option to make a
determination that overrides this default. Researchers would still have
the current obligations to report various developments (such as
unanticipated problems, or proposed changes to the study) to the IRB.
This would be a change from the current rules, which require at least
expedited IRB review of the activities described in (i) and (ii)
directly above. By eliminating the requirement for continuing review of
these activities, this change would allow for more effective use of
IRBs' time by enabling the IRB to focus on reviewing information that
is necessary to ensure protections of research subjects.
2. Revise Approach to Expedited Review
Under the Common Rule, a new research study can receive expedited
review if the research activities to be conducted appear on the list of
activities published by the Secretary of HHS that are eligible for such
review (http://www.hhs.gov/ohrp/policy/expedited98.html), and is found
by the reviewer(s) to involve no more than minimal risk. For research
that will receive expedited review, three changes are being considered:
(1) Revising the criteria that make research studies eligible for
expedited review, (2) eliminating the requirement of routine annual
continuing review of expedited studies, and (3) streamlining submission
requirements.
(a) Eligibility for Expedited Review
Currently, a reviewer must determine that the study includes only
research activities that appear in the list promulgated by the
Secretary as eligible for expedited review, that the study as a whole
involves no more than minimal risk, and that all of the criteria listed
in 45 CFR 46.111 are met. We are considering changes in each of these
three areas:
i. List of Research Activities That Qualify a Study for Expedited
Review
We are considering initially updating the current list of research
activities, which was last updated in 1998. We also are considering
mandating that a standing Federal panel periodically (such as every
year or every two years) review and update the list, based on a
systematic, empirical assessment of the levels of risk. This would
provide greater clarity about what would be considered to constitute
minimal risk, and create a process that allows for routinely
reassessing and updating the list of research activities that would
qualify as minimal risk.
ii. Determination That the Study Involves No More Than Minimal Risk
As noted, currently a study can undergo expedited review if all of
the activities involved appear on the list of eligible research
activities and the study is found to be minimal risk. The current
definition of minimal risk encompasses research activities where ``the
probability and magnitude of harm or discomfort anticipated in the
research are not greater in and of themselves than those ordinarily
encountered in daily life or during the performance of routine physical
or psychological examinations or tests.'' \48\ Since the listed
activities are ones with which there is a great deal of experience, and
their risks are well known, it should be a rare instance in which a
study that uses only the listed activities will, as a whole, pose more
than minimal risk. Yet many studies which use only those activities--
particularly those in the social and behavioral field--are frequently
required to undergo review by a convened IRB.\49\ We are accordingly
considering providing a default presumption in the regulations that a
study which includes only activities on the list is a minimal risk
study and should receive expedited review. A reviewer would have the
option of determining that the study should be reviewed by a convened
IRB, when that
[[Page 44517]]
conclusion is supported by the specific circumstances of the study.
iii. Determination That the Study Meets All of the 45 CFR 46.111
Criteria
Given that a study is eligible for expedited review only if it
involves minimal risk, and only if its activities are limited to those
that appear on the published list, it is not clear that the study
should be required to meet all of the criteria for IRB approval at 45
CFR 46.111. Currently, before an IRB may approve a research study,
including research that is being reviewed under an expedited procedure,
the IRB must find that the following criteria have been satisfied as
required by 45 CFR 46.111:
1. Risks to subjects are minimized: (i) By using procedures which
are consistent with sound research design and which do not
unnecessarily expose subjects to risk, and (ii) whenever appropriate,
by using procedures already being performed on the subjects for
diagnostic or treatment purposes.
2. Risks to subjects are reasonable in relation to anticipated
benefits, if any, to subjects, and the importance of the knowledge that
may reasonably be expected to result. In evaluating risks and benefits,
the IRB should consider only those risks and benefits that may result
from the research (as distinguished from risks and benefits of
therapies subjects would receive even if not participating in the
research). The IRB should not consider possible long-range effects of
applying knowledge gained in the research (for example, the possible
effects of the research on public policy) as among those research risks
that fall within the purview of its responsibility.
3. Selection of subjects is equitable. In making this assessment
the IRB should take into account the purposes of the research and the
setting in which the research will be conducted and should be
particularly cognizant of the special problems of research involving
vulnerable populations, such as children, prisoners, pregnant women,
mentally disabled persons, or economically or educationally
disadvantaged persons.
4. Informed consent will be sought from each prospective subject or
the subject's legally authorized representative, in accordance with,
and to the extent required by Sec. 46.116.
5. Informed consent will be appropriately documented, in accordance
with, and to the extent required by Sec. 46.117.
6. When appropriate, the research plan makes adequate provision for
monitoring the data collected to ensure the safety of subjects.
7. When appropriate, there are adequate provisions to protect the
privacy of subjects and to maintain the confidentiality of data.
8. When some or all of the subjects are likely to be vulnerable to
coercion or undue influence, such as children, prisoners, pregnant
women, mentally disabled persons, or economically or educationally
disadvantaged persons, additional safeguards have been included in the
study to protect the rights and welfare of these subjects.
Accordingly, we are considering whether all of those criteria
should still be required for approval of studies that qualify for
expedited review, and if not, which ones should not be required.
(b) Eliminating Continuing Review of Expedited Studies
We believe that annual continuing review of research studies
involving only activities that are already well-documented to generally
involve no more than minimal risk may provide little if any added
protection to subjects, and that it may be preferable for IRB resources
to be devoted to research that poses greater than minimal risk.
Accordingly, we are considering changing the default to require no
continuing review for studies that qualify for expedited review.
Researchers would still be obligated to obtain IRB approval for changes
to a study and to report to the IRB unanticipated problems and other
similar items that are currently required to be reported.
For any specific study, the reviewer would have the authority to
make a specific determination and provide a justification about why
continuing review is appropriate for that minimal risk study, and to
specify how frequently such review would be required.
(c) Streamlining Documentation Requirements for Expedited Studies
Under the current Federal regulations, researchers typically must
submit the same documents including a detailed protocol, informed
consent documents, and any other supporting documents, regardless of
whether the study will be reviewed by a convened IRB or be approved by
the expedited review process. Although it is important to document why
research qualifies for expedited review, it is unclear whether the time
and effort expended in such preparation activities result in increased
benefit in terms of protecting subjects.
Ideally, standard templates for protocols and consent forms and
sample versions of those documents that are specifically designed for
use in the most common types of studies would facilitate expedited
review. Such forms would need to be carefully designed to eliminate
those elements that are of relevance only in studies that pose greater
than minimal risks and to substantially reduce the current burden of
researchers involved in producing these documents and of the IRB
members who review them.
Comments and recommendations are requested on any of the above
proposals under consideration and on the following specific questions:
Question 1: Is the current definition of ``minimal risk'' in the
regulations (45 CFR 46.102(i)--research activities where ``the
probability and magnitude of harm or discomfort anticipated in the
research are not greater in and of themselves than those ordinarily
encountered in daily life or during the performance of routine physical
or psychological examinations or tests'')--appropriate? If not, how
should it be changed?
Question 2: Would the proposals regarding continuing review for
research that poses no more than minimal risk and qualifies for
expedited review assure that subjects are adequately protected? What
specific criteria should be used by IRBs in determining that a study
that qualifies for expedited initial review should undergo continuing
review?
Question 3: For research that poses greater than minimal risk,
should annual continuing review be required if the remaining study
activities only include those that could have been approved under
expedited review or would fall under the revised exempt (Excused)
category described in section 3, below (e.g., a study in which a
physical intervention occurred in the first year, all subjects have
completed that intervention, and only annual written surveys are
completed for the next five years)?
Question 4: Should the regulations be changed to indicate that IRBs
should only consider ``reasonably foreseeable risks or discomforts''?
Question 5: What criteria can or should be used to determine with
specificity whether a study's psychological risks or other nonphysical,
non-information risks, are greater than or less than minimal?
Question 6: Are there survey instruments or specific types of
questions that should be classified as greater than minimal risk? How
should the characteristics of the study population (e.g. mental health
patients) be taken into consideration in the risk assessment?
Question 7: What research activities, if any, should be added to
the published
[[Page 44518]]
list of activities that can be used in a study that qualifies for
expedited review? Should any of the existing activities on that list be
removed or revised? For instance, should the following be included as
minimal risk research activities:
Allergy skin testing.
Skin punch biopsy (limited to two per protocol).
Additional biopsy during a clinical test (e.g., performing
an extra colonic biopsy in the course of performing a routine
colonoscopy).
Glucose tolerance testing among adults.
Question 8: Should some threshold for radiological exams performed
for research purposes, that is calibrated to this background level of
exposure, be identified as involving no more than minimal risk?
Question 9: How frequently should a mandatory review and update of
the list of research activities that can qualify for expedited review
take place? Should the list be revised once a year, every two years, or
less frequently?
Question 10: Which, if any, of the current criteria for IRB
approval under 45 CFR 46.111 should not apply to a study that qualifies
for expedited review?
Question 11: What are the advantages of requiring that expedited
review be conducted by an IRB member? Would it be appropriate to
instead allow such review to be done by an appropriately trained
individual, such as the manager of the IRB office, who need not be a
member of the IRB? If not, what are the disadvantages of relying on a
non-IRB member to conduct expedited review? If so, what would qualify
as being ``appropriately trained''? Would the effort to make sure that
such persons are appropriately trained outweigh the benefits from
making this change?
Question 12: Are there other specific changes that could be made to
reduce the burden imposed on researchers and their staffs in terms of
meeting the requirements to submit documents to an IRB, without
decreasing protections to subjects? Are there specific elements that
can be appropriately eliminated from protocols or consent forms? Which
other documents that are currently required to be submitted to IRBs can
be shortened or perhaps appropriately eliminated? Conversely, are there
specific additions to protocols or consent forms beyond those
identified in this notice that would meaningfully add to the protection
of subjects? What entity or organization should develop and disseminate
such standardized document formats?
Question 13: Given the problems with the current system regarding
wide variations in the substance of IRB reviews, would it be
appropriate to require IRBs to submit periodic reports to OHRP in the
instances in which they choose to override the defaults described in
Sections B(1), B(2)(a)(ii), and B(2)(b) above? Should IRBs have to
report instances in which they require continuing review or convened
IRB review of a study which involves only activities identified as
being on the list of those eligible for expedited review? If an IRB
that chose to override these defaults was required to submit a report
to OHRP, would this provide useful information about any lack of
appropriate consistency among IRBs so that clarifying guidance could be
provided as needed, or provide useful information to OHRP about the
possible need to revise the expedited review list or the continuing
review requirements?
