These FAQs are related to the requirements for the Age and Identity Verification standard operating procedures (SOPs) as outlined in the DAIDS Site Clinical Operations and Research Essentials (SCORE) manual in the section on Screening, Enrollment, and Unblinding. Please contact your OCSO PO with any additional questions.
Standard Operating Procedure (SOP) - Timeline
CRSs will have approximately three months to develop their SOPs and get them approved by the local IRB/EC. Please make sure to consult with local community groups as to acceptable practices for inclusion in the SOP. Please submit the SOP to the local IRB/EC or other local institutional body and file their approval before implementing the SOP.
No, it does not.
Once finalized, submit to the local IRB/EC or other relevant institutional body for review and approval. This ensures that a local body tasked with the oversight of participant safety and wellbeing is reviewing the procedure and verifying that it is acceptable within the context of local and country laws or regulations. DAIDS provides an introductory letter template which explains the rationale for the requirement and the requested review, and which can be edited to suit the individual needs of CRSs when submitting the SOP for review. Although many sites also use a centralized or single IRB (sIRB) for some studies, we are looking for the approval of the local IRB/EC, which will have knowledge and context regarding the local population and laws that a centralized IRB may not.
The SOP can be implemented at the CRS once final approval of the SOP(s) is received from the IRB/EC or other institutional body. If the IRB/EC or other institutional body has declined to review or approve the SOP, please request documentation of this for filing at the CRS with the SOP. After all approvals and/or documentation are received and on file, CRS staff are to be trained on the SOP prior to its implementation. DAIDS expects all SOPs to be implemented within approximately three months of the CRS awareness of the requirement.
SOPs - Content
CRS clinical and regulatory staff should develop the SOP in conjunction with community groups/Community Advisory Board (CAB) and any other relevant institutional bodies.
CRSs are not required to use the SOP template provided by DAIDS. However, reviewing the DAIDS-provided template and associated guidance document can provide insight into what an appropriate SOP might include.
If an existing CRS SOP also includes details about how age and identity are verified, the CRS can choose to submit it to the IRB/EC and explain which parts the IRB/EC are being asked to review. However, if an SOP that includes age and identity verification does not already exist, or does not comply with the current requirements, it may be worthwhile to create a separate SOP, just for ease of submitting for IRB/EC review and getting approval. If a new SOP is created because the current one does not meet DAIDS requirements, the CRS will need to address the former SOP by updating it to remove the age and identity verification information or obsoleting it altogether. DAIDS will leave it up to each CRS. If the process has not been approved by the IRB/EC, please submit the SOP with a cover letter explaining what the CRS is asking the IRB/EC to review. CRSs that have this process included in other SOPs should be prepared to explain this to monitors and/or regulatory inspectors and show them where the procedure is located, as well as the IRB/EC approval for that procedure/document.
Yes, a CRS can choose to use an overarching CTU SOP, or create its own SOP. This is up to the discretion of the CRS and CTU, and the decision should be based on the populations that each CRS serves. If a CTU SOP is used as a starting point, each CRS must have the opportunity to review and make revisions as required to make sure it fits within their own unique workflow and addresses situations unique to potential participants of the CRS.
The SOP will still need to be approved by each CRS’s local IRB/EC if they use different ones.
The SOP applies to all DAIDS sponsored protocols being conducted by the DAIDS Clinical Trials Networks.
CRSs should plan to implement this SOP for ongoing protocols as soon as it is approved by the IRB/EC or other institutional body. The SOP will need to define how the CRS will implement the procedure for already enrolled participants and new enrollees in ongoing protocols, as well as how this will be implemented for new protocols.
The initial age and identity verification must be done at the first visit, before the person participates in the study. In general, the initial verification happens during the consenting process at screening and enrollment and before any study-related procedures are performed.
It is important to confirm identity at every visit to ensure that the same participant is presenting for each study visit. This guarantees that each study participant receives the correct study intervention and/or procedure (e.g., that the participant is dispensed/administered the assigned study product). Mistakes associated with a participant receiving an incorrect study intervention can pose significant risk to the study participant and have a negative impact on the study’s data integrity. For example, several DAIDS CRSs identified some participants that shared their ID with a non-participant. Another example is when participants were administered the wrong study product because the participant’s identity was not verified before the product was administered. Confirming participant identity at every visit facilitates protocol compliance and mitigates associated risks.
Introduce the concept of confirming ID at every visit to study participants while the SOP is being developed, before you implement the new process. Assure participants of the CRS’s commitment to protecting their safety and wellbeing and educate them on how the new process will strengthen that commitment.
Consult the local CAB for recommendations on how best to communicate any new processes before implementation and seek their assistance in communication efforts.
Communication with Community/Participants
Assure participants that verifying their age and identity is an important step in ensuring their safety, as well as ensuring that the scientific objectives of a study can be achieved. The IRB/EC-approved consent/assent for screening and study participation may need to be updated to inform the potential participants about this requirement (if required by IRB/EC).
