Proposed Rule Would Amend Federal “Common Rule” Requirements

On September 8, 2015, sixteen federal agencies published a long-awaited Notice of Proposed Rulemaking (NPRM) to modernize the Federal Policy for the Protection of Human Subjects, known as the “Common Rule.” The proposal, availablehere, includes a number of changes related to privacy and data security and other changes relevant to entities seeking to conduct secondary research using collected data.

The most significant changes in the proposal include:

  • Revisions to informed consent rules, including new requirements related to consent forms;
  • Requiring informed consent for secondary research with a human biospecimen, such as a blood sample, even if the specimen is not individually identifiable. Such consent would not be required for every secondary research purpose but could be obtained through a broad consent to unspecified future research.
  • Tailoring the level of required administrative or Institutional Review Board (IRB) review to the potential risk to research subjects, for example by excluding some research from the scope of the Common Rule altogether and by exempting other categories of research; and
  • Setting uniform privacy and security standards by such methods as deeming investigators complying with current Health Insurance Portability and Accountability Act (HIPAA) rules to be in compliance with Common Rule privacy and security requirements.

Of note for researchers conducting secondary research using previously collected data, the proposed rule would establish categories of “exclusions” from the Common Rule and would modify the current Rule’s categories of “exemptions.” Excluded activities would not need to satisfy any Common Rule requirements and, unlike current law “exemptions,” would not need to undergo administrative or IRB review to determine if they qualify as excluded. Exempted activities would be required to satisfy varying levels of Common Rule requirements, depending on their level of risk. Federal agencies would develop “exemption determination tools,” the use of which would provide researchers with a safe harbor in determining whether a study is exempt.

The proposed exclusions include activities that are not considered “research” or that are research but are part of “inherently governmental functions” and are “crucial to the public welfare.” They also exclude research activities that do not involve physical risk and are “non-intrusive, either in themselves or because they are subject to policies that provide oversight independent of the Common Rule.” Among the activities that would be excluded are:

  • Use of information that has been or will be collected if the sources are publicly available or the data are recorded in a way that subjects cannot be directly or indirectly identified;
  • Research conducted by a federal agency using government-generated or collected data obtained for non-research purposes, provided certain conditions are met; and
  • Research involving the use of protected health information by a HIPAA covered entity for “health care operations,” “research,” or “public health activities” as defined under HIPAA.

The proposed rule also establishes certain exemptions that would be subject only to the requirement that the researcher keep a record of the determination that the study was exempt from the Common Rule. Keeping the output of the exemption decision tool would fulfill the requirement. Other exemptions would be subject to the same documentation requirement and to new privacy standards. This category would include secondary research using identifiable information collected for non-research purposes so long as prior notice was given that the information may be used in research. In support of this exemption, the proposed rule notes that “[t]echnological developments and the creation of large databases have significantly increased the potential benefits of secondary research analysis.”

The proposal can be accessed at the link above or by searching for Docket Number HHS-OPHS-2015-0008 athttp://www.regulations.gov. Comments regarding the proposed rule are due by 5 pm on December 7, 2015, and can be submitted through regulations.gov.

This post was originally published oninsideprivacy.comon September 15, 2015.