Attachment A -Public Health Authority and Surveillance Activities

Interpretation of Public Health Authority and Public Health Surveillance Activities,
45 CFR Part 46.102(k), 46.102(l)(2)
Secretary’s Advisory Committee on Human Research Protections, October 20, 2020

Introduction

OHRP is frequently asked to respond to questions from the research community regarding the interpretation and application of 45 CFR part 46.102(k) and (l)(2). While OHRP and other HHS agencies have already considered these questions, OHRP asks SACHRP to independently deliberate the questions below and come to its own objective recommendations. OHRP would be interested in SACHRP’s views even if additional rulemaking were necessary to clarify or modify aspects of the regulations.

The regulatory text is as follows:

45 CFR part 46.102(k)

Public health authority means an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, an Indian tribe, or a foreign government, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

45 CFR part 46.102(l)(2)

Public health surveillance activities, including the collection and testing of information or biospecimens, conducted, supported, requested, ordered, required, or authorized by a public health authority. Such activities are limited to those necessary to allow a public health authority to identify, monitor, assess, or investigate potential public health signals, onsets of disease outbreaks, or conditions of public health importance (including trends, signals, risk factors, patterns in diseases, or increases in injuries from using consumer products). Such activities include those associated with providing timely situational awareness and priority setting during the course of an event or crisis that threatens public health (including natural or man-made disasters).

In the pre-2018 version of the Common Rule, there were a number of categories of exempt research which were presented at 45 CFR part 46.101(b)(1) through (b)(6).  Of note, these are human subjects research, but research that is exempt from the requirements of the Common Rule.  In the revised Common Rule, known as the 2018 Requirements, those exemptions were modified extensively and were moved to 45 CFR part 46.104.  In addition, the definition of research was modified at 45 CFR part 46.102(l) to include four activities which “are deemed not to be research.”  These four activities are commonly referred to as “exclusions,” although that term was not carried over from the NPRM and the Federal Register announcement (Vol. 82, No. 12 /Thursday, January 19, 2017, page 7149) into the 2018 Requirements.  There is some conceptual uncertainty as to whether the four exclusions are not research or alternatively are research that does not require compliance with the 2018 Requirements, similar to the exemptions at 45 CFR part 46.104, but in the end that distinction does not have practical implications and does not need to be resolved in order to apply the exclusions.

Introduction

In this recommendation, SACHRP first answers OHRP’s questions 1 through 8, then provides brief commentary on the draft OHRP guidance “SACHRP Commentary on OHRP draft guidance ‘Activities Deemed Not to Be Research:  Public Health Surveillance 2018 Requirements,’” and third provides an algorithm to apply the exclusion.

SACHRP Opening Comments

SACHRP notes that if a proposed activity does not meet the exclusion provided by 45 CFR part 46.102(l)(2), and it meets the definition of research, then the practical effect is that IRB review will be required unless the activity meets one of the exemptions under 45 CFR part 46.104.  In many cases, if the activity is research, it will be minimal risk (if it has appropriate protections for confidentiality) and may also qualify for a waiver of consent under 45 CFR part 46.116(f).

SACHRP also notes that just because an agency is designated as a public health authority, that does not mean that every activity conducted by the agency is a public health activity, or a public health surveillance activity, or that every department in the agency is conducting public health or public health surveillance activities.  For instance, NIH performs some public health activities, but much of the work NIH does is not a public health activity.

As noted below in various sections, SACRHP recommends that this exclusion be interpreted narrowly.  For instance, this applies to both the definition of public health authority and public health surveillance activity.  If the exclusion is not interpreted narrowly, the effect could be the inappropriate application of the exclusion to research that should be subject to the Common Rule.  

Finally, SACHRP wants to clarify that “grant of authority” as used in 45 CFR part 46.102(k) is not synonymous with the term “grant,” as used to indicate a decision by an agency such as NIH to support a study.  This is clear in the OHRP draft guidance, “Activities Deemed Not to Be Research:  Public Health Surveillance 2018 Requirements,” which says,

Public health surveillance activities that are supported by a public health authority (e.g., through a grant or cooperative agreement), or that are requested, ordered, required, or authorized by a public health authority, also may be eligible for consideration under this provision, even if they are carried out by an entity that is not a public health authority (e.g., academic institutions, health care organizations, nonprofit entities).  (emphasis added)

Therefore, for the purposes of this recommendation the term “grant of authority” references to the definition of “public health authority” in 45 CFR part 46.102(k).  In contrast, the term “grant” references the situation where a public agency (e.g., NIH) is providing support to a public health authority, and thus references the term “supported” as used in the public health surveillance exclusion at 45 CFR part 46.102(l)(2), which says,

Public health surveillance activities, including the collection and testing of information or biospecimens, conducted, supported, requested, ordered, required, or authorized by a public health authority. (emphasis added)

CDC uses a type of financial assistance mechanism similar to a grant, called a cooperative agreement, which is a type of federal support.  When distinguishing a grant of authority from the federal funding mechanisms, a cooperative agreement references “support” as well.

