Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators, 44512-44531 [2011-18792]

Agencies

• Food and Drug Administration
• DEPARTMENT OF HEALTH AND HUMAN SERVICES
• Office of the Secretary

[Federal Register Volume 76, Number 143 (Tuesday, July 26, 2011)]
[Proposed Rules]
[Pages 44512-44531]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-18792]



[[Page 44512]]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 46, 160, and 164

Food and Drug Administration

21 CFR Parts 50 and 56


Human Subjects Research Protections: Enhancing Protections for 
Research Subjects and Reducing Burden, Delay, and Ambiguity for 
Investigators

AGENCIES:  The Office of the Secretary, HHS, and the Food and Drug 
Administration, HHS.

ACTION: Advance notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Office of the Secretary of the Department of Health and 
Human Services (HHS) in coordination with the Office of Science and 
Technology Policy (OSTP) is issuing this advance notice of proposed 
rulemaking (ANPRM) to request comment on how current regulations for 
protecting human subjects who participate in research might be 
modernized and revised to be more effective. This ANPRM seeks comment 
on how to better protect human subjects who are involved in research, 
while facilitating valuable research and reducing burden, delay, and 
ambiguity for investigators.
    The current regulations governing human subjects research were 
developed years ago when research was predominantly conducted at 
universities, colleges, and medical institutions, and each study 
generally took place at only a single site. Although the regulations 
have been amended over the years, they have not kept pace with the 
evolving human research enterprise, the proliferation of multi-site 
clinical trials and observational studies, the expansion of health 
services research, research in the social and behavioral sciences, and 
research involving databases, the Internet, and biological specimen 
repositories, and the use of advanced technologies, such as genomics. 
Revisions to the current human subjects regulations are being 
considered because OSTP and HHS believe these changes would strengthen 
protections for research subjects.

DATES: To be assured consideration, comments must be received at one of 
the addresses provided below, no later than 5 p.m. on September 26, 
2011.

ADDRESSES: You may submit comments, identified by docket ID number HHS-
OPHS-2011-0005, by one of the following methods:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Enter the above docket ID number in the ``Enter Keyword or ID'' field 
and click on ``Search.'' On the next Web page, click on ``Submit a 
Comment'' action and follow the instructions.
     Mail/Hand delivery/Courier [For paper, disk, or CD-ROM 
submissions] to: Jerry Menikoff, M.D., J.D., OHRP, 1101 Wootton 
Parkway, Suite 200, Rockville, MD 20852.
    Comments received, including any personal information, will be 
posted without change to https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Jerry Menikoff, M.D., J.D., Office for 
Human Research Protections (OHRP), Department of Health and Human 
Services, 1101 Wootton Parkway, Suite 200, Rockville, MD 20852; 
telephone: 240-453-6900 or 1-866-447-4777; facsimile: 301-402-2071; e-
mail: jerry.menikoff@hhs.gov.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Background
II. Ensuring Risk-Based Protections
III. Streamlining IRB Review of Multi-Site Studies
IV. Improving Informed Consent
V. Strengthening Data Protections To Minimize Information Risks
VI. Data Collection To Enhance System Oversight
VII. Extension of Federal Regulations
VIII. Clarifying and Harmonizing Regulatory Requirements and Agency 
Guidance
IX. Agency Request for Information

I. Background

    U.S. Federal regulations governing the protection of human subjects 
in research have been in existence for more than three decades. Twenty 
years have passed since the ``Common Rule,'' (codified at Subpart A of 
45 CFR part 46) was adopted by 15 U.S. Federal departments and agencies 
in an effort to promote uniformity, understanding, and compliance with 
human subject protections.\1\
    Existing regulations governing the protection of human subjects in 
Food and Drug Administration (FDA)-regulated research (21 CFR parts 50, 
56, 312, and 812) are separate from the Common Rule but include similar 
requirements.
    The history of contemporary human subjects protections began in 
1947 with the Nuremberg Code, developed for the Nuremberg Military 
Tribunal as standards by which to judge the human experimentation 
conducted by the Nazis. The Code captures many of what are now taken to 
be the basic principles governing the ethical conduct of research 
involving human subjects.
    Similar recommendations were made by the World Medical Association 
in its Declaration of Helsinki: Recommendations Guiding Medical Doctors 
in Biomedical Research Involving Human Subjects, first adopted in 1964 
and subsequently revised many times.
    Basic regulations governing the protection of human subjects in 
research supported or conducted by HHS (then the Department of Health, 
Education and Welfare) were first published in 1974. In the United 
States, a series of highly publicized abuses in research led to the 
enactment of the 1974 National Research Act (Pub. L. 93-348), which 
created the National Commission for the Protection of Human Subjects of 
Biomedical and Behavioral Research (National Commission). One of the 
charges to the National Commission was to identify the basic ethical 
principles that should underlie the conduct of biomedical and 
behavioral research involving human subjects and to develop guidelines 
to assure that such research is conducted in accordance with those 
principles. In 1979, the National Commission published ``Ethical 
Principles and Guidelines for the Protection of Human Subjects of 
Research,'' also known as the Belmont Report (https://www.hhs.gov/ohrp/policy/belmont.html) which identified three fundamental ethical 
principles for all human subjects research--respect for persons, 
beneficence, and justice.
    Based on the Belmont Report and other work of the National 
Commission, HHS revised and expanded its regulations for the protection 
of human subjects in the late 1970s and early 1980s. The HHS 
regulations are codified at 45 CFR part 46, subparts A through E. The 
statutory authority for the HHS regulations derives from 5 U.S.C. 301; 
42 U.S.C. 300v-1(b); and 42 U.S.C. 289.
    In 1991, 14 other Federal departments and agencies joined HHS in 
adopting a uniform set of rules for the protection of human subjects, 
the ``Common Rule,'' identical to subpart A of 45 CFR part 46 of the 
HHS regulations.
    The Common Rule requires that Federally funded investigators in 
most instances obtain and document the informed consent of research 
subjects, and describes requirements for institutional review board 
(IRB) membership, function, operations, research review, and 
recordkeeping. The regulations also delineate criteria for, and levels 
of, IRB review. Currently, except for human subjects research that

