Building a new research compliance program: Where do I begin?

By Tracy L. Popp, MBA, CHRC, CCRP, and Lynn E. Smith, JD, CHRC

Tracy L. Popp (tpopp@askclover.com) is an Advisor at A Clover Group in Charlestown, IN, and Lynn E. Smith (lynnsmith@tgh.org) is Director, Research Compliance Officer, at Tampa General Hospital, Tampa, FL.

One of the hallmarks of a high-performing clinical research program is a robust research compliance partner. If you have the opportunity to build a new clinical research program, be sure to include a research compliance office in the design to work hand in hand with the clinical research staff. If you manage a clinical research program that lacks a research compliance partner, or a clinical research program with an ineffective or incomplete research compliance component, it is time to make a case to senior leadership of the importance of having this valuable partner.

The culture of the research compliance office is also of great importance. Research compliance could present itself with a culture of judgment with punitive outcomes, or it could present itself with a culture of collaboration and education. Hopefully, you will agree after reading this article that the latter is the best way to go.

Setting the stage for a new program or enhancing an existing one is the paramount point for a successful research program. The announcement to research team members, physicians, medical staff, and others of an upcoming change to the research program to include updating or building a research compliance program can send a panic through the halls of clinical research. Our daily lives contain a high level of stress; therefore, the steps you take to mitigate a full-out panic are of utmost importance. Many people have limited daily exposure to compliance individuals, the lack of knowledge on the role that compliance plays in research, or may recall a dreadful experience when compliance came to visit them. It is important to recognize this is a very real stress to individuals triggered by an announcement. How does operations fit into the compliance program? Our successful programs depend on compliance being embedded in all that we do each and every day for our patients. The operation leader is responsible to ensure that they set the stage for the success of the new or enhanced research compliance program. The team will look to the operation leader for guidance and assurance.

Let’s examine the critical conversations that need to occur with the teams. The panic of the team members or others will likely induce the following types of questions or comments for the operation leader. By preparing for these comments and questions up front, the operation leader will be able to mitigate the fears proactively.

Research teams ask:

  • What does compliance actually do?

  • Should I be worried that I will lose my job?

  • What did we do wrong?

Research teams may say:

  • Well, we never have had any problems before…

  • Isn’t this what the institutional review board does?

  • Who wanted this program changed or created?

  • I am too busy for this new layer of review.

Addressing the comments and questions will help build a successful foundation for the clinical research program. The building of a research compliance program remains a critical element for any research program regardless of the size of the program. Each site should maintain a level of compliance within the program. The research compliance team can start out as one individual dedicated to compliance review and build the program from there based on the site’s volume, risk, etc. When starting a program, consider the elements needed for a healthy program.

Elements

The elements of a robust research compliance program are well documented in Health Care Compliance Association’s Research Compliance Professional’s Handbook.[1] We will look at these elements in brief detail below and then discuss which of them you might consider implementing first.

Ongoing monitoring program

Not all research compliance programs are going to consist of all the elements discussed here, although the vast majority of them will, or should, have an ongoing monitoring program. This program can be presented as a quality assurance review of ongoing human subject research, or it can be presented as an audit program. In our experience, the monitoring program is received much more positively when it is presented as a quality review process that is intended to be collaborative and educational between research compliance, the investigators, and study teams. Using terminology like “auditing” can seem punitive and create a defensive posture from all parties involved.

Quality review programs for human subject research should evaluate the institution’s research against good clinical practice principles[2] to ensure the safety and well-being of human subjects and research finance/billing compliance to determine whether the research procedures are being properly billed to the sponsor, subject’s insurance, or government payers.[3] Quality review visits can be a complete review of a research protocol, or it can focus on one specific element such as informed consent, eligibility, or billing.

Your ongoing monitoring plan will change over time, but it will serve as a solid go-to plan. When developing your monitoring plan, there are several things to consider. Since you are not going to be able to monitor all studies in your portfolio, you will want to evaluate a good mix of your ongoing studies to get a handle on your overall compliance picture. Some of the criteria to consider when choosing studies for your monitoring plan are: 1) studies with the highest risk; 2) investigators with a track record of noncompliance; and 3) protocols with a high likelihood of being audited by federal or other external agencies, such as protocols with high enrollment, a previous unsuccessful audit, or a high-profile national study.

