research compliance: what is it and how … · research compliance: what is it and how do you audit...

1

RESEARCH COMPLIANCE: WHAT IS IT AND HOW DO YOU AUDIT IT?DO YOU AUDIT IT?TINA R. TYSON, JDCHIEF ETHICS AND COMPLIANCE OFFICERDUKE UNIVERSITY

AHIA 32nd Annual Conference – August 25-28, 2013 – Chicago, Illinois

www.ahia.org

Goals

What is research compliance?2

p What are the major risks?

How do you prioritize risks and allocate staffing? Work y p gplan development is the time for defining key risks and priorities. Some things may need review every year some can be Some things may need review every year, some can be

spread out.Which issues are a priority and how do you leverage

li t ff ti l ?your compliance resources most effectively?

What are the key focus points to assess in some of the major risk areas?the major risk areas?

Regulating Entitiesg g

There is no more regulated entity than the modern

3

There is no more regulated entity than the modern academic medical center. This is true particularly in the research area. A good compliance program g p p gstrives to assess the institution’s compliance with the complex regulations that govern its enterprise. In research, these include, but are not limited to, regulations from the following:

Regulating Entities (cont’d)g g ( )

Department of Health and Human Service (DHHS)

4

Department of Health and Human Service (DHHS) Office of the Inspector General (OIG) Office of Human Research Protections (OHRP) Office of Human Research Protections (OHRP) Food and Drug Administration (FDA)

N i l I i f H l h (NIH) National Institutes of Health (NIH) Centers for Medicare and Medicaid Services (CMS) Office for Civil Rights (OCR) Office of Research Integrity (ORI)

Regulating Entities (cont’d)g g ( )

Select Agents – Centers for Disease Control (CDC)

5

Select Agents Centers for Disease Control (CDC) Export Controls –

Department of Commerce Department of Commerce Department of State Department of Treasury, Office of Foreign Asset Department of Treasury, Office of Foreign Asset

Controls (OFAS)

International Students and Scholars – Department pof Homeland Security (CIS, CBP, ICE)

Accrediting agencies (AAHRPP, AALAAC)g g ( , )

Regulatory Areasg y6

How Do You Impose Order Over Chaos?

Become Informed7

Become Informed Look at OIG work plan and enforcement priorities

nationally. What have institutions received penalties for and published settlements?

Where is the government’s focus? Look at the risks of your portfolio.

Not all portfolios will be the same. An academic medical center will have to balance many An academic medical center will have to balance many

competing priorities especially in the heavily regulated research realm.

How Do You Impose Order Over Chaos?

What are your most significant institutional 8

What are your most significant institutional risks?

If your entity does enterprise risk management If your entity does enterprise risk management, are there identified significant risks that relate to research?to research?Pair these with national priorities.

Compliance Work Plan Development9

Development of your work plan is a key mechanism to impose order over the chaos and define priorities.p

What is a Work Plan?

Defines the areas (especially audit areas) that 10

Defines the areas (especially audit areas) that the Compliance Office will focus on in the coming year:Communication tool related to priorities Solicit input from key stakeholders in research risk

areas Look at external data (OIG Work Plan,

Enforcement actions related to peer entities)Enforcement actions related to peer entities) Look at internal focus points (previously identified

issues that should be assessed))

What is a Work Plan? (cont’d)( )

Look at Probability of Occurrence and Impact 11

Look at Probability of Occurrence and Impact [A heat map can be a useful tool.]

Look at internal controls in risk area Look at internal controls in risk area When areas are defined, look at prioritization

Some issues are so key that they will be an annual focus point of a work plan in an academic medical centercenter

Other issues can be reviewed cyclically

What is a Work Plan? (cont’d)( )

Assess time required for the review and 12

Assess time required for the review and staffing

Leave capacity to address for cause or Leave capacity to address for cause or directed reviews (estimate to best ability based on volume in past years but leave some based on volume in past years, but leave some flexibility)

Risk Assessment13

Top institutional risks should be part of p pevery annual work plan.