3. Moving Away From the Concept of Exempt
We are considering revising the category of exempt research in ways
that would both increase protections and broaden the types of studies
covered. Specifically, although still not subject to IRB review, these
studies would be subject to the new data security and information
protection standards described in Section V, and in some cases,
informed consent would be required as described in Section (c) below.
Given that these studies would no longer be fully exempt from the
regulations, they could more accurately be described as ``Excused''
from being required to undergo some form of IRB review (which
terminology we will use hereafter in this ANPRM). (Note: FDA's statute
requires IRB review and approval of any clinical device investigation.
21 U.S.C. 360j(g)(3)(A) and (B). Therefore, FDA-regulated studies
involving specimens will not be eligible for the new Excused category
and will remain subject to IRB oversight.) The new data security and
information protection standards make it possible to increase the
coverage of the Excused category, thereby reducing the burden on
researchers conducting minimal risk studies, while actually increasing
the protections for participants.
Some specific aspects of these changes are described here:
(a) Types of Research Studies That Qualify for the Excused Category
The existing six exemption categories would be retained as part of
the new Excused category. The current criteria for defining those
categories would be reviewed and revised appropriately so that they are
clear enough that researchers could readily determine whether a study
qualified to be in these categories. In addition, the following
significant expansions of the current categories are being considered:
1. Limitations specified in the current exempt category 2 (research
involving educational tests, surveys, focus groups, interviews, and
similar procedures) would no longer be necessary when these studies are
conducted with competent adults. The current exemption 2 under 45 CFR
46.101(b)(2) states: ``Research involving the use of educational tests
(cognitive, diagnostic, aptitude, achievement), survey procedures,
interview procedures or observation of public behavior, unless: (i)
Information obtained is recorded in such a manner that human subjects
can be identified, directly or through identifiers linked to the
subjects; and (ii) any disclosure of the human subjects' responses
outside the research could reasonably place the subjects at risk of
criminal or civil liability or be damaging to the subjects' financial
standing, employability, or reputation.'' Specifically it is proposed
that the language that appears after the word ``unless'' in provisions
(i) and (ii) would be deleted. Thus, research conducted with competent
adults, that involve educational tests, surveys, focus groups,
interviews, and similar procedures would qualify for the new Excused
category, regardless of the nature of the information being collected,
and regardless of whether data is recorded in such a manner that
subjects can be identified. It is proposed that the limitations on the
current category 2 be eliminated since these studies would be conducted
with competent adults and because these studies would now be subject to
standard data security and information protection standards. The term
``competent'' as used here and throughout this ANPRM refers to adults
who would be able to provide ``legally effective informed consent,'' as
currently required by 45 CFR 46.116. This concept has been included in
the Common Rule for decades, and is routinely implemented by
researchers, generally with little difficulty. For example, researchers
who currently conduct non-exempt surveys must make determinations
regarding which subjects to include in their studies, and we are not
aware of any evidence that suggests making such determinations has been
a problem.
2. We are considering whether to include on the list of Excused
studies certain types of social and behavioral research, conducted with
competent
[[Page 44519]]
adults, that would involve specified types of benign interventions
beyond educational tests, surveys, focus groups, interviews, and
similar procedures, that are commonly used in social and behavioral
research, that are known to involve virtually no risk to subjects, and
for which prior review does little to increase protections to subjects.
These would be methodologies which are very familiar to people in
everyday life and in which verbal or similar responses would be the
research data being collected. For example, a researcher might ask
subjects to watch a video, or read a paragraph or solve puzzles, and
then ask them some questions to elicit word associations or time
performance of activities. The specific methodologies might be spelled
out in regulations, or they might be promulgated via a periodic
mechanism to announce and update lists similar to the list that is
published for activities that allow a study to be expedited.
3. Limitations specified in the current exempt category 4 (research
involving the use of existing information or biospecimens) would be
eliminated. The current exemption 4 under 45 CFR 46.101(b)(4) states:
``Research involving the collection or study of existing data,
documents, records, pathological specimens, or diagnostic specimens, if
these sources are publicly available or if the information is recorded
by the investigator in such a manner that subjects cannot be
identified, directly or through identifiers linked to the subjects.''
Specifically, it is proposed that the category would be revised to
clarify that the word ``existing'' means collected for purposes other
than the proposed research and not that all of the data or biospecimens
need exist at the time the study commenced. In addition, the limitation
that the researcher cannot record and retain information that
identifies the subjects would be eliminated. In other words, research
that only involves the use of data or biospecimens collected for other
purposes, even if the researcher intends to retain identifiers, would
now come within the new Excused category, unless there are plans to
provide individual results back to the subjects. Studies that include a
plan to provide to subjects individual results from the analysis of
their biospecimens or data would not qualify for this proposed Excused
category.
As described below in Section (c), it is contemplated that certain
relatively flexible consent requirements would be imposed on some of
these studies. (See Table 1 at the end of Section V for a summary of
this proposal.)
(b) Tracking and Auditing Excused Research
We are considering a mechanism to track Excused research, and to
audit only a small but appropriate portion of such research, because it
would still be subject to other regulatory protections, such as the
proposed data security and information protection standards and certain
consent requirements. In addition, such a mechanism to track and audit
Excused research will also enable institutions to assure that the
research does indeed meet the criteria for inclusion in the Excused
category. (That is all that an audit would in most cases involve: a
brief review of the registration form, similar to what many
institutions currently do when they determine whether a study is
exempt.) Key to this would be a requirement that researchers register
their study with an institutional office by completing a brief form.
This would make the institution aware of the research and identify the
study's principal investigator. In addition the institution could
choose to review some of the submissions at the time they are filed
(and we contemplate that this would only be done in a relatively small
percentage of the filings) and if deemed appropriate, require that the
study be sent for expedited review or, in exceptionally rare cases,
convened IRB review.
The proposed auditing requirement is intended to encourage
institutions to use the regulatory flexibility proposed for the Excused
category of research. Rather than maintaining many institutions'
current practice of routinely requiring that research that meets the
current exemption categories undergo some type of review before it is
permitted to proceed, the proposed auditing requirement would provide
institutions with information needed to assess their compliance with
the new Excused category without unnecessarily subjecting all such
research to either prospective review, or even routine review sometime
after the study is begun.
(c) Consent Rules for Excused Research
We are contemplating that the consent practices for studies
currently designated as exempt would remain in most respects unchanged
for research falling within the new Excused category, even if some of
those practices are clarified. For example, oral consent without
written documentation would continue to be acceptable for many research
studies involving educational tests, surveys, focus groups, interviews,
and similar procedures.
However, we are considering the following revisions to the consent
rules for the category of Excused research that involves the use of
pre-existing data or biospecimens as described in Section 3(a)(3)
above.
First, written general consent (as described below) would be
required for the research use of such biospecimens. This would be a
change from the current rules which allow research without consent when
a biospecimen is used for research under conditions where the
researcher does not possess information that would allow them to
identify the person whose biospecimen is being studied.
Second, with regard to the researchers' use of pre-existing data
(i.e. data that were previously collected for purposes other than the
currently proposed research study):
a. If the data was originally collected for non-research purposes,
then, as is currently the rule, written consent would only be required
if the researcher obtains information that identifies the subjects.
There would accordingly be no change in the current ability of
researchers to conduct such research using de-identified data or a
limited data set, as such terms are used in the HIPAA Rules (see
Section V), without obtaining consent.
b. If the data was originally collected for research purposes, then
consent would be required regardless of whether the researcher obtains
identifiers. Note that this would be a change with regard to the
current interpretation of the Common Rule in the case where the
researcher does not obtain any identifiers. That is, the allowable
current practice of telling the subjects, during the initial research
consent, that the data they are providing will be used for one purpose,
and then after stripping identifiers, allowing it to be used for a new
purpose to which the subjects never consented, would not be allowed.
In most instances, the consent requirements described above would
have been met at the time that the biospecimens or data were initially
collected, when the subject would have signed a standard, brief general
consent form allowing for broad, future research. This brief consent
could be broad enough to cover all data and biospecimens to be
collected related to a particular set of encounters with an institution
(e.g. hospitalization) or to any data or biospecimens to be collected
at anytime by the institution. Importantly, this standardized general
consent form would permit the subject to say no to all future research.
In addition, there are likely to be a handful of special categories of
research with
[[Page 44520]]
biospecimens that, given the unique concerns they might raise for a
significant segment of the public, would be dealt with by check-off
boxes allowing subjects to separately say yes or no to that particular
type of research (e.g., perhaps creating a cell line, or reproductive
research). Participation in a research study (such as a clinical trial)
could not be conditioned on agreeing to allow future open-ended
research using a biospecimen. With regard to the secondary research use
of pre-existing data, on those occasions when oral consent was
acceptable under the regulations for the initial data collection, it is
envisioned that subjects would have typically provided their oral
consent for future research at the time of the initial data collection;
a written consent form would not have to be signed in that
circumstance. Table 1 at the end of Section V illustrates the consent
requirements for pre-existing data in the context of the data security
and information protection requirements which would also apply.
Third, these changes would only be applied prospectively, not
retrospectively. In other words, they would only apply to biospecimens
and data that are collected after the effective date of the new rules.
And fourth, there would be rules (to be determined) that would
allow for waiver of consent under specified circumstances, though those
conditions would not necessarily be the same as those for other types
of research.
(d) Overall Consequences for Current Review Practices
The proposal for changes described in sections (a) through (c)
above would eliminate the current practice of not allowing researchers
to begin conducting such minimal risk studies until a reviewer has
determined the study does indeed meet the criteria for being exempt.
Such delay is not currently required by the Common Rule, and appears to
slow research without adding significant protection to subjects.
Instead, under the plan being considered, researchers would file with
their institution or IRB a brief registration form (about one page
long) that provides essential information about the study, including,
for example, information about who will be the principal investigator,
and the purpose of the study. The researchers would then be authorized
to begin conducting the study after the filing (unless the institution
chose to review that filing and determined that the research did not
qualify as Excused). It would be made clear that the regulations would
not require, and in fact, would discourage, having each of these
registration forms undergo a comprehensive administrative review prior
to commencing the study or even afterward.
Comments and recommendations are requested on any of the above
proposals under consideration and on the following specific questions:
Question 14: Are these expansions in the types of studies that
would qualify for this Excused category appropriate? Would these
changes be likely to discourage individuals from participating in
research? Might these changes result in inappropriately reduced
protections for research subjects, or diminished attention to the
principles of respect for persons, beneficence, and justice?
Question 15: Beyond the expansions under consideration, are there
other types of research studies that should qualify for the Excused
category? Are there specific types of studies that are being considered
for inclusion in these expansions, that should not be included because
they should undergo prospective review for ethical or other reasons
before a researcher is allowed to commence the research?
