Data, Security and Human Subjects Research Deborah Barnard, MS

Post on 13-Jan-2016


Deb Barnard

• Director, Research Compliance and Regulatory Affairs

• The Children’s Hospital of Philadelphia

The opinions expressed during this presentation are mine.

Current Regulatory Oversight

• 45 CFR 46 (Common Rule: 15 federal agencies follow these regulations)

• 21 CFR 50

• 21 CFR 56

• 21 CFR 312

• 21 CFR 812

(the above are FDA regulations)

• HIPAA (research involving protected health information)

Common Rule, FDA, HIPAA

• Common Rule – written specifically for federally funded research, but most institutions also apply it to research that does not receive federal funds

• FDA regulations for FDA-regulated agents

• HIPAA – added additional, and in some cases identical, regulations and requirements; in some cases HIPAA has added links between subjects and their data where previously the IRB had been able to disconnect those links

A fact that is anticipated among the criteria for IRB approval: (1) Risks to subjects are minimized: (i) By using procedures which are consistent with sound research design and which do not unnecessarily expose subjects to risk, and (ii) whenever appropriate, by using procedures already being performed on the subjects for diagnostic or treatment purposes.

Risks are inherent in Research

Selected additional requirements for approval

• (2) Risks to subjects are reasonable in relation to anticipated benefits, if any, to subjects, and the importance of the knowledge that may reasonably be expected to result…

• (7) When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.

The Institution, the IRB, and the researchers are all equally responsible for the oversight of the research.

Regulations do not prohibit evil doers, bad PIs, or bad IRBs.

In order to approve research

The IRB must determine that all 7 criteria have been satisfied.

With regard to data security the IRB might consider:

• Which data need protection?

• What are the risks related to exposure?

• From whom are we protecting these data?

Sources for answers about Risk

The IRB relies to some degree on the Researcher to provide reasonable solutions and also for an assessment of the risk.

IRBs can also seek opinions from experts outside the IRB

Institutions review ongoing studies to assure that agreed upon and approved processes are in place.

Data ‘security’ may still be as simple as a password-protected Excel spreadsheet or as complex as encrypted data sets.

Collaboration Across Institutions

Different interpretations of the regulatory requirements and related risks are leading to difficulties across institutions.

We have researchers who are stymied because the collaborator’s IRB disagrees with our IRB about the degree of risk in the study, or wants additional safeguards. Likewise, our IRB has had these same issues.

Complex regulatory requirements can lead to different interpretations. Concise guidance documents are needed.

Industry Use of Clinical Trial Data

Drug companies are now demanding future use clauses without subject permission.

Companies say if subjects don’t want to participate in the study because of this issue, then subjects can decline participation.

As a Consumer

I shop on the website Lego.com for a birthday gift. Later that day I am on NYT.com to read an article - there is an ad for LEGOs on the NYT webpage.

Shortly after I turned 50, I received a catalog from a place I had never shopped. The catalog featured items for ‘mature women’.

Commercial entities seem to have ever increasing access to our personal information.

Data Brokers

For a few dollars you can get a lot

Excerpt from NYT article

Facebook makes money by selling ad space to companies that want to reach us. Advertisers choose key words or details — like relationship status, location, activities, favorite books and employment — and then Facebook runs the ads for the targeted subset of its 845 million users.

NYT By LORI ANDREWS

Published: February 4, 2012

Proposed Changes to the Common Rule

Proposal to specify data security protections because IRBs are not capable of doing so.

• What proof is there that IRBs are not capable?

• Who decides what’s reasonable?

• What about relative risk? If these data/specimens expose the subject to minimal risk – why so much security?

Proposal to require all future use by consent only – even when there are no identifiers

• What value are we adding?

Proposed Changes to the Common Rule

• The proposal is to change exemption to require that ‘research that might propose informational risk to subjects should adhere to reasonable data security protections’.

• By definition research that proposed such risk would not be eligible for exemption.

• Adding complex requirements sets us all up for failure.

Appropriate safeguards exist

The introduction of new and increasing regulations around security does not necessarily minimize risk.

Such rules do not stop evil doers, ‘bad’ IRBs, ‘bad’ PIs.

Adding complexity or additional and complex regulations will continue to promote different interpretation and application of regulations.

We need well considered, well written guidelines.