HHS/FDA Proposed Deregulations: Recommendations for HIPAA and IRB’s approval and informed consent process

The US Executive Branch’s  Spring 2019 Unified Agenda of Regulatory and Deregulatory Actions is out, and HHS/FDA have identified for deregulation, among other things, the current IRB approval process in order to allow any U.S. clinical site to rely on the approval of just one IRB in order to conduct a study at that site.  All proposed rule changes were made by the agency in response to the Administration’s request for all agencies to identify “ineffective regulations” and propose deregulations to meet the Administration’s objectives to streamline and improve “cost effectiveness” (although it is not clear whether it is HHS that would see economic benefit).  

Institutional Review Board Proposals

  • Title: Institutional Review Boards; Cooperative Research 
    • Abstract: This proposed rule would replace current FDA requirements for cooperative research such that any institution located in the United States (U.S.) participating in multisite cooperative research would need to rely on approval by a single Institutional Review Board (IRB) for that portion of the research that is conducted in the U.S., with some exceptions.  This proposed rule would also establish an IRB recordkeeping requirement for research that takes place at an institution in which IRB oversight is conducted by an IRB that is not operated by the institution.

  • Title: Institutional Review Board Waiver or Alteration of Informed Consent for Minimal Risk Clinical Investigations
    • Abstract: This proposed regulation would permit an Institutional Review Board (IRB) to waive or alter the informed consent requirements under certain conditions for minimal risk clinical investigations. This would facilitate certain minimal risk clinical investigations to support the development of new products to diagnose or treat disease and would harmonize with the HHS Common Rule waiver provision that has been adopted and successfully employed by other agencies. This proposed regulation is intended to aid patient access to new products by facilitating investigators’ ability to conduct studies that may contribute substantially to the development of products to diagnose or treat diseases or conditions, or address unmet medical needs.

Health Insurance Portability and Accountability Act of 1996 (HIPPA) Proposals

Also proposed is the “removal of barriers” created by HIPAA compliance, which is especially interesting in light of the fact that, in 2018, the Office of Civil Rights set an agency record in HIPAA enforcement activity by levying fines totaling $28.7 million (against MD Anderson, Boston Medical Center and Brigham’s and Women’s Hospital and MGH, among others).   All proposed rule changes were made by the agency in response to the Administration’s request for all agencies to identify “ineffective regulations” and propose deregulations to meet the Administration’s objectives to streamline and improve “cost effectiveness” (although it is not clear whether it is HHS that would see economic benefit).

  • Title: HIPAA Privacy; Changes to Support, and Remove Barriers to, Coordinated Care
    • Abstract: This proposed rule would publish for comment proposals to modify provisions of the HIPAA Rules which present barriers that limit or discourage coordinated care and case management (including care coordination challenges arising from the opioid crisis) among hospitals, physicians (and other providers), payors, and patients, or otherwise impose regulatory burdens that may impede the transformation to value-based health care without providing commensurate privacy or security protections for patients’ protected health information (PHI) and while maintaining patients’ ability to control the use or disclosure of their PHI and to access PHI. This proposed rule would subsume the previous 0945-AA09 entry in the Regulatory Agenda.

Other HHS/FDA Proposals

The Office of Management and Budget’s Office of Information and Regulatory Affairs website has a synopsis of each regulation identified for “deregulation” by HHS/FDA, but the links to the meeting minutes for each proposal are inactive and the webpages with proposals under the Fall 2018 Unified Agenda are no longer active on the FDA website; it is not possible at this time to substantively review and compare the data (some of the HHS Spring 2019 proposals are updates to 2018 proposals) via the web.  Below is a list of changes we’ll be tracking as more information is made available as part of the public comment period:

