managing-research-compliance

# Managing Research Compliance

## Why This Skill Exists

Research compliance encompasses the network of federal, state, and institutional regulations that govern human-subjects research in the United States. The regulatory landscape includes the Common Rule (45 CFR 46), FDA regulations (21 CFR Parts 50, 56, 312, 812), HIPAA (45 CFR Parts 160, 164), NIH policies (financial conflict of interest, data sharing, inclusion), and institutional requirements (FWA, IRB policies, conflict of interest). Non-compliance exposes institutions to federal sanctions (suspension of FWA, debarment from federal funding), participants to unacceptable risk, and investigators to personal liability. This skill provides the operational framework for monitoring, maintaining, and auditing research compliance across a clinical research program.

---

## Checkpoint A — Intake and Scoping

### Required Intake Questions
1. What is the scope of this compliance assessment (institutional program, specific study, specific investigator, specific regulatory domain)?
2. What types of research are conducted (FDA-regulated trials, federally funded non-FDA research, industry-sponsored, investigator-initiated)?
3. What is the institution's Federal Wide Assurance (FWA) number and status?
4. Is there an active Institutional Review Board (IRB) with FDA registration, or does the institution rely on an external/commercial IRB?
5. Are there current or recent compliance findings (FDA 483s, OHRP determination letters, NIH audit findings, sponsor audit findings)?
6. What institutional compliance infrastructure exists (research compliance officer, compliance committee, quality-assurance unit)?
7. What electronic systems support compliance tracking (IRB management system, CTMS, COI management system)?
8. Are there active investigations or corrective action plans?
9. What is the institutional training program (CITI, institutional modules)?
10. What is the regulatory inspection history (FDA BIMO, OHRP compliance evaluation, NIH audit)?

### Required Source Documents
- Institutional FWA terms and conditions
- IRB policies and procedures manual
- Institutional COI policy
- HIPAA research policies
- FDA Form 1572s for active IND studies
- FDA Form 3674 (ClinicalTrials.gov registration certification)
- NIH data-sharing agreements and policies
- Recent compliance audit reports and CAPA plans
- Institutional training requirements and completion records
- Active study regulatory binders (sample for audit)

---

## Step 1 — Map the Regulatory Framework

Identify all applicable regulations for the institution's research portfolio:

### Federal Regulations
| Regulation | Scope | Key Requirements |
|------------|-------|------------------|
| 45 CFR 46 (Common Rule) | All federally funded human-subjects research | IRB review, informed consent, vulnerable populations protections, FWA |
| 21 CFR 50 | FDA-regulated research | Informed consent requirements (overlaps with Common Rule but has FDA-specific provisions) |
| 21 CFR 56 | FDA-regulated research | IRB requirements for FDA-regulated studies |
| 21 CFR 312 | Investigational drugs | IND requirements, investigator obligations, sponsor obligations, safety reporting |
| 21 CFR 812 | Investigational devices | IDE requirements, investigator obligations, sponsor obligations |
| 21 CFR 11 | Electronic records | Electronic records and signatures (audit trails, validation, access controls) |
| 21 CFR 54 | FDA-regulated research | Financial disclosure of clinical investigators |
| 45 CFR 160/164 (HIPAA) | All research with PHI | Privacy Rule, Security Rule, research use/disclosure of PHI |
| 42 CFR 93 | PHS-funded research | Research misconduct (fabrication, falsification, plagiarism) |
| 42 CFR 50 Subpart F | PHS-funded research | Financial conflict of interest (FCOI) |
| 45 CFR 46 Subparts B-D | Specific populations | Additional protections for pregnant women, prisoners, children |

### NIH Policies (Non-CFR but Mandatory for NIH-Funded Research)
- NIH Policy on Inclusion of Women, Minorities, and Children
- NIH Data Management and Sharing Policy (2023)
- ClinicalTrials.gov Registration and Results Reporting (FDAAA 801, 42 CFR 11)
- NIH Genomic Data Sharing Policy
- NIH Policy on Clinical Trial Registration (single-IRB mandate for multi-site trials)