Operations buy-in (for monitoring program)

When the research compliance team is ready for the initial review on the research program, we recommend having a discussion with the research operations/clinical leaders to determine the investigator, study, or site to complete a validation review. By engaging the clinical team prior to engaging the principal investigator, the operations and compliance team will be able to eliminate any kinks in the review. The research clinical team is a valuable resource to assist with understanding institutional culture and empowers this team to be able to address any questions that the principal investigator has during a review, therefore building a relationship of trust and partnership. The reviews are a joint effort to build a strong program, not searching for a laundry list of punitive marks.

Conflict of interest

The research compliance program should be identifying and managing conflicts of interest (COIs) of investigators and study staff as well as the institution. COIs can manifest as equity in or compensation from industry sponsors. Policies and procedures should clearly indicate the thresholds set by the institution for such interests and ensure they are in line with regulatory agencies’ requirements.[4] Some institutions allow separate thresholds for various regulatory agencies, others set the bar at the most conservative requirement for all research, and yet others have a zero tolerance for conflicts and require disclosure for conflicting interests of any amount. In addition to equity and compensation, there are also conflicts of commitment. In addition to the research compliance office, conflicts of commitment may also need to be managed by the medical staff office, dean’s office, or human resources.

Research compliance should have a process to develop and monitor management plans for investigators who have conflicting interests. This process is typically separate from the annual disclosure required by most universities and healthcare systems. Some institutions use software systems to manage research COIs, while some track these conflicts using a spreadsheet that gets updated frequently. Many institutions also assign a COI officer and/or a COI management committee that will make decisions about the management of COIs.

In addition to investigator and study team COIs, there is also institutional COI. Institutional COI can come in the form of start-up companies supported by the institution or financial interests related to patents, tech transfer, license agreements, investments in companies conducting research at the institution, or gifts to the organization when the donor has an interest in the research. The COI officer/committee will need to be kept up to date with institutional interests to identify and manage these types of interests.

Scientific misconduct

If your institution is receiving federal grant(s) for research, the Public Health Service regulations require that you have policies and procedures for management of scientific misconduct that meets their requirements.[5] The Office of Research Integrity offers templates for these policies and procedures on its website.[6] These policies and procedures must include a process to deal with allegations of misconduct, a process to conduct an inquiry, and a process for a formal investigation. Annual reporting of scientific misconduct to the Office of Research Integrity is required from any institution that is a direct awardee or a subawardee of federal grant funds.

Privacy and security

As with any medical encounter or procedure, research procedures are subject to HIPAA Privacy and Security rules, and there are special considerations when research is involved.[7] A privacy board must review requests for waivers of HIPAA authorization when a protocol calls for the capture of private health information without the subject’s consent. While some institutions have a separate privacy board, most institutions have the institutional review board, whether internal or external, serve as the privacy board. Other considerations include the use of limited data sets and data use agreements.

Research compliance will need to ensure that the standards of the Security Rule are met, which includes administrative safeguards (policies and procedures, education and training, disciplinary procedures, audits and monitoring); physical safeguards (barriers, computer and physical protections, encrypted files, locked files and doors); and technical safeguards (account provisioning, passwords, logging out, information services audits). Much of this can be reviewed for compliance during a quality review visit.

Biosafety

The biosafety program manages the risks associated with: 1) infectious agents and toxins from natural sources or clinical isolates, 2) biological toxins manufactured for clinical or research purposes, 3) recombinant and synthetic nucleic acid molecules, 4) genetically modified microbes or animals, and 5) human gene transfer products.[8] Some institutions have their own biosafety program and committee, while others outsource this responsibility to an external committee.

Research compliance should ensure that the institution either has policies and procedures and an adequate program for this area or a documented plan to outsource this responsibility.

