In this special topics module, we'll be looking at regulatory compliance. So, things that we may need to consider in special circumstances when we're managing data for clinical and translational research studies. Specifically, we're going to look at high-level regulatory considerations when managing data, and also high-level regulatory considerations for those systems that are managing data. I wanted to start with a few preliminary thoughts. The first of those is, we're all in the data management domain. A lot of times individuals have access to lots of records. They have access to multiple data sources. There is this power that goes along with that. So the first preliminary thought would be: just because you can doesn't mean you should. It takes a long time to earn the trust of our researchers. It takes a long time to earn the trust of regulatory and ethics groups around campus or within networks. Their trust is hard to earn and it requires self-governance. And so, all of the principles that we'll talk about going forward are mandated principles, typically, in the regulatory environments. But it takes a fair amount of self-governance to just make sure that your ethical antenna are up, and that you're always looking to do the right thing. The third principle there would be: some of the information that we'll provide is particularly around some U.S.-based regulations, and they may not apply to everyone. It may not apply even in the U.S. to all studies or even many studies. But I've always found that it's useful to sort of look at the requirements, even if they're not required for a particular study or scenario, and look for those elements that are a good idea anyway. They're all rooted in very sound principles. And so we want to always sort of keep our eyes open, and make sure that we're looking to implement best practices whether or not we have to.
So, the first thing I'll say about regulatory compliance is, it requires learning a lot of new acronyms. So, I've listed five acronyms there. And these are the ones I probably think about on a weekly basis at least. But again, my context is here in the United States. A lot of NIH-funded trials. A lot of work with the federal government. And so, you know, this is my context. Depending on where you live and your certain circumstances, there might be other regulatory components, and so you'd need to learn a few other acronyms. But I'm going to go through these five, because I think they're applicable to many. And even for those that they are not applicable to directly, there are some really good lessons to learn there.
The first one is IRB. We've mentioned this in a previous module. But it's important to think up front, not only as a data management group but as a study team, that all human subjects research must be approved by the Institutional Review Board. That is absolutely mandatory; it is something that you should wake up thinking about on the first day of considering your study. Seek their advice and guidance early. Seek it often and absolutely seek it before data collection and study procedures begin. I found, through a long history of working in research studies, that if you do that and you do that every single time, you'll gain a lot of trust and you'll really make good colleagues from the IRB, and those individuals that [INAUDIBLE] whose job it is to wake up in the morning and protect human subjects for either your institution or your network. IRB guiding principles, or human subjects guiding principles, really fall in three categories. Respect for persons, which includes personal dignity, autonomy of individuals and especially informed consent. Beneficence, which means that a researcher should always have the welfare of the research participants in mind.
And there should always be an assessment of the risk benefit for the research, making sure that the individual or, typically, the societal benefit for the research that you're conducting is worth the investment or the risk on the part of the research participants. And then finally, Justice. Here, categories like: subjects need to be fairly selected. You know, one instance of that would be making sure that the study population is similar to those that would be benefiting from the outcome of the study. That way you have this justice, and the individuals that you're studying, they, or people in the same social, economic, or whatever stratification you choose, population, those are also the ones that are going to be benefiting.
HIPAA. HIPAA is definitely one of those US-centric regulations. But it stands for Health Insurance Portability and Accountability Act. HIPAA came about several years ago, first in 1996 with a privacy rule and then later on with a security rule: how do we deal with data when we're collecting it electronically? There's a lot of great information on the HHS, Health and Human Services, website about HIPAA. What it is, how you know that you're in compliance, and when it applies to you. Again, I mentioned the Privacy Rule. The Privacy Rule typically, you know, [INAUDIBLE] summarized, is that rule that gives patients an array of rights with respect to their own data, or their own personal information or study data that are being collected. I should mention that HIPAA is not just for research. In fact it's really more for clinical care or was enacted more for clinical taught, taught collection than research. But it's a good idea for research as well. And so I'll tend to tailor my discussion of it there. The Security Rule deals with the fact that if you're collecting data on individuals, in many cases you'll have sensitive data that are being collected.