SACHRP Responses

OHRP Question 1.    What entities should be considered to meet the Common Rule definition of a ‘public health authority’? Note that this definition is largely the same as the HIPAA definition, so please consider past applications of this definition in the HIPAA context as well.

(a) If a Federal agency that is a public health authority engages in a partnership with a private institution to conduct public health surveillance activities, should (or might) the institution be considered to be a ‘public health authority’ in this context?  Please consider providing an explanation as to why or why not the institution should (or might) be considered to be a “public health authority.”

The HIPAA definition is below for convenience.

45 CFR 164.501

Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

SACHRP answer to Question 1

SACHRP supports the harmonization of definitions across HHS, FDA and OCR, as evidenced by the creation of the standing SACHRP Subcommittee on Harmonization.  Therefore, SACHRP encourages reliance on past applications of this definition of a “public health authority” in the HIPAA context. 

The Committee does note one significant difference between the definitions; the Common Rule definition includes an agency or authority of “a foreign government” as well as US agencies and authorities, whereas the HIPAA definition is limited to US agencies and authorities.  SACHRP believes that the extension of this exclusion to a foreign government should be interpreted as narrowly as possible, with the only use being the use of US federal funds to conduct public health surveillance activities in the foreign government’s country only.  It should not be used to allow a foreign government to conduct public health surveillance activities in the United States or in a country other than that of the foreign government.

The definition appears to be quite broad.  A plain reading of the regulation indicates that a person or entity acting under a grant of authority from, or contract with, such public agency is also a public health authority.  Therefore, institutions or private companies could meet the definition.

SACHRP answer to Question 1(a)

If a Federal agency that is a public health authority engages in a partnership with a private institution to conduct public health surveillance activities, the private institution should not be considered to be a ‘public health authority’ solely based on the partnership.  The plain reading of the definition is that a public health authority must be an agency or authority of the US or a foreign government.  A private institution does not meet that definition per se.  However, if the partnership involves a “grant of authority from or contract with such public agency,” then the private institution is a public health authority by the definition. 

SACHRP recommends that the grant of authority be interpreted narrowly when a private institution is designated to become a public health authority.  The grant of authority or contract should be clearly limited to a defined public health surveillance activity.  It should not be allowed to extend to other projects or other activities and still be considered to fall under the exclusion.  Furthermore, as noted in the preamble to the 2018 Requirements, “subsequent research using information collected during a public health surveillance activity, for instance, genetic analysis of biospecimens, would not be removed from the definition” of research. (FR Vol. 82, No. 12, Thursday, January 19, 2017, p. 7176.)

Also, SACHRP notes that the preamble describes certain research activities that do not fall under the exclusion.  As noted in the preamble:

“This clarification of current interpretation would not remove the following activities from the definition of “research”: exploratory studies designed to better understand risk factors for chronic diseases, including genetic predisposition, for chronic diseases; exploratory studies designed to elucidate the relationships between biomarkers of exposure and biomarkers of disease; and exploratory studies of potential relationships between behavioral factors (e.g., diet) and indicators of environmental exposures. These types of activities would be considered research because they would not be conducted solely for the purposes described in §__.102(l)(2), and thus would be covered by the Common Rule if they involved human subjects, even if conducted by a federal agency with a public health mandate. Again, they might fall within an exemption, depending on how they are carried out.” (FR Vol. 82, No. 12, Thursday, January 19, 2017, p. 7176)

Finally, SACHRP recommends the grant of authority should be clearly documented in a legal document, which can take several forms, such as an MOU, contract, purchase order or letter.  It should clearly cite to a federal or state law or regulation.  Both the Office of Civil Rights (OCR) and the Centers for Disease Control (CDC) has given examples of such grants.