Risk Assessment (cont’d)( )

In research these likely would include:14

In research, these likely would include: Human Subject Research Compliance Clinical Trials Billing Compliance Clinical Trials Billing Compliance Allowability and Allocability of charges to federal

grantsg Effort Reporting NIH Salary Cap Other Support Conflict of Interest

Risk Assessment (cont’d)( )

Other heavily regulated risk areas may be cyclical 15

y g y yor every few years: Institutional Review Board

A i l C d W lf C i Animal Care and Welfare Committee Institutional Biosafety Committee Radiation Safety Radiation Safety Environmental regulatory compliance Occupational Health Select Agents Visa compliance for international students and scholars Export Controls Export Controls

Prioritization16

Even within the top risks, the compliance function cannot review everything at one time so risk prioritization and stratification is important.

Human Subject Research Compliance ReviewsReviews

Defined number predicated on staffing 17

Defined number predicated on staffing availability (approximately 50 routine

t l i l f protocol reviews per year plus for cause or directed reviews as needed)

Stratify across substantive areas based on risk factorson risk factors

Selection Criteria for Human Subject Research ReviewsResearch Reviews

Absence of external monitoring or oversight (PI initiated)

18

g g ( ) Phase I/II Studies Investigator initiated Investigational New Drug (IND) or

Investigational Device Exemption (IDE) Sponsor type (federally-funded research) High subject accrual Frequency of protocol deviations/adverse events V l bl l ti ( di t i t d lt Vulnerable populations (pediatrics, pregnant women, adults

with diminished capacity) Allegations of human subjects violations or noncompliance with g j p

Federal regulations

Clinical Trial Billing Compliance Reviews

Paired with Human Subject Research 19

Paired with Human Subject Research Compliance reviews

Leverage thorough knowledge of the protocol and analysis of the schedule of events

Research Financial Compliance Reviews

(Allowability Allocability Effort Reporting 20

(Allowability, Allocability, Effort Reporting, Salary Cap, Other Support, etc.) Review by Departmental Units Goal to have all reviewed within a defined

time period (3-5 yrs.) with re-review timing stratified by risk and results from prior reviews

Conflict of Interest

Cross section of faculty members with 21

Cross section of faculty members with conflict of interest management plans

Huge federal focus – annual sample

Other Heavily Regulated Risk Areasy g

Prioritized – based on enforcement trends 22

Prioritized – based on enforcement trends, OIG Work Plan, Accreditation reviews and

i re-reviews Timed – based on these risk factors, as well as initial review results

How is Compliance Assessed?p

When conducting these reviews what is the 23

When conducting these reviews, what is the scope?

What is able to be assessed by an audit ymethodology?

Human Subject Research Compliance Scope

Regulatory24

g y Protocol (all versions) Investigator Brochure (all versions) Protocol Amendments Protocol Amendments FDA Form 1571/1572 (all versions) Investigator Agreements CVs for PI and Staff CVs for PI and Staff Medical Licenses IND/IDE Documents

E ll /S L Enrollment/Screening Logs Delegation of Authority Log Drug Package Insert (if applicable)


IRB Files2525

Approval Letter for Initial Protocol with Original Consent Form

All Continuing Review Approval Letters and Original All Continuing Review Approval Letters and Original Updated Consent Forms

All Amendment Approvals All Versions of Consent Documents for Screened and All Versions of Consent Documents for Screened and

Enrolled Subjects All Status/Progress Reports for: IRB Approved Renewal(s) IRB Approved Renewal(s) Adverse Events Deaths Study TerminationStudy Termination Final Summary


Correspondence and Phone Logs2626

Correspondence and Phone LogsAll Sponsor CorrespondenceAll CRO Correspondence (if applicable)All CRO Correspondence (if applicable)All FDA CorrespondenceAll IRB CorrespondenceAll IRB CorrespondenceMonitoring and Auditing Logs


Laboratory2727

Laboratory Laboratory Certification and Normal RangesUp-to-date CV of Laboratory Directorp y

Research Test Article AccountabilityyReceipt LogDispensing LogReturn and Destruction LogStorage Temperature Log


Subject Documentation2828

Subject DocumentationComplete Case Report Forms for each subject

enrolled enrolled Complete Source Documents for each subject

enrolledVerification of Inclusion/Exclusion CriteriaWhen did activities occur and were these within When did activities occur and were these within

protocol window?