And so the security rule really was enacted to make sure, when data are collected, that there are administrative, physical and technical safeguards in place, so that you don't have a breach. So that those data and that information that belong to the patients in the research that collected them, they're being protected. And so again, [INAUDIBLE] minimizing risk for human subjects. So, again, I won't go into great detail about HIPAA, or really any of the other pieces. We're going to keep it very high level. But I will say again that the main components that individuals need to think about are the privacy rule. The Health and Human Services website, shown here, that you can access as well, has great information on all kinds of different categorical topics for the privacy rule. Similarly, they have a great array of topics on the security rule. So it's very easy to find information on HIPAA. There is a new set of regulatory components coming out. It came out in 2013. Really this one's geared more around high tech, and some of the new work being done in the electronic medical records space, and just sort of extending HIPAA out a little bit more because it's getting a little bit dated and there are some new cases, and really some further requirements and needs there. So that's a brand new one. A few quick thoughts about HIPAA. The main thing I want to point out about HIPAA is that even if it doesn't apply to you, even if you are living in a country where HIPAA doesn't apply, and maybe you have other regulations, or maybe you haven't thought about other regulations for the security aspect of it, that storage and maintaining and protecting and creating audit trails, and all of those different things that are in that security rule, they're a good idea anyway. You know, as I think back on when that security rule came into effect.
That's actually when we started thinking about the need to give research teams an easy way to do the right thing, so that they didn't have to become informaticians to comply with some of these rules. But by buying in and sort of using and leveraging an institutional system designed to support research across the whole enterprise, by using that system, we could build in those assurances that we were doing the right things on the security rule. So, HIPAA is again one of those sort of time points, or events, that happened in the U.S. at least, back in the early 2000s, that it's hard to imagine that we ever did business, ever treated data, ever dealt with data, in a way other than what was formulated and what was required through HIPAA. So, even if you don't have to comply with this one, I really recommend that you take a look at the rules and regulations, and that you treat it as a "this is what we should be doing anyway" type use case.
Another acronym is FISMA. FISMA stands for the Federal Information Security Management Act. This one's a little bit different. This one again is a US-centric set of guidelines and requirements. And sorry, I wanted to point out that, like HIPAA, there are many, many resources out there on the web related to FISMA. And you'll find those on the NIST site, as you can see here in its reference down in the left corner of the slide. This was interesting because it was enacted, really, around agencies. And so, government agencies are required by law to comply with FISMA regulations. And basically, again, it's all about requiring each federal agency to develop, document, and implement agency-wide programs to provide information security for the information and information systems that support the operations and the assets of the agency. So if it's important enough to be government data, it's important to be [INAUDIBLE] important enough to be protected under FISMA.
But here's the kicker. It also applies for data managed by another agency or contractor, or other source, on behalf of the federal government or those same agencies. And so it gets a little bit tricky: what is FISMA, what requires FISMA compliance, and what does not require FISMA compliance. Obviously, if you're working inside the federal government, if you're working for the federal government, all of the things you do have to be in compliance with FISMA. If you're not inside the federal government, but you're collecting data on behalf of Health and Human Services or the [INAUDIBLE] CDC, or another agency, and it's a contract-type arrangement, then you also have to comply with FISMA rules and regulations. If you're just doing a grant or a study that might be funded through a grant mechanism, and it's not collecting on behalf of the government, then there is no typical physical requirements. So again, I've mentioned earlier that there is a lot of documentation around FISMA. What it is, how to know whether it applies to you, and even within that FISMA space, if it applies to you, information about, you know, tiered-level compliance requirements. For instance, if you're only working on de-identified data sets, that might be a tier one or a FISMA low. Whereas, if you're dealing with identifiers and typical study-type data, that might be a FISMA moderate. And so the rules and regulations for complying with FISMA really are somewhat dependent on the agency. They're also somewhat dependent on the study. So here, I would say that in the space of FISMA, obviously you need to have your radar up and know when it applies. Anytime you're doing work on behalf of the federal government, or anytime you're doing any type of work where the contract or the agreement says that you must be FISMA compliant, that's when you need to get real serious about it.
I can tell you that it is very expensive, in some cases, to move a system into FISMA compliance. It has a lot to do with documenting the fact that access controls in, and a lot of validation. You're really documenting the security around systems. It is again one of those areas where you should be doing this sort of work anyway. And most groups that are doing the type of work, data management, that we're talking about, they are dealing in these sorts of things. But just the documentation and the back-and-forth communication with agencies can be quite cumbersome and quite expensive. So my recommendation would be certainly to know about FISMA. It would be certainly to keep your eyes open for when you need to comply, when you need to sort of do that. My recommendation would be to seek clarification if there are any questions about that, and to never go into a study that requires FISMA compliance in a naive fashion. Really make sure that you're talking with the sponsor. Make sure you're talking with the agency that's requiring it, getting some detail on what really will be required. What is the action for getting authority to operate, et cetera? Before you enter into an agreement, again noting that the requirements can be quite cumbersome. Okay, so we'll stop there and we'll pick up next time with GCP.