research compliance: what is it and how … · research compliance: what is it and how do you audit...
TRANSCRIPT
1
RESEARCH COMPLIANCE: WHAT IS IT AND HOW DO YOU AUDIT IT?DO YOU AUDIT IT?TINA R. TYSON, JDCHIEF ETHICS AND COMPLIANCE OFFICERDUKE UNIVERSITY
AHIA 32nd Annual Conference – August 25-28, 2013 – Chicago, Illinois
www.ahia.org
Goals
What is research compliance?2
p What are the major risks?
How do you prioritize risks and allocate staffing? Work y p gplan development is the time for defining key risks and priorities. Some things may need review every year some can be Some things may need review every year, some can be
spread out.Which issues are a priority and how do you leverage
li t ff ti l ?your compliance resources most effectively?
What are the key focus points to assess in some of the major risk areas?the major risk areas?
Regulating Entitiesg g
There is no more regulated entity than the modern
3
There is no more regulated entity than the modern academic medical center. This is true particularly in the research area. A good compliance program g p p gstrives to assess the institution’s compliance with the complex regulations that govern its enterprise. In research, these include, but are not limited to, regulations from the following:
Regulating Entities (cont’d)g g ( )
Department of Health and Human Service (DHHS)
4
Department of Health and Human Service (DHHS) Office of the Inspector General (OIG) Office of Human Research Protections (OHRP) Office of Human Research Protections (OHRP) Food and Drug Administration (FDA)
N i l I i f H l h (NIH) National Institutes of Health (NIH) Centers for Medicare and Medicaid Services (CMS) Office for Civil Rights (OCR) Office of Research Integrity (ORI)
Regulating Entities (cont’d)g g ( )
Select Agents – Centers for Disease Control (CDC)
5
Select Agents Centers for Disease Control (CDC) Export Controls –
Department of Commerce Department of Commerce Department of State Department of Treasury, Office of Foreign Asset Department of Treasury, Office of Foreign Asset
Controls (OFAS)
International Students and Scholars – Department pof Homeland Security (CIS, CBP, ICE)
Accrediting agencies (AAHRPP, AALAAC)g g ( , )
Regulatory Areasg y6
How Do You Impose Order Over Chaos?
Become Informed7
Become Informed Look at OIG work plan and enforcement priorities
nationally. What have institutions received penalties for and published settlements?
Where is the government’s focus? Look at the risks of your portfolio.
Not all portfolios will be the same. An academic medical center will have to balance many An academic medical center will have to balance many
competing priorities especially in the heavily regulated research realm.
How Do You Impose Order Over Chaos?
What are your most significant institutional 8
What are your most significant institutional risks?
If your entity does enterprise risk management If your entity does enterprise risk management, are there identified significant risks that relate to research?to research?Pair these with national priorities.
Compliance Work Plan Development9
Development of your work plan is a key mechanism to impose order over the chaos and define priorities.p
What is a Work Plan?
Defines the areas (especially audit areas) that 10
Defines the areas (especially audit areas) that the Compliance Office will focus on in the coming year:Communication tool related to priorities Solicit input from key stakeholders in research risk
areas Look at external data (OIG Work Plan,
Enforcement actions related to peer entities)Enforcement actions related to peer entities) Look at internal focus points (previously identified
issues that should be assessed))
What is a Work Plan? (cont’d)( )
Look at Probability of Occurrence and Impact 11
Look at Probability of Occurrence and Impact [A heat map can be a useful tool.]
Look at internal controls in risk area Look at internal controls in risk area When areas are defined, look at prioritization
Some issues are so key that they will be an annual focus point of a work plan in an academic medical centercenter
Other issues can be reviewed cyclically
What is a Work Plan? (cont’d)( )
Assess time required for the review and 12
Assess time required for the review and staffing
Leave capacity to address for cause or Leave capacity to address for cause or directed reviews (estimate to best ability based on volume in past years but leave some based on volume in past years, but leave some flexibility)
Risk Assessment13
Top institutional risks should be part of p pevery annual work plan.