[[Page 44513]]

is determined to be exempt from the regulations, Federally funded 
research involving human subjects is reviewed by an IRB in one of two 
ways: (1) By a convened IRB, or (2) through an expedited review 
process.
    Since the Common Rule was developed, the landscape of research 
activities has changed dramatically, accompanied by a marked increase 
in the volume of research. It is estimated that total spending on 
health-related research and development by the drug industry and the 
Federal government has tripled since 1990.\2\ While traditional 
biomedical research conducted in academic medical centers continues to 
flourish, many studies are now also conducted at community hospitals, 
outpatient clinics, or physician-based practices. Clinical research is 
regularly conducted at multiple institutions across the U.S. and other 
countries. Recruitment firms, bioinformatics specialists, clinical 
trial coordinating centers, protocol developers, data analysts, 
contract research organizations (CROs), data and safety monitoring 
committees, community-based organizations, and other entities have 
joined investigators and sponsors as part of the clinical research 
enterprise.
    Research has also increased, evolved, and diversified in other 
areas, such as national security, crime and crime prevention, 
economics, education, and the environment, using a wide array of 
methodologies in the social sciences and multidisciplinary studies. The 
application of technologies such as functional magnetic resonance 
imaging in neuroscience has led to substantial advances in the 
understanding of human physiology, cognition, and behavior. The advent 
of sophisticated computer software programs, the Internet, and mobile 
technology have created new areas of research activity, particularly 
within the social and behavioral sciences, exponentially increasing the 
amount of information available to researchers, while providing the 
means to access and analyze that information. In many areas of society, 
researchers are being called upon to provide evidence to more 
effectively guide social policy and practices.
    The rapid growth and expansion of human subjects research has led 
to many questions about whether the current regulatory framework is 
adequate and appropriate for the protection of human subjects in the 
21st century. Furthermore, decades of experience have revealed a great 
deal about the functioning--and limitations--of existing regulations, 
and prompted critical evaluations by the Institute of Medicine 
(IOM),\3\ \4\ the U.S. Government Accountability Office,\5\ \6\ \7\ and 
many scholars.\8\ \9\ \10\ Federal consideration of such revisions to 
the regulatory schema, in addition to the issues that suggest a need 
for revision, is not without precedent. In its 2001 concluding report, 
the National Bioethics Advisory Commission (NBAC) made 30 
recommendations that addressed areas including the scope and structure 
of the oversight system, the level of review applied to research, 
emphasizing the informed consent process, documentation and waiver of 
informed consent, protecting privacy and confidentiality, adverse event 
reporting, and review of cooperative or multi-site research 
studies.\11\ NBAC's recommendations are one source for the revisions in 
the Common Rule currently being considered. Addressing these 
considerations now is timely and consistent with the President's 
Executive Order requiring Federal agencies to review existing 
significant regulations to determine whether they should be modified, 
streamlined, expanded, or repealed to make the agency's regulatory 
program more effective or less burdensome in achieving the regulatory 
objective.\12\
    The concerns about the current Common Rule can roughly be 
categorized into seven areas. First, the system has been criticized as 
not adequately calibrating the review process to the risk of research. 
Critics have raised concerns that some IRBs spend considerable time 
reviewing minimal risk research, and that some IRBs have a tendency to 
overestimate the magnitude and probability of reasonably foreseeable 
risks.\13\ Because significantly more research studies require convened 
IRB review, this greater IRB workload diverts time and resources from 
review of research that poses greater risks, theoretically resulting in 
inadequate attention to research that could seriously harm 
subjects.\14\
    Questions have been raised about the appropriateness of the review 
process for social and behavioral research.\15\ \16\ \17\ \18\ The 
nature of the possible risks to subjects is often significantly 
different in many social and behavioral research studies as compared to 
biomedical research, and critics contend that the difference is not 
adequately reflected in the current rules. While physical risks 
generally are the greatest concern in biomedical research, social and 
behavioral studies rarely pose physical risk but may pose psychological 
or informational risks. Some have argued that, particularly given the 
paucity of information suggesting significant risks to subjects in 
certain types of survey and interview-based research, the current 
system over-regulates such research.\19\ \20\ \21\ Further, many 
critics see little evidence that most IRB review of social and 
behavioral research effectively does much to protect research subjects 
from psychological or informational risks.\22\ Over-regulating social 
and behavioral research in general may serve to distract attention from 
attempts to identify those social and behavioral research studies that 
do pose threats to the welfare of subjects and thus do merit 
significant oversight.
    Second, critics have commented about the inefficiencies of review 
by multiple IRBs for multi-site studies, which add bureaucratic 
complexity to the review process and delay initiation of research 
projects without evidence that multiple reviews provide additional 
protections to subjects.\23\ There also has been a concern that the 
current multiple review system might actually be leading to weaker 
protections for subjects than if there were fewer reviews but greater 
responsibility on the part of the IRBs involved.
    Third, questions have been raised about the extent and quality of 
the protections afforded by current informed consent requirements and 
practices. A variety of critics have highlighted problems with consent 
forms. In some research studies, consent forms have become lengthy and 
are often written in highly technical terms.\24\ \25\ \26\ Many also 
claim that consent forms have evolved to protect institutions rather 
than to actually provide salient information to potential human 
subjects.\27\ This is especially problematic if the forms fail to 
include information that is crucial for making a decision about 
participation, including appropriate information about financial 
relationships between researchers and study sponsors, or are written in 
a way that potential subjects are likely to fail to notice such 
information. At the same time, others raise concerns about the rigid 
application of written consent to all forms of research, especially 
research involving surveys, interviews, focus groups, or other similar 
methodologies.\28\ In these types of research, it has been argued that 
written documentation of consent is unnecessary and that answering 
questions should be sufficient to indicate individual consent to 
participate.\29\
    Fourth, increasing use of genetic information, existing (i.e., 
stored) biospecimens, medical records, and administrative claims data 
in research has changed the nature of the risks and