### State Regulations
- State human-subjects protections (may exceed federal requirements)
- State privacy laws (e.g., California CCPA/CPRA, state genetic-information laws)
- State laws on legally authorized representatives

---

## Step 2 — Audit the Institutional Compliance Infrastructure

Assess the structural elements required for compliance:

### Institutional Assurance (FWA)
- Verify FWA is active and covers all applicable research
- Confirm IRB(s) are registered with OHRP and FDA
- Verify the Institutional Official understands their obligations under the FWA

### IRB Operations
- IRB composition meets regulatory requirements (at least 5 members, one non-scientist, one non-affiliated, diversity in background)
- Quorum and voting procedures comply with 45 CFR 46.108
- Review turnaround times meet institutional benchmarks
- Continuing-review cycles are current (no lapses in approval)
- IRB records are complete and retained per institutional policy

### Conflict of Interest Management
- FCOI policy complies with 42 CFR 50 Subpart F (for PHS-funded research) and 21 CFR 54 (for FDA-regulated research)
- All investigators disclose financial interests before research begins and annually
- FCOI management plans are in place for identified conflicts
- COI training is completed within required timeframes

### Training Program
- All research personnel complete required training before engaging in research activities
- Training includes GCP (ICH-GCP E6(R2)), human-subjects protection (CITI or equivalent), HIPAA, COI
- Training is renewed per institutional policy (typically every 2-3 years)
- Training records are centrally maintained and auditable

---

## Step 3 — Conduct Compliance Monitoring

Implement ongoing monitoring across key compliance domains:

### Protocol Compliance
- Monitor protocol deviation rates by study and site
- Classify deviations as major (affecting safety, rights, or data integrity) or minor
- Track CAPA implementation for recurring deviations
- Report major deviations to IRB, sponsor, and FDA (if applicable) per reporting requirements

### Informed Consent Compliance
- Audit consent forms for completeness (signatures, dates, correct version, all pages)
- Verify consent process (adequate time, appropriate setting, qualified personnel)
- Confirm re-consent for protocol amendments and new safety information
- Monitor consent deviations (enrolled without consent, wrong version, expired consent)

### ClinicalTrials.gov Compliance
- Verify registration within 21 days of first enrollment (FDAAA 801 requirement)
- Verify results posting within 12 months of primary completion date
- Monitor for data accuracy (enrollment numbers, status updates, results completeness)
- Non-compliance carries civil monetary penalties of up to $11,569 per day per 42 CFR 11

### Data Integrity Compliance
- Audit 21 CFR Part 11 compliance for electronic systems
- Verify ALCOA+ principles in source documents and CRFs
- Monitor for research misconduct indicators (fabrication, falsification, plagiarism)
- Ensure data are retained for the required period (2 years after NDA approval per 21 CFR 312.62; or per institutional policy if longer)

### Financial Compliance
- Verify clinical-trial invoicing matches contracted activities
- Ensure no billing of research costs to participant insurance
- Monitor investigator compensation against fair-market-value benchmarks
- Audit grant expenditures against approved budgets and allowable costs

---

## Step 4 — Manage Regulatory Inspections

Prepare for and manage FDA, OHRP, and sponsor inspections:

### Pre-Inspection Preparation
1. Maintain inspection-ready documentation at all times (do not rely on pre-inspection scrambles)
2. Conduct mock inspections annually
3. Ensure all regulatory binders are current and organized
4. Verify all essential documents are in the TMF
5. Identify an inspection point-of-contact and escort

### During Inspection
1. Cooperate fully and transparently
2. Provide requested documents promptly
3. Answer questions truthfully — do not speculate; "I'll need to verify that and get back to you" is an acceptable answer
4. Take notes on all observations and questions
5. Do not volunteer information beyond what is requested

