Common Rule Compliance Confusion Could Pit Institutions Against Oversight Teams

By fits and starts, and not without a few bumps along the way, the Common Rule, a federal policy regarding human subjects protection that applies to 17 federal agencies and offices, including the U.S. Food and Drug Administration (FDA) and Department of Health and Human Services, went into effect January 22, 2019.

The main elements of the Common Rule include:

  • Requirements for assuring compliance by research institutions
  • Requirements for researchers regarding obtaining and documenting informed consent
  • Requirements for institutional review board (IRB) membership, function, operations, review of research, and record keeping

Still, while the FDA and the calendar may say the Common Rule is ready for prime time, some experts warn clinical trial professionals to take time to understand the “new normal.”

“I think there are lots of unanswered questions,” says Marti Arvin, vice president of audit strategy at CynergisTek. “I don’t think this is something that a lot of folks in the research realm have really been thinking about,” she adds.

The intent of the Common Rule is to reduce the burden on researchers by harmonizing requirements. So far so good. But for Arvin, it’s not that simple. Where the new rule removes some oversight requirements, Arvin said, institutions may not want to allow the researcher to “self-certify,” even though the regulations might permit it.

Institutions may require steps to help ensure privacy that will no longer be legally required by the revised Common Rule, but may be required by research institutions because of ethical concerns. “That can then create some tension between the researchers and those parties with different oversight activity,” Arvin suggests.

Regulatory and Legal Changes, the Common Rule, and GDPR: How They Can Impact Study Data Flow Based on Real and Perceived Changes to the Privacy of Information.

Join Marti Arvin at ACRP 2019 this April and learn how to identify and anticipate compliance issues associated with privacy concerns around the revised Common Rule. Understand the reasons why institutions may require steps to ensure privacy that will no longer be legally required but may be required by research institutions because of ethical concerns. This session will also provide information in the privacy concerns to anticipate when research involves or could involve data covered by GDPR.

View Session Details

Arvin’s example: A privacy officer may push to not allow the researcher to self-certify, even though the regulations would permit it because of concerns around researchers not adequately understanding the rules and a lack of understanding of how the Health Insurance Portability and Accountability Act ties into research and the Common Rule.

“If the researcher is self-certifying, then you’re relying on [his or her honesty] that their research meets that criteria, and it means that there is no oversight, if you will, for privacy protections necessarily if the

research never goes in front of the IRB,” Arvin says. It can get more complicated if the IRB is acting as the privacy board. “The IRB may still need to review the research project in its role as the privacy board, but not necessarily in its role as an IRB,” she says.

While that disconnect is nothing new, Arvin is concerned about the new landscape, saying, “One of the big pieces of confusion has been around expedited and exempt research. And I think the revised Common Rule is only going to potentially add to that continuing confusion.”

Author: Michael Causey