[[Page 44514]]

benefits of research participation. Risks related to these types of 
research are not physical but informational (e.g., resulting from the 
unauthorized release of information about subjects). The Privacy Rule 
promulgated under the Health Insurance Portability and Accountability 
Act of 1996 (HIPAA) \30\ addresses some of these informational risks by 
imposing restrictions on how certain identifiable health information 
collected by health plans, healthcare clearinghouses, and certain 
healthcare providers (``covered entities'') may be used and disclosed, 
including for research. In addition, the HIPAA Security Rule requires 
that these entities implement certain administrative, physical, and 
technical safeguards to protect this information when in electronic 
form from unauthorized use or disclosure. However, the HIPAA Rules 
apply only to covered entities (and in certain respects to their 
business associates), and not all investigators are part of a covered 
entity (or business associates of a covered entity). Separate from the 
HIPAA Rules, the Privacy Act of 1974, as amended (5 U.S.C. 552a \31\) 
requires Federal agencies to protect personally identifiable 
information in their possession and control. However, it does not apply 
to non-Federal researchers.
    Fifth, the monitoring and evaluation of the current system for 
protecting human subjects has been criticized.\32\ There is concern 
that current regulations do not provide an ideal mechanism for the 
collection of information that would allow evaluation of the 
effectiveness of the research oversight system in protecting human 
subjects.
    Sixth, concerns have been expressed that the current regulatory 
system does not adequately protect all research subjects.\33\ For 
instance, only some research studies funded by certain Federal agencies 
or those that involve the development of products subject to regulation 
by the FDA, are subject to the Common Rule or similar protections. As a 
result, there are many studies that are not subject to any such Federal 
oversight, even though they may involve substantial risks to the 
subjects.
    Seventh, the multiple, differing regulatory requirements that can 
apply to a single research study have been criticized as complex, 
inconsistent, and lacking in clarity, which results in unwarranted 
variability across institutions and their IRBs in how the requirements 
are interpreted and implemented.\34\ For example, Federal agencies that 
have adopted the Common Rule have issued guidance and developed norms 
of implementation that sometimes differ and may, in certain instances, 
even conflict with guidance from other Common Rule agencies. Similarly, 
the overlapping and sometimes, arguably, inconsistent requirements of 
the Common Rule and the HIPAA Privacy Rule have been criticized as 
being overly complex, causing confusion and frustration among 
investigators, IRBs, and others trying to comply with both sets of 
requirements.\35\
    In response to these various criticisms, we propose changes to the 
following seven aspects of the current regulatory framework. The 
fundamental goal is to enhance the effectiveness of the research 
oversight system by improving the protections for human subjects while 
also reducing burdens, delays, and ambiguity for investigators and 
research subjects.
    1. Refinement of the existing risk-based regulatory framework 
(Section II);
    2. Utilization of a single IRB review of record for domestic sites 
of multi-site studies (Section III);
    3. Improvement of consent forms and the consent process (Section 
IV);
    4. Establishment of mandatory data security and information 
protection standards for all studies that involve identifiable or 
potentially identifiable data (Section V);
    5. Establishment of an improved, more systematic approach for the 
collection and analysis of data on unanticipated problems and adverse 
events (Section VI);
    6. Extension of Federal regulatory protections to all research, 
regardless of funding source, conducted at institutions in the U.S. 
that receive some Federal funding from a Common Rule agency for 
research with human subjects (Section VII); and
    7. Improvement in the harmonization of regulations and related 
agency guidance (Section VIII).
    We believe the proposals we are considering uphold and better 
reflect the ethical principles upon which the Common Rule is based. We 
recognize that this ANPRM is both lengthy and detailed. However this 
level of detail reflects the importance and types of changes that have 
been proposed by the Institute of Medicine (IOM), NBAC, and other 
commentators and are now being considered for adoption. Comment is now 
sought on these proposals and on the broader question of how to 
modernize, simplify, and enhance the current system. The intent is to 
revise the Common Rule \36\ recognizing that other laws and 
regulations, such as the other subparts of the HHS human subjects 
protection regulations (Subparts B, C, and D, which deal with 
particular populations of vulnerable subjects, and Subpart E of 45 CFR 
part 46), FDA regulations, and the HIPAA Privacy Rule most likely will 
be affected and will need to be harmonized, as appropriate, with any 
proposed regulatory changes made to the Common Rule.
    As we consider how the current regulations governing human subjects 
research should be revised, we will take into account the deliberations 
of the Presidential Commission for the Study of Bioethical Issues. We 
will also consider the public comments received on the request for 
information that the Commission issued on March 2, 2011, that sought 
public comment on the current Federal and international standards for 
protecting the health and well-being of participants in scientific 
studies supported by the Federal Government.\37\

II. Ensuring Risk-Based Protections

    Currently, the Common Rule provides for several tiers of 
independent review of research studies, as follows:
    1. The highest level of review, applied to most studies involving 
more than minimal risk and to many studies involving no more than 
minimal risk, is review by a convened IRB.
    2. The next level of review is expedited review.\38\ This generally 
involves review by a single IRB member. A study is eligible for 
expedited review if the research appears on a list published by the 
Secretary of HHS of categories of research eligible for such review, 
and the research is found by the reviewer(s) to involve no more than 
minimal risk.
    3. Certain studies are exempt from IRB review.\39\ The regulations 
specify six ``exemption'' categories; a study must fall within one or 
more of these six categories to be exempted from IRB review altogether. 
Although these studies are not subject to the Common Rule, and no 
review is actually required, guidance issued by the Office for Human 
Research Protection (OHRP) recommends that there be some type of review 
by someone other than the investigator to confirm that the study 
qualifies as exempt, and many institutions do indeed impose such a 
requirement.\40\
    There has been criticism about this regulatory framework for 
reviewing research studies. Although it does attempt to match the level 
of review to the type of risks posed by a study, many argue that it 
does so in a less than ideal manner. For instance, many surveys that 
are unlikely to lead to any harm to subjects nonetheless undergo review 
by a convened IRB.\41\ Further, arguments

