This presentation discusses the current regulatory oversight for human subjects research, including 45 CFR 46, HIPAA, and FDA regulations. It explores the risks inherent in research and the responsibilities of institutions, IRBs, and researchers in ensuring data security. Collaboration issues and industry use of clinical trial data are also addressed.
Data, Security and Human Subjects Research Deborah Barnard, MS
Deb Barnard • Director, Research Compliance and Regulatory Affairs • The Children’s Hospital of Philadelphia The opinions expressed during this presentation are mine.
Current Regulatory Oversight 45 CFR 46 • (Common Rule: 15 federal agencies follow these regulations) 21 CFR 50 21 CFR 56 21 CFR 312 21 CFR 812 • (the above are FDA regulations) HIPAA • (research involving protected health information)
Common Rule, FDA, HIPAA • Common Rule – specifically for federally funded research, but most institutions use it for research that does not receive federal funds as well as applying it as intended • FDA regulations – for FDA-regulated agents • HIPAA – added additional and in some cases identical regulations and requirements; in some cases HIPAA has added links between subjects and their data where previously the IRB had been able to disconnect those links
Risks are inherent in Research A fact that is anticipated among the criteria for IRB approval: (1) Risks to subjects are minimized: (i) By using procedures which are consistent with sound research design and which do not unnecessarily expose subjects to risk, and (ii) whenever appropriate, by using procedures already being performed on the subjects for diagnostic or treatment purposes.
Selected additional requirements for approval (2) Risks to subjects are reasonable in relation to anticipated benefits, if any, to subjects, and the importance of the knowledge that may reasonably be expected to result… (7) When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data. The Institution, the IRB, and the researchers are all equally responsible for the oversight of the research. Regulations do not prohibit evil doers, bad PIs, or bad IRBs.
In order to approve research The IRB must determine that all 7 criteria have been satisfied. With regard to data security the IRB might consider: • Which data need protection? • What are the risks related to exposure? • From whom are we protecting these data?
Sources for answers about Risk The IRB relies to some degree on the Researcher to provide reasonable solutions and also for an assessment of the risk. IRBs can also seek opinions from experts outside the IRB. Institutions review ongoing studies to assure that agreed upon and approved processes are in place. Data ‘security’ may still be as simple as a password-protected Excel spreadsheet or as complex as encrypted data sets.
Collaboration Across Institutions Different interpretations of the regulatory requirements and related risks are leading to difficulties across institutions. We have researchers who are stymied because the collaborator’s IRB disagrees with our IRB about the degree of risk in the study, or wants additional safeguards. Likewise, our IRB has had these same issues. Complex regulatory requirements can lead to different interpretations. Concise guidance documents are needed.
Industry Use of Clinical Trial Data Drug companies are now demanding future use clauses without subject permission. Companies say if subjects don’t want to participate in the study because of this issue, then subjects can decline participation.
As a Consumer I shop on the website Lego.com for a birthday gift. Later that day I am on NYT.com to read an article - there is an ad for LEGOs on the NYT webpage. Shortly after I turned 50, I received a catalog from a place I had never shopped. The catalog featured items for ‘mature women’. Commercial entities seem to have ever increasing access to our personal information.
Excerpt from NYT article Facebook makes money by selling ad space to companies that want to reach us. Advertisers choose key words or details — like relationship status, location, activities, favorite books and employment — and then Facebook runs the ads for the targeted subset of its 845 million users. NYT By LORI ANDREWS Published: February 4, 2012
Proposed Changes to the Common Rule Proposal to specify data security protections because IRBs are not capable of doing so. • What proof is there that IRBs are not capable? • Who decides what’s reasonable? • What about relative risk? If these data/specimens expose the subject to minimal risk – why so much security? Proposal to require all future use by consent only – even when there are no identifiers • What value are we adding?
Proposed Changes to the Common Rule The proposal is to change exemption to require that ‘research that might propose informational risk to subjects should adhere to reasonable data security protections’. By definition, research that proposed such risk would not be eligible for exemption. Adding complex requirements sets us all up for failure.
Appropriate safeguards exist The introduction of new and increasing regulations around security does not necessarily minimize risk. Such rules do not stop evil doers, ‘bad’ IRBs, ‘bad’ PIs. Adding complexity or additional and complex regulations will continue to promote different interpretation and application of regulations. We need well considered, well written guidelines.