HHS provided an Advanced Notice of Proposed Rule Making (ANPRM) on July 22, 2011, to enhance protections for medical research subjects. The ANPRM seeks comments on how better to protect human research subjects while facilitating valuable research. The current Common Rule was developed over twenty years ago and does not reflect changes in how medical research is conducted today or the advanced technology used to facilitate the research.

The stated intent of the proposed rule is to modernize and streamline processes and reduce administrative burden. However, research institutions may see an increased burden in complying with the privacy and information security protections and informed consent requirements. The proposed rule also will be designed to harmonize the various regulations, guidance and interpretations from sources that currently govern human subjects. HHS expects to simplify the expedited approval process and eliminate the need for continued review for studies that are considered "minimal risk." However, how this will be accomplished if the study is later deemed to fall outside the minimal risk category is uncertain, as the study already may have been started before Institutional Review Board (IRB) approval. It further seeks to greatly expand the categories of research that may qualify as exempt to include retrospective studies, among others. Further, the ANPRM seeks comments on streamlining the multi-site research review process with multiple IRBs overseeing the studies. However, with only requiring one IRB review, institutions may "forum shop" for the more lenient or less cumbersome IRB to oversee a multi-site study.

A significant change contemplated in the ANPRM is related to informed consent and waiver rules. Specifically, informed consent requirements such as the consent form's content and presentation, the length of the consent form and prohibition of legalese are suggested. While this may streamline the informed consent process, it does not take into account research-specific issues that may need to be included, special settings such as pediatrics and state informed consent requirements.

Focus on Research Privacy

HHS acknowledges concerns with the current Common Rule and the increasing use of genetic information, biospecimens, medical and research records and administrative data. The risks related to these types of research are considered informational risks, such as the unauthorized release of information about the research subject. The HIPAA Privacy Rule addresses some of these risks by imposing restrictions on how protected health information may be used and disclosed, including for research. The HIPAA Security Rule protects subjects by requiring covered entities and their business associates to have physical, administrative and technical safeguards to protect information in electronic form. However, not all research investigators are subject to HIPAA. Too, the Privacy Act of 1974 does not apply to nonfederal researchers. Further, HHS acknowledges the Common Rule and the HIPAA Privacy Rule can be inconsistent, which makes it difficult for researchers to comply with both. Current privacy regulations do not take into account the genetic and information technologies that make complete de-identification of biospecimens impossible and re-identification of sensitive health data easier.

HHS proposes establishing mandatory data security and information protection standards for all research studies that involve identifiable and potentially identifiable data and where data is collected, stored, analyzed or otherwise reused. HHS also anticipates creating rules to protect against the inappropriate re-identification of de-identified information that is collected as part of a research study. The ANPRM advocates for adopting the HIPAA standards around de-identification and pulling in those investigators who are not covered entities or business associates. With these new rules, HHS expects to streamline the IRB process and no longer require the IRB to assess the adequacy of the protections against informational risks. In addition to adopting the HIPAA Privacy Rule, HHS further proposes the following: (1) research involving identifiable data would be required to adhere to the HIPAA Security Rule, including the breach notification standards; (2) data could be considered de-identified or in a limited data set if the investigator sees the identifiers but does not record them in a permanent research file; and (3) retrospective audits and additional enforcement tools.