[[Page 44515]]

have been made that some of the lines drawn between review categories 
are vague and difficult to apply.\42\ Studies have shown that different 
levels of review are sometimes required by different IRBs for the same 
study.43 44
    In response to these concerns, the IOM report on research 
protections recommended revising the current approach: ``The degree of 
scrutiny, the extent of continuing oversight, and the safety monitoring 
procedures for research proposals should be calibrated to a study's 
degree of risk. Minimal risk studies should be handled diligently, but 
expeditiously, while studies involving high risk should receive the 
extra time and attention they require.'' \45\ The IOM surmised that 
this would reduce burdens that do not translate into meaningful 
protections of human subjects and would limit unnecessary drain on 
resources, enabling IRBs to give more attention to high risk studies 
and critical protection activities while improving the efficiency with 
which research projects are reviewed and overseen.
    This ANPRM describes potential refinements to the current review 
framework intended to ensure that protections are commensurate with the 
level of risk of the research study. Five of the most significant 
changes being considered are summarized below, followed by a more 
detailed explanation of the proposals:
    1. Establishing mandatory data security and information protection 
standards for identifiable information and rules protecting against the 
inappropriate re-identification of de-identified information that is 
collected or generated as part of a research study to minimize 
informational risks and thereby eliminate the need for IRBs to review 
informational risks of the research. For purposes of the Common Rule, 
we are considering adopting the HIPAA standards regarding what 
constitutes individually identifiable information, a limited data set, 
and de-identified information, in order to harmonize these definitions 
and concepts. Since this provision would cover studies currently 
considered ``exempt'' from the current regulations, a change in 
terminology would need to be considered (see Section B(3), below).
    2. Revising the rules for continuing review. Continuing review 
would be eliminated for all minimal risk studies that undergo expedited 
review, unless the reviewer explicitly justifies why continuing review 
would enhance protection of research subjects. For studies initially 
reviewed by a convened IRB, continuing review would not be required, 
unless specifically mandated by the IRB, after the study reaches the 
stage where procedures are limited to either (i) analyzing data (even 
if it is identifiable), or (ii) accessing follow-up clinical data from 
procedures that subjects would undergo as part of standard care for 
their medical condition or disease (such as periodic CT scans to 
monitor whether the subjects' cancers have recurred or progressed).
    3. Revising the regulations regarding expedited review to provide 
for mandatory regular updating of the list of categories of research 
that may be reviewed under this mechanism, creating a presumption that 
studies utilizing only research activities that appear on that list are 
indeed minimal risk, and providing for streamlined document submission 
requirements for review.
    4. Revising the regulations regarding studies currently considered 
exempt to, among other things:
    i. Require that researchers file with the IRB a brief form 
(approximately one page) to register their exempt studies, but 
generally allow the research to commence after the filing;
    ii. Clarify that routine review by an IRB staff member or some 
other person of such minimal risk exempt studies is neither required 
nor even recommended;
    iii. Expand the current category 2 exemption (45 CFR 46.101(b)(2)) 
to include all studies involving educational tests, surveys, 
interviews, and similar procedures so long as the subjects are 
competent adults, without any further qualifications (but subject to 
the data security and information protection standards discussed 
above);
    iv. Add a new category for certain types of behavioral and social 
science research that goes beyond using only survey methodology, but 
nonetheless involves only specified minimal risk procedures, so long as 
the subjects are competent adults (but subject to the data security and 
information protection standards discussed above);
    v. Expand the current category 4 exemption (regarding the 
collection or study of existing data, documents, records and 
biospecimens) (45 CFR 46.101(b)(4)) to include all secondary research 
use of identifiable data and biospecimens that have been collected for 
purposes other than the currently proposed research, provided that 
specified new consent requirements are satisfied. This expanded 
category 4 exemption would apply to the secondary use of identifiable 
data and biospecimens even if such data or biospecimens have not yet 
been collected at the time of the research proposal, and even if 
identifiers are retained by the researcher (instead of requiring at 
least expedited review, as is currently the case); and
    vi. Require random retrospective audits of a sample of exempt 
studies to assess whether the exemptions were being appropriately 
applied.
    5. Generally requiring written consent for research use of any 
biospecimens collected for clinical purposes after the effective date 
of the new rules (such as research with excess pathological specimens). 
Such consent could be obtained by use of a brief standard consent form 
agreeing to generally permit future research. This brief consent could 
be broad enough to cover all biospecimens to be collected related to a 
particular set of encounters with an institution (e.g. hospitalization) 
or even to any biospecimens to be collected at any time by that 
institution. These studies using biospecimens collected for clinical 
purposes would also fall under the expanded and revised exempt 
categories described in (4), above, and thus would not require IRB 
review or any routine administrative review but would be subject to the 
data security and information protection standards discussed above. 
This change would conform the rules for research use of clinically-
collected biospecimens with the rules for biospecimens collected for 
research purposes. The general rule would be that a person needs to 
give consent, in writing, for research use of their biospecimens, 
though that consent need not be study-specific, and could cover open-
ended future research.
    Each of these five proposals and other proposed changes are 
discussed below. We seek comments and recommendations on the specific 
changes being considered.

A. A New Mechanism for Protecting Subjects From Informational Risks

    Most research risks to the individual can be categorized into one 
of three types: physical, psychological, and informational risks. 
(Although there are other harms, such as legal, social, and economic 
harms, these can usually be viewed as variations on those core 
categories.) Physical risks are the most straightforward to 
understand--they are characterized by short term or long term damage to 
the body such as pain, bruising, infection, worsening current disease 
states, long-term symptoms, or even death. Psychological risks can 
include unintentional anxiety and stress including feelings of sadness 
or even depression, feelings of betrayal, and exacerbation of 
underlying psychiatric conditions such as post traumatic stress 
disorder. Psychological risks are not

[[Page 44516]]

necessarily restricted to psychiatric or social and behavioral 
research.
    Informational risks derive from inappropriate use or disclosure of 
information, which could be harmful to the study subjects or groups. 
For instance, disclosure of illegal behavior, substance abuse, or 
chronic illness might jeopardize current or future employment, or cause 
emotional or social harm. In general, informational risks are 
correlated with the nature of the information and the degree of 
identifiability of the information. The majority of unauthorized 
disclosures of identifiable health information from investigators occur 
due to inadequate data security.\46\
    Currently, IRBs evaluate all three categories of risk. IRB review 
or oversight of research posing informational risks may not be the best 
way to minimize the informational risks associated with data on human 
subjects. It is not clear that members have appropriate expertise 
regarding data protections. The current assumption that IRBs are 
responsible for reviewing and adequately addressing informational risks 
appears to lead to inconsistent protections and some cases in which 
there are inadequate protections for the information.\47\ Furthermore, 
review of informational risk is an inefficient use of an IRB's time. 
Standardized data protections, rather than IRB review, may be a more 
effective way to minimize informational risks.
    Accordingly, we are considering mandatory standards for data 
security and information protection whenever data are collected, 
generated, stored, or used. The level of protection required by these 
standards would be calibrated to the level of identifiability of the 
information, which would be based on the standards of identifiability 
under the HIPAA Privacy Rule. (These standards are discussed in detail 
in Section V.) With these standards in place to minimize the 
inappropriate use or disclosure of research information, the criteria 
for IRB approval of studies would be modified so that an IRB would no 
longer be responsible for assessing the adequacy of a study's 
procedures for protecting against informational risks. This change 
would not alter the IRB's role in assuring that the ethical principles 
of respect for persons, beneficence and justice are adequately 
fulfilled.