Clinical Trials Billing Complianceg p

Validate that subjects are accurately captured 29

Validate that subjects are accurately captured and registered in EMR as research subjects identified with studyidentified with study.

Validate grid/grillendar to ensure all items contemplated in protocol’s schedule of events contemplated in protocol s schedule of events are reflected with appropriate pay or with appropriate CPT codesappropriate CPT codes.

Validate accuracy of older sets.

Research Financial Compliance Review ObjectivesObjectives

Institutional compliance with corrective actions from prior review;

30

p p Effort reporting and level of commitment; National Institutes of Health (NIH) salary cap and cost sharing; NIH Career (K) Awardees level of effort and salary;( ) y; Administrative and clerical salaries – charges are not allowable to

federal grants absent specific circumstances justification; Allowability and allocability of charges to federal grants; Allowability and allocability of charges to federal grants; Cost transfers – analysis of whether these transfers are within

allowable time parameters; HIPAA (Health Insurance Portability and Accountability Act) HIPAA (Health Insurance Portability and Accountability Act)

Privacy/IT (Information Technology) Security - assess compliance with privacy regulations;

Endowment Funds - compliance with terms of agreements; and Endowment Funds - compliance with terms of agreements; and Shared resources.

Research Financial Compliance Scopep p

Compliance Training31

Compliance Training Reports from Learning Management System, which

lists individuals who are delinquent in their required lists individuals who are delinquent in their required compliance training.

Audit reports include areas with < 95% total Audit reports include areas with < 95% total compliance and/or employees whose training is expired > 1 year.p y

Expired Fund Codesp

Keeping fund codes open for closed projects 32

Keeping fund codes open for closed projects creates opportunity for incorrect charges.

Ensure close out in timely manner. Ensure close out in timely manner.

Effort Reporting in Internal Systemsp g y

Committed effort, cost shared or otherwise, should be 33

Committed effort, cost shared or otherwise, should be properly reflected in all internal systems (Sponsored Effort System, SAP, Other Support, etc.)y , , pp , )

Salary G/L Accountsy /

Salary G/L accounts should be appropriate for the 34

Salary G/L accounts should be appropriate for the person type (exempt, non-exempt, tenure-track, non-tenure-track, etc.) and activity (administration, , ) y ( ,instruction, research, etc.) being conducted.

NIH and K Award Salary Cap y p

Review their direct charge and cost sharing amounts 35

Review their direct charge and cost sharing amounts at time of award and every time an individual’s salary changes to ensure appropriate charging.y g pp p g g

K Awards are unique in that there are different salary caps set by mechanism (K01, K12, K23, etc.) y p y ( )and IC (NCI, NHLBI, NIDDK, etc.)

The NIH K Kiosk has information on K awards at http://grants.nih.gov/training/careerdevelopmentawards.htm

Other Supportpp

Other Support should reflect the effort as shown in

36

Other Support should reflect the effort as shown in multiple institutional systems.

The current cost distribution in SAP should be The current cost distribution in SAP should be reviewed in conjunction with the Sponsored Effort System for an accurate Other Support document. y pp

Administrative Effort

Unless there is an approved waiver, all cost 37

Unless there is an approved waiver, all cost distributions should have effort charged to an administrative G/L. /

Adequate administrative time for administrative roles committees and proposal writingp p g

Unallowable and/or Miscoded EExpenses

Sample high risk areas on federal projects:38

Sample high risk areas on federal projects: Travel Patient charges Patient charges Plus anything that you would not normally charge a

grant or would require prior approval.

Request justification for questionable items. If not justifiable with appropriate documentation, j pp p ,

charges removed

Travel Expenses on Federal Projectsp j

Any activity related to the travel should benefit the 39

Any activity related to the travel should benefit the federal project involved.

If travel expenses are reimbursed on a federal If travel expenses are reimbursed on a federal project for an individual who is not receiving salary from that project, that individual’s grant-related p j grole must be identified, documented and kept as a part of the travel documentation.

