Collaborative Research, Data Ownership, and Security(RCR Week-2 Lecture)

Delia Y. Wolf, MD, JD, MSCI

Assistant Dean, Regulatory Affairs & Research Compliance, Harvard School of Public Health Director, Human Research AdministrationHarvard Longwood Medical Area

Email: dywolf@hsph.harvard.edu

September 13, 2013

Case 1 For his dissertation project in psychology, Antonio is studying new

approaches to strengthen memory. He can apply these techniques to create interactive Web-based instructional modules. He plans to test these modules with students in a general psychology course, for which he is a teaching assistant. He expects that student volunteers who use the modules will subsequently perform better on examinations than other students. He hopes to publish the results in a conference proceeding on research in learning, because he plans to apply for an academic position after he completes the doctorate. Should Antonio seek IRB approval for his project? (Hint: what are the two

questions you would ask in order to determine whether IRB approval is necessary?)

If the answer to question #1 is yes, what type of IRB review would be appropriate?

Can this protocol be exempted? Why or why not? Do student volunteers need to give formal informed consent? If so, what

information needs to be included in the consent document?

2

Case 2 Two weeks into the new semester, the Professor in Mary’s course on Family Health

gives the class a special assignment that was not on the course syllabus. Over the next week, everyone in the class is to talk with three classmates, who are not in the course, about the way their families deal with medical emergencies and chronic illness. Next week they should come to class prepared to report on their interviews. The Professor will then gather information collected by all the students and may write a paper on the topic. The Professor indicates in order to protect classmates’ privacy; no names should be mentioned during discussion.

The assignment makes Mary uneasy. In her Responsible Conduct of Research (RCR) course last semester, she learned about regulations pertaining to the use of human participants in research. Mary believes that the assignment should be reviewed by the IRB. When Mary raises her concerns with the Professor, the Professor assures her that her informal

conversations with classmates are not research and therefore not subject to any regulations. When Mary reminds him that his potential publication may contribute to “generalizable knowledge,” his response is that even if this assignment meets the definition of research, it can be exempt because no names will be recorded, and therefore, no IRB review is necessary.

Is the Professor’s last statement correct? Is this course assignment research? If IRB review is required, should each student submit an application to the IRB? Why or why not? Can this “course assignment” be exempt? If so, under which category? If not, will it meet one of the

categories for expedited review?

3

4

Topics to be Covered

Collaborative Research

Data ownership

Data collection

Data protection

Data sharing

Data management

5

Collaborative Research

Types of collaborative research

Points to consider before, during and

after collaboration

Case studies

Types of Collaborative Research

Within institution

With institutions/hospitals

Multicenter – within the US

Multicenter – transnational

Collaborations with industry

6

Points to Consider Before any work is undertaken

Clear understanding of the nature of the collaboration Roles and responsibilities

Sufficient resources Time, space

Written agreement (between/among collaborators) Who does what Who owns what Criteria to identify and rank contributing authors

Necessary review and approval from institution Grants/contracts Technology transfer IRB/IACUC

7

Points to Consider (cont.) During the course of collaboration

Following research plan/study protocol Communication

Report Progress Share findings Discuss problems

Documentation If it is not documented, it is not done!

Training and supervision Verification Good record keeping

Time and effort

8

Points to Consider (cont.) After the completion of a collaborative

research project Submit final report/closure to relevant

offices at researcher’s institution IRB office

Be aware if record keeping requirements Institutional requirements Sponsor requirements Government agency requirements

9

Case A Amber, Ben and Carol have just received funding from a small

pharmaceutical company to test one of its imaging agent. Amber is a neuro-radiologist at BIDMC, who will be the PI, as

well as the IND holder, Ben is a psychiatrist at MGH, and Carol is a biostatistician at HSPH. All three will serve as co-investigators.

Study is going to be conducted at BIDMC. Both Amber and Ben will be interact with research participants; Carol will not have direct contact with participants, but will have access to participants’ identifiable information. Which office(s) will they have to deal with Do all three need to get IRB approval from each of his/her

institution Do they need an agreement among themselves? If so, what should

be included in the agreement?