B. Calibrating the Levels of Review to the Level of Risk

    To improve the link between the type of review and the level of 
risk posed by research studies, we are considering the changes 
described below. Since there would be new mandatory standards for data 
security and information protection to address informational risks, 
only non-informational risks would be considered in determining the 
level of risk posed by research studies.
1. Full Convened IRB Review
    The requirement that research involving greater than minimal risk 
be reviewed by a convened IRB would not be changed from the current 
system. Other changes considered in this ANPRM, such as improvements in 
the ability of IRBs to require better consent forms, may enhance the 
effectiveness of such review.
    With regard to continuing review of such studies, we are 
considering one change. Where the remaining activities in a study are 
limited to either (i) data analysis (even if identifiers are retained) 
or (ii) accessing follow-up clinical data from procedures that subjects 
would undergo as part of standard care for their medical problems (such 
as periodic CT scans to monitor whether the subjects' cancers have 
recurred or progressed), the default would be that no continuing review 
by an IRB would be required. The IRB would have the option to make a 
determination that overrides this default. Researchers would still have 
the current obligations to report various developments (such as 
unanticipated problems, or proposed changes to the study) to the IRB. 
This would be a change from the current rules, which require at least 
expedited IRB review of the activities described in (i) and (ii) 
directly above. By eliminating the requirement for continuing review of 
these activities, this change would allow for more effective use of 
IRBs' time by enabling the IRB to focus on reviewing information that 
is necessary to ensure protections of research subjects.
2. Revise Approach to Expedited Review
    Under the Common Rule, a new research study can receive expedited 
review if the research activities to be conducted appear on the list of 
activities published by the Secretary of HHS that are eligible for such 
review (https://www.hhs.gov/ohrp/policy/expedited98.html), and is found 
by the reviewer(s) to involve no more than minimal risk. For research 
that will receive expedited review, three changes are being considered: 
(1) Revising the criteria that make research studies eligible for 
expedited review, (2) eliminating the requirement of routine annual 
continuing review of expedited studies, and (3) streamlining submission 
requirements.
(a) Eligibility for Expedited Review
    Currently, a reviewer must determine that the study includes only 
research activities that appear in the list promulgated by the 
Secretary as eligible for expedited review, that the study as a whole 
involves no more than minimal risk, and that all of the criteria listed 
in 45 CFR 46.111 are met. We are considering changes in each of these 
three areas:
i. List of Research Activities That Qualify a Study for Expedited 
Review
    We are considering initially updating the current list of research 
activities, which was last updated in 1998. We also are considering 
mandating that a standing Federal panel periodically (such as every 
year or every two years) review and update the list, based on a 
systematic, empirical assessment of the levels of risk. This would 
provide greater clarity about what would be considered to constitute 
minimal risk, and create a process that allows for routinely 
reassessing and updating the list of research activities that would 
qualify as minimal risk.
ii. Determination That the Study Involves No More Than Minimal Risk
    As noted, currently a study can undergo expedited review if all of 
the activities involved appear on the list of eligible research 
activities and the study is found to be minimal risk. The current 
definition of minimal risk encompasses research activities where ``the 
probability and magnitude of harm or discomfort anticipated in the 
research are not greater in and of themselves than those ordinarily 
encountered in daily life or during the performance of routine physical 
or psychological examinations or tests.'' \48\ Since the listed 
activities are ones with which there is a great deal of experience, and 
their risks are well known, it should be a rare instance in which a 
study that uses only the listed activities will, as a whole, pose more 
than minimal risk. Yet many studies which use only those activities--
particularly those in the social and behavioral field--are frequently 
required to undergo review by a convened IRB.\49\ We are accordingly 
considering providing a default presumption in the regulations that a 
study which includes only activities on the list is a minimal risk 
study and should receive expedited review. A reviewer would have the 
option of determining that the study should be reviewed by a convened 
IRB, when that

[[Page 44517]]