Export controls

Institutions that conduct or collaborate in research with foreign individuals/entities must comply with export control regulations. This includes export of oral, written, electronic, or visual disclosure or shipment, transfer, or transmission of goods, technology, services, or information to anyone outside of the US, a non-US entity, or a non-US individual (regardless of location).[9] Export controls apply not only to the shipping or personal delivery of technology, information, or funds outside of the US, but also to the deemed export or disclosure of technology or information to a foreign entity or foreign national on US soil. Examples of “deemed exports” include: 1) tours of laboratory spaces, 2) research involvement, 3) hosting observers or other types of visitors in laboratory or research space, or 4) through discussions or lectures of sensitive research.

Export controls are governed by the U.S. Department of Commerce’s Export Administration Regulations,[10] U.S. Department of State’s International Traffic in Arms Regulations,[11] and U.S. Department of the Treasury Office of Foreign Assets Control.[12]

Research compliance should ensure that the institution has adequate policies, procedures, and processes to manage compliance with export control regulations.

Animal research

Institutions that have an animal research program are governed by four main laws/requirements: 1) U.S. Government Principles for the Utilization and Care of Vertebrate Animals Used in Testing, Research, and Training,[13] 2) Animal Welfare Act,[14] 3) Public Health Service Policy on Humane Care and Use of Laboratory Animals,[15] and 4) Guide for the Care and Use of Laboratory Animals.[16] Institutions that conduct animal research must have an institutional animal care and use committee. This is the committee that reviews and approves, or denies, animal research protocols submitted for review.

Research compliance should ensure that the institution has an adequate program for the review and conduct of animal research protocols and that all facilities and procedures meet the regulatory requirements for animal research.

What should you implement first?

When building a program, the lead component is determining ownership. How does the program fit into the institution’s hierarchy? We recommend the compliance program report directly the board or owner of the site. This permits the compliance team to have a direct relationship to senior leaders and/or board members. From a clinical research operations perspective, the beginning of the research compliance program may be the operations leader—the initial leader to get the program established. This is what we experienced at our site when starting a research compliance program. The initial responsibility was assigned to the operations leader and an executive research leader. We had the responsibility to kick off the program and hire the appropriate research compliance leader. Our goal, after the research compliance leader was in place, was to move the program to a reporting structure under the hospital compliance team.

The next step is developing the job description or enhancing an existing one for the research compliance leader. The foundation for a research compliance program starts with a strong leader. When building a research compliance program from the beginning, we recommend having a leader with a diverse leadership background, including exposure to operations and compliance. The compliance leader builds the foundational layers needed for the program to thrive in the future.

When the new leader joins the program, the list is extensive for where they need to start. It will be overwhelming for a new hire. We followed these steps when setting up our program: Focus first on any identified problem area(s), then start with your monitoring program. This will identify areas that are vulnerable and in need of attention. Next, build/review your research privacy program to ensure an effective mechanism exists to address HIPAA requirements. Following that, implement/review your COI process to ensure you have a mechanism to track and manage investigator, study team, and institutional COIs. If your institution receives federal funds, develop/review your scientific misconduct program to ensure you have the appropriate policies and procedures to address any allegations of scientific misconduct. Then, to the extent they are applicable to your program, develop/review the program to monitor for biosafety, export controls, and animal research.

Training and education

The goal of research compliance should be to partner with investigators and study teams to conduct compliant research. As each component of the program is rolled out, train the research community on the component and the impact to the research community. The ongoing monitoring program will uncover many issues specific to the institution and the researchers, which can translate into an effective training program.

A few items to consider when developing the research compliance training program at the institution/site:

  • Consider making the sessions mandatory for the enterprise-wide research team.

  • Ensure times/days are flexible to meet needs of the stakeholders.

  • Record sessions for future use in training sessions (this also creates documentation of training).

  • Log attendance with a sign-in list, testing at end of session, and/or another tracking mechanism for the site.

A combination of training formats should be used at the institution/site. The two formats that our site found to be extremely effective are town halls and a brown-bag series.

The town hall format brings the research enterprise and institution/site together quarterly or semiannually—a successful training method. This format allows multiple areas to engage in research and learn more about the requirements that may affect someone in a clinical setting at the bedside located at your institution/site. The town hall can focus on a variety of topics to include trends at the site or upcoming regulation changes.

