Department of Veterans Affairs Policy# PI-13-1010 (00)

VANew Jersey Health Care System October 1, 2010

RESEARCH COMPLIANCE PROGRAM

1.PURPOSE:

  1. The purpose of this Policy is to describe the general principles and foundation of the auditing program and the broader research compliance program. (Specific methodologies for conducting the various audits are maintained within the research compliance office as standard operating procedures [SOPs]).

2.POLICY:

  1. It is the policy of the VA New Jersey Health Care System (VANJHCS) that a research auditing program be designed and conducted for assurance of protection of human subjects, animal welfare, employee safety and adherence to accreditation, regulatory and local requirements.
  2. It is the policy of the VANJHCS that the auditing program adjusts to changing requirements for adherence to VHA regulations and guidance from the Office of Research Oversight.
  3. It is the policy of the VANJHCS that the research auditing program takes place within a broader research compliance program for which Research Compliance Officers (RCOs) provide leadership, expertise, and strategic direction.

3.ACTION:

  1. Research Compliance Program Description

(1)Research compliance auditing takes place within the general research compliance program.

(2)Many individuals and entities within the VANJHCS (VA New Jersey Health Care System) are concerned with compliance with regulations, accreditation standards, ethical conduct, human subjects protection, animal welfare, employee safety and security.

(3)Compliance reviews conducted by the Information Security Officer and Privacy Officer are discussed in this policy. Audits conducted by RCOswill be described briefly. Research Compliance Officer audits are describedin greater detail in Standard Operating Procedures (SOPs) that are posted on the Research website:

(4)Description of the RCO’s role in the research compliance program

  1. Research compliance is organizationally part of the Facility Director’s Office and the Research Compliance Officers report directly to the Facility Director.
  2. The RCOs evaluate compliance with federal and VA requirements for the conduct of research, which include requirements in: the protection of human research subjects, laboratory animal welfare, and research safety and security. RCOs are also concerned with research information security, research privacy, conflict of interest in research, training of research personnel, research program accreditation, research misconduct, and/or other research compliance activities consistent with VHA requirements.
  3. RCOs provide leadership, expertise, and strategic direction for the facility’s research compliance program, and are responsible for developing, implementing, and maintaining compliance oversight activities. RCOs work closely with the Facility Director, Chief of Staff (COS), Associate Chief of Staff for Research (ACOS/R), and Administrative Officer for Research (AO/R) to provide guidance and counsel on incorporating research compliance activities into the day-to-day operations of the facility.
  4. RCOs perform ongoing research monitoring and auditing consistent with VHA research monitoring and auditing requirements.RCOs require the ability to conduct in-depth review and analysis of research, clinical, and training records relevant to the assigned areas of responsibility. Monitoring and auditing reports are timely, accurate, and complete and are provided to facility leadership and others by the RCOs in accordance with VHA requirements.
  5. RCOs develop and maintain strong working relationships with the facility Information Security Officer (ISO) and other individuals relevant to the assigned areas of responsibility, such as the facility Privacy Officer (PO); the Chairpersons of the facility’s Institutional Review Board (IRB), Institutional Care and Use Committee (IACUC), and/or Subcommittee on Research Safety; Veterinary Medical Officer; Safety Officers; etc. Routine reports are provided to the Facility Director and others (e.g., COS, ACOS/R) in accordance with VHA and facility requirements.
  6. The RCOs ensure that relevant regulatory and policy updates are disseminated to research administrators, research oversight committees, research investigators, other research personnel, and facility leadership in a timely manner. The RCOs serve as the primary local resource for regulations, policies, memoranda, alerts, and other federal requirements in research compliance and work with research personnel on a day-to-day basis to maintain current and open communication regarding research compliance issues.
  7. The RCOs serve as nonvoting consultants to the Research and Development Committee (R&DC), as well as the R&DC subcommittees.
  8. The RCOs conduct routine and “for cause” audits and other performance improvement activities to promote compliance, reduce violations of regulations and standards, identify unsatisfactory trends and conditions, and correct factors that may contribute to non-compliance.
  9. The RCOs provide education regarding research compliance to the research community including, investigators, study staff, Research Service staff, IRB, IACUC, Subcommittee on Research Safety, R&DC and medical center management.
  10. Research Compliance Officer auditing methodologies are described in the Research Compliance Auditing Standard Operating Procedure (SOP) document available on the website of the VANJHCS research non-profit organization: Veterans Biomedical Research Institute New Jersey (VBRI)
  1. Research Compliance Auditing