Question 16: Should research involving surveys and related
methodologies qualify for the Excused category only if they do not
involve topics that are emotionally charged, such as sexual or physical
abuse? If so, what entity should be responsible for determining whether
a topic is or is not emotionally charged?
Question 17: What specific social and behavioral research
methodologies should fall within the Excused category? Under what
circumstances, if any, should a study qualify for the Excused category
if the study involves a form of deception (and if so, how should
``deception'' be defined)?
Question 18: Currently some IRBs make determinations regarding
whether clinical results should be returned to study participants. How
should such determinations be made if the study now fits in the Excused
category? Can standard algorithms be developed for when test results
should be provided to participants and when they should not (e.g., if
they can be clinically interpreted, they must be given to the
participants?).
Question 19: Regarding the Excused category, should there be a
brief waiting period (e.g. one week) before a researcher may commence
research after submitting the one-page registration form, to allow
institutions to look at the forms and determine if some studies should
not be Excused?
Question 20: The term ``Excused'' may not be the ideal term to
describe the studies that will come within the proposed revision of the
current category of exempt studies, given that these studies will be
subject to some protections that are actually greater than those that
currently exist. Might a term such as ``Registered'' better emphasize
that these studies will in fact be subject to a variety of requirements
designed to protect participants? We welcome other suggestions for
alternative labels that might be more appropriate.
Question 21: Is it appropriate to require institutions holding a
Federalwide Assurance to conduct retrospective audits of a percentage
of the Excused studies to make sure they qualify for inclusion in this
category? Should the regulations specify a necessary minimum percentage
of studies to be audited in order to satisfy the regulatory
requirements? Should some other method besides a random selection be
used to determine which Excused studies would be audited?
Question 22: Are retrospective audit mechanisms sufficient to
provide adequate protections to subjects, as compared to having
research undergo some type of review prior to a researcher receiving
permission to begin a study? Might this new audit mechanism end up
producing a greater burden than the current system? Do researchers
possess the objectivity and expertise to make an initial assessment of
whether their research qualifies for the Excused category? By allowing
researchers to make their own determinations, without prospective
independent review, will protections for some subjects be
inappropriately weakened? If allowing researchers to make such
determinations without independent review would generally be
acceptable, are there nonetheless specific categories of studies
included in the proposed expansion for which this change would
inappropriately weaken protections for subjects? And will the use of a
one-page registration form give institutions sufficient information to
enable them to appropriately conduct the audits?
Question 23: Under what circumstances should it be permissible to
waive consent for research involving the collection and study of
existing data and biospecimens as described in Section 3(a)(3) above?
Should the rules for waiving consent be different if the information or
biospecimens were originally collected for research purposes or non-
research purposes? Should a request to waive informed consent trigger a
requirement for IRB review?
[[Page 44521]]
Question 24: The Common Rule has been criticized for
inappropriately being applied to--and inhibiting research in-- certain
activities, including quality improvement, public health activities,
and program evaluation studies. 50 51 52 Regarding quality
improvement, for example, these activities are in many instances
conducted by health care and other organizations under clear legal
authority to change internal operating procedures to increase safety or
otherwise improve performance, often without the consent of staff or
clients, followed by monitoring or evaluation of the effects. It is far
from clear that the Common Rule was intended to apply to such
activities, nor that having it apply produces any meaningful benefits
to the public. Indeed, its application to such activities, and
requiring IRB review and compliance with informed consent requirements,
might have a chilling effect on the ability to learn from, and conduct,
important types of innovation. We seek comment on whether and, if so,
how, the Common Rule should be changed to clarify whether or not
oversight of quality improvement, program evaluation studies, or public
health activities are covered. Are there specific types of these
studies for which the existing rules (even after the changes proposed
in this Notice) are inappropriate? If so, should this problem be
addressed through modifications to the exemption (Excused) categories,
or by changing the definition of ``research'' used in the Common Rule
to exclude some of these studies, or a combination of both? And if the
definition of research were to be changed, how should the activities to
be excluded be defined (e.g., ``quality improvement'' or ``program
evaluation'')? Are there some such activities that should not be
excluded from being subject to the Common Rule because the protections
provided by that rule are appropriate and no similar protections are
provided by other regulations? With regard to quality improvement
activities, might it be useful to adopt the distinction made by the
HIPAA Privacy Rule (45 CFR 164.501(1)), which distinguishes between
``health care operations'' and ``research'' activities, defining
``health care operations'' to include ``conducting quality assessment
and improvement activities, including outcomes evaluation and
development of clinical guidelines, provided that the obtaining of
generalizable knowledge is not the primary purpose of any studies
resulting from such activities''?
Question 25: Are there certain fields of study whose usual methods
of inquiry were not intended to or should not be covered by the Common
Rule (such as classics, history, languages, literature, and journalism)
because they do not create generalizable knowledge and may be more
appropriately covered by ethical codes that differ from the ethical
principles embodied in the Common Rule? If so, what are those fields,
and how should those methods of inquiry be identified? Should the
Common Rule be revised to explicitly state that those activities are
not subject to its requirements?
Question 26: The current exempt category 5 applies to certain
research and demonstration projects that are designed to study or
evaluate public benefit or service programs. Is the circumstance that a
particular demonstration project generates ``broad'' knowledge
incorrectly being used as a reason to prevent certain activities
(including section 1115 waivers under Medicaid) from qualifying for
exempt category 5? If so, how should this exemption (as part of the new
category of Excused research) best be revised to assure that it will no
longer be misinterpreted or misapplied? Would broadening the
interpretation of the exemption result in inappropriately increased
risks to participants in research? If so, how could such risks be
mitigated? Also, is there a need to update or otherwise revise the
``OPRR Guidance on 45 CFR 46.101(b)(5)''?
Question 27: The Common Rule currently states (45 CFR 46.111(a)(2))
that an IRB ``should not consider possible long-range effects of
applying knowledge gained in the research (for example, the possible
effects of the research on public policy) as among the research risks
that fall within the purview of its responsibility.'' Do IRBs correctly
interpret this provision as meaning that while they should be
evaluating risks to the individual subjects participating in a study,
it is not part of their mandate to evaluate policy issues such as how
groups of persons or institutions, for example, might object to
conducting a study because the possible results of the study might be
disagreeable to them? \53\ If that is not how the provision is
typically interpreted, is there a need to clarify its meaning?
Question 28: For research that requires IRB approval, the Common
Rule does not currently require that the researcher always be allowed
some form of appeal of a decision (e.g., disapproval of a project).
Some institutions have voluntarily chosen to provide appeal mechanisms
in some instances, by, for example, allowing the researcher to present
the project to a different IRB, or by having it reviewed by a special
``appeal'' IRB that is composed of members chosen from among the
membership of the institution's other IRBs. Should the Common Rule
include a requirement that every institution must provide an
appropriate appeal mechanism? If so, what should be considered
acceptable appeal mechanisms? Should such appeal mechanisms, or
different ones, be available for appeals asserting that the
investigation is not research, or that the research does not require
IRB approval?
Question 29: As noted above, IRBs sometimes engage in activities
beyond those that are required by the regulations. For example, an IRB
might review some studies for the purpose of determining whether or not
they qualify for exemption (the new Excused category), or might review
studies involving the analysis of data that is publicly available.
Would it be helpful, in furtherance of increased transparency, to
require that each time an IRB takes such an action, it must
specifically identify that activity as one that is not required by the
regulations?
III. Streamlining IRB Review of Multi-Site Studies
Currently, a substantial amount of research takes place by means of
multi-site studies wherein a single research study is conducted at
numerous institutions. Multi-site studies are particularly common in
clinical trials, survey epidemiology, and education contexts. While the
Common Rule does require that each institution engaged in a multi-site
research study obtain IRB approval of the study, it does not require
that a separate local IRB at each institution conduct such review.
(Note: While the Common Rule does not require local IRB review by each
institution engaged in a multi-site research study, the statute that
pertains to FDA's regulation of device investigations requires sponsors
to submit the protocol to the ``local institutional review committee
which has been established in accordance with regulations of the
Secretary to supervise clinical testing of devices in the facilities
where the proposed clinical testing is to be conducted.'' The only
statutory exception is if a local IRB does not exist or its review is
determined to be ``inadequate'' (21 U.S.C. 360j(g)(3)(A)). Accordingly,
the change proposed in this ANPRM regarding the use of one IRB of
record for multi-site studies would not apply to FDA-regulated device
studies.) However, in many cases, a local IRB for each institution does
independently review the research protocol, informed consent
[[Page 44522]]
documents and other materials, sometimes resulting in hundreds of
reviews for one study. When any one of these IRBs requires changes to
the research protocol that are adopted for the entire study,
investigators must re-submit the revised protocol to all of the
reviewing IRBs. This process can take many months and can significantly
delay the initiation of research projects. Separately, there are
reports showing that there can be widely differing outcomes regarding
the level of review required from IRB to IRB, even for identical
studies.\54\
The choice to have multi-site research reviewed by a central IRB,
or by an IRB at another institution, is voluntary. In practice, most
institutions have been reluctant to replace review by their local IRBs
with review by a central IRB.55 56 Participants in two
meetings on alternative IRB models that OHRP co-sponsored in November
2005 and November 2006 indicated that one of the key factors
influencing institutions' decisions about this issue is OHRP's current
practice of enforcing compliance with the Common Rule through the
institutions that were engaged in human subjects research, even in
circumstances when the regulatory violation is directly related to the
responsibilities of an external IRB.\57\
Many commentators\58\ claim that multiple IRB reviews do not
enhance the protection of human subjects and may, in fact, divert
valuable resources from more detailed reviews of other studies.
Relevant local contextual issues (e.g., investigator competence, site
suitability) pertinent to most clinical studies can be addressed
through mechanisms other than local IRB review. For research where
local perspectives might be distinctly important (e.g., in relation to
certain kinds of vulnerable populations targeted for recruitment) local
IRB review could be limited to such consideration(s), but again, IRB
review is not the only mechanism for addressing such issues. The
evaluation of a study's social value, scientific validity, and risks
and benefits, and the adequacy of the informed consent document and
process generally do not require the unique perspective of a local IRB.
To respond to this concern, central IRBs have been developed. The
National Cancer Institute created a central IRB for adult research
studies in 2001 and a central pediatric oncology IRB in 2004.
