Proposed IRB Regulations: Implications for Personal Health Data Research

Proposed HHS Regulations may affect the use of Personal Health Data for research. Here Matthew Bietz outlines three specific proposals and discusses their potential impacts.

The U.S. Department of Health and Human Services has released a proposal for revisions to the regulations that apply to research with human subjects. While there are a number of significant changes proposed, a few of them have a specific impact on research using personal data.

More and more data relevant to health are also being captured passively as people communicate with one another on social networks, shop, work, or do any number of activities that leave “digital footprints.” Self-tracking data can provide better measures of everyday behavior and lifestyle and can fill in gaps in more traditional clinical or public health data collection, giving us a more complete picture of health. Using these kinds of data for research raises particular ethical and regulatory concerns. Here, I will outline how this new form of research might be affected by the proposed regulations.

Background: Human Subjects Regulations

The United States government has a set of regulations known as “The Common Rule” that are aimed at protecting human research subjects. (The Common Rule is a federal policy regarding Human Subjects Protection in biomedical and behavioral research that applies to 17 United States Federal agencies and offices, according to the US Dept. of HHS.) These regulations, which date from the mid 1970s and early 1980s, were developed in response to a variety of concerns about the ethical treatment of individuals by researchers, including some high profile cases like the Tuskegee syphilis experiments and the Stanford Prison Experiment. These are the regulations that created Institutional Review Boards (IRBs) whose mandate is to oversee federally-funded research. However, the regulations have not kept up with changes in the research landscape, and now there is a proposal to update them:

The U.S. Department of Health and Human Services and fifteen other Federal Departments and Agencies have announced proposed revisions to the regulations for protection of human subjects in research. A Notice of Proposed Rulemaking (NPRM) was published in the Federal Register on September 8, 2015. The NPRM seeks comment on proposals to better protect human subjects involved in research, while facilitating valuable research and reducing burden, delay, and ambiguity for investigators.


This is not a radical overhaul of the IRB system. Some have called for a complete rethinking of how we regulate research (e.g. Schneider’s The Censor’s Hand). The goal of the proposed regulations seems to be more modest: to make adjustments that will lessen the regulatory burden of IRBs while maintaining or improving protections for human research subjects.

Health and Human Services (HHS) is asking for public comments on the proposed changes until December 7, 2015. These regulations have not been significantly revised since 1991. This is an important and rare opportunity to shape the rules that govern the ways we do human subjects research.

There has been a lot written about the NPRM and its proposed changes (some more general resources that address the whole document are included in the sidebar).

Here, my goal will be to walk through three proposals in the NPRM that I see as having a direct impact on the Health Data Exploration Network members and the use of personal health data for public good research. (The Health Data Exploration Network brings together innovators in personal health data (PHD) to catalyze the use of personal data for the public good. This Network will bring together companies, researchers, and strategic partners to strategize, coordinate, and experiment with using PHD to understand health. Personal health data: individuals are tracking a variety of health-related data via a growing number of wearable devices and smartphone apps.) Specifically:

  • Broad consent for secondary use of identifiable private information
  • Increased scrutiny for research that returns results to participants
  • Expanded scope of “clinical trial” review

Issue #1: Broad Consent for Secondary Use of Data

Secondary use of data is an important concern for researchers who use personal health data. (Secondary use refers to the use of research data for a purpose other than originally intended.) We can learn a lot from data originally collected by commercial devices and apps for personal, non-research reasons (step counts, sleep data, food diaries, etc.). We also want to be able to make the best use of our data resources, so sharing and reusing datasets is key.

It has become clear that current regulations don’t work for this kind of research. Obtaining consent for each new use of the data (as is currently required) is impractical, and it’s not clear that it really improves participant safety. At the same time, IRBs know this and have allowed a large number of waivers of informed consent for secondary data use, which may also not be ideal. A set of proposals in the NPRM is aimed at better accommodating secondary use of identifiable private information within the regulatory context.

