On July 26, 2011, the U.S. Department of Health and Human Services ("DHHS" or the "Department") published an advance notice of proposed rulemaking ("ANPRM") soliciting comments on proposed changes to the "Common Rule." The Common Rule, more formally known as the Federal Policy for the Protection of Human Subjects, is a uniform set of regulations governing the protection of human subjects involved in research that is conducted or supported by certain federal agencies, including, by way of example, DHHS and the Departments of Defense, Education, Agriculture, Commerce, and Veterans Affairs, among others. In addition, many institutions that conduct research under a Federalwide Assurance ("FWA") voluntarily adopt the Common Rule's protection for all research performed at the institution, regardless of funding source, including FDA-regulated research.
Due to the potentially significant consequences of the ANPRM, entities conducting research that is, or may become, subject to the Common Rule should review the ANPRM and consider submitting comments, which are due to Jerry Menikoff, M.D., J.D., of the DHHS Office of Human Research Protection no later than 5 p.m. on October 26, 2011. Comments may be submitted electronically at http://www.regulations.gov/.
In order to address various concerns raised by the Institute of Medicine, the U.S. Government Accountability Office, and others about the Common Rule and, in order to improve the protection of human subjects while reducing regulatory burdens, DHHS is proposing seven broad changes to the Common Rule:
- Refining the regulatory framework to match the level of review to the study's level of risk;
- Streamlining the review of multi-site studies by institutional review boards ("IRBs");
- Improving informed consent;
- Strengthening data security and information protection standards;
- Improving the collection of safety data;
- Extending the scope of regulatory protections to all research conducted at institutions that receive some federal funding from a Common Rule agency; and
- Harmonizing the various regulations and related guidance governing human subject protection.
Each one of these seven changes is addressed briefly below. We also have identified areas that DHHS specifically requested comment on.
- Refining the Regulatory Framework to Match the Level of Review to the Study's Level of Risk
The Common Rule's multitiered approach to the review of research studies has been criticized by stakeholders, such as the Center for Advanced Study, for failing to match the level of review to the level of risk. Concerns also have been raised about the distinctions between review categories being vague.
To address this criticism, DHHS is considering the following changes:
- Eliminating the need for IRBs to review informational risks of research by establishing mandatory data security and information protection standards;
- Eliminating the requirement for continuing review for all minimal risk studies and for other studies once they enter a stage where the only remaining study activities are either (i) data analysis, or (ii) "accessing follow-up clinical data from procedures that subjects would undergo as part of standard care for their condition or disease";
- Requiring mandatory updates to the list of categories of research that may be subject to expedited review and creating streamlined document submission requirements for expedited review; and
- Changing the "exempt" category to a new category of "Excused" studies that would be excused from IRB review requirements but would still be subject to data security and information protection standards and, in some cases, informed consent requirements. Changes to the exempt category may also include expanding the scope of the studies that would be considered excused and requiring written consent for research use of any biospecimens.
In addition to comments on the proposed changes, DHHS is soliciting comments on specific questions:
- Is the current definition of "minimal risk" appropriate?
- Should the rules require an annual continuing review of research that poses more than minimal risk but whose remaining study activities are eligible for expedited review or fall into the revised exempt categories?
- What additional research activities can be used in a study that qualifies for expedited review?
- Should radiological exams performed for research purposes have a certain threshold based on a background level of exposure that qualifies as involving no more than minimal risk?
- What types of studies should qualify for the Excused category?
- Should it be permissible under certain circumstances to waive consent for research involving the collection and study of biospecimens and pre-existing data?
- Should the Common Rule apply to the oversight of quality improvement, program evaluation studies, and public health activities?
- Are certain demonstration projects inappropriately prevented from qualifying for an exemption under category 5 (research and demonstration projects designed to study or evaluate public benefit or service programs)? If so, how can this be fixed?
- Streamlining Review of Multi-Site Studies
To address the inefficiencies placed on multi-site studies due to review by multiple IRBs, DHHS is proposing several changes designed to encourage the use of a centralized IRB process.
The proposed changes include mandating that all domestic sites in a multi-site study rely on a single IRB as the IRB of record for the study. If implemented, this proposed change would not prohibit individual sites from conducting additional internal ethics reviews. The requirement for a single IRB of record would be accompanied by changes to enforcement procedures that would hold external IRBs directly accountable for compliance with regulatory requirements.
In addition to general comments on the proposed changes, DHHS is seeking comments on specific questions, including:
- How should the IRB of record be selected?
- How could "IRB shopping" be prevented?
- Improving Informed Consent
Informed consent forms often are criticized for being lengthy and complex, for failing to include important pieces of information, and for the amount of effort required to obtain IRB approval of an informed consent form. Additionally, current requirements for obtaining waivers of informed consent or waivers of informed consent documentation are confusing and inflexible, leading to inconsistent application.
To address these concerns, DHHS is proposing the following changes:
- Defining the required content with greater specificity;
- Restricting inappropriate content;
- Limiting the length of various sections;
- Prescribing how information should be presented;
- Reducing the use of "boilerplate"; and
- Creating standardized consent form templates.