  • Title: Definition of the Term “Biological Product” 
    • Abstract: The Food and Drug Administration (FDA) proposes to amend its regulation that defines biological product to conform to the statutory definition (21 U.S.C. 262) adopted in the Biologics Price Competition and Innovation Act of 2009. 
  • Title: ●HHS Policy for the Protection of Human Research Subjects: Update to Subpart E (IRB Registration) 
    • Abstract: This rule would amend subpart E of 45 CFR part 46 (Institutional Review Board (IRB) Registration) to align subpart E with recent amendments to the basic HHS Policy for the Protection of Human Subjects (subpart A of 45 CFR part 46, also known as the Common Rule) and to give effect to one of the policy goals of the subpart A revision (i.e., eliminating unnecessary administrative burden on IRBs and institutions regulated under 45 CFR part 46). The general compliance date of amendments to subpart A of 45 CFR part 46 was January 21, 2019.
  • Title: Part 50 Protection of Human Subjects and Part 56 Institutional Review Boards
    • Abstract: This proposed rule would harmonize, to the extent practicable and consistent with other statutory provisions, several sections certain provisions of FDA’s regulations on human subject protection and institutional review boards with the recently revised “Federal Policy for the Protection of Human Subjects” (the revised Common Rule (45 CFR 46, subpart A)). The rule also proposes minor amendments to related regulatory provisions.
  • Title: Updates to 1974 Privacy Act Regulations
    • Abstract: This rulemaking will update regulations at 45 CFR part 5b, which detail how the Department implements requirements of the Privacy Act of 1974, as amended (5 U.S.C. 552a).

Public Review is Open for Comment: ICH Draft Revision of Guideline on General Trial Design and Conduct

The draft 2020 ICH(E8)R1 is three times the length of the original and is available for Sponsor comment. The ICH has taken its many years of data and identified principles which, among other things, will facilitate the acceptance of sponsor data worldwide, help ensure subject recruitment by involving subjects in study design and placing an emphasis on quality at every step of a trial.

Patient Input into Study Design

Patient organizations have already weighed in the updated Guideline reflects this critical input. Designing a study which fits the patients’ lifestyle (considering their disease state), will ensure that the drug itself will be better tailored to the population that will actually use the drug, post-approval.  From ICH(E8)(R1) 2.3:

“Involving patients at the early stage of study design is likely to increase trust in the study, facilitate recruitment, and promote adherence, which should continue throughout the duration of the study. Patients also provide their perspective of living with a condition, which contributes to the determination of endpoints that are meaningful to patients, selection of the right population, duration of the study, and use of the right comparators.”

Investigator Input into Study Design

ICH(E8)(R1) offers very early-stage study planning guidance and, not unexpectedly, it has found that reliance on just a few key opinion leaders for study design has to be augmented by opening the study to challenge by other subject matter experts: subjects and the potential investigators. From ICG(E8)(R1) 3.3.3:

“Clinical investigators and potential study subjects have valuable insights into the feasibility of enrolling subjects who meet proposed eligibility criteria, whether scheduled study visits and procedures may be overly burdensome and lead to early dropouts, and the general relevance of study endpoints and study settings to the targeted patient population”

Create a Sponsor Culture that Supports Open Dialogue

Interestingly, the ICH has identified a critical Sponsor success factor as “Establishing a Culture that Supports Open Dialogue” [ICH(E8)R1, 3.3] by rewarding team and individual critical thinking and encouraging open dialogue to go beyond “reliance on tools and checklists”. From the Guideline:

“Choose quality measures and performance indicators that are aligned with a proactive approach 169 to design. For example, an overemphasis on minimising the time to first patient enrolled may result in devoting too little time to identifying and preventing errors that matter through careful design.”


“Study designs should be operationally feasible and avoid unnecessary complexity and unnecessary data collection. Patient consultation early in the study design process contributes to these factors and would be likely to result in fewer protocol amendments.”

Deemphasize Factors Such as First-Patient-In

The Guideline suggest that shifting team focus onto high-level quality goals in the planning stages, as opposed to micro-goals tied to enrolment, will contribute to overall study success:

“Choose quality measures and performance indicators that are aligned with a proactive approach to design. For example, an overemphasis on minimising the time to first patient enrolled may result in devoting too little time to identifying and preventing errors that matter through careful design.”