### Post-Inspection Response
1. FDA Form 483: Respond within 15 business days with CAPA plan for each observation
2. OHRP determination letter: Respond per the timeline specified in the letter
3. Track all CAPA commitments to completion
4. Implement systemic changes to prevent recurrence
5. Document effectiveness checks for each CAPA

---

## Step 5 — Manage Non-Compliance Events

When non-compliance is identified:

1. **Assessment**: Determine scope (isolated incident vs. systemic), severity (participant safety impact, data integrity impact), and regulatory-reporting obligations
2. **Immediate actions**: If participant safety is at risk, take immediate protective action (suspend enrollment, notify participants, provide medical care)
3. **Reporting**: Report to IRB (unanticipated problem, protocol deviation, non-compliance); report to sponsor; report to FDA (if IND safety reporting criteria met); report to OHRP (if serious or continuing non-compliance per 45 CFR 46.108(a)(4))
4. **Investigation**: Conduct root-cause analysis; interview personnel; review documentation; determine contributing factors
5. **CAPA**: Develop corrective actions (immediate fixes) and preventive actions (systemic changes); assign responsibility and timeline
6. **Follow-up**: Monitor CAPA implementation; verify effectiveness; close out with documentation

---

## Checkpoint B — Compliance Review

1. [ ] All applicable regulations are identified and mapped to institutional activities
2. [ ] FWA is active and IRB registrations are current
3. [ ] COI disclosures are complete and management plans are in place
4. [ ] Training records are current for all research personnel
5. [ ] ClinicalTrials.gov registrations and results postings are current
6. [ ] Protocol deviation rates are monitored and trended
7. [ ] Informed consent compliance is audited regularly
8. [ ] 21 CFR Part 11 compliance is documented for all electronic systems
9. [ ] Inspection-readiness assessment has been conducted within the past 12 months
10. [ ] All open CAPA plans are tracked and progressing toward completion

---

## Quality Audit

- [ ] Regulatory-framework mapping is complete and current (including recent rule changes)
- [ ] No lapsed IRB approvals exist for active studies
- [ ] Financial disclosures are reconciled with institutional COI records
- [ ] ClinicalTrials.gov registration dates comply with the 21-day requirement
- [ ] Data-retention policies meet the longest applicable requirement across all regulations
- [ ] HIPAA authorization or waiver documentation is on file for every study using PHI
- [ ] Research misconduct reporting procedures are documented and personnel are trained
- [ ] Compliance metrics (deviation rates, audit findings, training completion) are reported to institutional leadership
- [ ] All [VERIFY] flags have been resolved or escalated

---

## Guidelines

1. Compliance is a floor, not a ceiling — meeting regulatory minimums is necessary but not sufficient for research excellence
2. Non-compliance reporting is mandatory and time-sensitive — delayed reporting compounds the violation and regulatory response
3. Maintain a culture of compliance: train personnel to report concerns without fear of retaliation; implement reporting mechanisms (hotline, anonymous reporting)
4. Proactive self-assessment (internal audits, mock inspections) is far preferable to reactive responses to external findings
5. ClinicalTrials.gov non-compliance now carries substantial financial penalties — treat registration and results reporting as mandatory obligations, not administrative tasks
6. The 2018 Common Rule revisions introduced significant changes (single-IRB mandate, broad-consent provisions, exempt-category changes) — ensure institutional policies reflect the current rule
7. FDA BIMO inspections are unannounced for cause-based inspections — inspection readiness must be continuous
8. Research misconduct (fabrication, falsification, plagiarism) has the most severe consequences — zero-tolerance policy and clear reporting procedures are essential
9. Mark any compliance gap that may require regulatory notification with [VERIFY] for institutional compliance officer and legal counsel review
10. This skill produces compliance management frameworks — compliance determinations, regulatory notifications, and inspection responses require qualified research-compliance professionals and institutional legal counsel