The NPRM proposes to create specific exemptions from IRB review for secondary data use. (The proposed regulations create two categories of research which do not require full review. “Excluded” research does not meet the definition of human subjects research and so is not regulated by this statute. “Exempt” research is subject to the provisions of the statute, but because it is considered low risk, does not require IRB review and approval.) The first exemption would cover secondary use of research data where broad consent has been obtained. In other words, researchers wouldn’t need to get IRB approval (and would not require additional consent) to use data where the original researchers had obtained broad consent for future research. Another exemption would apply for secondary use of identifiable private information collected “as part of a non-research activity, where notice of such possible use was given.” The examples in the NPRM focus on government data, but my reading is that this exemption would cover, for example, studies that use data obtained by commercial devices or services if the potential research use of the data was included in the terms of service or other communication with consumers.

The goal of these changes is to reduce the effort required for IRB approval for low-risk secondary use research while still maintaining ethical safeguards (e.g. respect for persons).

The full text of the questions that the NPRM asks about the proposed changes regarding Secondary Research Use of Identifiable Private Information follows.

49. Public comment is sought on the types of research that should fall under the proposed exemption. Should the proposed exemption be available to all types of research using identifiable data collected for non-research purposes or should the exemption be available only to a more limited subset of research? For example, should the proposed exemption apply only for research using records and information already subject to comprehensive privacy and other protections in other Federal laws (e.g., records held by the Federal Government subject to the Federal Privacy Act, or records governed by HIPAA or FERPA)?

Depending upon the scope of the exemption, the relationship between this exemption and the exemption proposed at §__.104(f)(2) would need to be clarified. Since a major justification for including this exemption is to reduce burden on IRBs, should the proposed exemption apply only to research for which IRBs typically waive informed consent, that is, where the research could not practicably be carried out without a waiver of informed consent, and the rights and welfare of subjects will not be adversely affected by the waiver? Finally, is there a sufficient need for this exemption at all given the other proposed exclusions and exemptions?

50. Public comment is sought regarding whether the proposed exemption should be limited to research in which individuals had been informed of the potential future research use of their information, and given the opportunity to opt out of having their identifiable private information used for research. If the proposed exemption should be limited in this way, what information should be included in the opportunity to opt out? If the opportunity to opt out is made a condition of the exemption category how should it be structured (e.g., how long and under what circumstances should it remain in effect) and what, if any, impact should the opt out have on other provisions of the rule, such as the ability of an IRB to waive informed consent for a subsequent research study using the individual’s information? Are there other or alternative mechanisms that should be required to respect individuals’ autonomy and other interests?

51. Public comment is sought regarding what should constitute notice for purposes of this exemption category. Given the many different types of data that would be covered by this provision (e.g., data from private entities used for social or behavioral science research, government records for which laws already establish standards for notice, and data publicly available for harvesting from the internet), would it be possible to develop a uniform “notice” requirement? What type of notice, in terms of its dissemination and scope, should be considered to meet this requirement of the proposed exemption? With regard to the dissemination of the notice, should the notice requirement be permitted to be fulfilled through a general public notice, not specifically directed to individuals who are potential research subjects, such as the notice allowable under the Privacy Act? Would a prominent notice posted in all clinics or other relevant public places where information will be collected be acceptable? Should each individual whose data could be used receive their own notice, such as is required of direct treatment providers covered by the HIPAA Privacy Rule? With regard to the content of the notice required by this proposed exemption, what kind of information should be included in the notice, such as the types of research that might be conducted, privacy safeguards, contact information, etc.?

52. Public comment is sought on whether, on the other hand, prior notice is necessary. Is the notice requirement proposed for this exemption a meaningful and important measure to respect individual autonomy, particularly if the notice requirement could be fulfilled through a general public posting? Current practices suggest that IRBs will frequently waive informed consent for studies involving the secondary use of identifiable private information collected for non-research purposes. If the exemption were to exclude the notice requirement, but continue to require application of the data security and privacy safeguards of §__.105 and restrict the use of identifiable private information to only purposes of the specific research for which the investigator obtained the information, would the exemption better strike a reasonable balance between respect for persons and beneficence, while eliminating the current requirement for IRB review?


