Data, Security and Human Subjects Research. Deborah Barnard, MS. Deb Barnard. Director, Research Compliance and Regulatory Affairs, The Children’s Hospital of Philadelphia. The opinions expressed during this presentation are mine. Current Regulatory Oversight. 45 CFR 46
45 CFR 46
21 CFR 50
21 CFR 56
21 CFR 312
21 CFR 812
Common Rule – written specifically for federally funded research, but most institutions also apply it to research that does not receive federal funds
FDA regulations for FDA regulated agents
HIPAA - added additional and in some cases identical regulations and requirements – in some cases HIPAA has added links between subjects and their data where previously the IRB had been able to disconnect those links
A fact that is anticipated among the criteria for IRB approval:
(1) Risks to subjects are minimized: (i) By using procedures which are consistent with sound research design and which do not unnecessarily expose subjects to risk, and (ii) whenever appropriate, by using procedures already being performed on the subjects for diagnostic or treatment purposes.
(2) Risks to subjects are reasonable in relation to anticipated benefits, if any, to subjects, and the importance of the knowledge that may reasonably be expected to result…
(7) When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.
The Institution, the IRB, and the researchers are all equally responsible for the oversight of the research.
Regulations do not prohibit evil doers, bad PIs, or bad IRBs.
The IRB must determine that all 7 criteria have been satisfied.
With regard to data security the IRB might consider:
The IRB relies to some degree on the Researcher to provide reasonable solutions and also for an assessment of the risk
IRBs can also seek opinions from experts outside the IRB
Institutions review ongoing studies to assure that agreed upon and approved processes are in place.
Data ‘security’ may still be as simple as a password-protected Excel spreadsheet or as complex as encrypted data sets
Different interpretations of the regulatory requirements and related risks are leading to difficulties across institutions.
We have researchers who are stymied because the collaborator’s IRB disagrees with our IRB about the degree of risk in the study, or wants additional safeguards. Likewise, our IRB has had these same issues.
Complex regulatory requirements can lead to different interpretations. Concise guidance documents are needed.
Drug companies are now demanding future use clauses without subject permission.
Companies say if subjects don’t want to participate in the study because of this issue, then subjects can decline participation.
I shop on the website Lego.com for a birthday gift
Later that day I am on NYT.com to read an article - there is an ad for LEGOs on the NYT webpage.
Shortly after I turned 50, I received a catalog from a place I had never shopped. The catalog featured items for ‘mature women’.
Commercial entities seem to have ever increasing access to our personal information.
Facebook makes money by selling ad space to companies that want to reach us. Advertisers choose key words or details — like relationship status, location, activities, favorite books and employment — and then Facebook runs the ads for the targeted subset of its 845 million users.
NYT By LORI ANDREWS
Published: February 4, 2012
Proposal to specify data security protections because IRBs are not capable of doing so.
Proposal to require all future use by consent only – even when there are no identifiers
The proposal is to change exemption to require that ‘research that might propose informational risk to subjects should adhere to reasonable data security protections’.
By definition research that proposed such risk would not be eligible for exemption.
Adding complex requirements sets us all up for failure.
The introduction of new and increasing regulations around security does not necessarily minimize risk.
Such rules do not stop evil doers, ‘bad’ IRBs, ‘bad’ PIs.
Adding complexity or additional and complex regulations will continue to promote different interpretation and application of regulations.
We need well considered, well written guidelines.