(1)Areas to be audited:

  1. Human Research Protection
  2. Animal Welfare
  3. Employee Safety
  4. Privacy and Confidentiality
  5. Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliant authorization
  6. Waiver of HIPAA compliant authorization and the required documentation by the IRB or Privacy Board; SOP research service Privacy & post privacy review
  7. Data security and data use
  8. Adequacy of HRPP processes, examples of HRPP process that might be audited:

1The effectiveness of communication with all applicable committees, persons, and officials

2The documentation of compliance with VA and other requirements

(2)Types of Audits

  1. Routine

1Informed Consent Documentation

2Research Related Complaints and Allegations of Non-compliance with Regulations and Ethical Practices

3Human Research Scope of Practice and Privileges Review

4Audit of IRB Minutes

5Institutional Responsibilities, Human Research Protection Review

6IRB File Audit

7Research Participant Outreach Program Audit

8Privacy Review (by Privacy Officer)

9Security of Data and Compliance with All Data Security Requirements (reviewed by ISO)

  1. Triennial/Regulatory

1GCP/Human Research Protection

2Animal Welfare

3Employee Safety and Security

  1. For Cause

(3) Audit Descriptions.

  1. Routine Auditsof Research Conductedby RCOs ((2)a.1-7 above)
  2. Triennial/Regulatory ((2)b. 1-3 above)
  3. For Cause (c. above)

1See Research Compliance Officer Auditing SOP for detailed description

(4)Audits performed as part of the compliance program (not conducted by the RCO)

  1. PRIVACY REVIEW

1PRIVACY REVIEW( (2) a-8 above) Audit of privacy issues including HIPAA Authorization and Waiver of HIPAA Authorization decisions and documentation takes place at three levels:

aPrivacy review during the IRB review process (IRB meetings or Expedited)

bPrivacy Officer Review and signature on HIPAA Waiver requests

cPost IRB Approval Privacy Review.

2Privacy review during the IRB review process (IRB meetings or Expedited)

aThe Privacy/FOIA Officer receives member packets of information for studies under review by the IRB.

bThe Privacy/FOIA Officer’s role is to provide the IRB with any findings that require action or modification related to privacy issues including recruitment, use and disclosure of private information, HIPPA Authorizations and HIPAA waivers.

cHIPAA Authorizations are reviewed by the Privacy Officer and Information Security Officer as part of the IRB approval process. HIPAA Authorizations are re-reviewed during the Post IRB Approval Privacy Review.

3HIPAA Waiver requests (Memorandum To Institutional Review Board Requesting a Waiver of Authorization to Release Medical Records or Health Information) are reviewed and signed (when appropriate) by the FOIA/Privacy Officer as part of the Post IRB Approval Privacy Review.

4Post IRB Approval Privacy Review (described in Human Research SOP: Privacy of Subjects and Confidentiality of Data) available on the VBRI website:

aEach protocol undergoes Privacy Review by the Privacy Officer (PO) after approval by the IRB.

bThese reviews are conducted on a weekly basis.

cThe completed Privacy Review assessment tool is filed in the IRB protocol file.

dFinal approval documents are only issued after Privacy Review approval.

eThe following exceptions will not require post IRB approval Privacy Review:

(1)Amendments that do not involve a HIPAA Authorization or HIPAA Waiver of Authorization

(2)Projects that are closed to enrollment of new subjects

(3)Studies that are in follow-up only (data collection, enrollment, interventions and treatment is complete)

(4)Studies that are in data analysis only (data collection, enrollment, interventions, treatment, and follow-up are complete)

  1. SECURITY OF THE DATA and COMPLIANCE WITH ALL DATA SECURITY REQUIREMENTS ((2) a-9above)

1As a non-voting member of the IRB, the ISO reviews all initial applications to conduct human research for information security compliance prior to final approval by the IRB

2Data Use– ISO reviews the protocol to determine how VA sensitive data, paper-based or electronic, will be used and to determine if it will leave VA protected environment. ISO determines if a Data Use Agreement (DUA) is required before the data can leave VA protected environment

3Access to Research Data – ISO is responsible for ensuring that all study personnel have a valid VA appointment. In addition, when study personnel are no longer part of the research team, ISO reviews the protocol to ensure that the Principal Investigator (PI) acknowledges the removal of access to VA research data.