“Consider whether nonessential activities may be eliminated from the study to simplify conduct, improve study efficiency, and target resources to critical areas.” [ICH(E8)(R1) 3.3.2]

Guidance on Operational Criteria

The Guideline provides Sponsor guidance to help achieve another critical success factor:  proactive, routine communication of changing study priorities and ongoing risks mitigation activities to its study sites, as site understanding of priorities and necessary resource allocation will enhance the correct implementation of a study protocol (ICH E8(R1). One possible solution would be implementation of sub-program management team, with an emphasis on crafting routine communication to update investigators on the changing study priorities (outside of the Protocol) and any operational issues such as drug availably, delays in safety reporting by other study sites and whatever else a sponsor may think a site needs to know to increase its investigators knowledge of the drug.

The draft is currently under public consultation. Stakeholders may submit comments or questions to step2comments@ich.org

Read the draft guideline here: https://bit.ly/2Jyzzjl


Clinical Trial Data Transfer In The Aftermath Of No Deal Brexit

Quick Refresher: As established by the EU GDPR when it first took effect in May 2018, any company that handles the data of any EU citizens – whether or not that company is based in the EU – must adhere to stringent GDPR regulations regarding data privacy and protection.  Data can include anything from name, email address, medical information or biospecimens. But now that the UK is withdrawing from the EU and no longer covered by the GDPR as an EU Member State, what does that mean for data privacy and the flow of clinical study data, such as adverse events reports, samples and central lab data?

What Happens to Data Protection Services and Appointment of UK Entities as Sponsor Representatives under GDPR?

Amidst the many uncertainties raised by a hard Brexit, questions exist as to what steps US sponsors should take to ensure their study data continues to move across borders without interruption – in particular, whether the current data representative services agreements with their CROs will be, well, moot or functional after Brexit. We at CA have noticed that many of the CROs party to our client’s data representative services agreements (agreements by which one engages a CRO to perform a sponsor’s EU data controller obligations and appoints the CRO to be its EU DPR under the GDPR) enter into them using their UK entities. Questions about the validity of these agreements will not be definitively answered until after the UK strikes a deal with the EU, or, alternatively, the UK crashes out of the EU with no deal. For now, the sponsor can only attempt to prepare and plan for any possible Brexit outcome as the future is unknown.  It is clear that no US sponsor study data can be processed in the EU without a validly appointed data protection representative (again, this appointment is a longstanding EU and now a GDPR requirement for US sponsors with no EU presence), but it is not clear whether or not the remaining EU member states will accept or recognize the appointment of a UK CRO.

Remember, the UK will still need to comply with GDPR, even though it’s no longer a member state of the EU due to GDPR’s extraterritorial reach. However, in the absence of a Brexit deal, the UK will become a “third country” and will be tasked with proving to the EU that its data protection laws (the UK Data Protection Act, more below) are “adequate”, or compliant with GDPR standards to allow for seamless data transfers to the UK from the EU.

A best practice for companies would be to carefully track the impact of Brexit on processing data of EU citizens in the next 50 or so days. The UK Information Commissioner’s office has published some helpful information. If it seems like the company’s data flows might be negatively impacted by a no-deal Brexit or the UK’s status as a third country with no adequacy rating, then the company should consider implementing contract-based mechanisms that would help mitigate any interruptions in data sharing. In some instances – but not all – certain contractual clauses could be drafted to allow data transfers from the EU to the UK. The EU model contact clauses, which can be used to amend existing agreements to ensure adequate, can be found on the European Commission website.

How does the UK Data Protection Act Differ from the EU GDPR?