10

Case B Dr. D is a biostatistician from HSPH. He is the

PI for a data coordinating center that oversees and analyzes all data collected from a multi-canter clinical trial involving 12 sites in the US and 10 sites outside of the US. What are Dr. D’s responsibilities in terms of meeting

regulatory requirement? Obtaining IRB approval Oversight of research conduct Reporting obligations

11

Case C Dr. M is the overall PI for a multi-center Vitamin

A supplementation clinical trial that is sponsored by NIH. She is a faculty member at HSPH, but no study activities will be conducted in the US. There are a total of three sites in India, Tanzania and Botswana. Does Dr. M need to get HSPH IRB approval to work on

the study? Which country’s rules should be followed for

regulatory oversight? Since she only visits each site once a year, how can

she fulfill her responsibility as a PI?

12

Data Ownership Bayh-Dole Act (Public Law: 96-517)

Sponsored by two senators, Birch Bayh of Indiana and Bob Dole of Kansas

Enacted by the United States Congress on December 12, 1980

Governing intellectual property arising from federal government-funded research

Allows for the transfer of exclusive control over many government funded inventions to universities and businesses for the purpose of further development and commercialization

13

Data Ownership (cont.) Sponsors/funders

Government Grants – the institution receives funds owns and

controls the data Contracts – government owns and controls the

data Private companies – usually seeks to retain

the right to the commercial use of data Charitable organization /foundations – retain

or give away ownership rights depending on their interests.

14

Data Ownership (cont.) Points to consider

Distinguish between grants and contracts Research institutions usually claims ownership

rights over data collected with support awarded to the institution

Be familiar with institutional policies Who owns the data I am collecting? What rights do I have to publish the data? Does collecting these data impose any obligations on

me?

Do not enter into agreements without approval from the institution

15

Ownership of Biological Materials Moore v. Regents of the University of California

Moore was treated for hairy cell leukemia by Dr. Golde at UCLA Medical Center from 1976 and 1983

Test results revealed that Moore’s cells would be useful for genetic research, but Golde did not inform Moore of his plans to use the cells for research

A cell line was established from Moore’s T-lymphocytes sometime before 1979

On January 6, 1983, UCLA applied for a patent on the cell line, listing Gold and Quan as inventors

USPO issued patent on March 20, 1984

16

Ownership of Biological Materials Moore v. Regents of the University of California

In 1983, Moore was given a consent form indicated “I (do, do not) voluntarily grant to the University of California all rights I, or my heirs, may have in any cell line or any other potential product which might be developed from the blood and/or bone marrow obtained from me”

Moore refused to sign the form and eventually turned over to an attorney, who the discovered the patent

After patent was issued in 1984,UCLA and Golde negotiated agreements with Genetic Institute for commercial development, Golde became a paid consultant and acquired 75,000 shares of stock

17

Ownership of Biological Materials Moore v. Regents of the University of California

Moore filed a lawsuit naming Golde, Quan, the Regents, Genetics Institute, and Sandoz Pharmaceuticals as defendants

Moore complaint stated thirteen causes of action, including conversion, lack of informed consent, breach of fiduciary duty and intentional infliction of emotional distress

The court found that Moore had no property rights to his discarded cells or any profits made from them

The court concluded that the researcher did have an obligation to obtain informed consent, and to disclose financial interested in the cells harvested from Moore

18

Ownership of Biological Materials Washington University v. Catalona

Dr. Catalona, highly respected urologist and urologic surgeon, as well as a well-established prostate cancer researcher at Washington University in St. Louis

While at WU, Dr. Catalona was instrumental in establishing the Biorepository for the collection and storage of biological research materials

More than 30,000 research participants enrolled in prostate cancer research

In 2003, Dr. Catalona left for Northwestern University and to continue his prostate cancer research

In February 2003, Dr. Catalona sent a “Medical consent & Authorization” form to about 60,000 research participants

19

Ownership of Biological Materials Washington University v. Catalona

About 6000 recipients signed the form and returned it to Dr. Catalona

The University sought a declaratory judgment that it owned the biological specimens

In March 2006, the District Court concluded that the University owned the research specimens. Dr. Catalona and the eight research participants appealed

The Court held that Wash. U “owns the biological materials and neither Dr. Catalona nor any contributing individual has any ownership or proprietary right in the disputed biological materials.”

20

DHHS Draft Guidance “All future research that uses your samples may

lead to the development of new products, you will not receive any payments for these new products.”

“By agreeing to this use, you are giving up all claims to any money obtained by the researchers from commercial or other use of these specimens.”

“I voluntarily and freely donate any and all blood, urine, and tissue samples to the [name of research institution] and hereby relinquish all property rights, title, and interests I may have in these samples.”