Similarly, the Department of Veterans Affairs has required review of
certain multi-site protocols by a single national IRB since 2008. Also,
certain groups of private institutions have joined together to develop
their own central IRBs. These central IRBs reduce the workload for
local IRBs and may minimize institutional conflicts of interest. Since
2006, FDA has endorsed the use of a centralized IRB review process in
multi-site clinical trials of investigational new drugs and has issued
guidance intended to assist sponsors, institutions, IRBs, and clinical
investigators on its implementation.\59\
Public comment is requested on the feasibility, advantages, and
disadvantages of mandating that all domestic sites in a multi-site
study rely upon a single IRB as their IRB of record for that study.
(This would apply regardless of whether the study underwent convened
review or expedited review.) This proposal would only affect which IRB
would be designated as the IRB of record for institutional compliance
with the IRB review requirements of the Common Rule. It would not
relieve any site of its other obligations under the regulations to
protect human subjects. Nor would it prohibit institutions from
choosing, for their own purposes, to conduct additional internal ethics
reviews, though such reviews would no longer have any regulatory status
in terms of compliance with the Common Rule (and could be discouraged).
To address institutions' concerns about OHRP's practice of enforcing
compliance with 45 CFR part 46 through the institutions that are
engaged in human subjects research, appropriate accompanying changes
would be made in enforcement procedures to hold external IRBs directly
accountable for compliance with certain regulatory requirements (see,
e.g., the proposal on IRB accountability released by OHRP in 2009, at
http://www.hhs.gov/ohrp/newsroom/rfc/com030509.html)
This change is being considered only for domestic sites in multi-
site studies. In most cases, independent local IRB reviews of
international sites are appropriate because it might be difficult for
an IRB in the U.S. to adequately evaluate local conditions in a foreign
country that could play an important role in the ethical evaluation of
the study.
Comments and recommendations are requested on the following:
Question 30: What are the advantages and disadvantages of
mandating, as opposed to simply encouraging, one IRB of record for
domestic multi-site research studies?
Question 31: How does local IRB review of research add to the
protection of human subjects in multi-site research studies? How would
mandating one IRB of record impair consideration of valuable local
knowledge that enhances protection of human subjects? Should the public
be concerned that a centralized IRB may not have adequate knowledge of
an institution's specific perspective or the needs of their population,
or that a centralized IRB may not share an institution's views or
interpretations on certain ethical issues?
Question 32: To what extent are concerns about regulatory and legal
liability contributing to institutions' decisions to rely on local IRB
review for multi-site research? Would the changes we are considering
adequately address these concerns?
Question 33: How significant are the inefficiencies created by
local IRB review of multi-site studies?
Question 34: If there were only one IRB of record for multi-site
studies, how should the IRB of record be selected? How could
inappropriate forms of ``IRB shopping''--intentionally selecting an IRB
that is likely to approve the study without proper scrutiny--be
prevented?
IV. Improving Informed Consent
Currently, under the Common Rule and FDA regulations, investigators
generally must obtain and document the subjects' informed consent to
participate in research.\60\ The regulations currently require that the
consent forms include at least eight specific items of information.
Various aspects of the consent forms have been heavily criticized, as
has the amount of time IRBs devote to editing and revising consent
forms.
In addition, consent forms may frequently fail to include some of
the most important pieces of information that a person would need in
order to make an ``enlightened decision'' (to quote the Nuremberg Code)
to enroll in a research study.\61\ Instead of presenting the
information in a way that is most helpful to prospective subjects--such
as explaining why someone might want to choose not to enroll--the forms
often function as sales documents, instead of as genuine aids to good
decision-making.\62\
While the regulations have changed in only relatively modest ways
since 1974, the average length of consent forms has been increasing
since then,\63\ and the forms have become excessively long and
legalistic, even for relatively routine and low risk research
studies.\64\ For example, it is not uncommon for the documents to
stretch to 15 or even 30 pages in length. Moreover, studies have shown
that the reading level of many of these documents is above the desired
8th grade level. 65 66 67 Length and high reading levels may
inhibit people from reading the full document and from understanding
relevant information.
[[Page 44523]]
Further, some have argued that the requirements for obtaining
waivers of informed consent or waivers of documentation of informed
consent are confusing and inflexible, which leads to inconsistent
application.\68\ These problems may not be inherent in the language of
the Common Rule, but there may be some changes to the regulations or
clarifications as to how to interpret and implement such regulations
that could improve informed consent documents and process.
A. Improving Consent Forms
We are considering a number of modifications to the regulations to
improve consent forms, including (1) prescribing appropriate content
that must be included in consent forms, with greater specificity than
is provided in the current regulations; (2) restricting content that
would be inappropriate to include in consent forms; (3) limiting the
acceptable length of various sections of a consent form; (4)
prescribing how information should be presented in consent forms, such
as information that should be included at the very beginning of the
consent form, or types of information that should be included in
appendices and not in the main body of the consent form; (5) reducing
institutional ``boilerplate'' in consent forms (that is, standard
language that does little to genuinely inform subjects, and often is
intended to primarily protect institutions from lawsuits); and (6)
making available standardized consent form templates, the use of which
could satisfy applicable regulatory provisions.
Comments and recommendations are requested on the following:
Question 35: What factors contribute to the excessive length and
complexity of informed consent forms, and how might they be addressed?
Question 36: What additional information, if any, should be
required by the regulations to assure that consent forms appropriately
describe to subjects, in concise and clear language, alternatives to
participating in the research study and why it may or may not be in
their best interests to participate? What modifications or deletions to
the required elements would be appropriate?
Question 37: Would the contemplated modifications improve the
quality of consent forms? If not, what changes would do so?
Question 38: Should the regulations require that, for certain types
of studies, investigators assess how well potential research subjects
comprehend the information provided to them before they are allowed to
sign the consent form?
Question 39: If changes are made to the informed consent
requirements of the Common Rule, would any conforming changes need to
be made to the authorization requirements of the HIPAA Privacy Rule?
Question 40: Would informed consent be improved if the regulations
included additional requirements regarding the consent process, and if
so, what should be required? For example, should investigators be
required to disclose in consent forms certain information about the
financial relationships they have with study sponsors?
B. Waiver of Informed Consent or Documentation of Informed Consent in
Primary Data Collection
Currently the Common Rule permits an IRB to waive the requirements
for obtaining informed consent under two sets of circumstances (45 CFR
46.116 (c) or (d)).\69\ The most common set of circumstances requires
that four specific criteria be satisfied (45 CFR 46.116(d)). Many
commentators have argued that these conditions for waiver of consent
are vague and applied haphazardly at different institutions.
70 71 In response to these concerns, the Secretary's
Advisory Committee on Human Research Protections (SACHRP), through its
Subcommittee on Subpart A, developed several recommendations regarding
the interpretation of these waiver criteria.\72\
IRBs, under the Common Rule (45 CFR 46.117(c)), also may waive the
requirement for the investigator to obtain a signed consent form for
some or all subjects. The current criteria for such a waiver may not be
flexible enough for dealing with a variety of circumstances, such as
when Federally-sponsored research is conducted in an international
setting where for cultural or historical reasons signing documents may
be viewed as offensive and problematic. It is worth noting that for
studies that only involve surveys, focus groups, and interviews with
competent adults, there will usually be no need to apply the waiver of
documentation criteria provided at 45 CFR 46.117(c). Such studies will
generally qualify for the new Excused category, with only oral consent
required.
Comments and recommendations are requested on the following:
Question 41: What changes to the regulations would clarify the
current four criteria for waiver of informed consent and facilitate
their consistent application?
Question 42: In circumstances where the regulations would permit
oral consent, what information should investigators be required to
provide to prospective subjects? Are all of the elements of informed
consent included at 45 CFR 46.116 necessary to be conveyed, or are some
elements unnecessary? If some elements should not be required for oral
consent, which ones are unnecessary?
Question 43: Are there additional circumstances under which it
should be permissible to waive the usual requirements for obtaining or
documenting informed consent?
Question 44: Are there types of research involving surveys, focus
groups, or other similar procedures in which oral consent without
documentation should not be permitted? What principles or criteria
distinguish these cases?
C. Strengthening Consent Protections Related to Reuse or Additional
Analysis of Existing Data and Biospecimens
Critics of the existing rules have observed that the current
requirements for informed consent for future research with pre-existing
data and biospecimens are confusing and consume substantial amounts of
researchers' and IRBs' time and resources. Under the Common Rule and
the HIPAA Privacy Rule, if identifiers are removed, specimens and data
that have been collected for purposes other than the proposed research
can be used without any requirement for informed consent or a HIPAA
authorization. When these identifiers have not been removed, under the
Common Rule, investigators may be allowed in certain situations to
obtain a general consent for future research with existing biospecimens
and other information stored in databases. Conversely, the Department's
current interpretation of the HIPAA Privacy Rule requires that
authorizations for research be study-specific. Thus, the Privacy Rule
currently has not been interpreted to permit general authorizations for
future unspecified research uses of health information. Importantly,
the HHS Office for Civil Rights (OCR) has recently sought and is
currently reviewing public comment on the extent to which a single
general authorization may cover a range of future research uses of an
individual's health information (see 75 FR 40868, 40893 available at
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/nprmhitech.pdf).
Because biospecimens and data that have been collected for clinical
use or purposes other than for the proposed research are often an
important source of information and material for investigators, and the
reuse of existing data and materials can be an efficient
[[Page 44524]]
mechanism for conducting research without presenting additional
physical or psychological risks to the individual, it seems prudent to
consider changes to current regulations. As the IOM recently stated in
Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health
Through Research, it is important to ``facilitate important health
research by maximizing the usefulness of patient data associated with
biospecimens banks and in research databases, thereby allowing novel
hypotheses to be tested with existing data and materials as knowledge
and technology improve.'' \73\
Some critics, including potential and former research subjects,
object to research performed on a person's biospecimens without
consent. This was recently highlighted in the book, The Immortal Life
of Henrietta Lacks. \74\ Conversely, investigators are concerned that
the need for informed consent for every use of a biospecimen will
greatly inhibit research.75 76 77 They worry that obtaining
individual consent for each separate research study will create
unmanageable logistical demands, making valuable research impossible.
They also worry that research will be skewed by individuals who refuse
consent, undermining the scientific validity of the research. An
accumulating body of data indicates that while most individuals want to
be able to decide whether their biospecimens are available for
research, they often do not desire to have control over which specific
researchers use their samples, for which diseases, at which
institutions.78 79 80
The potential changes to the consent rules that were described in
detail in Section II(B)(3)(c) (in the discussion of revising the rules
for exempt studies) are being considered to strengthen and align
consent protections, simultaneously addressing the concerns of
individuals, while ensuring the pursuit of important research.