The EU GDPR expressly allowed/encouraged the member states to pass local data protection legislation that augmented and worked in tandem with GDPR standards. Germany and the UK were two of the member states that had their local legislation at the ready and right away, the UK Data Protection Act of 2018 was passed. The UK DPA of 2018 Chapter 2 expressly adopts all GDPR definitions and supplements it, and Chapter 3 applies to certain types of “…personal data to which the GDPR does not apply (see Section 21), and makes provision for a regime broadly equivalent to the GDPR for such processing.”

Is the UK ready to amend its legislation to allow uninterrupted transfer of personal data after March 29, 2019?

Yes. The UK government has an existing Department for Digital, Culture, Media and Sport (we have nothing like this in the US, but we should!) and they have a legislative amendment ready to go. It seems as if the UK domestic law will preserve GDPR standards, by amending the UK DPA of 2018 so that “obligations and rights that organisations and data subjects have become familiar with will stay the same”.  It also appears likely that the UK will deem all EU Member States and EEA countries as “adequate” – a rating meaning that the territory employs an appropriate or “adequate” level of data protection safeguards – with the hope that the data flows between the UK and the EU and EEA countries will continue with minimal disruption.

The new legislation is called the “EU (Withdrawal) Act of 2018 (EUWA) and it will retain the GDPR in UK law and make changes necessary to ensure that the UK obtains the “adequacy decisions” its businesses and its government (law enforcement and security agencies need to transfer data too) will need to continue to function after March 29, 2018. EUWA is not final but the technical notice it filed in September 2018 was encouraging in that it anticipates “no deal” and therefore could actually be functioning on Day 1. See, “Data Protection if there’s no Brexit deal”.

Contracts Associates is prepared to help your company successfully navigate the possibility of a no deal Brexit. Our team of attorneys will work to help your company uphold its legal duties and obligations to EU sites and vendors by drafting new contract template terms as needed. We encourage you to contact our office with any questions at 781-598-8000 or by emailing our CEO, Colleen Sproul, at cms@contractsassociates.com


Thanks To ExL For Another Great Due Diligence Summit!

Day 1 of the Summit was informative and the speaker line up was impressive.  I would especially like to thank Jack Swig from North Shore InnoVentures Incubator for inviting me to run his workshop with him. I’ll be blogging about some of the data from the other presenters that I found most interesting and include a link to my own presentation below.

Legal and Contracting Strategies That Maximize Partnerships and Ensure a Successful Due Diligence Process: Contracts Associates eXl Due Diligence Seminar 2015

One “contracting strategy” that is worth mentioning here, but was not part of my presentation, was Astra Zeneca’s Carl Jessop’s plea to innovator companies: “Please, never sign long-term contracts with your suppliers!” Apparently AZ has its own suppliers, thank you anyway.

The Affordable Care Act – In One Act

We have been asked what might the effect of the US Supreme Court’s upcoming decision on the Patient Protection Affordable Care Act of 2010 (PPACA), might be on our clients. The sections of the law that most impact clinical site and vendor agreements are: 1) Section 6002 which requires industry to report to CMS any payments or other transfers of value they furnish to physicians and teaching hospitals, and 2) the Medicare Secondary Payer Rule for reporting payments for treatment of study subject injuries.  As an industry, we have no way of knowing what effect the outcome of the SCOTUS decision will be but we’ll be paying attention to the impact it will have on these two requirements, specifically.

The US Health and Human Services website has a nice snapshot of PPACA, as it exists today, and I am including it here, as any discussion ultimately devolves into a jumbled dialogue of sorts, that is really just a bunch of talking points that we counter to the best of our knowledge. This is very high level but the full law can be viewed here. Despite the “buzz”, in my opinion, the law is easy to understand. One may fundamentally disagree with certain of its terms but it is an easy read for any native English speaker.

From HHS:

About the Law

The Affordable Care Act puts consumers back in charge of their health care. Under the law, a new “Patient’s Bill of Rights” gives the American people the stability and flexibility they need to make informed choices about their health. View Key Features of the Affordable Care Act or read a year-by-year overview of features.