Assure participants that this step is important in ensuring both their safety and the study data integrity. At many CRSs, showing ID is already a normal part of routine procedure. The more this process can be normalized the less stressful it will be. Sharing information with participants on how their data is being used, stored, and protected can also help ease participant apprehension.
Each CRS should include in the SOP their procedure if participants refuse to have identity confirmed. Will participants be allowed to continue in the study? How will the refusal be documented? Although this is not ideal, if the local IRB/EC agrees with the CRS’s plan by approving the SOP, this is what the CRS will follow if participants refuse.
Other
Starting 2Q2021, Monitoring Contractors will verify that an SOP is in place along with documentation of its approval from the IRB/EC or other institutional body. Monitors attest to the presence of documentation in each participant’s record verifying age and identity before enrollment and at each subsequent visit per the CRS’s SOP.
Every National Institutes of Health (NIH)-supported clinical trial is covered under a Certificate of Confidentiality (CoC). A Certificate of Confidentiality (Certificate) protects the privacy of research participants enrolled in biomedical, behavioral, clinical, or other research. With limited exceptions, researchers may not disclose names or any information, documents or biospecimens containing identifiable, sensitive information. The Certificate prohibits disclosure in response to legal demands, such as a subpoena.
Certificates protect names or any information, documents, or biospecimens containing identifiable, sensitive information related to a research participant. This is defined as "covered information" in the Issuing Certificates of Confidentiality policy. In addition, if there is at least a very small risk that information, documents, or biospecimens could be combined with other available data sources to determine the identity of an individual, then they are protected by the certificate.
However, certificates may not be effective for data held in countries outside the U.S. DAIDS recommends that these protections be discussed with local IRB/EC or CRS’s legal counsel to determine if CoCs are effective in the local area, if the local government or law enforcement can compel a CRS to provide any private identifiable information for participants (such as name and photo), and what mechanisms can be employed to protect their privacy and the confidentiality of the data.
More information about CoC can be found on NIH Grants & Funding Frequently Asked Questions.
U.S. Health Insurance Portability and Accountability Act (HIPAA)/Privacy FAQs
The U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its regulations [45 CFR Parts 160, 162, and 164] provide protections for the privacy and security of Protected Health Information (“PHI”) and regulate the use and disclosure of this information.
45 CFR §160.103
Age, the fact of treatment, and other personal identifiers are part of this PHI. In order to disclose PHI to another CRS or institution for the purpose of co-enrollment prevention, the participant must either authorize such a disclosure, or the disclosure must fall under one of the exclusions provided in the HIPAA regulations. In the context of research, a HIPAA authorization may be included in the study’s informed consent form, or it may be a separate document. The requirements for a HIPAA authorization are provided in 45 CFR §164.508(c). Included are requirements for descriptions of who may use and disclose PHI, who may receive PHI, and the purpose of a disclosure. For example, “The Principal Investigator and research staff will share your PHI with other people and groups to help conduct the study or to provide oversight for the study” is a commonly used phrase in HIPAA authorizations. The regulation requires that such a description be provided, but it is not necessary for it to be specific – the persons can be a class of persons, and the description of the purpose can be very broad, as described above. It is also possible to add an item specifically stating that PHI will be disclosed to other CRSs to monitor co-enrollment.
A disclosure for the purpose of co-enrollment prevention falls under one of the exceptions permitted for the purposes of healthcare operations, e.g., a covered entity may disclose PHI to another covered entity for the purpose of ensuring compliance. 45 CFR §164.506(c)(4)(ii). A disclosure made under this exception must be made according to the “minimum necessary” standard of HIPAA: “the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
45 CFR §164.502(b)(1)
The impact of HIPAA on age and identity verification will mainly be in the context of HIPAA security. Once this information has been collected in accordance with the requirements of the HIPAA Privacy regulations, it must then be protected in accordance with the requirements of the HIPAA Security regulations. These requirements are found in 45 CFR Part 164 Subpart C. In general, this section mandates that the confidentiality, integrity and availability of PHI must be protected. The particular safeguards will depend on the system an institution uses to collect, maintain, and transmit PHI. The safeguards, categorized as “Administrative”, “Physical”, and “Technical” include everything from locking papers in a file cabinet to managing passwords, to encrypting data, to having a plan in place in the event of a breach. Your institution should have policies and procedures in place to address these issues.
It is very important when determining the applicability of HIPAA to know the HIPAA “Covered Entity” structure of your institution. Typically, a health care facility is a “Covered Entity,” in that HIPAA applies to the activities of all the components of that facility. A university, on the other hand, is frequently a “Hybrid Covered Entity,” and in such cases HIPAA applies only to some of its components. Such an entity is not required to include research as one of its covered components; and so, unless that research includes treatment and billing, HIPAA does not apply. What would otherwise be PHI is treated as personally identifiable information (PII). In most institutions, the HIPAA Security Rule applies to PII in the same way that it applies to PHI.