conclusion is supported by the specific circumstances of the study.
iii. Determination That the Study Meets All of the 45 CFR 46.111 
Criteria
    Given that a study is eligible for expedited review only if it 
involves minimal risk, and only if its activities are limited to those 
that appear on the published list, it is not clear that the study 
should be required to meet all of the criteria for IRB approval at 45 
CFR 46.111. Currently, before an IRB may approve a research study, 
including research that is being reviewed under an expedited procedure, 
the IRB must find that the following criteria have been satisfied as 
required by 45 CFR 46.111:
    1. Risks to subjects are minimized: (i) By using procedures which 
are consistent with sound research design and which do not 
unnecessarily expose subjects to risk, and (ii) whenever appropriate, 
by using procedures already being performed on the subjects for 
diagnostic or treatment purposes.
    2. Risks to subjects are reasonable in relation to anticipated 
benefits, if any, to subjects, and the importance of the knowledge that 
may reasonably be expected to result. In evaluating risks and benefits, 
the IRB should consider only those risks and benefits that may result 
from the research (as distinguished from risks and benefits of 
therapies subjects would receive even if not participating in the 
research). The IRB should not consider possible long-range effects of 
applying knowledge gained in the research (for example, the possible 
effects of the research on public policy) as among those research risks 
that fall within the purview of its responsibility.
    3. Selection of subjects is equitable. In making this assessment 
the IRB should take into account the purposes of the research and the 
setting in which the research will be conducted and should be 
particularly cognizant of the special problems of research involving 
vulnerable populations, such as children, prisoners, pregnant women, 
mentally disabled persons, or economically or educationally 
disadvantaged persons.
    4. Informed consent will be sought from each prospective subject or 
the subject's legally authorized representative, in accordance with, 
and to the extent required by Sec.  46.116.
    5. Informed consent will be appropriately documented, in accordance 
with, and to the extent required by Sec.  46.117.
    6. When appropriate, the research plan makes adequate provision for 
monitoring the data collected to ensure the safety of subjects.
    7. When appropriate, there are adequate provisions to protect the 
privacy of subjects and to maintain the confidentiality of data.
    8. When some or all of the subjects are likely to be vulnerable to 
coercion or undue influence, such as children, prisoners, pregnant 
women, mentally disabled persons, or economically or educationally 
disadvantaged persons, additional safeguards have been included in the 
study to protect the rights and welfare of these subjects.
    Accordingly, we are considering whether all of those criteria 
should still be required for approval of studies that qualify for 
expedited review, and if not, which ones should not be required.
(b) Eliminating Continuing Review of Expedited Studies
    We believe that annual continuing review of research studies 
involving only activities that are already well-documented to generally 
involve no more than minimal risk may provide little if any added 
protection to subjects, and that it may be preferable for IRB resources 
to be devoted to research that poses greater than minimal risk.
    Accordingly, we are considering changing the default to require no 
continuing review for studies that qualify for expedited review. 
Researchers would still be obligated to obtain IRB approval for changes 
to a study and to report to the IRB unanticipated problems and other 
similar items that are currently required to be reported.
    For any specific study, the reviewer would have the authority to 
make a specific determination and provide a justification about why 
continuing review is appropriate for that minimal risk study, and to 
specify how frequently such review would be required.
(c) Streamlining Documentation Requirements for Expedited Studies
    Under the current Federal regulations, researchers typically must 
submit the same documents including a detailed protocol, informed 
consent documents, and any other supporting documents, regardless of 
whether the study will be reviewed by a convened IRB or be approved by 
the expedited review process. Although it is important to document why 
research qualifies for expedited review, it is unclear whether the time 
and effort expended in such preparation activities result in increased 
benefit in terms of protecting subjects.
    Ideally, standard templates for protocols and consent forms and 
sample versions of those documents that are specifically designed for 
use in the most common types of studies would facilitate expedited 
review. Such forms would need to be carefully designed to eliminate 
those elements that are of relevance only in studies that pose greater 
than minimal risks and to substantially reduce the current burden of 
researchers involved in producing these documents and of the IRB 
members who review them.
    Comments and recommendations are requested on any of the above 
proposals under consideration and on the following specific questions:
    Question 1: Is the current definition of ``minimal risk'' in the 
regulations (45 CFR 46.102(i)--research activities where ``the 
probability and magnitude of harm or discomfort anticipated in the 
research are not greater in and of themselves than those ordinarily 
encountered in daily life or during the performance of routine physical 
or psychological examinations or tests'')--appropriate? If not, how 
should it be changed?
    Question 2: Would the proposals regarding continuing review for 
research that poses no more than minimal risk and qualifies for 
expedited review assure that subjects are adequately protected? What 
specific criteria should be used by IRBs in determining that a study 
that qualifies for expedited initial review should undergo continuing 
review?
    Question 3: For research that poses greater than minimal risk, 
should annual continuing review be required if the remaining study 
activities only include those that could have been approved under 
expedited review or would fall under the revised exempt (Excused) 
category described in section 3, below (e.g., a study in which a 
physical intervention occurred in the first year, all subjects have 
completed that intervention, and only annual written surveys are 
completed for the next five years)?
    Question 4: Should the regulations be changed to indicate that IRBs 
should only consider ``reasonably foreseeable risks or discomforts''?
    Question 5: What criteria can or should be used to determine with 
specificity whether a study's psychological risks or other nonphysical, 
non-information risks, are greater than or less than minimal?
    Question 6: Are there survey instruments or specific types of 
questions that should be classified as greater than minimal risk? How 
should the characteristics of the study population (e.g. mental health 
patients) be taken into consideration in the risk assessment?
    Question 7: What research activities, if any, should be added to 
the published

[[Page 44518]]