Content created by Assist. Sec./Public Affairs – Digital Communications Division Content last reviewed on November 14, 2014


MA BIO CRO Symposium

Looking forward to re-connecting with some of our clients and other industry colleagues on Monday, May 5th at the MA BIO CRO Symposium. I will be facilitating one of the Roundtable discussions: “Legal and Contracting Strategies That Maximize CRO Partnerships and Ensure Success”.  Please stop by to say “hi” if you are attending.

Boston Strong

Thank you Diana!

I cannot thank Diana S. (one of our clients) enough for sending us our own copy of the Sports Illustrated Boston Marathon retrospective! We were working on a project together that fateful week and, although her office is in New Jersey, I really felt as if we were experiencing the bombing, manhunt and lockdown together.

For those of you who do not live in Boston, this may not seem like a big deal but copies of this SI edition flew off of the shelves and, as much as I wanted to have one, I could not find one. Luckily, Diana’s husband works for SI; proving once again that it is good to have friends with connections!




Not so fast: NY’s highest court rules that “lost profits can sometimes be general (or direct) damages”

Whether or not it makes sense to waive all indirect and consequential damages in a services agreement is a question for another day (we think it is not, by the way) but a recent ruling in Biotronik v. Conor Medsystems Ireland calls into question a contract term that we thought was enforceable: a limitation of liability clause that precludes consequential damages.

Before we get into this ruling, it is worth mentioning that Contracts Associates prefers to exclude limitation of liability provisions from contracts in order to preserve the availability of all types of damages permitted under law for claims our clients may against the other party. It just does not seem like sound practice to advise one not to avail oneself of remedies provided by contract law that has carved out adequate remedies for centuries.

Back to the ruling: As contract attorneys, we advise our clients what is means to agree to a clause that precludes recovery for consequential damages which are generally  accepted to be: damages for business interruption, loss of use, data, revenue or profit, whether arising out of breach of contract, tort (including negligence) or otherwise, regardless of whether such damages were foreseeable and whether or not the breaching party was advised of the possibility of such damages.

Here is a synopsis of the case:

Biotronik (the distributor), agreed to purchase stents manufactured Conor, for resale and paid Conor a transfer price for each stent, calculated as a percentage of Biotronik’s net sales. In 2007, Conor recalled its stents from the market and paid Biotronik in accordance with the “Recall” section of the contract. Despite the fact that the contract had a provision restricting the parties to general damages and prohibiting either from obtaining “any indirect, special consequential, incidental or punitive damage”, from the other, Biotronik sued under a theory of breach of contract and sought as its sole damages $100 million in profits it claimed it would have made reselling the stents over the remaining term of the agreement.

Lower courts relied on the contract’s limitation of liability clause but a divided Court of Appeals reversed, and held that, under this particular contract, Biotronik’s lost profits were general (direct), not consequential, damages, and therefore not barred under limitation of liability clause in the parties’ agreement.   

The twist here is that the Court of Appeals made the distinction between lost profits of the non-breaching party that flow from collateral transactions—separate agreements with third parties (which remain firmly on the side of being “consequential”) and lost profits that flow from a provision in the agreement between the two parties themselves 9in this case, the pricing terms). The Court ruling appears to allow lost profits to be considered direct damages only where the profits at issue flow directly from the parties’ relationship under the contract.

Put another way, the Court found that because the whole point of the contract (the “essence of the contract”) was to resell the stents and the manufacturer agreed to use the distributor’s resale price as a benchmark for the dollar amount it would receive from the distributor,  the lost profits suffered by the distributor after the recall flowed directly from the transfer price (paid to the manufacturer) and were therefore direct/general and by definition, recoverable damages. This is surely a $100 million surprise to the manufacturer.

We have clients that sell kits and other goods to distributors and we are currently working on drafting contract terms to protect them. As always, we are here to help our clients navigate these issues. Call us at 617.275.8080 if we can be of any assistance.