Abstract
Human specimen and associated clinical data are crucial resources for uncovering new biomarkers as well as identifying factors in the pathogenesis of disease. As tissue banking becomes more widespread in response to increased researcher demand, the need for specific guidance documents and standards to be developed and/or updated becomes more urgent. This article discusses 4 aspects of current regulation and guidance considerations. First is the application of the Common Rule and the Privacy Rule to the Institutional Review Board review process. Second is the honest broker concept, which supports the further protection of donor confidentiality and allows for future updates to data. The third consideration discusses the regulatory approval process. Finally, inconsistencies between regulatory bodies are identified and possible ways to reconcile those inconsistencies are suggested.
Introduction
There are many considerations when developing a biorepository. 5 This second follow-up article to our initial publication 1 provides detailed information on current regulations and guidance and their application to an Institutional Review Board (IRB), the honest broker concept, appropriate levels of IRB review, and various regulatory concerns with suggested solutions. Future follow-up articles will address the following 3 topics: facilities and safety, informatics, and quality control.
Current Regulations and Guidance for IRB Review
The U.S. Department of Health and Human Services (HHS) requires that all human subjects research be reviewed and approved by an IRB before implementation. 6 Thus, biorepository development may be subject to HHS regulations (referred to as the “Common Rule”) and IRB oversight if specimen is collected from living individuals in a manner in which those persons can be identified by investigators who create a biorepository. The U.S. Food and Drug Administration (FDA) has also developed regulations governing certain forms of clinical investigation, namely, research involving investigational drugs or devices. The FDA also requires registration for biorepositories that bank clinical specimens, such as those that process bone, tendons, reproductive tissue, and other human cellular products. Biorepository development would only require FDA oversight in the event that such development involves the use of investigational drugs or devices, or processes specimens that will be used in the clinical setting. Since those circumstances are not a part of the biorepository at our community-based hospital, this essay emphasizes the Common Rule rather than FDA regulations. As subject to the Common Rule, biorepository development would undergo an initial review and approval process by an IRB and oversight throughout the life of the biorepository project. Such oversight includes continuing reviews that must occur at least annually, but an IRB may determine that, given the nature or risk profile of the biorepository, it may be prudent to conduct continuing reviews on a more frequent basis.
While the Common Rule provides 7 basic requirements that must be satisfied before an IRB can approve a human subjects research project, there are no Common Rule regulations specifically governing biorepository development. Risk minimization, data confidentiality, and informed consent are 3 especially pertinent issues that are integral to an IRB's review of biorepository development. Risks will vary depending upon how specimen is procured, types of specimen collected, what data are collected in addition to those specimen, and how those data are both stored within and disseminated by the biorepository. From an IRB's perspective, the risk profile of a biorepository prospectively collecting specimen solely for biorepository development will be different from the risk profile of a biorepository retrospectively collecting specimen originally collected for clinical purposes. If identifiable information is also collected—even if it is later de-identified or otherwise protected by biorepository staff—collection and storage of that identifiable information also poses certain risks that must be adequately addressed by an IRB's review.
The Common Rule also provides 8 basic elements of informed consent to be included in any research project's consent process and documentation, unless the consent requirement can be waived. Because biorepository development is likely considered research activity, any informed consent document presented to potential donors must include those required elements as described in 45 CFR 46.116 (“CFR” refers to the Code of Federal Regulations, the published rules established by federal departments and agencies). However, the ways those required elements apply to biorepository specimen procurement differ from their applicability in other research environments. For example, subjects are to be informed of the duration of their participation in a research study. In many contexts, that duration is a well-defined period of time or events. However, human specimen may be retained in a biorepository indefinitely; donors should be informed of this extended timeframe. Additionally, donors should be informed that their specimen may be used for future research that cannot yet be identified, and that if it is maintained in a de-identified fashion, it may be impossible to withdraw their specific specimen from the biorepository. Because donors may be concerned about the use of their specimen for genetic testing purposes, it may be beneficial to inform potential donors of the Genetic Information Nondiscrimination Act, which prohibits health plans and employers from discriminating against donors based on genetic testing results. 7
After a biorepository has been developed, subsequent research involving human specimen may also be subject to IRB review, and must be considered on a study-by-study basis. For example, if an investigator seeks only anonymous data or specimen (those that contain no identifiable information) or de-identified data or specimen (those in which identifiable information has been removed by a third party and thus unavailable to the investigator), his/her research may not require IRB review. Research involving identifiable information [including protected health information (PHI)], even in the form of a limited data set, or in a “coded” fashion (in which information is de-identified through the use of a linking code, but the investigator is able to re-identify that information by retaining the linking code), may require additional IRB oversight unless the research meets HHS criteria for exemption. Limited data sets include identifiable information such as dates and geographic information (excluding street address) but without 16 direct identifiers. It should be noted that these HHS regulations provide the minimal level of oversight for human subjects research. Individual institutions may have additional policies in place that require any project utilizing biorepository specimen to undergo IRB review, even if those projects fulfill the criteria for exemption from HHS regulations.
As noted above, Common Rule regulations are binding on all research activities that meet the Common Rule definition of human subjects research. However, biorepository development and maintenance pose unique ethical challenges not adequately addressed by Common Rule regulations. As a result, several entities have created nonbinding guidance documents that include “best practice” recommendations to guide biorepository development, maintenance, and use, and to address some of those unique challenges. Guidance documents and reports from the International Society for Biological and Environmental Repositories (ISBER), the National Cancer Institute (NCI), and Public Responsibility in Medicine and Research (PRIM&R) are particularly detailed and provide helpful information for investigators attempting to establish biorepositories and navigate the ethical challenges posed by those biorepositories.
Health Insurance Portability and Accountability Act (HIPAA)
If a biorepository is part of a covered entity, its development may be considered a research activity under the Privacy Rule. 8 The Privacy Rule governs the use or disclosure of PHI created or maintained by covered entities. If future research projects using established biorepository specimen require the use of PHI, those research activities will also be subject to Privacy Rule requirements. 9 Some research activities may use limited data sets. In such instances, Privacy Rule regulations are still applicable; however, the limited data set may be released outside the covered entity without patient authorization. The Privacy Rule also does not require the covered entity to do an accounting of disclosures when a limited data set has been utilized. Other regulations, such as the Common Rule, may be applicable depending upon the nature and design of a particular research project.
For the prospective collection of specimen and data for biorepository development, a potential donor may grant researchers access to his/her PHI by signing a document referred to as a HIPAA Authorization. Ideally, this written Authorization should be reviewed and approved by a covered entity's legal team, compliance office, or someone else within the covered entity possessing sufficient expertise to ensure that the Authorization is compliant with the Privacy Rule. For research using specimen obtained from an established biorepository, it may be impracticable for investigators to contact donors in order to obtain their written Authorization. In such cases, the Privacy Rule still allows for PHI use and disclosure through a waiver or alteration of the Authorization requirement. These waivers or alterations must first be approved by the covered entity's IRB or Privacy Board. A Privacy Board reviews requests for waivers or alterations to the HIPAA Authorization requirement. See Figure 1 for the required criteria in order for an IRB or Privacy Board to grant a waiver or alteration of the HIPAA Authorization requirement.

Figure 1. HIPAA authorization flow chart.
One significant difference between the Common Rule regulations governing human subjects research and Privacy Rule requirements concerns applicability. The Common Rule applies to living individuals only, whereas the Privacy Rule also applies to the use and disclosure of the PHI of deceased persons. As such, biorepository development and subsequent research activities using specimen from deceased individuals are still subject to Privacy Rule regulations, particularly those requirements located in 45 CFR 164.512(i)(1)(ii) and 45 CFR 164.512(i)(1)(iii). It is also required that an investigator attests that the use or disclosure of a decedent's PHI is necessary for research purposes.
The Honest Broker Concept
“The honest broker is an individual/organization/system which acts on, or on the behalf of, the tissue/databank. The role of the honest broker is to collect and provide health information to research investigators in such a manner whereby it would not be reasonably possible for the investigators, or other individuals, to identify the subjects directly or indirectly.” 10 The honest broker acts on behalf of the covered entity as the gatekeeper to ensure a 1-way flow of confidential information. The honest broker serves as the intermediary and does not participate in the research.
The honest broker concept has been in existence for over a decade and has evolved to comply with the requirements put forth by regulation and guidance such as, but not limited to, the Privacy Rule, the Common Rule, and ISBER Best Practices.8,6,11 These requirements establish the need for ways to identify and remove PHI from research in a way that protects the privacy and confidentiality of donors.
The scale to which each repository utilizes the role of the honest broker and puts the concept into practice is primarily based on the size and focus of the repository or institution. In this midsized community-based hospital, we are initially focusing on 4 core areas for research; therefore, implementation of the honest broker model was designed to fit the smaller, more focused scope of the repository. Financially, this requires 1 full-time and 1 part-time staff in the honest broker office with basic office equipment. The purchase of an honest broker software program is not necessary for the size of our honest broker office since an already available spreadsheet program will suffice.
The honest broker model enables covered entities to keep donor identity from the researcher and key personnel by de-identifying medical and demographical data and replacing it with a code. This unique code is not related to the donor in any way, meaning that it does not contain any names, medical record numbers, or surgical pathology numbers; in essence, the code is completely independent of the donor. Coding the data provides a means for re-identification that allows the honest broker access back to the donor's medical record for obtaining additional follow-up medical information such as treatment, outcomes, and status updates whenever necessary. If further information outside what is provided in the limited data set is requested by the researcher, IRB review of the protocol is required. Once IRB approval is obtained, the honest broker would cull this additional data from the donor's medical record, code the data, and then forward the data to the researcher (Fig. 2). Further, in the event that the donor wishes to revoke access to his or her medical record, the code that allows the honest broker office to identify the donor with its corresponding specimen and medical information will be destroyed. With the destruction of this code, there is no further access to the donor's medical record.

Figure 2. Flow of medical information from donor through honest broker to researcher. Identifiable donated specimen is received by the honest broker. It is here that specimen is de-identified and assigned a unique code before being placed in the biorepository. Upon request, de-identified specimen may be released to a researcher with the limited data set maintained by the biorepository. If additional data elements beyond what is provided in the limited data set are needed by the researcher, he/she must first obtain Institutional Review Board (IRB) approval to receive those elements. Upon receipt of IRB approval, the honest broker can access the code to cull this additional data from the donor's medical record, code the new data, and then forward the data to the researcher.
The honest broker office is the only place where the donor's identifiable information and the correlating code are retained. All information held by the honest broker is kept in a password-protected database. This database is restricted only to the honest broker office. Once the honest broker has de-identified and coded the initial data, the coded, de-identified information is then given to the biorepository staff for long-term storage in a separate database. Keeping these 2 functions separate and maintaining 2 separate databases allows the biorepository to achieve a robust level of confidentiality for donors and provides the honest broker with a way to access follow-up information for researchers. The honest broker concept represents a direct intention and sincere effort to keep donor identity and confidentiality a predominant focus for the biorepository.
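The coding, two-database separation, IRB-gated follow-up, and revocation described in this section can be sketched as follows. This is an added example, not the authors' system (which uses a spreadsheet program); the class names, field names, and sample record are constructed assumptions.

```python
import secrets

# Assumed allowlist for the repository's limited data set (constructed).
LIMITED_FIELDS = ("diagnosis", "collection_date", "zip_code")
# Direct identifiers that must stay inside the honest broker office (constructed).
DIRECT_IDENTIFIERS = ("name", "mrn", "surgical_path_no")

# Constructed sample medical record, keyed by medical record number.
SAMPLE_EMR = {
    "MRN-0001": {
        "name": "Jane Example", "mrn": "MRN-0001", "surgical_path_no": "SP-17",
        "diagnosis": "adenocarcinoma", "collection_date": "2011-03-02",
        "zip_code": "00000", "treatment": "surgery", "status": "alive",
    }
}


class Biorepository:
    """Long-term database that only ever holds coded, de-identified rows."""

    def __init__(self):
        self.rows = {}  # code -> de-identified data

    def store(self, code, data):
        leaked = set(data) & set(DIRECT_IDENTIFIERS)
        if leaked:
            raise ValueError(f"direct identifiers in coded record: {sorted(leaked)}")
        self.rows.setdefault(code, {}).update(data)


class HonestBroker:
    """Sole holder of the code-to-donor link; data flows one way, to the repository."""

    def __init__(self, medical_records, repository):
        self._emr = medical_records
        self._repo = repository
        self._link = {}  # code -> mrn, kept only in the broker's database

    def accession(self, mrn):
        # Random code: not derived from name, MRN or surgical pathology number.
        code = secrets.token_hex(8)
        while code in self._link:
            code = secrets.token_hex(8)
        self._link[code] = mrn
        record = self._emr[mrn]
        self._repo.store(code, {f: record[f] for f in LIMITED_FIELDS})
        return code

    def follow_up(self, code, fields, irb_approved):
        # Anything beyond the limited data set needs IRB approval first.
        extra = [f for f in fields if f not in LIMITED_FIELDS]
        if extra and not irb_approved:
            raise PermissionError(f"IRB approval required for: {extra}")
        mrn = self._link.get(code)
        if mrn is None:
            raise LookupError("no link for this code (unknown or destroyed)")
        data = {f: self._emr[mrn][f] for f in fields}
        self._repo.store(code, data)  # rejects direct identifiers
        return data

    def revoke(self, mrn):
        # Destroying the link ends all further access to the medical record;
        # the coded rows already in the repository remain.
        codes = [c for c, m in self._link.items() if m == mrn]
        for c in codes:
            del self._link[c]
        return len(codes)
```

After `revoke`, the repository still holds the coded rows, but no one, including the broker, can map them back to the donor or pull new data.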
Our IRB Review and Institutional Process
The IRB process for review and approval of our biorepository began with the initial submission of the standard operating procedures, donor consent document, and other supporting documents to the IRB. After working with the IRB staff for 2 months, the submission was reviewed at a full board meeting. The IRB had a number of questions about the biorepository as this was a new area of review for this IRB.
With respect to the overall structure of the biorepository, the IRB suggested obtaining a Certificate of Confidentiality from the National Institutes of Health (NIH). Certificates of Confidentiality are issued by the NIH to protect the privacy of research subjects by protecting investigators and institutions from being compelled to release information that could be used to identify subjects in a research project. Certificates of Confidentiality are issued to institutions where the research is conducted to allow the investigator and others who have access to research records to refuse to disclose identifying information in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level. By protecting investigators and institutions from being compelled to disclose information that would identify research participants, Certificates of Confidentiality help achieve the research objectives and promote participation in studies by assuring privacy to subjects. 12
The consent process was carefully scrutinized. This process should ensure that potential donors understand not only that the donation of their specimen will be used in future research, but also that access to their medical records will be maintained by the honest broker office. We began with a consent document giving potential donors multiple options with respect to the permissions they were granting the biorepository. We were able to condense the consent form as the multiple options for donors to choose during the consent process were eliminated. Our institution felt that the risk level was greatly decreased by stating very clearly that specimen would be donated forever, but that at any time donors could revoke their permission to future access to their medical record. A HIPAA Authorization was also combined with the consent document in its final version. External legal counsel with regulatory expertise in biobanking worked diligently with the local IRB to clarify the consent process as well as other safety and confidentiality concerns such as offering a limited data set with an accompanying data use agreement.
The IRB requested additional information on informatics issues ranging from the security of the server to how updates to donor medical information would be received. Having a dedicated server that houses the biorepository database as well as the honest broker database provided a high level of security. The 2 databases were also set up with permission identifications that limit access to only those authorized. Updates are conducted by the honest broker when a specimen is requested by a researcher. The honest broker will run a predefined and IRB-approved query on the donor medical record to find any updates. This information will be de-identified by the honest broker before being entered into the biorepository database by the data manager.
The method to determine which researchers receive specimen was a fundamental consideration. It is important to base decisions pertaining to specimen utilization on study design and feasibility, and this decision should be made by a committee that is impartial to the researchers. If the researcher is requesting more data elements than are provided by the biorepository in the limited data set, he/she must submit to the IRB for review and approval of the additional data points.
Part of becoming HIPAA compliant is ensuring that the PHI from patients consenting to donate specimen is protected. We developed forms such as a material transfer agreement and data use agreement that may accompany the researcher's request for specimen and/or data. A template for each form was reviewed by legal counsel and submitted to the IRB. After much diligence on the part of the IRB and legal counsel, approval for the biorepository was received 3 months after initial submission was made.
Regulatory Inconsistency and Reconciliation
1. Differing requirements between the Common Rule and the Privacy Rule lead to confusion when using specimen and PHI for research.
a. Instance 1: The Privacy Rule requires that covered entities obtain an authorization that is study specific, whereas the Common Rule, which requires informed consent, allows for future, unspecified research. Both allow for a waiver of consent or authorization, but not under the same conditions. This creates a confusing and inequitable situation for covered entities vs. noncovered entities that have biorepositories.
b. Instance 2: There are differences in the Privacy Rule and Common Rule definitions of what is considered to be “de-identified” information. The Privacy Rule is specific in its definition, which considers information de-identified if the 18 identifiers are coded in such a manner that the individual cannot reasonably be identified. The Privacy Rule also states that the covered entity may not use or disclose this code other than for the intended re-identification purposes, and researchers cannot have access to the code. The Privacy Rule is very specific, whereas the Common Rule vaguely states that the investigator must not be able to reasonably determine the identity of the donor. Adding to the complication is the “limited data set” that is allowed for research by the Privacy Rule. The limited data set may include information that is not a direct identifier but could possibly be used to identify a person. The covered entity must enter into a data use agreement with the recipient of a limited data set. The Privacy Rule doesn't require an authorization or waiver for accessing a limited data set, but IRB review may be required since data may be considered identifiable by the Common Rule.
Possible solution: A regulatory change would be required for the Privacy Rule and Common Rule to be in alignment. If the various types of research that may be conducted could be described in an authorization instead of having to be protocol specific, then the Privacy Rule would be consistent with the Common Rule. The Privacy Rule would also need to adopt the same conditions for a waiver of authorization that are allowed by the Common Rule for a waiver of consent. PRIM&R also recommends the Privacy Rule be modified to exempt research that is subject to the Common Rule because the Common Rule provides appropriate and equivalent protections. 13
2. There needs to be a conceptual change between how regulatory agencies, as well as IRBs, view research subjects and specimen donors. The Common Rule only applies to federally funded research and may not apply to the research at all if it is considered exempt (if the specimens used are anonymous, existing, and publicly available). However, human specimen may be treated as property under the law. The law is not clear on whether an individual has the right to own and control his/her specimen once removed from the body.
Possible solution: The use of “donor” instead of “subject” in biorepository documents may help to further define that the specimen is viewed as a donation under property law. Acknowledgement that a donation is being made, who it is being made to, and whether there are any conditions attached to the donation must be very specific. Numerous controversies over proper use of human specimen suggest that human specimen donation is ready for its own set of regulations and guidance instead of those borrowed from the research realm. 14 A handful of cases dealing with ownership of human tissue may be used as a springboard from which to develop much needed guidelines on the use of human specimen in research.15–17 Until these guidelines are developed, institutions should look at steps that could be taken to protect their interest in donated specimen. Such steps include adding a statement of ownership of intellectual and tangible property used or created during research projects to an intellectual property policy, storing donated samples in a centralized biorepository established and maintained by the institution, and confirming that consent and authorization documents are clear as to the use of the specimen.
The law is clear on one point: an individual has the right to control what happens to their specimen when it is still attached to the body; however, once a specimen is removed from the body the individual has no control over what happens to it or any rights to the possible future profits that arise from use of that specimen. The key to the above statement is “when it is still attached to the body.” As shown with Ted Slavin, if you are aware of the value of the specimens in your body before they are removed, you can make sure to retain control of them once removed and benefit from future profits.
3. The scope of protection provided by a Certificate of Confidentiality should be clearly defined. While the authority of Certificates of Confidentiality for individual research projects has been upheld in court, 18 if and how this applies to biorepositories is not yet clear. Therefore, further examination of whether it only protects against release of information regarding illegal activity, or if it protects against release of any information held by the institution holding the Certificate of Confidentiality is warranted.
Conclusion
Navigating the multiple regulations governing human subjects research is never an easy task. In the case of biorepository development, those regulations sometimes conflict and often fail to attend to the unique challenges of this task. Regulations like the Common Rule were designed to address a specific form of what constitutes human subjects research, but biorepository development does not always conform to that paradigm. As a result, new and more responsive standards with a formalized, statutory approach to specimen donation may be beneficial to both donors and biorepositories. This process of change would need to be initiated by working groups or lobbyists within the human subject protection and biobanking communities. Discussions on the potential changes, and the benefits these changes would have, should commence with groups such as PRIM&R and ISBER, in conjunction with officials at the Department of HHS. Until new standards are developed, researchers must work within the confines of regulations like the Common Rule and Privacy Rule. Within our biorepository, the use of the honest broker model allows for data acquisition and future data accrual while protecting the confidentiality of donors. From a functional perspective, the honest broker can benefit researchers by obtaining specimen and corresponding data in a more efficient manner, thereby promoting research using biorepository specimen.
Acknowledgment
The authors wish to thank Annette Fudge for assisting with the editing of this article.
Author Disclosure Statement
No competing financial interests exist.