Risk Assessment (cont’d)( )
In research these likely would include:14
In research, these likely would include: Human Subject Research Compliance Clinical Trials Billing Compliance Clinical Trials Billing Compliance Allowability and Allocability of charges to federal
grantsg Effort Reporting NIH Salary Cap Other Support Conflict of Interest
Risk Assessment (cont’d)( )
Other heavily regulated risk areas may be cyclical 15
y g y yor every few years: Institutional Review Board
A i l C d W lf C i Animal Care and Welfare Committee Institutional Biosafety Committee Radiation Safety Radiation Safety Environmental regulatory compliance Occupational Health Select Agents Visa compliance for international students and scholars Export Controls Export Controls
Prioritization16
Even within the top risks, the compliance function cannot review everything at one time so risk prioritization and stratification is important.
Human Subject Research Compliance ReviewsReviews
Defined number predicated on staffing 17
Defined number predicated on staffing availability (approximately 50 routine
t l i l f protocol reviews per year plus for cause or directed reviews as needed)
Stratify across substantive areas based on risk factorson risk factors
Selection Criteria for Human Subject Research ReviewsResearch Reviews
Absence of external monitoring or oversight (PI initiated)
18
g g ( ) Phase I/II Studies Investigator initiated Investigational New Drug (IND) or
Investigational Device Exemption (IDE) Sponsor type (federally-funded research) High subject accrual Frequency of protocol deviations/adverse events V l bl l ti ( di t i t d lt Vulnerable populations (pediatrics, pregnant women, adults
with diminished capacity) Allegations of human subjects violations or noncompliance with g j p
Federal regulations
Clinical Trial Billing Compliance Reviews
Paired with Human Subject Research 19
Paired with Human Subject Research Compliance reviews
Leverage thorough knowledge of the protocol and analysis of the schedule of events
Research Financial Compliance Reviews
(Allowability Allocability Effort Reporting 20
(Allowability, Allocability, Effort Reporting, Salary Cap, Other Support, etc.) Review by Departmental Units Goal to have all reviewed within a defined
time period (3-5 yrs.) with re-review timing stratified by risk and results from prior reviews
Conflict of Interest
Cross section of faculty members with 21
Cross section of faculty members with conflict of interest management plans
Huge federal focus – annual sample
Other Heavily Regulated Risk Areasy g
Prioritized – based on enforcement trends 22
Prioritized – based on enforcement trends, OIG Work Plan, Accreditation reviews and
i re-reviews Timed – based on these risk factors, as well as initial review results
How is Compliance Assessed?p
When conducting these reviews what is the 23
When conducting these reviews, what is the scope?
What is able to be assessed by an audit ymethodology?
Human Subject Research Compliance Scope
Regulatory24
g y Protocol (all versions) Investigator Brochure (all versions) Protocol Amendments Protocol Amendments FDA Form 1571/1572 (all versions) Investigator Agreements CVs for PI and Staff CVs for PI and Staff Medical Licenses IND/IDE Documents
E ll /S L Enrollment/Screening Logs Delegation of Authority Log Drug Package Insert (if applicable)
Human Subject Research Compliance Scope
IRB Files2525
Approval Letter for Initial Protocol with Original Consent Form
All Continuing Review Approval Letters and Original All Continuing Review Approval Letters and Original Updated Consent Forms
All Amendment Approvals All Versions of Consent Documents for Screened and All Versions of Consent Documents for Screened and
Enrolled Subjects All Status/Progress Reports for: IRB Approved Renewal(s) IRB Approved Renewal(s) Adverse Events Deaths Study TerminationStudy Termination Final Summary
Human Subject Research Compliance Scope
Correspondence and Phone Logs2626
Correspondence and Phone LogsAll Sponsor CorrespondenceAll CRO Correspondence (if applicable)All CRO Correspondence (if applicable)All FDA CorrespondenceAll IRB CorrespondenceAll IRB CorrespondenceMonitoring and Auditing Logs
Human Subject Research Compliance Scope
Laboratory2727
Laboratory Laboratory Certification and Normal RangesUp-to-date CV of Laboratory Directorp y
Research Test Article AccountabilityyReceipt LogDispensing LogReturn and Destruction LogStorage Temperature Log
Human Subject Research Compliance Scope
Subject Documentation2828
Subject DocumentationComplete Case Report Forms for each subject
enrolled enrolled Complete Source Documents for each subject
enrolledVerification of Inclusion/Exclusion CriteriaWhen did activities occur and were these within When did activities occur and were these within
protocol window?