21

Data Collection Reliable methods Accuracy Authorization/Permission

IRB IACUC

Documentation Hard-copy data Electronic data

22

Data Protection Storage Record retention Confidentiality and information security

Data from non-Harvard sources Data use agreement (DUA) that states use limitations

and/or protection requirements Individual researchers do not have the authority to sign

DUA on behalf of the institution

Data from Harvard sources Five data/information security categories Legal requests – contact OGC Certificates of confidentiality

23

Information Security Categories Level 1: De-identified research information

about people and other non-confidential research information

Level 2: Benign information about individually identifiable people

Level 3: Sensitive information about individually identifiable people

Level 4: Very sensitive information about individually identifiable people

Level 5: Extremely sensitive information about individually identifiable people

24

Level 2 Information

Individually identifiable information, disclosure of which would not ordinarily be expected to result in material harm, but as to which a subject has been promised confidentiality

Example: Research participant in a study that was

exempt by the IRB

25

Level 3 Information

Individually identifiable information, if disclosed, could reasonable be expected to be damaging to a person’s reputation or to cause embarrassment

Example: Student record

26

Level 4 Information

Individually identifiable High Risk Confidential Information that if disclosed, could reasonably be expected to present a non-minimal risk of civil liability, moderate psychological harm, or material social harm to individuals or groups

Example: Social security number Individual financial information Medical records

27

Level 5 Information Individually identifiable information that

could cause significant harm to an individual if exposed, including serious risk of criminal liability, serious psychological harm or other significant injury, loss of insurability or employability, or significant social harm to an individual or group

Example: Certain genetic information

28

Data Protection (cont.) Level 1: no specific University requirements Level 2: Password protection Level 3: Must not be directly accessible from

the Internet (i.e. email) unless the data is encrypted

Level 4: servers must be located only in physically secure facilities under University control

Level 5: information must be stored and used only in physically secured rooms controlled by University. No master keys are allowed

29

Certificates of Confidentiality Issued by the National Institutes of Health (NIH) Protect investigators and institutions from being

compelled to release information that could be used to identify research study participants

Allow the investigator and others who have access to research records to refuse to disclose identifying information in any civil criminal administrative legislative, or other proceeding, whether at the federal,

state, or local level30

Identifying Information

Broadly defined Not just name, address, social

security number, etc. Includes any item or combination of

items that could lead directly or indirectly to the identification of a research participant

31

Eligibility

For IRB-approved research collecting identifying information

If disclosure could have adverse consequences for subjects or damage: financial standing employability insurability, or reputation

NIH or PHS funding not required

32

Examples Collecting genetic information Collecting information on psychological well-

being of subjects Collecting information on sexual attitudes,

preferences or practices Collecting data on substance abuse or other

illegal risk behaviors Studies where participants may be involved in

litigation related to exposures under study (e.g., breast implants, environmental or occupational exposures)

33

Requirements Must tell subjects that Certificate is in effect in

Informed Consent form Must provide fair and clear explanation of

Certificate’s protection, including limitations exceptions 

Must document IRB approval and IRB qualifications

Must provide a copy of the informed consent forms approved by the IRB

PI and Institutional Official must sign application34

Limitations and Exceptions Protects data maintained during any time the

Certificate is in effect Protects those data in perpetuity Does not protect against voluntary disclosure:

child abuse threat of harm to self or others reportable communicable diseases subject’s own disclosure

Must disclose information about subjects for DHHS audit or program evaluation or if required by the Federal Food, Drug, and Cosmetic Act

35

Assurances Agree to protect against compelled disclosure

and to support and defend the authority of the Certificate against legal challenges

Agree to comply with Federal regulations that protect human subjects

Agree to not represent Certificate as endorsement of project by DHHS or NIH or use to coerce participation

Agree to inform subjects about Certificate, its protections and limitations

36

An Important Caveat Certificates of Confidentiality do not obviate

the need for data security Data security is essential to the protection

of research participants’ privacy Researchers should safeguard research

data and findings.   Unauthorized individuals must not access

the research data or learn the identity of research participants

37

Data Sharing NIH believes all data should be considered

for data sharing “Data should be made as widely and freely

available as possible while safeguarding the privacy of participants, and protecting confidential and proprietary data

Data sharing plan required for applications requesting >$500,000/year from NIH

38

Data Management Data monitoring plan in each protocol Collected data should be open to scrutiny by

both investigators and the sponsor When possible, statistical analysis should be

conducted by an independent entity Stopping rule should be included in the

protocol Study results and data analysis should be

shared with the principal investigators as soon as they become available

39