Conflict of Interest

Objective:40

Objective: Disclosure and reporting requirements are

being metbeing met Management plans are being developed for

all identified conflictsall identified conflicts Management plans are being executed and

followed by School of Medicine facultyfollowed by School of Medicine faculty Identified conflicts are being adequately

managed in a timely mannermanaged in a timely manner

Conflict of Interest (cont’d)( )

Other areas where a potential perceived 41

Other areas where a potential, perceived or actual COI could occur (such as nepotism

l t ti d i it employment practices and university purchasing procedures) were included in the review.


Compliance with the major changes that the National 42

p j gInstitutes of Health (NIH) made to the 1995 Conflict of Interest Regulations: Change in the de minimis limit from $10 000 to Change in the de minimis limit from $10,000 to

$5,000; Halting draw-down of PHS funds unless all of the key

l d h b l d f personnel on an award have been cleared from a COI perspective;

Individuals with a PHS-funded research grant are Individuals with a PHS funded research grant are now required to disclose all reimbursed or sponsored travel if the investigator and the travel both meet certain criteria;certain criteria;


A process to handle information requests 43

p qregarding faculty/staff extramural relationships;

A more stringent review of sub recipients; Additional information required for the eRA

C l dCommons uploads; A re-evaluation of the conflict and an upload

of a new report at every progress report due of a new report at every progress report due date; and

Conflict of Interest (COI) training. Conflict of Interest (COI) training.

HIPAA

CRS and CTQA review HIPAA Compliance by verifying:44

p y y g Authorization of use of Protected Health Information

(PHI)IRB d i d t d if li bl IRB approved waivers are documented if applicable

HIPAA training record completeness Research space walk-through to assess compliance Research space walk through to assess compliance

with the privacy regulations Secure Systems Usage Memos Subject Reimbursement IT Security (in partnership with the Office of Internal

Audits)Audits)

Physical Safeguards of PHIy g

Paper Records45

p Paper records must be stored or filed in such a way as to avoid

access by unauthorized persons. Some type of physical barrier (locked door, cabinet, file drawer, etc.) must be used to protect paper records from unauthorized access.

Paper records on desks or counters must be placed face down or concealed to avoid access by unauthorized persons.

The theft or loss of any paper record should be reported immediately to the SOM Compliance Office.

When not in use by authorized personnel or after business hours, documents or items containing PHI should be kept in a locked desk documents or items containing PHI should be kept in a locked desk, locked cabinet, or other locked location.

Limit the number of keys given to employees. Provide keys to areas and locked cabinets to only those employees whose job and locked cabinets to only those employees whose job responsibilities require access to the areas or cabinets where PHI is stored or located.


Destruction of PHI46

Destruction of PHI Paper, images, and other printed materials containing PHI

should be destroyed by shredding or striking out (redacting) the PHI so that it cannot be read or reconstructed.

Computer Work Stations Computer monitors must be positioned away from common

i t b i t ll d t t areas, or a privacy screen must be installed to prevent unauthorized access or observation.


Faxes47

Confirm the fax number before faxing. Only the PHI necessary to meet the requester’s needs may be faxed. A completed and signed authorization must be obtained before A completed and signed authorization must be obtained before

releasing PHI to third parties for purposes other than treatment, payment, or health care operations.

PHI may be faxed to an individual if the individual requests access y qto his/her own PHI.

All faxes containing PHI must be accompanied by a cover sheet that includes a confidentiality notice. See the DUHS Electronic C i i P li Communication Policy.

Fax machines must be located in secure areas not readily available to the public. I i f i i PHI b l f i i h Incoming faxes containing PHI must not be left sitting on or near the machine for extended periods of time.


Email48

Email Providers should not initiate any email communication that

contains sensitive information. PHI CANNOT be included in the email subject line because the

subject line is not encrypted. Emails that contain PHI should contain the HIPAA disclosure

statement. See the DUHS Electronic Communication Policy.

Questions?49

Compliance Office Contact Informationp

Tina R. Tyson, JD, Chief Compliance Officer, [email protected]

50

y , , p , y @

CTQA d Billi C liCTQA and Billing ComplianceMargaret Groves, Director, [email protected]

Compliance Review ServicesTom M. Davis, Jr., Director, [email protected]

Compliance Integrity Line 1Compliance Integrity Line 1--800800--826826--81098109

Save the DateS b 2 2 2September 21-24, 2014

33rd Annual Conference Austin, Texas

51