list of activities that can be used in a study that qualifies for 
expedited review? Should any of the existing activities on that list be 
removed or revised? For instance, should the following be included as 
minimal risk research activities:
     Allergy skin testing.
     Skin punch biopsy (limited to two per protocol).
     Additional biopsy during a clinical test (e.g., performing 
an extra colonic biopsy in the course of performing a routine 
colonoscopy).
     Glucose tolerance testing among adults.
    Question 8: Should some threshold for radiological exams performed 
for research purposes, that is calibrated to this background level of 
exposure, be identified as involving no more than minimal risk?
    Question 9: How frequently should a mandatory review and update of 
the list of research activities that can qualify for expedited review 
take place? Should the list be revised once a year, every two years, or 
less frequently?
    Question 10: Which, if any, of the current criteria for IRB 
approval under 45 CFR 46.111 should not apply to a study that qualifies 
for expedited review?
    Question 11: What are the advantages of requiring that expedited 
review be conducted by an IRB member? Would it be appropriate to 
instead allow such review to be done by an appropriately trained 
individual, such as the manager of the IRB office, who need not be a 
member of the IRB? If not, what are the disadvantages of relying on a 
non-IRB member to conduct expedited review? If so, what would qualify 
as being ``appropriately trained''? Would the effort to make sure that 
such persons are appropriately trained outweigh the benefits from 
making this change?
    Question 12: Are there other specific changes that could be made to 
reduce the burden imposed on researchers and their staffs in terms of 
meeting the requirements to submit documents to an IRB, without 
decreasing protections to subjects? Are there specific elements that 
can be appropriately eliminated from protocols or consent forms? Which 
other documents that are currently required to be submitted to IRBs can 
be shortened or perhaps appropriately eliminated? Conversely, are there 
specific additions to protocols or consent forms beyond those 
identified in this notice that would meaningfully add to the protection 
of subjects? What entity or organization should develop and disseminate 
such standardized document formats?
    Question 13: Given the problems with the current system regarding 
wide variations in the substance of IRB reviews, would it be 
appropriate to require IRBs to submit periodic reports to OHRP in the 
instances in which they choose to override the defaults described in 
Sections B(1), B(2)(a)(ii), and B(2)(b) above? Should IRBs have to 
report instances in which they require continuing review or convened 
IRB review of a study which involves only activities identified as 
being on the list of those eligible for expedited review? If an IRB 
that chose to override these defaults was required to submit a report 
to OHRP, would this provide useful information about any lack of 
appropriate consistency among IRBs so that clarifying guidance could be 
provided as needed, or provide useful information to OHRP about the 
possible need to revise the expedited review list or the continuing 
review requirements?
3. Moving Away From the Concept of Exempt
    We are considering revising the category of exempt research in ways 
that would both increase protections and broaden the types of studies 
covered. Specifically, although still not subject to IRB review, these 
studies would be subject to the new data security and information 
protection standards described in Section V, and in some cases, 
informed consent would be required as described in Section (c) below. 
Given that these studies would no longer be fully exempt from the 
regulations, they could more accurately be described as ``Excused'' 
from being required to undergo some form of IRB review (which 
terminology we will use hereafter in this ANPRM). (Note: FDA's statute 
requires IRB review and approval of any clinical device investigation. 
21 U.S.C. 360j(g)(3)(A) and (B). Therefore, FDA-regulated studies 
involving specimens will not be eligible for the new Excused category 
and will remain subject to IRB oversight.) The new data security and 
information protection standards make it possible to increase the 
coverage of the Excused category, thereby reducing the burden on 
researchers conducting minimal risk studies, while actually increasing 
the protections for participants.
    Some specific aspects of these changes are described here:
(a) Types of Research Studies That Qualify for the Excused Category
    The existing six exemption categories would be retained as part of 
the new Excused category. The current criteria for defining those 
categories would be reviewed and revised appropriately so that they are 
clear enough that researchers could readily determine whether a study 
qualified to be in these categories. In addition, the following 
significant expansions of the current categories are being considered:
    1. Limitations specified in the current exempt category 2 (research 
involving educational tests, surveys, focus groups, interviews, and 
similar procedures) would no longer be necessary when these studies are 
conducted with competent adults. The current exemption 2 under 45 CFR 
46.101(b)(2) states: ``Research involving the use of educational tests 
(cognitive, diagnostic, aptitude, achievement), survey procedures, 
interview procedures or observation of public behavior, unless: (i) 
Information obtained is recorded in such a manner that human subjects 
can be identified, directly or through identifiers linked to the 
subjects; and (ii) any disclosure of the human subjects' responses 
outside the research could reasonably place the subjects at risk of 
criminal or civil liability or be damaging to the subjects' financial 
standing, employability, or reputation.'' Specifically it is proposed 
that the language that appears after the word ``unless'' in provisions 
(i) and (ii) would be deleted. Thus, research conducted with competent 
adults, that involve educational tests, surveys, focus groups, 
interviews, and similar procedures would qualify for the new Excused 
category, regardless of the nature of the information being collected, 
and regardless of whether data is recorded in such a manner that 
subjects can be identified. It is proposed that the limitations on the 
current category 2 be eliminated since these studies would be conducted 
with competent adults and because these studies would now be subject to 
standard data security and information protection standards. The term 
``competent'' as used here and throughout this ANPRM refers to adults 
who would be able to provide ``legally effective informed consent,'' as 
currently required by 45 CFR 46.116. This concept has been included in 
the Common Rule for decades, and is routinely implemented by 
researchers, generally with little difficulty. For example, researchers 
who currently conduct non-exempt surveys must make determinations 
regarding which subjects to include in their studies, and we are not 
aware of any evidence that suggests making such determinations has been 
a problem.
    2. We are considering whether to include on the list of Excused 
studies certain types of social and behavioral research, conducted with 
competent

[[Page 44519]]

adults, that would involve specified types of benign interventions 
beyond educational tests, surveys, focus groups, interviews, and 
similar procedures, that are commonly used in social and behavioral 
research, that are known to involve virtually no risk to subjects, and 
for which prior review does little to increase protections to subjects. 
These would be methodologies which are very familiar to people in 
everyday life and in which verbal or similar responses would be the 
research data being collected. For example, a researcher might ask 
subjects to watch a video, or read a paragraph or solve puzzles, and 
then ask them some questions to elicit word associations or time 
performance of activities. The specific methodologies might be spelled 
out in regulations, or they might be promulgated via a periodic 
mechanism to announce and update lists similar to the list that is 
published for activities that allow a study to be expedited.
    3. Limitations specified in the current exempt category 4 (research 
involving the use of existing information or biospecimens) would be 
eliminated. The current exemption 4 under 45 CFR 46.101(b)(4) states: 
``Research involving the collection or study of existing data, 
documents, records, pathological specimens, or diagnostic specimens, if 
these sources are publicly available or if the information is recorded 
by the investigator in such a manner that subjects cannot be 
identified, directly or through identifiers linked to the subjects.'' 
Specifically, it is proposed that the category would be revised to 
clarify that the word ``existing'' means collected for purposes other 
than the proposed research and not that all of the data or biospecimens 
need exist at the time the study commenced. In addition, the limitation 
that the researcher cannot record and retain information that 
identifies the subjects would be eliminated. In other words, research 
that only involves the use of data or biospecimens collected for other 
purposes, even if the researcher intends to retain identifiers, would 
now come within the new Excused category, unless there are plans to 
provide individual results back to the subjects. Studies that include a 
plan to provide to subjects individual results from the analysis of 
their biospecimens or data would not qualify for this proposed Excused 
category.
    As described below in Section (c), it is contemplated that certain 
relatively flexible consent requirements would be imposed on some of 
these studies. (See Table 1 at the end of Section V for a summary of 
this proposal.)
(b) Tracking and Auditing Excused Research
    We are considering a mechanism to track Excused research, and to 
audit only a small but appropriate portion of such research, because it 
would still be subject to other regulatory protections, such as the 
proposed data security and information protection standards and certain 
consent requirements. In addition, such a mechanism to track and audit 
Excused research will also enable institutions to assure that the 
research does indeed meet the criteria for inclusion in the Excused 
category. (That is all that an audit would in most cases involve: a 
brief review of the registration form, similar to what many 
institutions currently do when they determine whether a study is 
exempt.) Key to this would be a requirement that researchers register 
their study with an institutional office by completing a brief form. 
This would make the institution aware of the research and identify the 
study's principal investigator. In addition the institution could 
choose to review some of the submissions at the time they are filed 
(and we contemplate that this would only be done in a relatively small 
percentage of the filings) and if deemed appropriate, require that the 
study be sent for expedited review or, in exceptionally rare cases, 
convened IRB review.
    The proposed auditing requirement is intended to encourage 
institutions to use the regulatory flexibility proposed for the Excused 
category of research. Rather than maintaining many institutions' 
current practice of routinely requiring that research that meets the 
current exemption categories undergo some type of review before it is 
permitted to proceed, the proposed auditing requirement would provide 
institutions with information needed to assess their compliance with 
the new Excused category without unnecessarily subjecting all such 
research to either prospective review, or even routine review sometime 
after the study is begun.
(c) Consent Rules for Excused Research
    We are contemplating that the consent practices for studies 
currently designated as exempt would remain in most respects unchanged 
for research falling within the new Excused category, even if some of 
those practices are clarified. For example, oral consent without 
written documentation would continue to be acceptable for many research 
studies involving educational tests, surveys, focus groups, interviews, 
and similar procedures.
    However, we are considering the following revisions to the consent 
rules for the category of Excused research that involves the use of 
pre-existing data or biospecimens as described in Section 3(a)(3) 
above.
    First, written general consent (as described below) would be 
required for the research use of such biospecimens. This would be a 
change from the current rules which allow research without consent when 
a biospecimen is used for research under conditions where the 
researcher does not possess information that would allow them to 
identify the person whose biospecimen is being studied.
    Second, with regard to the researchers' use of pre-existing data 
(i.e. data that were previously collected for purposes other than the 
currently proposed research study):
    a. If the data was originally collected for non-research purposes, 
then, as is currently the rule, written consent would only be required 
if the researcher obtains information that identifies the subjects. 
There would accordingly be no change in the current ability of 
researchers to conduct such research using de-identified data or a 
limited data set, as such terms are used in the HIPAA Rules (see 
Section V), without obtaining consent.
    b. If the data was originally collected for research purposes, then 
consent would be required regardless of whether the researcher obtains 
identifiers. Note that this would be a change with regard to the 
current interpretation of the Common Rule in the case where the 
researcher does not obtain any identifiers. That is, the allowable 
current practice of telling the subjects, during the initial research 
consent, that the data they are providing will be used for one purpose, 
and then after stripping identifiers, allowing it to be used for a new 
purpose to which the subjects never consented, would not be allowed.
    In most instances, the consent requirements described above would 
have been met at the time that the biospecimens or data were initially 
collected, when the subject would have signed a standard, brief general 
consent form allowing for broad, future research. This brief consent 
could be broad enough to cover all data and biospecimens to be 
collected related to a particular set of encounters with an institution 
(e.g. hospitalization) or to any data or biospecimens to be collected 
at anytime by the institution. Importantly, this standardized general 
consent form would permit the subject to say no to all future research. 
In addition, there are likely to be a handful of special categories of 
research with