Issue #2: Returning Research Results

Returning research results to participants is a big issue for many researchers using personal health data. Discussions about whether researchers should share findings frequently focus on what to do when a study uncovers a disease, condition, or other impactful finding about an individual. More recently, however, members of citizen science movements (like the Quantified Self) argue that researchers have a responsibility to return individual-level results. Sometimes this is characterized as a quid pro quo arrangement—research results are the cost of getting access to personal data. Broader arguments come from organizations like the Open Humans Project, which promotes a new model of research that places patients at the center, a model that relies on researchers returning results to participants: “A good example of this when researchers use our member’s data they must also agree to return any new data that results from their research back to the original participant. This decentralization of data is a key component of our design. No single person, researchers, or study has all the data.”


The NPRM, focusing primarily on the potential for incidental findings, characterizes return of research results as a high-risk activity. It proposes that studies that return individual research results will not be eligible for exemptions and must be reviewed by the IRB.

Unlike most other Common Rule regulations, this restriction does not appear to include a consideration of the anticipated level of risk. Thus, research that returns a visualization of activity levels from a fitness tracker or provides a metric of social network strength on Facebook will be subject to the same level of review as a study that potentially discovers a brain tumor while reviewing fMRI data.

While the discussion in the NPRM document focuses primarily on medical and genetic examples, the proposed regulation is written quite broadly. It seems that there may be unanticipated impacts for HDE Network members and others engaging in more participatory forms of research.

The full text of the questions that the NPRM asks about the return of research results follows:

55. Public comment is sought on whether and how the provision regarding the return of research results in the proposed exemption §__.104(f)(2) should be revised.

81. What should IRBs consider when reviewing the plans for returning research results, for example, what ethical, scientific, or clinical concerns?


Issue #3: Clinical Trial Review

The NPRM proposes to increase the scope of coverage for clinical trials. At present, only studies funded by federal agencies are required to adhere to the Common Rule (although many universities have voluntarily extended IRB review to all their human subjects research). The NPRM will change this so that any institution that accepts federal research funding must follow the Common Rule for all clinical trials (with some exceptions). The NPRM’s goal is to ensure that the highest-risk research is covered by the Common Rule. While this probably won’t have much impact on universities, it could have an impact for non-federally-funded research at non-profits and companies.

In order to enact this provision, the NPRM creates a new definition of “clinical trial” that (to the best of my knowledge) has not previously appeared in the Common Rule regulations (although the FDA and NIH have their own definitions). The definition states:

Clinical trial means a research study in which one or more human subjects are prospectively assigned to one or more interventions (which may include placebo or other control) to evaluate the effects of the interventions on biomedical or behavioral health-related outcomes.

This definition is quite broad, and the NPRM specifically recognizes that “clinical trials may occur outside of the biomedical context.” A reasonable interpretation of this definition would include A/B testing of an activity visualization aimed at increasing step counts as a “clinical trial.” While the NPRM’s stated goal is to ensure that the highest-risk research is covered, it is possible that a variety of low-risk forms of research would fall into this “clinical trials” category.

The full text of the questions that the NPRM asks about the proposed changes regarding the Proposal to Extend the Common Rule to All Clinical Trials follows:

85. Public comment is sought on whether there might be unintended consequences from the clinical trials expansion proposed in the NPRM in §__.101(a)(2)(i)). Unintended consequences may include an increase in burden or costs, or an inappropriate redistribution of costs.

86. Public comment is sought as to whether the criterion that the policy extends to all clinical trials conducted at an institution that receives federal support (see the NPRM at §__.101(a)(2)(i)) should be further clarified in some way. For example, should it specify a timeframe for support (e.g., within the past number of years), or a minimum monetary threshold value?

87. Public comment is sought on whether the definition of clinical trial (NPRM at §__.102(b)) should include additional explanation of what is encompassed by the term behavioral health-related outcomes.


Help Shape the Policy: Comment By December 7

We’ve focused here only on those proposed changes to the Common Rule that will have the most impact on “personal health data” research. Whether you find the changes positive or negative or think they need further revision, there is a way to have an impact on the final policy: submit a comment. HHS is accepting comments until December 7.

If you have other thoughts you’d like to share about the NPRM or this analysis, please comment below!


Photo credit: Random Number Multiples by Jer Thorp