In the preamble to the Privacy Rule, OCR said:

In some circumstances, a person or entity acting on behalf of a government agency may make a request for disclosure of protected health information under these subsections. For example, public health agencies may contract with a nonprofit agency to collect and analyze certain data. In such cases, the covered entity is required to verify the requestor’s identity and authority through examination of reasonable documentation that the requestor is acting on behalf of the government agency. Reasonable evidence includes a written request provided on agency letterhead that describes the legal authority for requesting the release and states that the person or entity is acting under the agency’s authority, or other documentation, including a contract, a memorandum of understanding, or purchase order that confirms that the requestor is acting on behalf of the government agency.  65 FR 82462, 82547 (Dec. 28, 2000). 

CDC has also addressed this issue in its guidance entitled “HIPAA Privacy Rule and Public Health: CDC Guidance (April 11, 2003),” which says:

Public health agencies often conduct their authorized public health activities with other entities by using different mechanisms (e.g., contracts and memoranda or letters of agreement). These other entities are public health authorities under the Privacy Rule with respect to the activities they conduct under a grant of authority from such a public health agency. A covered entity may disclose PHI to public health authorities and to these designated entities pursuant to the public health provisions of the Privacy Rule. https://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm.

For transparency, the grant of authority should be publicly available and easy for the public to locate, as public health surveillance activities involve issues of privacy.

OHRP Question 2.    How should the exclusion operate when the public health surveillance activities will be wholly carried out by an entity outside of the Federal, State, or local government?  Consider whether there is a distinction if the activities are carried out by a contractor (in which activities are directed by the awarding governmental agency through the terms of the contract, and will provide data back to the awarding agency) versus a grantee (in which activities are proposed by the grantee and are not directed by the awarding governmental agency, and which may or may not result in data being provided back to the awarding agency) versus through a public-private partnership that does not involve an award of funds.  Please specifically consider the following language of the exclusion in these contexts:  “The activity must be limited to that necessary to allow a public health authority to identify, monitor, assess, or investigate potential public health signals, onsets of disease outbreaks, or conditions of public health importance…” (emphasis added).

SACHRP answer to Question 2

First, we note that a plain reading of the regulation is that the definition of a public health authority includes “a person or entity acting under a grant of authority from or contract with such public agency.”  Therefore, it appears that a person or private entity becomes a public health authority when such a grant of authority or contract is in place.  Thus, a government agency or authority can designate a person or private entity to perform all of the functions of the agency or authority, even if that person or private entity does not provide the information back to the agency, because the person or private entity becomes a public health authority. 

Question 2 also asks whether there should be distinctions when the public health surveillance activities are wholly carried out by an entity outside of the Federal, State, or local government, in particular a contractor versus a grantee versus a public-private partnership that does not involve an award of funds. There are distinctions between contractors and grantees that receive support, in that contractors are obligated to fulfill the terms of the contract, which in the case of public health surveillance activities could include a wide variety of responsibilities and requirements.  Recipients of grants (support) for public health surveillance activities are not required to satisfy contractual terms, but are required to meet the regulatory conditions for receiving the grant, and thus generally have more latitude.  It is difficult to make an assessment of public-private partnerships in a similar fashion, as such partnerships can vary greatly in structure and details.  Many will include a contract between the public and private participants, but that is not a legal requirement.  OHPR also asks that SACHRP consider these legal mechanisms in light of the regulatory requirement that the activity “must be limited to that necessary to allow a public health authority to identify, monitor, assess, or investigate potential public health signals, onsets of disease outbreaks, or conditions of public health importance…”   Clearly, the Federal, State, or local government has more ability to ensure the activity is limited to that necessary when a contract is in place, as requirements can be included as terms of the contract. 

OHRP also asks “how should the exclusion operate?” (emphasis added.)  SACHRP believes that to the extent possible, mechanisms should be in place to help ensure that the activity is limited to that necessary to identify, monitor, assess, or investigate potential public health signals, onsets of disease outbreaks, or conditions of public health importance.  However, these mechanisms will vary depending on the legal nature of the relationship.

OHRP Question 3.    What types of activities should be considered to be “public health surveillance activities” for purposes of this exclusion?  Note that this term is used in the Common Rule but is not defined in the Common Rule.  Please consider developing a rubric for analyzing planned activities, including specific rationale as to why certain types of activities should or should not be considered to be “public health surveillance.”  For example, should the purpose of the surveillance activity be solely to inform the decisions or actions that must be made by a public health authority, or to apply study findings to public health practice? Should activities that do not meet this exclusion include disseminating findings to stimulate public health action by others, but not informing the public health authority of actions that it would take to improve public health? 