[[Page 44520]]

biospecimens that, given the unique concerns they might raise for a 
significant segment of the public, would be dealt with by check-off 
boxes allowing subjects to separately say yes or no to that particular 
type of research (e.g., perhaps creating a cell line, or reproductive 
research). Participation in a research study (such as a clinical trial) 
could not be conditioned on agreeing to allow future open-ended 
research using a biospecimen. With regard to the secondary research use 
of pre-existing data, on those occasions when oral consent was 
acceptable under the regulations for the initial data collection, it is 
envisioned that subjects would have typically provided their oral 
consent for future research at the time of the initial data collection; 
a written consent form would not have to be signed in that 
circumstance. Table 1 at the end of Section V illustrates the consent 
requirements for pre-existing data in the context of the data security 
and information protection requirements which would also apply.
    Third, these changes would only be applied prospectively, not 
retrospectively. In other words, they would only apply to biospecimens 
and data that are collected after the effective date of the new rules.
    And fourth, there would be rules (to be determined) that would 
allow for waiver of consent under specified circumstances, though those 
conditions would not necessarily be the same as those for other types 
of research.
(d) Overall Consequences for Current Review Practices
    The proposal for changes described in sections (a) through (c) 
above would eliminate the current practice of not allowing researchers 
to begin conducting such minimal risk studies until a reviewer has 
determined the study does indeed meet the criteria for being exempt. 
Such delay is not currently required by the Common Rule, and appears to 
slow research without adding significant protection to subjects. 
Instead, under the plan being considered, researchers would file with 
their institution or IRB a brief registration form (about one page 
long) that provides essential information about the study, including, 
for example, information about who will be the principal investigator, 
and the purpose of the study. The researchers would then be authorized 
to begin conducting the study after the filing (unless the institution 
chose to review that filing and determined that the research did not 
qualify as Excused). It would be made clear that the regulations would 
not require, and in fact, would discourage, having each of these 
registration forms undergo a comprehensive administrative review prior 
to commencing the study or even afterward.
    Comments and recommendations are requested on any of the above 
proposals under consideration and on the following specific questions:
    Question 14: Are these expansions in the types of studies that 
would qualify for this Excused category appropriate? Would these 
changes be likely to discourage individuals from participating in 
research? Might these changes result in inappropriately reduced 
protections for research subjects, or diminished attention to the 
principles of respect for persons, beneficence, and justice?
    Question 15: Beyond the expansions under consideration, are there 
other types of research studies that should qualify for the Excused 
category? Are there specific types of studies that are being considered 
for inclusion in these expansions, that should not be included because 
they should undergo prospective review for ethical or other reasons 
before a researcher is allowed to commence the research?
    Question 16: Should research involving surveys and related 
methodologies qualify for the Excused category only if they do not 
involve topics that are emotionally charged, such as sexual or physical 
abuse? If so, what entity should be responsible for determining whether 
a topic is or is not emotionally charged?
    Question 17: What specific social and behavioral research 
methodologies should fall within the Excused category? Under what 
circumstances, if any, should a study qualify for the Excused category 
if the study involves a form of deception (and if so, how should 
``deception'' be defined)?
    Question 18: Currently some IRBs make determinations regarding 
whether clinical results should be returned to study participants. How 
should such determinations be made if the study now fits in the Excused 
category? Can standard algorithms be developed for when test results 
should be provided to participants and when they should not (e.g., if 
they can be clinically interpreted, they must be given to the 
participants?).
    Question 19: Regarding the Excused category, should there be a 
brief waiting period (e.g. one week) before a researcher may commence 
research after submitting the one-page registration form, to allow 
institutions to look at the forms an