A brown-bag series is an effective method to train or boost the relationship between compliance and operations along with the research enterprise. The schedule may vary for this type of training, which is helpful to researchers. The sessions are short and recorded. Our site introduced this program with a variety of topics to include hot trends in research, wellness of researchers, how COVID-19 is affecting a site, etc. The topics include an element of compliance while building and enhancing an ongoing relationship.

A strong relationship between operations and compliance is critical for your research program

In today’s climate, a research compliance program is expected as part of a comprehensive research program. It establishes a trust with vendors, sponsors, and the clinical team. The research compliance program provides the needed structure for continuous quality improvement, research integrity, and sets up the site for high-quality data for sponsors, investigators, and clinical research organizations.

The stigma surrounding compliance programs can easily be addressed within the clinical research realm. The research program affects all aspects within an institution/site, affecting all healthcare providers. The operations team is embedded in all the programs and can facilitate the crucial conversations on why the institution is establishing a new program or revamping an existing one.

Operations working alongside the research compliance leader and team will lead to a successful and powerful compliance program. The operations team collaboration starts with the study team leaders, as well as the regulatory, financial, and clinical teams. Reach out to these teams to garner their feedback and understanding of the research compliance program. Engaging the key players will lead to trust among the teams.

No clinical research compliance program performs the same at all institution. It must meet the unique needs of each.

Takeaways

  • Determine the organizational compliance hierarchy for your institution.

  • Define terminology for branding of research compliance program.

  • Remove the fear and set expectations through educational sessions.

  • Review the elements required for a compliance program to develop the plan for implementation.

  • Collaboration with compliance and operations is a must to help build a robust research compliance partnership at the institution/site.

 
1 Health Care Compliance Association, Research Compliance Professional’s Handbook, 3rd Edition (Minneapolis: Health Care Compliance Association, 2019), https://bit.ly/2Od8Mdt.
2 U.S. Department of Health & Human Services Food and Drug Administration, E6(R2) Good Clinical Practice: Integrated Addendum to ICH E6(R1): Guidance for Industry, March 2018, https://www.fda.gov/media/93884/download.
321 C.F.R. §§ 312.50–312.70 .
421 C.F.R. § 54 ; 42 C.F.R. § 50 .
542 C.F.R. § 93 .
6 “Sample Policy & Procedures for Responding to Research Misconduct Allegations,” Office of Research Integrity, accessed August 16, 2021, https://bit.ly/2XwkAj5.
745 C.F.R. §§ 164.501, 164.508, 164.512(i), 164.514(e), 164.528, 164.532 .
8 Health Care Compliance Association, Research Compliance Professional’s Handbook, 3rd Edition, 47.
9 Health Care Compliance Association, Research Compliance Professional’s Handbook, 3rd Edition, 173.
10 “Export Administration Regulations,” Regulations, Bureau of Industry and Security, U.S. Department of Commerce, accessed August 16, 2021, https://bit.ly/3g4jySB.
11 “The International Traffic in Arms Regulations (ITAR),” Directorate of Defense Trade Controls, U.S. Department of State, accessed August 16, 2021, https://bit.ly/3CUo4w6.
12 Federal Financial Institutions Examination Council, “Office of Foreign Assets Control — Overview,” Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Examination Manual, February 27, 2015, https://bit.ly/3g41wPm.
13 “U.S. Government Principles for the Utilization and Care of Vertebrate Animals Used in Testing, Research, and Training,” Office of Laboratory Animal Welfare, National Institutes of Health, last updated March 30, 2018, https://olaw.nih.gov/policies-laws/gov-principles.htm.
14 “Animal Welfare Act,” National Agricultural Library, U.S. Department of Agriculture, accessed August 16, 2021, https://www.nal.usda.gov/awic/animal-welfare-act.
15 U.S. Department of Health & Human Services National Institutes of Health, Public Health Service Policy on Humane Care and Use of Laboratory Animals, 2015, https://grants.nih.gov/grants/olaw/references/phspolicylabanimals.pdf.
16 National Research Council of the National Academies, Guide for the Care and Use of Laboratory Animals, Eighth Edition (Washington, DC: National Academies Press, 2011).
This publication is only available to members. To view all documents, please log in or become a member.
Become a Member Login

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings