Regulatory Framework for Research with Mobile Applications
The following information was drawn in large part from the CITI Program’s module titled “Mobile Apps and Human Subject Research.” The content of this module is copyrighted. UConn Health obtained permission to use this module from the CITI Program.
A mobile application (mobile app or app) is a type of application software designed to run on a mobile device, such as a smartphone or tablet computer. Medical mobile apps (MMAs) are mobile apps that meet the definition of a medical device and either are an accessory to a regulated medical device or transform a mobile platform into a regulated medical device.
Research with apps may be subject to multiple federal regulations such as 45 CFR 46 (The Common Rule), the U.S. Food and Drug Administration (FDA) regulations (including 21 CFR 11), and the Health Insurance Portability and Accountability Act (HIPAA) rule. Specifically, the FDA regulates mobile health technologies that meet the definition of a medical device. When covered entities or business associates use software and mobile applications to store or transmit protected health information (PHI), this falls within the jurisdiction of the Office of Civil Rights (OCR) under the Department of Health and Human Services (HHS). Researchers may use the information provided on the FDA website to determine if an app meets the definition of a medical device regulated by the FDA. Researchers may use the interactive tool developed by the Federal Trade Commission (FTC), in conjunction with HHS, the Office of the National Coordinator for Health Information Technology, the OCR, and the FDA, to determine which laws apply to mobile health applications.
When using apps in research, investigators should consider the following points:
- If consent occurs via an app, the investigator should be aware that the consent document must contain all the elements required by the Common Rule. The risk of hacking posed by the electronic consent is to be described in the consent document.
- The requirements of the IRB for an electronic informed consent process are described in the IRB Policy # 2011-008.1.pdf – Informed Consent – Process – page 4.
- The requirement to give ample time to contemplate participation and ask questions also applies to electronic consent; therefore, app-based consent should contain functionality to satisfy this requirement, which is described in the IRB Policy # 2011-008.5.pdf – Informed Consent – Providing and Obtaining Informed Consent.
- Because mobile apps may use, collect, store, and share data, researchers should communicate the mobile device security risks to the subjects and the measures in place to minimize the chance of a breach of confidentiality. If a mobile app is being used to collect protected health information, the researcher must obtain an assessment from UConn Health’s I.T. department that the app is HIPAA compliant.
- The “Terms of Services” (TOS) and/or “End-User License Agreements” (EULAs) associated with the mobile apps and devices are between the user and the service/provider, not the user and the researchers. Agreeing to TOS/EULA is different from consenting to participation in research. These agreements may require review by the IRB because they are materials for the subjects, and may include information that would affect a subject’s decision to enroll in a study. Differences between these documents and the consent form should be communicated to the subject.
- When the research may result in collection of incidental data (e.g. use of a mobile fitness app), the researchers must indicate to the IRB what incidental data they may collect, and if this data will be disclosed to subjects. In addition, investigators should clarify whether they will keep that data and, if so, provide the plans to protect that data.
UConn Health Institutional Policy for Mobile Devices & Consequences of Non-Compliance with HIPAA Rules
According to UConn Health Institutional Policy # 2008-03 – Mobile Computing Devices (MCD) Security, confidential or restricted data is not authorized to be stored on either UConn Health or non-UConn Health Mobile Computing Devices (MCDs) unless all the criteria below are met:
- The device stores only the minimum data necessary to perform the function necessitating storage on the device.
- Information is stored only for the time needed to perform the function.
- The device requires a password for access and is encrypted using methods authorized by the UConn Health IT Department.
In addition, users may not bypass or disable UConn Health required security mechanisms, and unauthorized physical access, tampering, loss or theft of an MCD must be reported to UConn Health Public Safety.
Failure to adhere to this institutional policy and associated procedures may result in sanctions as per applicable UConn Health policy. Failure to adhere to this policy could also lead to monetary fines imposed by the Office of Civil Rights should a breach occur. For example, the University of Rochester Medical Center (URMC) filed breach reports with the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) in 2013 and 2017 following its discovery that protected health information (PHI) was impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. To settle the violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, the URMC agreed to pay $3 million to the Office for Civil Rights and follow a corrective action plan. A description of their corrective action plan and the two years of compliance monitoring have been posted on the HHS website.
To learn the provisions/controls defined by UConn Health IT Security when using institutionally owned devices or personally owned devices and the MCD user’s responsibilities, please review the Mobile Computing Devices (MCD) Security Institutional Policy # 2008-03.
Clarifying the CDA Process: A Researcher’s Guide to Handling Confidentiality Agreements
By Dr. Cherron Payne, Esq.
The administration of a research study may be an arduous process for researchers and staff. Moreover, the legal aspect concerning research agreements may also be equally perplexing. Thus, this article is intended to clarify the proper procedure for handling confidentiality agreements.
The nomenclature of confidentiality agreements is varied; some agreements are called confidential disclosure agreements, non-disclosure agreements or NDAs, and mutual disclosure agreements. Although the title of the agreement may vary, the agreement serves the general purpose of protecting the confidential information that is disclosed by research sponsors. Confidentiality agreements will hereafter be referred to as a “CDA”.