(a) Please also consider developing illustrative case studies that describe the creation of a repository as the primary study, as well as a repository embedded within a trial. For example, consider whether establishment of a repository containing individually identifiable private information or individually identifiable biospecimens could fall within this exclusion, and what other facts would need to be known in order to address this question. For example, is it relevant if the planned uses of the repository information:

  • Are unknown?
  • Would only constitute non-exempt human subjects research?
  • Would only constitute public surveillance activities that would also meet the conditions of the exclusion?
  • Would require an additional assessment to determine whether they met all the conditions of the exclusion?

SACHRP answer to Question 3

Both the exclusion itself and the preamble include activities that should be considered “public health surveillance activities.”  The exclusion says that such activities are:

  • Those necessary to allow a public health authority to identify, monitor, assess, or investigate potential public health signals, onsets of disease outbreaks, or conditions of public health importance (including trends, signals, risk factors, patterns in diseases, or increases in injuries from using consumer products); and
  • Those associated with providing timely situational awareness and priority setting during the course of an event or crisis that threatens public health (including natural or man-made disasters).

The preamble says that such activities include:

  • Collecting, analyzing, and using data to target public health and disease prevention;
  • Surveillance uses data from a variety of sources, including mandatory reporting of certain conditions, routine monitoring, vital records, medical billing records, and public health investigations.
  • Safety and injury surveillance activities designed to enable a public health authority to identify, monitor, assess, and investigate potential safety signals for a specific product or class of products (for example, the surveillance activities of the FDA’s Adverse Event Reporting System, the Vaccine Adverse Event Reporting System, Manufacturer and User Facility Device Experience database, the Medical Product Safety Network, and the Sentinel Initiative);
  • Surveillance activities designed to enable a public health authority to identify unexpected changes in the incidence or prevalence of a certain disease in a defined geographic region where specific public health concerns have been raised (e.g., the U.S. influenza surveillance system…;
  • Surveillance activities designed to enable a public health authority to identify the prevalence of known risk factors associated with a health problem in the context of a domestic or international public health emergency; 
  • Surveillance activities designed to enable a public health authority to identify the prevalence of known risk factors associated with a health problem in the context of a domestic or international public health emergency; and,
  • Surveillance activities designed to enable a public health authority to detect the onset of disease outbreaks or provide timely situational awareness during the course of an event or crisis that threatens the public health, such as a natural or man-made disaster, and Surveillance activities designed to enable a public health authority to identify the prevalence of a condition of public health importance, known risk factors associated with a condition of public health importance, or behaviors or medical practices related to prevalence of a known condition of public health importance (e.g., surveillance of the prevalence of:  tobacco use, exposure to secondhand smoke, lung cancer, or use of smoking cessation treatments).

SACHRP suggests the following additions to this list.  Public Health Surveillance activities may be categorized as either passive or active. Passive surveillance systems involve the routine submission of data into data repositories that are used for ongoing analysis and assessment of public health issues. These systems rely upon awareness of the existence of these systems, and the initiative of individuals to file appropriate reports. Examples include FAERS and VAERS (maintained by the FDA), which are used to monitor the safety of licensed drugs and vaccines, respectively. Another example is the notifiable disease reporting system, which is used to track trends in the number of cases of certain infectious diseases (maintained by the CDC). Passive surveillance systems are typically conducted indefinitely. In contrast, active surveillance systems are typically fit for purpose activities that involve the active solicitation of reports by those conducting the surveillance activities. These are generally more labor-intensive, shorter in duration, and may be used for a range of activities, from disease detection to assessing the impact of public health policy. Examples include the Active Bacterial Core  System  (CDC), used to characterize vaccine effectiveness, the Gonococcal Isolate Surveillance Project (CDC), used to monitor trends in antimicrobial susceptibility of Neisseria gonorrhea isolates and inform treatment recommendations, and the National Immunization Survey, used to characterize the susceptibility of the population to vaccine-preventable diseases, and to inform policy.

The preamble also provides a list of research activities that do not fall under the exclusion, because they would not be conducted solely for the purposes described in §.102(l)(2).  These are:

  • exploratory studies designed to better understand risk factors for chronic diseases, including genetic predisposition, for chronic diseases;
  • exploratory studies designed to elucidate the relationships between biomarkers of exposure and biomarkers of disease; and
  • exploratory studies of potential relationships between behavioral factors (e.g., diet) and indicators of environmental exposures.

