Data security and human subjects research

Data, Security and Human Subjects Research. Deborah Barnard, MS. Deb Barnard. Director, Research Compliance and Regulatory Affairs The Children’s Hospital of Philadelphia. The opinions expressed during this presentation are mine. Current Regulatory Oversight. 45 CFR 46

Presentation Transcript

Deb Barnard

  • Director, Research Compliance and Regulatory Affairs

  • The Children’s Hospital of Philadelphia

The opinions expressed during this presentation are mine.

Current Regulatory Oversight

45 CFR 46

  • (Common Rule: 15 federal agencies follow these regulations)

21 CFR 50

21 CFR 56

21 CFR 312

21 CFR 812

  • (the above are FDA regulations)


  • (research involving protected health information)

Common Rule, FDA, HIPAA

Common Rule – written specifically for federally funded research, but most institutions also apply it to research that does not receive federal funds.

FDA regulations – for FDA-regulated agents.

HIPAA – added further, and in some cases identical, regulations and requirements. In some cases HIPAA has added links between subjects and their data where the IRB had previously been able to disconnect those links.

Risks are inherent in Research

A fact that is anticipated among the criteria for IRB approval:

 (1) Risks to subjects are minimized: (i) By using procedures which are consistent with sound research design and which do not unnecessarily expose subjects to risk, and (ii) whenever appropriate, by using procedures already being performed on the subjects for diagnostic or treatment purposes.

Selected additional requirements for approval

(2) Risks to subjects are reasonable in relation to anticipated benefits, if any, to subjects, and the importance of the knowledge that may reasonably be expected to result…

 (7) When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.

The Institution, the IRB, and the researchers are all equally responsible for the oversight of the research.

Regulations do not prohibit evil doers, bad PIs, or bad IRBs.

In order to approve research

The IRB must determine that all 7 criteria have been satisfied.

With regard to data security the IRB might consider:

  • Which data need protection?

  • What are the risks related to exposure?

  • From whom are we protecting these data?

Sources for answers about Risk

The IRB relies to some degree on the Researcher to provide reasonable solutions and also an assessment of the risk.

IRBs can also seek opinions from experts outside the IRB.

Institutions review ongoing studies to assure that agreed upon and approved processes are in place.

Data ‘security’ may still be as simple as a password-protected Excel spreadsheet or as complex as encrypted data sets.

Collaboration Across Institutions

Different interpretations of the regulatory requirements and related risks are leading to difficulties across institutions.

We have researchers who are stymied because the collaborator’s IRB disagrees with our IRB about the degree of risk in the study, or wants additional safeguards. Likewise, our IRB has had these same issues.

Complex regulatory requirements can lead to different interpretations. Concise guidance documents are needed.

Industry Use of Clinical Trial Data

Drug companies are now demanding future use clauses without subject permission.

Companies say if subjects don’t want to participate in the study because of this issue, then subjects can decline participation.

As a Consumer

I shop on the website for a birthday gift

Later that day I am on to read an article - there is an ad for LEGOs on the NYT webpage.

Shortly after I turned 50, I received a catalog from a place I had never shopped. The catalog featured items for ‘mature women’.

Commercial entities seem to have ever increasing access to our personal information.

Excerpt from NYT article

Facebook makes money by selling ad space to companies that want to reach us. Advertisers choose key words or details — like relationship status, location, activities, favorite books and employment — and then Facebook runs the ads for the targeted subset of its 845 million users.


Published: February 4, 2012

Proposed Changes to the Common Rule

Proposal to specify data security protections because IRBs are not capable of doing so.

  • What proof is there that IRBs are not capable?

  • Who decides what’s reasonable?

  • What about relative risk? If these data/specimens expose the subject to minimal risk – why so much security?

Proposal to require all future use by consent only – even when there are no identifiers.

  • What value are we adding?

Proposed Changes to the Common Rule

The proposal is to change exemption to require that ‘research that might propose informational risk to subjects should adhere to reasonable data security protections’.

By definition research that proposed such risk would not be eligible for exemption.

Adding complex requirements sets us all up for failure.

Appropriate safeguards exist

The introduction of new and increasing regulations around security does not necessarily minimize risk.

Such rules do not stop evil doers, ‘bad’ IRBs, ‘bad’ PIs.

Adding complexity or additional and complex regulations will continue to promote different interpretation and application of regulations.

We need well considered, well written guidelines.