Clinical Trials Billing Complianceg p
Validate that subjects are accurately captured 29
Validate that subjects are accurately captured and registered in EMR as research subjects identified with studyidentified with study.
Validate grid/grillendar to ensure all items contemplated in protocol’s schedule of events contemplated in protocol s schedule of events are reflected with appropriate pay or with appropriate CPT codesappropriate CPT codes.
Validate accuracy of older sets.
Research Financial Compliance Review ObjectivesObjectives
Institutional compliance with corrective actions from prior review;
30
p p Effort reporting and level of commitment; National Institutes of Health (NIH) salary cap and cost sharing; NIH Career (K) Awardees level of effort and salary;( ) y; Administrative and clerical salaries – charges are not allowable to
federal grants absent specific circumstances justification; Allowability and allocability of charges to federal grants; Allowability and allocability of charges to federal grants; Cost transfers – analysis of whether these transfers are within
allowable time parameters; HIPAA (Health Insurance Portability and Accountability Act) HIPAA (Health Insurance Portability and Accountability Act)
Privacy/IT (Information Technology) Security - assess compliance with privacy regulations;
Endowment Funds - compliance with terms of agreements; and Endowment Funds - compliance with terms of agreements; and Shared resources.
Research Financial Compliance Scopep p
Compliance Training31
Compliance Training Reports from Learning Management System, which
lists individuals who are delinquent in their required lists individuals who are delinquent in their required compliance training.
Audit reports include areas with < 95% total Audit reports include areas with < 95% total compliance and/or employees whose training is expired > 1 year.p y
Expired Fund Codesp
Keeping fund codes open for closed projects 32
Keeping fund codes open for closed projects creates opportunity for incorrect charges.
Ensure close out in timely manner. Ensure close out in timely manner.
Effort Reporting in Internal Systemsp g y
Committed effort, cost shared or otherwise, should be 33
Committed effort, cost shared or otherwise, should be properly reflected in all internal systems (Sponsored Effort System, SAP, Other Support, etc.)y , , pp , )
Salary G/L Accountsy /
Salary G/L accounts should be appropriate for the 34
Salary G/L accounts should be appropriate for the person type (exempt, non-exempt, tenure-track, non-tenure-track, etc.) and activity (administration, , ) y ( ,instruction, research, etc.) being conducted.
NIH and K Award Salary Cap y p
Review their direct charge and cost sharing amounts 35
Review their direct charge and cost sharing amounts at time of award and every time an individual’s salary changes to ensure appropriate charging.y g pp p g g
K Awards are unique in that there are different salary caps set by mechanism (K01, K12, K23, etc.) y p y ( )and IC (NCI, NHLBI, NIDDK, etc.)
The NIH K Kiosk has information on K awards at http://grants.nih.gov/training/careerdevelopmentawards.htm
Other Supportpp
Other Support should reflect the effort as shown in
36
Other Support should reflect the effort as shown in multiple institutional systems.
The current cost distribution in SAP should be The current cost distribution in SAP should be reviewed in conjunction with the Sponsored Effort System for an accurate Other Support document. y pp
Administrative Effort
Unless there is an approved waiver, all cost 37
Unless there is an approved waiver, all cost distributions should have effort charged to an administrative G/L. /
Adequate administrative time for administrative roles committees and proposal writingp p g
Unallowable and/or Miscoded EExpenses
Sample high risk areas on federal projects:38
Sample high risk areas on federal projects: Travel Patient charges Patient charges Plus anything that you would not normally charge a
grant or would require prior approval.
Request justification for questionable items. If not justifiable with appropriate documentation, j pp p ,
charges removed
Travel Expenses on Federal Projectsp j
Any activity related to the travel should benefit the 39
Any activity related to the travel should benefit the federal project involved.
If travel expenses are reimbursed on a federal If travel expenses are reimbursed on a federal project for an individual who is not receiving salary from that project, that individual’s grant-related p j grole must be identified, documented and kept as a part of the travel documentation.
Conflict of Interest
Objective:40
Objective: Disclosure and reporting requirements are
being metbeing met Management plans are being developed for
all identified conflictsall identified conflicts Management plans are being executed and
followed by School of Medicine facultyfollowed by School of Medicine faculty Identified conflicts are being adequately
managed in a timely mannermanaged in a timely manner
Conflict of Interest (cont’d)( )
Other areas where a potential perceived 41
Other areas where a potential, perceived or actual COI could occur (such as nepotism
l t ti d i it employment practices and university purchasing procedures) were included in the review.