SACHRP does not have any suggested additions to this list.

OHRP question 3 also asks,

For example, should the purpose of the surveillance activity be solely to inform the decisions or actions that must be made by a public health authority, or to apply study findings to public health practice? Should activities that do not meet this exclusion include disseminating findings to stimulate public health action by others, but not informing the public health authority of actions that it would take to improve public health?

SACHRP recommends that the definition of public health surveillance activity be narrowly interpreted, and therefore should not include application of study findings to public health practice or disseminating findings to stimulate public health action by others (for instance, to wear masks during the COVID-19 pandemic).  While these practices should not be considered public health surveillance activities, they may or may not meet the definition of research.  That is a separate analysis.

SACHRP answer to Question 3(a)

Question 3(a) asks whether establishment of a repository containing individually identifiable private information or individually identifiable biospecimens could fall within this exclusion, and asks SACHRP to consider two scenarios, the creation of a repository as the primary study, as well as the creation of a repository embedded within a trial.

Regarding the creation of a repository as the primary study, SACHPR believes that if the use of the data or samples from the repository is clearly going to be for a public health surveillance activity or activities, then that use of the repository would qualify for the exclusion.   

Question 3a asks whether it is relevant if the planned uses of the repository information:

  • Are unknown?
  • Would only constitute non-exempt human subjects research?
  • Would only constitute public surveillance activities that would also meet the conditions of the exclusion?
  • Would require an additional assessment to determine whether they met all the conditions of the exclusion?

SACHRP believes that the exclusion should be applied narrowly, and that in order for this exclusion to apply to the creation of a repository, there would have to be adequate description of the project to allow an application of the public health surveillance activities.  If the uses were unknown, or would constitute non-exempt research, then the exclusion should not apply.  If the planned uses only constitute public health surveillance activities, the exclusion should apply.  As noted previously, any secondary uses of the data or samples would need to be analyzed to determine whether they meet the definition of a public health surveillance activity.

Regarding the creation of a repository embedded within a trial, and whether it might qualify for the exclusion, SACHRP notes that OHRP addressed this issue in the OHRP draft guidance “Activities Deemed Not to Be Research:  Public Health Surveillance 2018 Requirements.”  The draft guidance says, “If an activity is composed of multiple components, some of which are not public health surveillance, OHRP’s view is that only those components that serve to enable a public health authority to carry out one or more public health surveillance objectives should be considered potentially eligible for the public health surveillance activity exclusion under 45 CFR 46.102(l)(2).”

SACHRP agrees with this position, which effectively allows public health surveillance activities that are part of a project that also has research activities to be carved out from application of the Common Rule.  Therefore, if a repository is embedded in a clinical trial, and the use of the data or samples from the repository is clearly going to be public health surveillance activities, then those uses of the repository qualify for the exclusion.  SACHRP also notes that this is a distinct approach from the traditional approach to the issue of exempt activities that are embedded within a trial, which has been that if any part of a project qualifies as research, then the exempt parts must also receive IRB review.  SACHRP recommends that this distinction is clearly highlighted in any guidance on this issue.

OHRP Question 4.    The regulatory language of the exclusion provides that “[t]he activity must be conducted, supported, requested, ordered, required, or authorized by a public health authority.”  What do each of these actions entail, and how do they differ? Please consider developing suggested examples illustrating each of these scenarios.

SACHRP answer to Question 4

  • “Conducted” means the activity is performed by the public health authority.
  • “Supported” means that the public health authority provides funding or other resources, but a different entity is involved in conducting the activity. 
  • “Requested” means that the public health authority has asked a different entity to conduct the activity, but the entity can decline to do so without consequence
  • “Ordered” means that the public health authority has the legal authority to require the entity to conduct the activity.
  • “Required” is substantively similar to “ordered,” but might take a different form.  For instance, the requirement might be included in the charter of an organization. 
  • “Authorized by” means that that public health authority has given permission for the entity to conduct the activity.   

SACHRP notes that “supported” and “requested” could potentially allow for more flexibility than the other terms. We believe that these terms should be interpreted narrowly.