4Data Storage – ISO reviews the protocol to ensure the location of the research data, electronic or paper-based, is clearly identified, i.e., site, server name, network folder, mobile storage device, building, room, etc. If data is stored on a mobile device, the device must be encrypted and the encryption must be FIPS 140-2 validated.

5Data Transmission – ISO reviews the protocol to determine if VA data will be transmitted outside VA protected environment. The transmission of this data must be identified in the protocol and the PI must complete and Electronic Computer Access Request (ECAR).

6VA data transmitted outside VA protected environment must be sent via a delivery service with a chain of custody.

7VA data transmitted electronically and via a removable storage medium must be transmitted using VA-approved solution such as FIPS 140-2 validated encryption

8Data Destruction – ISO reviews the protocol to ensure that current VA destruction language is included in the protocol. If information is not to be returned to the VA, the protocol must state how and when that information will be destroyed.

9Incident Reporting – ISO reviews the protocols to ensure that the principal investigator (PI) has acknowledged that the PI and study team member are aware of when and to whom to report information security incidents.

10Information Security Training – ISO reviews protocol to ensure that all study members have up to date Information Security Awareness/Rules of Behavior training.

4.Reporting:

(1)Content of the reports

  1. RCO report format will vary depending on the report. (see RCO Auditing SOP for detailed description)
  2. Privacy Officer Reports addressdisclosures to subjects, HIPAA Authorization, Waiver of HIPAA Authorization, Informed Consent Waivers and issues related to privacy and security of research records.
  3. Information Security Officer (ISO) reports address disclosures to subjects, electronic data security, sharing of data outside the institution.
  4. The content of reports ofapparent serious or continuing noncompliance identified in a formal RCO consent or regulatory audit follow VHA Handbook 1058.01guidelines.

(2)Persons, officials, or committees that must receive and review reports

  1. Reports will be provided to the applicable research review committees. ACOS/R and R&D Committee will receive copies.
  2. Reports of apparent serious noncompliance will be reported to the Director and others as specified in the VHA Handbook 1058.01.

(3)Timeframe for reporting

  1. The Research Compliance Officer’s Auditing SOP provides methodologies for RCO routine reports that describe the time frames for reporting.
  2. Reports from the Privacy Officer and ISO are provided to the IRB with their reviews of research studies at each IRB meeting, expedited review and Post IRB Approval Privacy Review, as applicable.
  3. The VANJHCS research review committees, study sponsor, Principal Investigator (PI), VHA administration (ORD, ORO), Facility Director, ACOS/R&D, RCO, etc., can require more frequent audits then the established frequency. Focused audits of 1 or more aspects of the study can also be required.
  4. Time frames for reporting apparent serious or continuing noncompliance identified in a formal RCO consent or regulatory audit will follow VHA Handbook 1058.01 timeframes.

(4)Evaluating Corrective Actions

  1. For corrective actions imposed by the IRB, R&D Committee, or other appropriate entity in response to an RCO audit; RCOS will evaluate and report to the applicableentity regarding compliance with the required corrective actions
  2. Corrective actions provided by the PI to the RCO after an audit (for issues that are not serious or continuing noncompliance) are evaluated by the RCO and included in a report to the appropriate committees.

1The audit remains open until all corrective actions have been implemented by PIs.

aExamples: Document in IRB file but not in study record, Lapsed training

(5)Corrective actions regarding information provided by the ISO, Privacy Officer, Investigator or sources other than the RCO are evaluated by the appropriate review committee.

5.RESPONSIBILITY:

  1. VANJHCS Director is responsible for:

(1)Appointment of Research Compliance Officers

(2)Assuring that the RCO has sufficient expertise to conduct audits based on experience, knowledge (including data collection and analysis), and understanding of regulations.

  1. Applicable experience may include previous responsible positions in clinical care, performance improvement and research.
  2. Knowledge and understanding may be demonstrated through participation at Human Research Protection conferences, Certified IRB Professional certification and training as a research data manager, research monitor, research coordinator, etc.

(3)Evaluating the effectiveness of the auditing program, at least annually.

  1. Delegated to the Research Compliance Officer with review by R&D Committee.

(4)Ensuring that adequate resources and personnel are made available to achieve the objectives of this policy, as describe in Policy section 2.