DHHS is soliciting comments on those proposed changes and answers to specific questions, including:
- Should investigators be required to assess the subject's comprehension of the information presented before allowing the subject to sign?
- Do changes to the Common Rule's informed consent requirements mean that changes also need to be made to the authorization requirements of the HIPAA Privacy Rule?
- How can the criteria for waiver of informed consent be clarified, and are there additional circumstances under which it should be allowable to waive the informed consent and documentation requirements?
- Under what circumstances should informed consent be required when using data initially collected for non-research purposes in future research, and should research on biospecimens that have been collected outside of a research study be conducted without informed consent so long as the investigator does not learn the subject's identity?
- Should the new consent rules apply to biospecimens collected prior to the effective date of the new rules?
- Strengthening Data Security and Information Protection Standards 
As an alternative to requiring IRBs to evaluate informational risks, DHHS is considering mandating that data security and information protection standards apply to all identifiable or potentially identifiable information that is collected, stored, or used in research, regardless of whether the study is conducted by a HIPAA-covered entity. Accordingly, the Department is considering applying HIPAA Privacy Rule standards regarding "what constitutes individually identifiable information, a limited data set, and de-identified information" to the Common Rule.
Notably, to address concerns that the extraction of DNA from biospecimens may allow for the identification of individuals, DHHS is considering categorizing research involving the collection, storage, and analysis of biospecimens to be research involving identifiable information. However, the Department may limit such categorization to prospective collections of biospecimens and related data.
DHHS also may require research involving the collection and use of identifiable data and limited data sets to adhere to certain HIPAA security rule standards, including breach notification standards. Additionally, DHHS is considering strengthening oversight mechanisms under the Common Rule, including conducting random retrospective audits and implementing other enforcement tools.
In addition to seeking input on the considerations regarding strengthening data security and information protection standards, DHHS is seeking answers to specific questions, including:
- Would applying data security and information protection standards based on HIPAA provide sufficient safeguards to study subjects?
- Are HIPAA standards appropriate for use in all types of research studies, including social and behavioral studies?
- Should a human biospecimen be considered identifiable in and of itself?
- Should some types of genomic data be considered identifiable?
- If investigators are subject to data security and information protection requirements modeled on HIPAA, would it be acceptable for a HIPAA-covered entity to disclose limited data sets for research purposes without the need for data use agreements?
- Improving Collection of Safety Data
To address the concern that DHHS does not collect adequate data to evaluate the effectiveness of research oversight activities, DHHS is considering making several changes to improve the collection of safety data. Although the prompt reporting of safety information is already required, DHHS wishes to simplify and consolidate such reporting by:
- Using a standardized and flexible set of data elements;
- Establishing a web-based, federal-wide portal that would allow the electronic submission of certain safety data and automatic distribution to the appropriate agencies and oversight bodies; and
- Harmonizing safety reporting guidance from various agencies.
In addition to seeking general comments on these proposals, DHHS is seeking answers to specific questions, including:
- Are current policies adequate as to the scope of events that must be reported?
- Is a central database that houses all data on adverse events and unanticipated problems desirable?
- Is the information on individual studies available at ClinicalTrials.gov sufficient to inform the public about the safety of research with human participants?
- Extending the Scope of Regulatory Protections 
Concerns have been raised that the Common Rule does not adequately protect all human research subjects because it only applies to some research funded by certain federal agencies. To address this debate, DHHS is proposing to extend the Common Rule protections to all research studies involving human subjects that are conducted at domestic institutions that receive some federal funding from a Common Rule agency. DHHS is asking for comments on this proposed change.
- Harmonizing Various Regulations and Related Guidance 
While the Common Rule was designed to ensure uniformity in the protection of human subjects involved in research, each agency that has adopted the Common Rule is allowed to issue its own guidance regarding the protection of human subjects. In addition, FDA-regulated research is subject to similar, but not identical, human research subject protections. Additionally, other federal laws governing the protection of human subjects have been enacted, including the research provisions of the HIPAA Privacy Rule. The combination of these factors has led to research involving human subjects being subject to inconsistent and sometimes contradictory regulations. Therefore, DHHS seeks to create more consistency across federal departments and agencies regarding guidance on human subject protection, while also recognizing that it may be beneficial to have specific requirements tailored to certain types of research.
DHHS is requesting comments on whether a uniform set of guidance would facilitate research and adequately protect subjects across the various research contexts.
Through the publication of the ANPRM, DHHS is proposing broad and significant changes to the Common Rule that potentially could have far-reaching effects on pharmaceutical and medical device companies, hospitals, academic medical centers, contract research organizations, and other stakeholders. We have summarized many of the significant issues for which DHHS is seeking comment from the public. Submitting comments could help shape and define the new rules for improving the protection of human research subjects without compromising medical research.
Brandon Ge, formerly a Summer Associate (not admitted to the practice of law) in Epstein Becker Green's Washington, DC, office, contributed significantly to the preparation of this alert.