New HHS rule updates the Common Rule for medical research

A final rule from the Department of Health and Human Services and 15 other departments and agencies will update provisions for protecting individuals participating in medical research.

In essence, the rule updates the Common Rule provisions of protection that have been in force since 1991.

“This final rule is intended to better protect human subjects involved in research, while facilitating valuable research and reducing burden, delay and ambiguity for investigations,” according to the rule. “These revisions are an effort to modernize, simplify and enhance the current system of oversight.”

The rule recognizes major changes in the past two decades in how research is conducted, with evolving technologies that include advanced medical imaging, mobile technology, a huge growth in computing power, use of the Internet, and a range of data mining, collection, analysis and sharing activities.

“The sheer volume of data that can be generated in research, the ease of which it can be shared and the ways it can be used to identify individuals were simply not possible, or even imaginable, when the Common Rule was first adopted,” it notes.

Also See: Project Data Sphere enables wide use of clinical trial data

The regulations in place under the Common Rule were developed when research was mostly done at universities and hospitals, and each study took place at a single site, HHS notes in the rule. “Since then, research with human participants has grown in scale and become more diverse and data has become digital.”

Further, much of medical research has moved into clinical settings beyond hospitals, such as physician practices and other healthcare sites, and the scientific community has recognized the value of data sharing and open source resources.

A major goal of the rule is to help patients and their families better understand research processes and in particular to revamp consent forms to be consumer-friendly. The form would include a concise explanation at the beginning of the purpose of the research, risks and benefits and any appropriate alternative treatments.

“Over the years, many have argued that consent forms have become these incredibly lengthy and complex documents that are designed to protect institutions from lawsuits, rather than providing potential research subjects with the information they need in order to make an informed choice about whether to participate in a research study,” Jerry Menikoff, MD, director of the HHS Office for Human Research Protections, says.

Also See: Gartner’s top 10 strategic technology trends for 2017

The rule, covering federally funded clinical trials, enables researchers to continue to use non-identified bio-specimens that are not subject to the Common Rule without having to obtain consent for using such bio-specimens. In general, the new rule enables them to keep using these bio-specimens in the way they currently use them. In most respects, the rule retains current privacy standards.

Rule writers note that while the industry has largely become digitized, research oversight hasn’t changed much. Sophisticated analytics to study bio-specimens have been incorporated, as well as “the growing use of electronic health data and other digital records to enable very large datasets to be rapidly analyzed and combined in novel ways,” according to the rule.

Yet, these developments have not been accompanied by major change in the human subjects research oversight system, which has remained largely unaltered over the past two decades. Now, provisions in the rule are designed to ensure that patients and families participating in medical research better understand how research processes work and their rights and obligations.

Tom Walsh, president of the healthcare security consultancy tw-Security, was surprised that 16 federal agencies play a role in the protection of human subjects in medical research. But he liked that the rule was written in generic language and its provisions will be reviewed following the first year of enactment, which allows flexibility to make changes deemed to be necessary. Walsh also was encouraged by the inclusion of improved governance processes for institutional review boards and a better patient consent process.

What concerns Walsh is the lack of clear mandates to secure data via encryption. Researchers still have to comply with HIPAA, he notes, “but the rule removed security controls that need to be in place.”

The rule is available here.

For reprint and licensing requests for this article, click here.