The IRB, Compliance and Information Technology (IT) websites for the institution will contain policies and procedures, guidance, and forms for addressing these issues at the institution, and members of those offices should be available to help. In case of questions, contact the institution Compliance, IT security, and/or Office of General Counsel, as appropriate.
For further guidance on HIPAA issues, see the website of Office of Civil Rights for the Department of Health and Human Services:
“PHI” is health information created or received by a healthcare provider, health plan, or healthcare clearinghouse which relates to:
- The past, present or future physical or mental health or condition of an individual.
- The provision of health care to an individual.
- The past, present or future payment for the provision of health care to an individual.
- Information that identifies the individual or creates a reasonable basis to believe that the information can be used to identify the individual.
- Information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any form or media.
PII is generally described as any information that can be used to identify, contact, or locate an individual, either alone or in combination with another source. It is not, however, subject to HIPAA, and is therefore not PHI. Even though the HIPAA Privacy Rule does not apply here, most institutions do protect this information in accordance with the HIPAA Security Rule.
The European Union Data Protection Regulation (“EU GDPR”) applies to the personal data of individuals located in the European Union (actually the European Economic Area (“EEA”) which consists of the European Union and Norway, Liechtenstein, and Iceland). It went into effect on May 25, 2018. The EU GDPR has very broad and very strict protections for all personal data, not just healthcare information. Personal data is defined as “…any information relating to an identified or identifiable natural person (‘data subject’).” Consequently, a “participant” in clinical research would be a “data subject” under the GDPR. The EU GDPR also applies to institutions located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. If the EU GDPR applies to participants, it becomes necessary to obtain affirmative consent, to have EU GDPR policies and procedures in place, and to have an IT infrastructure that meets the requirements of the EU GDPR. In particular, under the GDPR, participants have a wide range of rights to access their personal information under this regulation, including a “right to erasure” or the “right to be forgotten.” The institution Compliance and IT websites will contain policies and procedures, guidance, and forms for addressing these issues at the institution, and members of those offices should be available to help. In case of questions, contact the institution Compliance, IT security, and/or Office of General Counsel, as appropriate.
References:
- EU GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Biometric data is one of the 18 HIPAA identifiers, and any data collected in this manner is subject to both the HIPAA Privacy Rule and the HIPAA Security Rule. Such data should be maintained (stored) and transmitted in accordance with the provisions of the HIPAA Security Rule. Note, an electronic co-enrollment system that uses biometrics may also be subject to FDA’s regulations for Electronic Records; Electronic Signatures. As this is a relatively new technology, it is important to seek guidance from the Compliance office, the IT department, and any other offices or groups that might be relevant. As of this date, three states have passed specific legislation protecting biometric data (Illinois, Washington, and Texas). Another six states, plus New York City, have pending legislation, and many states have amended their data breach laws to include biometric data. It is extremely important to be aware of the laws in your state.
References:
- 45 CFR §164.308
- 45 CFR §164.310
- 45 CFR §164.312
- 21 CFR Part 11
There are three main issues receiving attention from IRBs/ECs: participant safety, invalidation of study data, and financial loss to an institution. Two more are the potential for damage to the reputation of the researcher and the institution, and investigation by a sponsor and/or government agency.
Participant safety concerns include the following:
- Mixing study drugs from more than one study.
- Providing drugs to a person who is too young.
- Providing study drugs to a person who is not who they say they are.
- Undergoing too many procedures, like blood draws, which can be unsafe.
Concerns about the validity of the data collected include:
- Having to invalidate the data from the entire study.
- Being unable to draw meaningful conclusions from the data collected.
- Possible investigation by sponsor and/or government agency.
- Financial loss and potential damage to reputation.
Institutional concerns may include:
- Regulatory compliance violations.
- Possible investigation by government agency.
- Financial loss.
- Potential damage to reputation.
Finally, many of these can reflect unfavorably on the IRB/EC.
Within each institution, talk to study teams, researchers, the Office of Clinical Research, and any other group that may be knowledgeable about these issues and have opinions to offer. The CRS should explain how the above concerns are mitigated by the CRS’s SOP. This explanation can be in the SOP itself, and also in additional information provided to the IRB/EC with the SOP.
If the IRB/EC has further concerns, a useful approach might be to provide more specific data. How many times have each of these issues arisen in your institution? Geographic area? Topic of particular study? As these issues have become more common, more information has become easily available. Within each institution, talk to study teams, researchers, the Office of Clinical Research, and any other group that may be knowledgeable about these issues and have opinions to offer.
As a first step, be sure that information is obtained using the proper HIPAA authorization process. Then make sure that information is protected according to the HIPAA requirements, as described above, whether it is stored as hard copy or electronically. For papers, this is defined as being locked up in a cabinet or drawer, and preferably in a locked cabinet within a locked room of limited access. If the information is stored electronically, the controls described in the HIPAA Security Rule should be used. These procedures should be part of the institutional policies. Be sure that access to this information is limited to those who need to access or use it for this purpose.
Yes. Each CRS would need to determine the approach that works best. One approach would be a code to link back to a record. Consult your IRB/EC and any other institutional office as appropriate.