Conflict of Interest (cont’d)( )
Compliance with the major changes that the National 42
p j gInstitutes of Health (NIH) made to the 1995 Conflict of Interest Regulations: Change in the de minimis limit from $10 000 to Change in the de minimis limit from $10,000 to
$5,000; Halting draw-down of PHS funds unless all of the key
l d h b l d f personnel on an award have been cleared from a COI perspective;
Individuals with a PHS-funded research grant are Individuals with a PHS funded research grant are now required to disclose all reimbursed or sponsored travel if the investigator and the travel both meet certain criteria;certain criteria;
Conflict of Interest (cont’d)( )
A process to handle information requests 43
p qregarding faculty/staff extramural relationships;
A more stringent review of sub recipients; Additional information required for the eRA
C l dCommons uploads; A re-evaluation of the conflict and an upload
of a new report at every progress report due of a new report at every progress report due date; and
Conflict of Interest (COI) training. Conflict of Interest (COI) training.
HIPAA
CRS and CTQA review HIPAA Compliance by verifying:44
p y y g Authorization of use of Protected Health Information
(PHI)IRB d i d t d if li bl IRB approved waivers are documented if applicable
HIPAA training record completeness Research space walk-through to assess compliance Research space walk through to assess compliance
with the privacy regulations Secure Systems Usage Memos Subject Reimbursement IT Security (in partnership with the Office of Internal
Audits)Audits)
Physical Safeguards of PHIy g
Paper Records45
p Paper records must be stored or filed in such a way as to avoid
access by unauthorized persons. Some type of physical barrier (locked door, cabinet, file drawer, etc.) must be used to protect paper records from unauthorized access.
Paper records on desks or counters must be placed face down or concealed to avoid access by unauthorized persons.
The theft or loss of any paper record should be reported immediately to the SOM Compliance Office.
When not in use by authorized personnel or after business hours, documents or items containing PHI should be kept in a locked desk documents or items containing PHI should be kept in a locked desk, locked cabinet, or other locked location.
Limit the number of keys given to employees. Provide keys to areas and locked cabinets to only those employees whose job and locked cabinets to only those employees whose job responsibilities require access to the areas or cabinets where PHI is stored or located.
Physical Safeguards of PHIy g
Destruction of PHI46
Destruction of PHI Paper, images, and other printed materials containing PHI
should be destroyed by shredding or striking out (redacting) the PHI so that it cannot be read or reconstructed.
Computer Work Stations Computer monitors must be positioned away from common
i t b i t ll d t t areas, or a privacy screen must be installed to prevent unauthorized access or observation.
Physical Safeguards of PHIy g
Faxes47
Confirm the fax number before faxing. Only the PHI necessary to meet the requester’s needs may be faxed. A completed and signed authorization must be obtained before A completed and signed authorization must be obtained before
releasing PHI to third parties for purposes other than treatment, payment, or health care operations.
PHI may be faxed to an individual if the individual requests access y qto his/her own PHI.
All faxes containing PHI must be accompanied by a cover sheet that includes a confidentiality notice. See the DUHS Electronic C i i P li Communication Policy.
Fax machines must be located in secure areas not readily available to the public. I i f i i PHI b l f i i h Incoming faxes containing PHI must not be left sitting on or near the machine for extended periods of time.
Physical Safeguards of PHIy g
Email48
Email Providers should not initiate any email communication that
contains sensitive information. PHI CANNOT be included in the email subject line because the
subject line is not encrypted. Emails that contain PHI should contain the HIPAA disclosure
statement. See the DUHS Electronic Communication Policy.
Questions?49
Compliance Office Contact Informationp
Tina R. Tyson, JD, Chief Compliance Officer, [email protected]
50
y , , p , y @
CTQA d Billi C liCTQA and Billing ComplianceMargaret Groves, Director, [email protected]
Compliance Review ServicesTom M. Davis, Jr., Director, [email protected]
Compliance Integrity Line 1Compliance Integrity Line 1--800800--826826--81098109
Save the DateS b 2 2 2September 21-24, 2014
33rd Annual Conference Austin, Texas
51