  1. The Information Security Officer is responsible for:

(1)Reviewing requests to remove or transfer data and removable electronic media

(2)Reviewing all initial applications to conduct human subjects research for information security compliance prior to final IRB approval

  1. The Privacy Officer is responsible for:

(1)Conducting Reviews (audits) of all human research studies regarding privacy issues including HIPAA Authorization and Waiver of HIPAA Authorization decisions. The Privacy Officer is responsible to conduct reviews at three levels:

  1. IRB meetings and Expedited reviews (outside of meeting)
  2. Privacy Officer review and signature on HIPAA Waiver requests
  3. Post IRB Approval Privacy Review
  1. The Research Compliance Officer is responsible for:

(1)Developing the policy and the accompanying standard operating procedure (SOP) for the auditing program. The policy and SOP address the:

  1. Expertise required for conducting the audits
  2. Frequency of the audits beyond the minimal required frequency
  3. Time frame for selecting studies for regulatory audit per ORO guidance

(2)Developing the methodologies for the audits in the program

(3)Conducting audits (including related training, pursuing corrective actions and making recommendations)

(4)Documenting and reporting results to the Research and Development Committee and its subcommittees (as applicable), ACOS R&D and the Director

  1. Apparent serious noncompliance (when found in a formal RCO regulatory or consent) is reported to the Director
  2. RCO will facilitate reporting to outside agencies by the Director as specified in VHA HB 1058.01

(5)Annual report to R&D Committee on the effectiveness of the human research auditing program to include:

  1. Audits Conducted
  2. Corrective Actions Taken
  3. Strengths and weaknesses of the audit program and suggestions for improvement

(6)Assuring that individuals assisting in conducting audits have sufficient training to carry out their duties

(7)Participating in research review committee meetings as a consultant

(8)Planning and managing research compliance program per 3.A.(4) RCO’s role in research compliance program

  1. The Associate Chief of Staff for Research and Development (ACOS R&D) (15) is responsible for reviewing human research compliance audit reports and providing feedback on the human research audit program’s effectiveness.
  2. The Chairperson of the IRB as well as the IRB members are responsible for reviewing human research compliance audit reports and providing feedback on the human research audit program’s effectiveness.
  3. The Chairperson of the R&D Committee as well as the R&D Committee members are responsible for reviewing human research compliance audit reports and providing feedback on the human research audit program’s effectiveness.
  4. The Chairpersons of the IACUC and Subcommittee on Research Safety (SRS) as well as the committee members are responsible for reviewing pertinent compliance audit reports and providing feedback on the audit program’s effectiveness.
  5. The Research Service Administrative Officer is responsible to conduct an annual evaluation of resources for the HRPP and to prepare a report for the R&D Committee. In this manner resources for the human research auditing program are evaluated and reported.

6.RESCISSION: Policy MCM # PI-13-0708 (127), dated July 1, 2008, Auditing Of Human Research To Determine Compliance With Applicable Laws, Regulations And Policies

7.REFERENCES:

  1. VANJHCS, Research & Development (Committee) Standard Operating Procedures
  2. VHA Directive 2008-064, October 16, 2008, Research Compliance Officers And The Auditing Of VHA Human Subjects Research To Determine Compliance With Applicable Laws, Regulations, And Policies
  3. Document from Office of Research Oversight with sample PD and Functional Statement: Requirement for Research Compliance Officers, Due by End of Quarter 1, FY 2009, Guidance
  4. VHA Handbook 1058.01, May 21, 2010, Research Compliance Reporting Requirements
  5. Memorandum, June 9, 2009, from Chief Officer, Office of Research Oversight (ORO)(10R), Subject: Clarification of RCO Research Audit Requirements for 2009 and 2010
  6. VHA Triennial Regulatory Compliance Audit, Animal Welfare Audit Tool, May 2010
  7. VHA Triennial Regulatory Compliance Audit, Research Safety Audit Tool, May 2010
  8. VHA Triennial Regulatory Compliance Audit, Good Clinical Practice & Human Research Protection ProgramAudit Work Sheet, May 2010

8.EXPIRATION DATE: October 31, 2013

9.ATTACHMENTS: None

KENNETH H. MIZRACH

Director

(For Web Versions of this policy)

SIGNATURE OF DIRECTOR IS ON FILE

1 of 11