Proposed Common Rule updates focus on consent, definitions, streamlined IRB review, data protection
Monday, October 31, 2011
A 20-year-old federal policy for protecting human subjects known as the Common Rule is soon to be updated in ways that could modernize how the industry approaches the ethics, safety and oversight of human research.
This summer, the U.S. Department of Health and Human Services (HSS), which oversees and enforces the Common Rule, put out an Advanced Notice of Proposed Rulemaking (ANPRM) called Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators (45 CFR Parts 46, 160, and 164; 21 CFR Parts 50 and 56), asking those governed by the rule to provide input on proposed changes.
Comments have been numerous, as the potential alterations to the rule are big. They include streamlining IRB review of multi-site studies, improving informed consent and strengthening data protections to minimize information risks—all areas of significant concern and delay in the industry.
“These changes could have a massive impact on how trials are conducted,” said Doug Peddicord, executive director of CRO trade group the Association of Clinical Research Organizations (ACRO), which represents nine of the 10 biggest CROs in the industry.
Explained Peddicord, the Common Rule typically governs federally conducted or sponsored research, meaning academic or investigator-initiated studies, as well as any research conducted in any academic medical institution that receives federal funding. FDA regulations, not the Common Rule, cover commercially funded research. But there is meaningful overlap. Said Peddicord, when a sponsor or CRO works on federally supported research and/or with an academic medical center, the Common Rule applies to the actions of the sponsor or CRO. Often, both regulations apply.
One area in which this has caused problems is in definitions used during the course of research. In short, said Peddicord, the Common Rule definitions are different than those of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to which those in the commercial industry must adhere. This creates ambiguity and extra work for those working on trials governed by both.
An example, he said, is de-identified data. HIPAA’s definition of de-identified data is different from that of the Common Rule’s. “Once I de-identify data under HIPAA, and I have no way to re-identify you, then I am free to use your data for research purposes,” said Peddicord. “The Common Rule is much less clear about that.”
The de-identification of data wasn’t a pressing concern when both rules were originally written and applied to then mostly separate sectors of the research world. But today, with electronic medical records, electronic data capture and other technologies for gathering data increasing in use over hand-written data, along with the commercial and academic sectors frequently working together, having different definitions causes unnecessary disruption.
Explained Peddicord, “If a CRO or sponsor says, ‘We would like you, a biostatistician working at university X, to do the following analysis on this data set,’ once we transfer that data to them, they are governed by the Common Rule. If we have sent them data that has been de-identified according to HIPAA rules and not by the Common Rule, then the researcher has to figure out how to get consent for each piece of data.” In this world of electronic data, as well as massive data sets, that can be nearly impossible, he said.
“This is where the complications have been,” said Peddicord. “We have figured out how to live with HIPAA; it’s much more our colleagues that we send work to not being held to the same definitions that is a problem.”
The concept of harmonized definitions, including de-identification of data, leads to another part of the rule likely to be updated: Proposing new consent requirements for de-identifying data, limited data sets and biospecimens.
HHS plans to update safety standards that all—be they small or large CRO or sponsor, or small or large academic medical center—can adhere to in handling electronic data on study participants and patients. At this point, large CROs and sponsors are ahead of the game in this respect, said Peddicord.
“Certainly, global CROs and sponsors are very sophisticated in terms of safeguarding data, very attuned to data-security issues,” he said. “But in academia, researchers doing only federally funded research and not research governed by HIPAA may or may not be up to those standards.”
Another big, proposed change to the Common Rule involves mandating the use of a single IRB for all domestic sites in multi-site studies. This could greatly streamline the way research currently is handled, potentially speeding up trials, said Peddicord, explaining that when the rule was established, most research was done at single sites, so each site using its own IRB made sense. But that’s definitely not the case anymore.
“What happens today is that we have studies with maybe 150 research sites in the U.S., and maybe half of those are institutions that have an IRB and the other half are private physician’s offices or community physicians,” said Peddicord. A central IRB may review the study for the 75 sites without an IRB, and the other 75 sites each use their own IRBs.
“It’s highly inefficient,” he said. “And there’s very little evidence that this provides increased protection for the participants or patients. Instead, it just seems to delay the initiation of the trial.”
ACRO’s John Lewis added that a recent survey of ACRO members showed that each large CRO worked with an average of 1,400 IRBs per year.
HHS’s proposed change doesn’t specify whether the lead IRB should be academic or commercial. Peddicord, though, pointed out that while many commercial or central IRBs can approve trials in about 30 days, many academic medical institution IRB approvals can take a year. “We have struggled with the impact of that,” he said.