Comments and recommendations are requested on any of the above
proposals under consideration and on the following specific questions:
Question 45: Under what circumstances should future research use of
data initially collected for non-research purposes require informed
consent? Should consent requirements vary based on the likelihood of
identifying a research subject? Are there other circumstances in which
it should not be necessary to obtain additional consent for the
research use of currently available data that were collected for a
purpose other than the currently proposed research?
Question 46: Under what circumstances should unanticipated future
analysis of data that were collected for a different research purpose
be permitted without consent? Should consent requirements vary based on
the likelihood of identifying a research subject?
Question 47: Should there be a change to the current practice of
allowing research on biospecimens that have been collected outside of a
research study (i.e. ``left-over'' tissue following surgery) without
consent, as long as the subject's identity is never disclosed to the
investigator?
Question 48: What, if any, are the circumstances in which it would
be appropriate to waive the requirement to obtain consent for
additional analysis of biospecimens?
Question 49: Is it desirable to implement the use of a
standardized, general consent form to permit future research on
biospecimens and data? Are there other options that should be
considered, such as a public education campaign combined with a
notification and opt-out process?
Question 50: What is the best method for providing individuals with
a meaningful opportunity to choose not to consent to certain types of
future research that might pose particular concerns for substantial
numbers of research subjects beyond those presented by the usual
research involving biospecimens? How should the consent categories that
might be contained in the standardized consent form be defined (e.g. an
option to say yes-or-no to future research in general, as well as a
more specific option to say yes-or-no to certain specified types of
research)? Should individuals have the option of identifying their own
categories of research that they would either permit or disallow?
Question 51: If the requirement to obtain consent for all research
uses of biospecimens is implemented, how should it be applied to
biospecimens that are collected outside of the U.S. but are to be used
in research supported by a Common Rule agency? Should there be
different rules for that setting, and if so, what should they be?
Should they be based on the relevant requirements in the countries
where the biospecimens were collected?
Question 52: Should the new consent rules be applied only
prospectively, that is, should previously existing biospecimens and
data sets be ``grandfathered'' under the prior regulatory requirements?
If so, what are the operational issues with doing so?
Question 53: In cases in which consent for future research use is
not obtained at the time of collection, should there be a presumption
that obtaining consent for the secondary analysis of existing
biospecimens or identifiable data would be deemed impracticable, such
that consent could be waived, when more than a specified threshold
number of individuals are involved? (SACHRP provided the Secretary with
recommendations on this issue.\81\) If so, what threshold number should
constitute impracticability? Is the number of potential human subjects
the only measure of impracticability?
V. Strengthening Data Protections To Minimize Information Risks
Collection of identifiable data, as well as secondary analyses of
such data, poses informational risks. The assurance that identifiable
information will be safeguarded is important for an individual's
willingness to participate in research. Further, we recognize that
there is an increasing belief that what constitutes ``identifiable''
and ``de-identified'' data is fluid; rapidly evolving advances in
technology coupled with the increasing volume of data readily available
may soon allow identification of an individual from data that is
currently considered de-identified. In this sense, much of what is
currently considered de-identified is also potentially identifiable
data.
While there are currently some regulatory approaches that can be
used to safeguard and maintain the confidentiality of research
participants' information, such protections are limited in scope. The
HIPAA Privacy and Security Rules generally require safeguards for
individually identifiable health information and place limits and
conditions on the use and disclosure of such information. However, the
Rules only apply to researchers if they are part of a HIPAA covered
entity (e.g., a covered health care provider or health plan) and, to a
certain extent, to researchers that are business associates of a
covered entity.
Separate from the HIPAA Rules, the Privacy Act of 1974, as amended
(5 U.S.C. 552a \82\) binds Federal agencies to protect personally
identifiable information in their possession and control. It prohibits
the disclosure (without prior consent or notice) of records that are
retrieved by personal identifiers. In addition, there are other Federal
privacy provisions that may need to be considered, but all have a
limited scope. For example, Title 5 of the E-Government Act,\83\
entitled the ``Confidential Information Protection and Statistical
Efficiency Act of 2002,''(CIPSEA) provides additional protections for
confidential statistical
[[Page 44525]]
information collected by the Federal government. However, neither the
Privacy Act nor CIPSEA generally apply to grant-funded investigators
who are neither Federal employees nor contractors. (An additional
example is the Department of Justice's set of regulations for
protecting information collected in certain research and other
programs, at 28 CFR part 22.)
Furthermore, none of these statutes was written with an eye toward
the advances that have come in genetic and information technologies
that make complete de-identification of biospecimens impossible and re-
identification of sensitive health data easier. Certificates of
confidentiality may be issued upon request through the authority of HHS
(section 301(d) of the Public Health Service Act (42 U.S.C. 241(d)) to
any investigator conducting IRB-approved research that involves the
collection of sensitive and identifiable information. However,
certificates of confidentiality do not require investigators to refuse
to disclose identifying information; rather, they convey the legal
right to refuse to disclose. Certificates of confidentiality also do
not protect against unauthorized or accidental disclosures of
identifiable private information due to inadequate data security
procedures. The National Institute of Justice (NIJ) provides a
different model for privacy protection: all NIJ-funded investigators
collecting identifying information must apply for a privacy certificate
and are required to keep identifiable data confidential (28 CFR part
22).
Consequently, other fundamental protections for research
participants may be warranted beyond updating the requirements for
independent review and informed consent currently provided by the
Common Rule. As noted above (Section II(A)), a solution we are
considering is to mandate data security and information protection
standards that would apply to all research that collected, stored,
analyzed or otherwise reused identifiable or potentially identifiable
information. This would include research with biospecimens, survey
data, and research using administrative records as well as secondary
analysis of the data. However, we are considering applying these new
protections only to prospective collections of data and biospecimens
after the implementation of any changes to the Common Rule and not
retrospectively to research involving existing data, including stored
biospecimens and their subsequent analysis. Further, it is envisioned
that these data security and information protection standards would be
scaled appropriately to the level of identifiability of the data.
While the discussion below focuses on these data security and
information protection standards, we also are interested in whether
there are other changes that might be made to the Common Rule, such as
appropriate limitations on researchers' disclosure of identifiable or
potentially identifiable information, that would strengthen, and create
more uniformity in, the promises of confidentiality that currently
exist for human subjects.
A. Consistently Characterizing Information With Respect to Potential
for Identification
Currently, the HIPAA Privacy Rule's standards for identifiable and
de-identified information are not aligned with what is considered human
subjects research under the Common Rule. Under the Common Rule research
does not involve ``human subjects'' if the investigator does not obtain
data about individuals through an interaction or intervention or obtain
identifiable private information about individuals.\84\ Under the
regulatory definition of human subject, ``private information'' is
described as ``information about behavior that occurs in a context in
which the individual can reasonably expect that no observation or
recording is taking place, and information which has been provided for
specific purposes by an individual and which the individual can
reasonably expect will not be made public (for example, a medical
record).'' Private information is not considered to be identifiable
under the Common Rule if the identity of the subject is not or may not
be ``readily ascertained'' by the investigator from the information.
Under the HIPAA Privacy Rule, health information is de-identified and
thus exempt from the Rule, if it neither identifies nor provides a
reasonable basis to identify an individual.
The HIPAA Privacy Rule provides two ways to de-identify
information: (1) A formal determination by a qualified expert that the
risk is very small that an individual could be identified; or (2) the
removal of all 18 specified identifiers of the individual and of the
individual's relatives, household members, and employers, as long as
the covered entity has no actual knowledge that the remaining
information could be used to identify the individual (45 CFR
164.514(b)). Under these rules, some information that is not considered
identifiable under the Common Rule may be considered identifiable for
purposes of the HIPAA Privacy Rule, such as dates of service or zip
codes. However, to accommodate investigators' need to have access to
data elements such as these, the Privacy Rule also provides for a
limited data set to be used for research purposes, which is data that
has been stripped of direct identifiers but that may retain certain
elements, such as dates of service and zip codes (45 CFR
164.514(e)(2)). Because a limited data set is not considered fully de-
identified, the Privacy Rule requires that a covered entity enter into
a data use agreement with the investigator to prohibit the re-
identification of the information and to otherwise protect the
information.
We are considering adopting the HIPAA standards for purposes of the
Common Rule regarding what constitutes individually identifiable
information, a limited data set, and de-identified information, in
order to address inconsistencies regarding these definitions and
concepts between the HIPAA Privacy Rule and the Common Rule.
Furthermore, in light of emerging technologies and evolving
informational risks, it might be advisable to evaluate the set of
identifiers that must be removed for a data set to be considered ``de-
identified'' under both human subjects regulations and the HIPAA
Privacy Rule. Table 1 in Section II illustrates how the HIPAA Privacy
Rule's standards of identifiability would apply to the Excused category
of research involving pre-existing information or biospecimens.
Regardless of what information is removed, it is possible to
extract DNA from a biospecimen itself and potentially link it to
otherwise available data to identify individuals. Consequently, we are
considering categorizing all research involving the primary collection
of biospecimens as well as storage and secondary analysis of existing
biospecimens as research involving identifiable information (see Table
1, at the end of this section).
Comments and recommendations are requested on the following:
Question 54: Will use of the HIPAA Privacy Rule's standards for
identifiable and de-identified information, and limited data sets,
facilitate the implementation of the data security and information
protection provisions being considered? Are the HIPAA standards, which
were designed for dealing with health information, appropriate for use
in all types of research studies, including social and behavioral
research? If the HIPAA standards are not appropriate for all studies,
what standards would be more appropriate?
Question 55: What mechanism should be used to regularly evaluate
and to recommend updates to what is
[[Page 44526]]
considered de-identified information? Beyond the mere passage of time,
should certain types of triggering events such as evolutions in
technology or the development of new security risks also be used to
demonstrate that it is appropriate to reevaluate what constitutes de-
identified information?
Question 56: DNA extracted from de-identified biospecimens can be
sequenced and analyzed in other ways, with the results sometimes being
linked to other available data than may allow a researcher to identify
the persons whose specimens were being studied. How should Federal
regulations manage the risks associated with the possibility of
identification of such biospecimens? Should a human biospecimen be
considered identifiable in and of itself? What are the advantages and
disadvantages of considering all future research with biospecimens to
be research with identifiable information?
Question 57: Should some types of genomic data be considered
identifiable and, if so, which types (e.g., genome-wide SNP analyses or
whole genome sequences)?
B. Standards for Data Security and Information Protection
The goal of information protection is to prevent breach of
confidentiality through unauthorized access, inappropriate disclosure,
or re-identification at either the individual or in some cases the
subgroup level. Information that contains direct identifiers of
individuals poses a greater informational risk than does a limited data
set, which in turn poses a greater informational risk than de-
identified information.