Before a study commences, the sponsor needs to disclose information for the researcher to evaluate his or her interest in the study. The disclosed information is often confidential because it contains proprietary information or trade secrets often in the form of models, prototypes, notes, diagrams, documents, reports, memoranda, and other forms of intellectual property. Therefore, it is imperative that researchers manage confidential information in accordance with the terms and expectations of the CDA. A researcher’s failure to properly safeguard confidential information may impose serious legal ramifications upon UConn Health. Moreover, breaching the terms of a CDA, or improperly disclosing confidential information, may also cause study sponsors to cease sponsoring UConn Health’s research.
Procedural Steps for Researchers
In order to avoid legal pitfalls, there are specific steps that a researcher or principal investigator (“PI”) must follow when a confidentiality agreement is received.
- The PI should first e-mail the CDA to the proper contract specialist. The PI should also e-mail the research sponsor’s contact information to the contract specialist. If the researcher is uncertain as to the appropriate contract specialist, then the researcher may contact Sponsored Program Services at 860-679-4040, by e-mail at email@example.com, or by reviewing the website of the Office of the Vice President for Research at https://ovpr.uchc.edu. The PI should never sign a CDA or agree to its terms without a contract specialist negotiating the agreement.
- If a PI receives a research study agreement without receiving a CDA, the researcher should (a) ask the study sponsor to send a CDA or (b) ask the contract specialist to request the CDA. The study agreement should not be negotiated before the CDA has been negotiated and signed.
- While negotiating the CDA, the contract specialist may have questions for the researcher or may require additional information. Researchers must furnish said information in a timely manner to avoid a delay in the negotiation.
- After the CDA has been negotiated, it is sent to the principal investigator for signature. The PI should read the agreement before signing, in order to be cognizant of the CDA terms and to properly safeguard confidential information. If there are any questions regarding the terms of the agreement, a PI may ask the following contacts for clarification: (a) the contract specialist, (b) the Director of Sponsored Program Services at firstname.lastname@example.org, or (c) the Executive Director, Sponsored Program Services and Faculty Services at email@example.com.
- After the CDA has been reviewed, the researcher signs the agreement and promptly returns it to the contract specialist.
When the contract specialist receives the fully executed CDA, a copy will be returned to the researcher or the research staff. A fully executed copy of the CDA should be retained by the researcher to ensure compliance with the agreement.
Recent Articles Published by Central IRBs
Reporting to the IRB: What NOT to Report: This article provides an overview of what the regulations do and do not say about IRB reporting requirements.
Should Social Media Be Part of Your Research Toolbox? This article discusses the benefits, the risks and the applicable regulatory requirements when using social media for recruitment and retention.
Western IRB (WCG):
An Overview of the Recent SACHRP Recommendations Around Payments in Clinical Research: The U.S. Department of Health and Human Services Secretary’s Advisory Committee on Human Research Protections (SACHRP) has approved two sets of recommendations regarding payments in research. The first set of recommendations identified a number of considerations for IRBs when evaluating the acceptability of incentive payments. The second set of recommendations addresses those studies that ask potential research participants to bear some or all of the cost of the research. SACHRP issued several questions prospective subjects and IRBs should ask when participants are required to pay for access to the experimental intervention.
How to Mitigate Placebo Response, Test, Train and Control Expectations in Analgesic Clinical Trials: This article discusses the importance of training patients to be able to report their symptoms more accurately and the importance of staff training.
IRB Forms – Update
The Pharmacy section of Appendix A to the application and the application checklists have been revised to reflect the change in pharmacy contact to Jennifer Czerwinski, 860-679-2085, firstname.lastname@example.org.
The HIPAA Request for Alteration or Waiver of Authorization.doc was modified to allow a brief description of the PHI to be used/accessed with reference made to documents within the submission that describe the information in more detail.
The HIPAA authorization form was revised to delete reference to the Office of Research Compliance as it is no longer a stand-alone office and to change reference to John Dempsey Hospital to UConn Health and to change HSPO to HSPP.
The Human Subject Research Determination form was revised to provide more instruction regarding the attachment of documents related to the funding source of a project.
The instructions for reliance on ADVARRA IRB were revised to reflect changes to the consent language template and the instructions for reliance upon WIRB were revised to add reference to the site number assigned to UConn Health.
Why should I register my study on ClinicalTrials.gov?
- If you wish to comply with the ICMJE policy (followed by the BMJ, JAMA and many other journals) requiring registration as a condition of consideration for publication, you may voluntarily register your study with ClinicalTrials.gov. You must register prior to subject enrollment.
- If your clinical trial is NIH funded, in whole or in part, you are required to register the study and report results on ClinicalTrials.gov.
- If your clinical trial is funded by a Federal department or agency, the Revised Common Rule requires that your consent form be posted on a public platform, like ClinicalTrials.gov, after the trial is closed to recruitment, and no later than 60 days after the last subject visit.
- If your clinical trial evaluates at least one drug, biological, or device product regulated by the FDA (See this decision checklist for more details), regardless of funder, you are required to register and post results on ClinicalTrials.gov.
For assistance with ClinicalTrials.gov, see our webpages and contact UConn Health’s ClinicalTrials.gov Administrator, Ellen Ciesielski (860.679.6004) in Research Integrity and Compliance Services.
All methods and materials to recruit participants for research require IRB review prior to implementation. Please be sure all recruitment materials (e.g., text of announcement) are IRB-approved before submitting an announcement for publication. Announcements must include IRB# and name of approving IRB (if not the UConn Health IRB). For guidance, visit: UConn Health IRB and Guidelines for submitting recruitment announcements