As discussed in Section II(A), the majority of unauthorized
disclosures of identifiable health information from investigators occur
due to inadequate data security.\85\ IRB review or oversight of
research posing informational risks may not be the best way to minimize
the informational risks associated with data on human subjects.
Instead, informational risks may be best mitigated through compliance
with stringent standards for data security and information protection
that are effectively enforced through mechanisms such as periodic
random audits.
We are considering three specific requirements that could
strengthen the protections for research studies that pose informational
risks. First, research involving the collection and use of identifiable
data, as well as data in limited data set form, could be required to
adhere to data security standards modeled on the HIPAA Security
Rule.\86\ In particular, for research involving individually
identifiable information, all biospecimens, and limited data sets, data
security standards could require the use of reasonable and appropriate
encryption for data maintained or transmitted in electronic form and
strong physical safeguards for information maintained in paper form,
audit trails, and access controls that allow only authorized personnel
to have access to the information. Further, investigators would be
required to adhere to breach notification standards modeled on those
applied to HIPAA covered entities for breaches of individually
identifiable health information.\87\ For research using limited data
sets or de-identified information, investigators would be strictly
prohibited from attempting to re-identify the subjects of the
information. Requiring that investigators implement and adhere to these
standard data security and information protection measures would lessen
the need for investigators to enter into data use agreements to protect
the limited data set, as is currently required under the HIPAA Privacy
Rule. Because these mandatory protections would apply to all research
studies, it should not be necessary for IRBs to review studies posing
only informational risks or to consider informational risks in studies
involving other risks to human subjects.
Second, data could be considered de-identified or in limited data
set form even if investigators see the identifiers but do not record
them in the permanent research file. To de-identify information or
create limited data sets, many investigators have established complex
procedures for having ``trusted third parties'' remove identifiers
prior to passing on information to an investigator for a study. This
adds another level of complexity and suggests that third parties are
more trusted to protect information than investigators. If
investigators adhere to the standards for data security and information
protection there may be less need for these complex third party
relationships.
Third, to strengthen the enforcement mechanisms under the Common
Rule, we are considering providing for periodic random retrospective
audits, and additional enforcement tools.
Comments and recommendations are requested on any of the above
proposals under consideration and on the following specific questions:
Question 58: Should the new data security and information
protection standards apply not just prospectively to data and
biospecimens that are collected after the implementation of new rules,
but instead to all data and biospecimens? Would the administrative
burden of applying the rule to all data and biospecimens be
substantially greater than applying it only prospectively to newly
collected information and biospecimens? How should the new standards be
enforced?
Question 59: Would study subjects be sufficiently protected from
informational risks if investigators are required to adhere to a strict
set of data security and information protection standards modeled on
the HIPAA Rules? Are such standards appropriate not just for studies
involving health information, but for all types of studies, including
social and behavioral research? Or might a better system employ
different standards for different types of research? (We note that the
HIPAA Rules would allow subjects to authorize researchers to disclose
the subjects' identities, in circumstances where investigators wish to
publicly recognize their subjects in published reports, and the
subjects appreciate that recognition.)
Question 60: Is there a need for additional standardized data
security and information protection requirements that would apply to
the phase of research that involves data gathering through an
interaction or intervention with an individual (e.g. during the
administration of a survey)?
Question 61: Are there additional data security and information
protection standards that should be considered? Should such mandatory
standards be modeled on those used by the Federal government (for
instance, the National Institute of Standards and Technology recently
issued a ``Guide to Protecting the Confidentiality of Personally
Identifiable Information.'')?
Question 62: If investigators are subject to data security and
information protection requirements modeled on the HIPAA Rules, is it
then acceptable for HIPAA covered entities to disclose limited data
sets to investigators for research purposes without obtaining data use
agreements?
Question 63: Given the concerns raised by some that even with the
removal of the 18 HIPAA identifiers, re-identification of de-identified
datasets is possible, should there be an absolute prohibition against
re-identifying de-identified data?
Question 64: For research involving de-identified data, is the
proposed prohibition against a researcher re-identifying such data a
sufficient protection, or should there in some instances be
requirements preventing the researcher from disclosing the de-
identified data to, for example, third
[[Page 44527]]
parties who might not be subject to these rules?
Question 65: Should registration with the institution be required
for analysis of de-identified datasets, as was proposed in Section
II(B)(3) for Excused research, so as to permit auditing for
unauthorized re-identification?
Question 66: What entity or entities at an institution conducting
research should be given the oversight authority to conduct the audits,
and to make sure that these standards with regard to data security are
being complied with? Should an institution have flexibility to
determine which entity or entities will have this oversight
responsibility for their institution?
Table 1--Proposal for the Excused Category of Research Involving Pre-Existing Information or Biospecimens
----------------------------------------------------------------------------------------------------------------
De-identified
Identifiable Limited data set (as information (as
information and all defined in the HIPAA defined in the HIPAA
biospecimens Privacy Rule) Privacy Rule)
----------------------------------------------------------------------------------------------------------------
Written consent required for future Yes, which could be No consent required.... No consent required.
research with material collected for obtained in connection
non-research purposes?. with the initial
collection.
Consent for future research with Yes. Consent for future Yes. Same rule as for Yes. Same rule as for
material collected for research research typically ``Identifiable ``Identifiable
purposes?. obtained at the same Information and All Information and All
time as consent for Biospecimens''. Biospecimens.''
initial research
(which, for data,
could be oral when
oral consent was
permissible for the
initial collection).
Standardized Data Protections?*...... Yes. Protections would Yes. Same rule as for Yes. Protection would
include encryption, ``Identifiable include prohibition on
use only by authorized Information and All re-identification.
personnel with audit Biospecimens'' plus a
tracing, prompt breach prohibition against re-
notification, and identification.
periodic retrospective
random audits.
Registration of research with IRB or Yes.................... Yes.................... No.
research office?.
Prior Review by IRB or research No, unless No..................... No.
office? investigators plan to
re-contact subjects
with their individual
research results.
----------------------------------------------------------------------------------------------------------------
* These data protections are discussed in the context of secondary research uses of biospecimens and data, which
present mostly informational risks, rather than physical risks, to participants. However, as indicated
elsewhere in this ANPRM, informational risks will always be present where data and biospecimens are collected,
thus requiring these data protections to be applied to any such research.
VI. Data Collection To Enhance System Oversight
Research agencies collect various types of safety data with the
common goal of protecting human subjects. However, individual agency
requirements for reporting such data vary. This has resulted in
variations between agencies regarding their policies and requirements
for the reporting of such data. For example, the Common Rule does not
require investigators to report ``adverse events'', but rather
references ``unanticipated problems involving risks to subjects or
others.'' The relationship of ``unanticipated problems'' to ``adverse
events'' historically has been unclear. Furthermore, there are some
agencies that do require the reporting of many ``adverse events''
beyond those that constitute ``unanticipated problems.'' Those
reporting requirements often utilize variable definitions of what
constitutes such an event and require these reports on different
timeframes and on various templates utilizing inconsistent vocabularies
describing the severity and nature of these events.
The adverse event data collected by each agency are stored and
maintained in separate datasets. The lack of connectivity and
interoperability inhibits the conduct of integrated analyses and
comparative studies about the frequency and severity of adverse events.
Similarly, current policy requirements and current data collection
practices do not foster the collection of data about the numbers of
participants in various areas of research--information that is needed
for characterizing the magnitude and severity of any risks.
We are considering a number of changes to improve the current
system for the real-time prompt collection of such data. These changes
are intended to simplify and consolidate the reporting of information
that is already required to be promptly reported by an investigator,
and not to expand the information that has to be reported. These
changes involve (1) Using a standardized, streamlined set of data
elements that nonetheless are flexible enough to enable customized
safety reporting and compliance with most Federal agency reporting
requirements; (2) implementing a prototype of a Web-based, Federal-wide
portal (already developed by NIH, FDA, and 4 other Federal agencies)
that would build on these data elements and allow investigators to
submit electronically certain pre- and post-market safety data and
automatically have it delivered to appropriate agencies and oversight
bodies; and (3) harmonizing safety reporting guidance across all
Federal agencies, including harmonizing terminology and clarifying the
scope and timing of such reports. In addition to these changes, the
Federal government is also considering creating a central Web-based
repository to house a great deal of the information collected through
the portal.
These innovations create the possibility of eliminating much of the
existing multiplicity of different and confusing reporting mechanisms,
and could foster greater uniformity and comparability among the safety
information that gets reported. Consolidation of data reported using
consistent vocabularies and terms would allow for more powerful and
meaningful analyses of safety information across types of research
studies than are possible at present.
Comments and recommendations are requested on any of the above
proposals
[[Page 44528]]
under consideration and on the following specific questions:
Question 67: Is the scope of events that must be reported under
current policies, including the reporting of certain ``unanticipated
problems'' as required under the Common Rule, generally adequate?
Question 68: With regard to data reported to the Federal
government:
a. Should the number of research participants in Federally funded
human subjects research be reported (either to funding agencies or to a
central authority)? If so, how?
b. What additional data, not currently being collected, about
participants in human subjects research should be systematically
collected in order to provide an empirically-based assessment of the
risks of particular areas of research or of human subjects research
more globally?
c. To what types of research should such a requirement apply (e.g.,
interventional studies only; all types of human subjects research,
including behavioral and social science research)? In addition, are
there other strategies and methods that should be implemented for
gathering information on the effectiveness of the human subjects
protection system?
Question 69: There are a variety of possible ways to support an
empiric approach to optimizing human subjects protections. Toward that
end, is it desirable to have all data on adverse events and
unanticipated problems collected in a central database accessible by
all pertinent Federal agencies?
Question 70: Clinical trials assessing the safety and efficacy of
FDA-regulated medical products (i.e., phase II through IV studies) are
generally required to register and, following study completion, report
summary results, including adverse events, in the publicly accessible
database ClinicalTrials.gov. Is the access to information on individual
studies provided by this resource sufficiently comprehensive and timely
for the purposes of informing the public about the overall safety of
all research with human participants?
VII. Extension of Federal Regulations
Currently, an institution engaged in non-exempt human subjects
research conducted or supported by any Federal department or agency
that has adopted the Common Rule is required to hold an OHRP-approved
Federalwide Assurance (FWA) or another assurance of compliance approved
by the department or agency conducting or supporting the research. The
FWA mandates the application of the Common Rule only to certain
Federally funded research projects. Most institutions voluntarily
extend the applicability of their FWAs to all the research conducted at
their institutions, even research not conducted or supported by one of
the Federal departments or agencies that have adopted the Common Rule.
However, such extension is not required.
The IOM and NBAC, among many others, have called for legislation
that would extend the Common Rule protections to all research with
human subjects conducted in the U.S., regardless of funding source.
We are considering an alternative regulatory proposal to partially
fulfill this goal: requiring domestic institutions that receive some
Federal funding from a Common Rule agency for research with human
subjects to extend the Common Rule protections to all research studies
conducted at their institution.
Comments and recommendations are requested on the following:
Question 71: Should the applicability of the Common Rule be
extended to all research that is not Federally funded that is being
conducted at a domestic institution that receives some Federal funding
for research with human subjects from a Common Rule agency?
VIII. Clarifying and Harmonizing Regulatory Requirements and Agency
Guidance
From the outset of the development of the Common Rule, the
importance of consistency across the Federal government has been
recognized. In May 1982, the Chairman of the Federal Coordinating
Council for Science, Engineering, and Technology appointed an Ad Hoc
Committee for the Protection of Human Research Subjects. In
consultation with OSTP and the Office of Management and Budget, the Ad
Hoc Committee agreed that uniformity is desirable among departments and
agencies to eliminate unnecessary regulation and to promote increased
understanding and ease of compliance by institutions that conduct
Federally supported or regulated research involving human subjects. By
1991, 15 Federal departments and agencies had adopted the Common Rule.
However, each of the departments and agencies that have adopted the
Common Rule may issue its own guidance regarding the protection of
human subjects. Consequently, there are variations in the guidances
issued.
In addition, other Federal laws and regulations have been enacted
that relate to the protection of human subjects, most prominently, the
research provisions of the HIPAA Privacy Rule. However, since the HIPAA
regulations were developed mainly for the clinical context,\88\ the
rules are inconsistent with the Common Rule in certain areas. As noted
above, one such inconsistency is the definition of identifiable data
and another is the manner in which the two rules treat consent for
future research.
Currently, there are multiple efforts to address such variation in
guidance across the Federal government. The Common Rule departments and
agencies have procedures for sharing proposed guidance before it is
adopted. FDA and OHRP have been working closely on enhancing
harmonization of guidance.
As the label of the Common Rule suggests, there seems to be a
compelling case for consistency across Federal departments and agencies
regarding guidance on the protections of human subjects. Nevertheless,
there are arguments in favor of some departments or agencies imposing
specific requirements, apart from the Common Rule, that are tailored to
certain types of research. The various agencies that oversee the
protection of human subjects range from regulatory agencies, to those
agencies and departments that conduct research, to those that support
and sponsor research. In addition, in some cases, statutory differences
among the agencies have resulted in different regulatory requirements
and agency guidances. Not only do the agencies have different
relationships to the research, they oversee very different types and
phases of research and thus there may be reasonable justifications for
differences in guidance. Moreover, achieving consensus across the
entire Federal government may be arduous, preventing timely issuance of
guidance.
Comments and recommendations are requested on the following:
Question 72: To what extent do the differences in guidance on
research protections from different agencies either strengthen or
weaken protections for human subjects?
Question 73: To what extent do the existing differences in guidance
on research protections from different agencies either facilitate or
inhibit the conduct of research domestically and internationally? What
are the most important such differences influencing the conduct of
research?
Question 74: If all Common Rule agencies issued one set of
guidance, would research be facilitated both domestically and
internationally? Would a single set of guidance be able to adequately
address human subjects protections in diverse populations and
[[Page 44529]]
contexts, and across the broad range of research contexts (including
biomedical, national security, education and other types of social and
behavioral research)?
IX. Agency Request for Information
When submitting responses to the specific questions asked in this
notice, please cite the specific question by number.
In addition to the specific solicitation of comments throughout
this ANPRM, general comment is invited on the current system of
protections for human research subjects as implemented through the
Common Rule, the HIPAA Privacy and Security Rules, and any other rules,
regulations or guidance documents. In particular, comments are sought
not only on ways to improve the efficiency of the current system, but
about circumstances in which the protections provided by the current
system might be inadequate and in need of supplementation or change in
order to make sure that subjects are receiving appropriate protections.
Dated: July 20, 2011.
John Holdren,
Director, Office of Science Technology and Policy.
Kathleen Sebelius,
Secretary, HHS.
\1\ The Federal Policy for the Protection of Human Subjects or
the ``Common Rule'' was published in 1991 and codified in separate
regulations by 15 Federal departments and agencies, as listed below
(each agency includes in its chapter of the Code of Federal
Regulations [CFR] section numbers and language that are identical to
those of 45 CFR part 46, subpart A).
These agencies included the Department of Agriculture (7 CFR
part 1c), Department of Commerce (15 CFR part 27), Department of
Defense (32 CFR part 219), Department of Education (34 CFR part 97),
Department of Energy (10 CFR part 745), Department of Health and
Human Services (45 CFR part 46 subpart A), Department of Housing and
Urban Development (24 CFR part 60), Department of Justice (28 CFR
part 46), Department of Veterans Affairs (38 CFR part 16),
Department of Transportation (49 CFR part 11), Consumer Product
Safety Commission (16 CFR part 1028), Environmental Protection
Agency (40 CFR part 26), Agency for International Development (22
CFR part 225), National Aeronautics and Space Administration (14 CFR
part 1230), National Science Foundation (45 CFR part 690).
In addition, the Central Intelligence Agency must comply with
all subparts of 45 CFR part 46 under Executive Order 12333, and in
accordance with the Intelligence Reform and Terrorism Protection Act
of 2004 (Pub. L. 108-458, Section 8306), the Department of Homeland
Security adopted policies implementing the protections for human
research subjects under 45 CFR part 46 for research it conducts or
supports.
For all participating departments and agencies the Common Rule
outlines the basic provisions for IRBs, informed consent, and
Assurances of Compliance. HHS has developed additional regulations
for the human subjects research it conducts or supports that apply
to particular special populations: 45 CFR part 46 subparts B-D apply
to research involving pregnant women, human fetuses, and neonates
(subpart B), prisoners (subpart C), and children (subpart D).
\2\ Congressional Budget Office. Research and Development in the
Pharmaceutical Industry. October 2006.
\3\ Federman DD, Hanna KE, Rodriguez LL, eds. Responsible
Research: A Systems Approach to Protecting Research Participants.
Washington, DC: National Academies Press; 2002.
\4\ Nass SJ, Levit LA, Gostin LO, eds. Beyond the HIPAA Privacy
Rule: Enhancing Privacy, Improving Health Through Research.
Washington, DC: National Academies Press; 2009.
\5\ Human Subjects Research: HHS Takes Steps to Strengthen
Protections, But Concerns Remain. GAO-01-775T, May 23, 2001.
\6\ Scientific Research: Continued Vigilance Critical to
Protecting Human Subjects. T-HEHS-96-102, Mar 12, 1996
\7\ Scientific Research: Continued Vigilance Critical to
Protecting Human Subjects. HEHS-96-72, Mar 8, 1996.
\8\ Kim S, Ubel P, De Vries R. Pruning the regulatory tree: For
human-subjects research, maximum regulation does not mean maximum
protection. Nature 2009;457:534-535.
\9\ Emanuel EJ, Wood A, Fleischman A, et al. Oversight of human
participants research: Identifying problems to evaluate reform
proposals. Ann Int Med 2004;141(4):282-291.
\10\ Lynn J, Baily MA, Bottrell M, et al. The ethics of using
quality improvement methods in health care. Ann Int Med
2007;146(9):666-673.
\11\ National Bioethics Advisory Commission, Ethical and Policy
Issues in Research Involving Human Participants. Bethesda, MD; 2001.
\12\ Executive Order, Improving Regulation and Regulatory
Review. January 18, 2011.
\13\ Wendler D, Varma S. Minimal risk in pediatric research. J
Peds 2006;149:855-861.
\14\ Kim S, Ubel P, De Vries R. Pruning the regulatory tree: For
human-subjects research, maximum regulation does not mean maximum
protection. Nature 2009;457:534-535.
\15\ Center for Advanced Study. The Illinois White Paper:
Improving the System for Protecting Human Subjects: Counteracting
IRB ``Mission Creep.'' 2005.
\16\ American Association of University Professors. Academic
Freedom and the Institutional Review Board. 2006.
\17\ Kim S, Ubel P, De Vries R. Pruning the regulatory tree: For
human-subjects research, maximum regulation does not mean maximum
protection. Nature 2009;457:534-535.
\18\ National Research Council, Protecting Participants and
Facilitating Social and Behavioral Sciences Research. Washington,
DC: National Academies Press; 2003.
\19\ Center for Advanced Study. The Illinois White Paper:
Improving the System for Protecting Human Subjects: Counteracting
IRB ``Mission Creep.'' 2005.
\20\ Schrag Z. Ethical Imperialism. Baltimore, MD: Johns Hopkins
University Press; 2010.
\21\ Schrag ZM. How talking became human subjects research: The
federal regulation of the social sciences. J Policy History
2009;21(01):3.
\22\ Bledsoe CH, Sherin B, Galinsky AG, et al. Regulating
creativity: Research and survival in the IRB iron cage. Northwestern
U L Rev 2007;101:593-641.
\23\ Emanuel EJ, Wood A, Fleischman A, et al. Oversight of human
participants research: Identifying problems to evaluate reform
proposals. Ann Int Med 2004;141(4):282-291.
\24\ Albala I, Doyle M, Appelbaum PS. The evolution of consent
forms for research: A quarter century of changes. IRB: Ethics &
Human Research 2010;32(3):7-11.
\25\ Paasche-Orlow MK, Taylor HA, Brancati F. Readability
standards for informed-consent forms as compared with actual
readability. N Engl J Med 2003;348:721-726.
\26\ Sharp MS. Consent documents for oncology trials: Does
anybody read these things? Am J Clin Onc 2004;27:570-575.
\27\ Levine RJ. Informed consent: Some challenges to the
universal validity of the western model. J Law Med Ethics 1991;19(3-
4):207-213.
\28\ Cribb R. Ethical regulation and humanities research in
Australia: Problems and consequences. Monash Bioethics Rev
2004;23(3):39-57.
\29\ Wertz DC. Public Perceptions: Surveys of Attitudes Toward
Biotechnology. In: Murray TH, Mehlman MJ, eds. Encyclopedia of
Ethical, Legal and Policy Issues in Biotechnology. John Wiley &
Sons; 2002.
\30\ 45 CFR part 160 and 45 CFR part 164, subparts A and E.
\31\ http://www.justice.gov/opcl/privstat.htm; and http://www.justice.gov/opcl/1974privacyact-overview.htm.
\32\ Coleman CH, Bou[euml]sseau MC. How do we know that research
ethics committees are really working? The neglected role of outcomes
assessment in research ethics review. BMC Med Ethics 2008;9:6.
\33\ Steinbrook R. Improving protection for research subjects. N
Engl J Med 2002;346:1425-1430.
\34\ Nass SJ, Levit LA, Gostin LO, eds. Beyond the HIPAA Privacy
Rule: Enhancing Privacy, Improving Health Through Research.
Washington, DC: National Academies Press; 2009.
\35\ Pritts JL. The Importance and Value of Protecting the
Privacy of Health Information: The Roles of the HIPAA Privacy Rule
and the Common Rule in Health Research. 2008. http://www.iom.edu/~/
media/Files/Activity%20Files/Research/HIPAAandResearch/
PrittsPrivacyFinalDraftweb.ashx.
\36\ Any references in this notice to the ``Common Rule,''
unless otherwise specified, should be understood as including the
relevant portions of the FDA regulations.
\37\ 76 FR 11482, March 2, 2011.
\38\ 45 CFR 46.110.
\39\ 45 CFR 46.101(b).
[[Page 44530]]
\40\ http://answers.hhs.gov/ohrp/categories/1564.
\41\ Cann CI, Rothman KJ. IRBs and epidemiological research: How
inappropriate restrictions hamper studies. IRB 1984;6(4):5-7.
\42\ Silverman H, Hull SC, Sugarman J. Variability among
institutional review boards' decisions within the context of a
multicenter trial. Crit Care Med.2001;29:235-241.
\43\ Dziak K, Anderson R, Sevick MA, Weisman CS, Levine DW,
Scholle SH. Variations among institutional review board reviews in a
multisite health services research study. Health Services Res
2005;40:279-290.
\44\ Hirshon JM, Krugman SD, Witting MD et al. Variability in
institutional review board assessment of minimal-risk research. Acad
Emerg Med 2002;9:1417-1420.
\45\ Federman DD, Hanna KE, Rodriguez LL, eds. Responsible
Research: A Systems Approach to Protecting Research Participants.
Washington, DC: National Academies Press; 2002.
\46\ Nass SJ, Levit LA, Gostin LO, eds. Beyond the HIPAA Privacy
Rule: Enhancing Privacy, Improving Health Through Research.
Washington, DC: National Academies Press; 2009.
\47\ Green LA, Lowery JC, Kowalski CP, Wyszewianski L. Impact of
institutional review board practice variation on observational
health services research. Health Serv Res 2006;41:214-230.
\48\ 45 CFR 46.102(i).
\49\ Hirshon JM, Krugman SD, Witting MD et al. Variability in
institutional review board assessment of minimal-risk research. Acad
Emerg Med 2002;9:1417-1420.
\50\ Gawande A. A Lifesaving Checklist. New York Times, December
30, 2007.
\51\ Lynn J, Baily MA, Bottrell M, et al. The ethics of using
quality improvement methods in health care. Ann Int Med
2007;146(9):666-673.
\52\ Kimmelman J. Valuing risk: The ethical review of clinical
trial safety. Kennedy Inst Ethics J 2004;14:369-93.
\53\ Schrag Z. Ethical Imperialism. Baltimore, MD: Johns Hopkins
University Press; 2010:45-46, 70-71.
\54\ Dziak K, Anderson R, Sevick MA, Weisman CS, Levine DW,
Scholle SH. Variations among institutional review board reviews in a
multisite health services research study. Health Services Res
2005;40:279-290.
\55\ Emanuel EJ, Wood A, Fleischman A, et al. Oversight of human
participants research: Identifying problems to evaluate reform
proposals. Ann Int Med 2004;141(4):282-291.
\56\ Jansen LA. Local IRBs, multicenter trials, and the ethics
of internal amendments. IRB,2005;27(4):7-11.
\57\ https://www.aamc.org/initiatives/clinicalresearch/irbreview/.
\58\ Infectious Disease Society of America. Grinding to a halt:
The effects of the increasing regulatory burden on research and
quality improvement efforts. Clin Infect Dis 2009;49:328-35.
\59\ http://www.fda.gov/downloads/RegulatoryInformation/Guidances/UCM127013.pdf.
\60\ For general requirements for informed consent see 45 CFR
46.116 and 21 CFR 50.25. There are provisions under 45 CFR part 46,
subpart A, that allow for the waiver of some or all of the elements
of informed consent. (See Sec. Sec. 46.116(c) and 46.116.(d)).
FDA's statute limits the circumstances under which informed consent
can be waived. Thus, FDA regulations contain only two exceptions
from informed consent under 21 CFR 50.23 and 50.24.
\61\ Menikoff J, Richards E. What the Doctor Didn't Say: The
Hidden Truth about Medical Research. New York, NY: Oxford University
Press; 2006:113-123.
\62\ Menikoff J, Richards E. What the Doctor Didn't Say: The
Hidden Truth about Medical Research. New York, NY: Oxford University
Press; 2006:113-123.
\63\ Albala I, Doyle M, Appelbaum PS. The evolution of consent
forms for research: A quarter century of changes. IRB 2010;32(3):7-
11.
\64\ Schneider CE. The Hydra. Hastings Center Rep 2010;40(4):9-
11.
\65\ Paasche-Orlow MK, Taylor HA, Brancati F. Readability
standards for informed-consent forms as compared with actual
readability. N Engl J Med 2003;348:721-726.
\66\ Goldstein AO, Frasier P, Curtis P, Reid A, Kreher NE.
Consent form readability in university-sponsored research. J Fam
Pract 1996;42:606-611.
\67\ Philipson SJ, Doyle MA, Gabram SG, Nightingale C, Philipson
EH. Informed consent for research: a study to evaluate readability
and processability to effect change. J Investig Med 1995;43:459-467.
\68\ Green LA, Lowery JC, Kowalski CP, Wyszewianski L. Impact of
institutional review board practice variation on observational
health services research. Health Serv Res 2006;41:214-230.
\69\ Under 45 CFR 46.116(c), an IRB may approve a consent
procedure which does not include, or which alters, some or all of
the elements of informed consent otherwise required under 45 CFR
part 46, or waive the requirement to obtain informed consent
provided the IRB finds and documents that: (1) The research or
demonstration project is to be conducted by or subject to the
approval of state or local government officials and is designed to
study, evaluate, or otherwise examine: (i) public benefit or service
programs; (ii) procedures for obtaining benefits or services under
those programs; (iii) possible changes in or alternatives to those
programs or procedures; or (iv) possible changes in methods or
levels of payment for benefits or services under those programs; and
(2) The research could not practicably be carried out without the
waiver or alteration.
Under 45 CFR 46.116(d), an IRB may approve a consent procedure
which does not include, or which alters, some or all of the elements
of informed consent otherwise required under 45 CFR part 46, or
waive the requirements to obtain informed consent provided the IRB
finds and documents that: (1) The research involves no more than
minimal risk to the subjects; (2) The waiver or alteration will not
adversely affect the rights and welfare of the subjects; (3) The
research could not practicably be carried out without the waiver or
alteration; and (4) Whenever appropriate, the subjects will be
provided with additional pertinent information after participation.
\70\ Green LA, Lowery JC, Kowalski CP, Wyszewianski L. Impact of
institutional review board practice variation on observational
health services research. Health Serv Res 2006;41:214-230.
\71\ Sanders AB, Hiller K, Duldner J. Researchers' understanding
of the federal guidelines for waiver of and exception from informed
consent. Acad Emerg Med 2005;12:1045-1049.
\72\ http://www.dhhs.gov/ohrp/sachrp/sachrpletter013108.html.
\73\ Nass SJ, Levit LA, Gostin LO, eds. Beyond the HIPAA Privacy
Rule: Enhancing Privacy, Improving Health Through Research.
Washington, DC: National Academies Press; 2009.
\74\ Skloot R. The Immortal Life of Henrietta Lacks. New York:
Crown Publishers; 2010.
\75\ Furness PN. One-time general consent for research on
biological samples: Good idea, but will it happen? BMJ
2006;332(7542):665.
\76\ Anderlik M. Commercial biobanks and genetic research:
ethical and legal issues. Am J Pharmacogenomics. 2003;3:203-215.
\77\ Hansson MG, Dillner J, Bartram CR, Carlson JA, Helgesson
G.Should donors be allowed to give broad consent to future biobank
research?. Lancet Oncol 2006;7:266-269.
\78\ Wendler D. One-time general consent for research on
biological samples: is it compatible with the health insurance
portability and accountability act? Arch Intern Med.2006;166:1449-
1452.
\79\ Murphy J, Scott J, Kaufman D, Geller G, LeRoy L, Hudson K.
Public perspectives on informed consent for biobanking. Am J Public
Health 2009;99:2128-2134.
\80\ Kaufman DJ, Murphy-Bollinger J, Scott J, Hudson KL. Public
opinion about the importance of privacy in biobank research, Am J
Human Genet 2009;85:643-654.
\81\ Secretary's Advisory Committee on Human Research
Protections. SACHRP letter to HHS Secretary. January 31, 2008.
http://www.dhhs.gov/ohrp/sachrp/sachrpletter013108.html.
\82\ Privacy Act of 1974, as amended. http://www.justice.gov/opcl/privstat.htm; and Department of Justice, Office of Privacy and
Civil Liberties. Overview of the Privacy Act of 1974. http://www.justice.gov/opcl/1974privacyact-overview.htm.
\83\ Pub. L. 107-347. http://www.whitehouse.gov/sites/default/files/omb/assets/omb/inforeg/cipsea/cipsea_statute.pdf and Office
of Management and Budget. Implementation Guidance for Title V of the
E-Government Act, Confidential Information Protection and
Statistical Efficiency Act of 2002. http://www.whitehouse.gov/sites/default/files/omb/assets/omb/fedreg/2007/061507_cipsea_guidance.pdf.
\84\ 45 CFR 46.102(f).
\85\ Nass SJ, Levit LA, Gostin LO, eds. Beyond the HIPAA Privacy
Rule: Enhancing Privacy, Improving Health Through Research.
Washington, DC: National Academies Press; 2009.
\86\ 45 CFR part 160 and 45 CFR part 164, subparts A and C.
[[Page 44531]]
\87\ 45 CFR part 160 and 45 CFR part 164, subparts A and D.
\88\ The Common Rule evolved from a long series of measures
designed to protect individual research subjects from physical and
mental harm. In contrast, the HIPAA Privacy Rule evolved from data
protection standards such as the Fair Information Practices. See
Pritts JL (2008). The Importance and Value of Protecting the Privacy
of Health Information: The Roles of the HIPAA Privacy Rule and the
Common Rule in Health Research.
[FR Doc. 2011-18792 Filed 7-22-11; 11:15 am]
BILLING CODE 4150-28-P