OHRP Question 5.    While this exclusion clearly may apply in the context of a public health emergency, it is not limited to the emergency context.  What are the pros and cons involved in broad application of this exclusion?  Please consider outlining such considerations from the perspective of a government agency acting as a public health authority, a non-governmental institution conducting a public health surveillance activity, and the individuals whose data and biospecimens will be used in the public health surveillance activity.

SACHRP answer to Question 5

A positive of allowing a broad application or interpretation of this exclusion is that it provides Public Health Authorities, both public and private, with more flexibility in the conduct of public health surveillance activities, and can reduce administrative burden and the need to consider whether informed consent meeting human subject protection regulations is necessary.  A negative is that a broad application may harm public trust if it is applied to activities for which IRB review and informed consent meeting human subject protection regulations would otherwise be required.  The use of the exclusion should be transparent and used with a narrow application outside of a public health emergency.  During a public health emergency, a broader application may be appropriate in order to allow Public Health Authorities to take appropriate and timely action to accomplish public health surveillance activities that are pressing and of wide concern. 

OHRP Question 6.    What entity or involved individual may or should decide whether a planned activity meets the requirements of this exclusion?  Are there any recommended considerations involved with this decision, and do they differ depending on what entity or individual might be making this decision?

SACHRP answer to Question 6

SACHRP recommends that determinations that an activity meets the exclusion as a public health surveillance activity be clearly documented and readily available to the public to ensure transparency.   Providing the criteria or rationale for the determination, rather than just the final determination itself, will also aid transparency.  Public health surveillance activities often involve many institutions and may involve gathering information outside of institutional settings, and in such cases it will likely be most practical for the involved agency to make the determination.  When this occurs, involved institutions should have a mechanism to review the decision and confirm agreement with the decision, particularly if some activities in a project may not meet the exclusion.  In cases where the activity is limited to one or more institutions, it may be appropriate to have an institutional mechanism for making the determination, similar to exempt determinations.  This could include entities such as an IRB administrator, a research office, or an institutional official.  In any case, the determination should not be made by the party or parties who are offered the grant or contract to do the public health surveillance activities.

OHRP Question 7.    Should documentation be recommended or required regarding each of the decision points involved with this exclusion?  If so, please consider providing specific suggestions as to documentation and how entities or individuals should accomplish this.

SACHRP answer to Question 7

Yes.  SACHRP believes that documentation of the decision that an activity is a public health surveillance activity should be documented with specific reference to how it meets 45 CFR 46.102(l).  This documentation should be publicly available, and easily accessible.

OHRP Question 8.    This exclusion will not apply to activities dually regulated by FDA and OHRP.  Are there any useful recommendations for involved institutions and individuals in such circumstances? (If not, feel free not to further consider this point.)

SACHRP answer to Question 8

SACHRP does not agree that it is universally true that “this exclusion will not apply to activities dually regulated by FDA and OHRP.”  For instance, if a public health authority used HHS funding to conduct or support a surveillance program that involved return of COVID-19 test results to subjects, it seems that the project would meet the exclusion at 45 CFR 46.102(l)(2) and simultaneously require FDA review  under 21 CFR 812 as an investigational diagnostic device. 

FDA does conduct some public health surveillance activities such as the Sentinel project, and the FAERS and VEARS reporting systems.  As an HHS agency, FDA can utilize the exclusion for the public health surveillance activities that FDA itself conducts or supports. However, the FDA drug, biologic and device regulations do not include this exclusion at this time, and any clinical investigation of FDA regulated medical products must follow those regulations, even if there are aspects of public health surveillance activities included in the project.

We note that CLIA is also not subject to the exclusion, and CLIA must be separately followed when it is applicable.

SACHRP Commentary on OHRP draft guidance “Activities Deemed Not to Be Research:  Public Health Surveillance 2018 Requirements”

SACHRP has reviewed the OHRP draft guidance, and in general agrees with the draft guidance as written.  SACHRP believes that several of the points bear repeating in this recommendation. 

The draft guidance notes, “This explicit exclusion of public health surveillance activities from the definition of research does not mean that other public health activities that do not constitute public health surveillance activities, as described in 45 CFR 46.102(l)(2), are necessarily research subject to 45 CFR part 46.”

Also, the draft guidance states, “Research activities that do not constitute public health surveillance, such as a secondary research analysis of data for some other scientific purpose using information collected as part of a public health surveillance activity, can be carried out in tandem with a public health surveillance activity. In such a circumstance, the non-public health surveillance activity (in the example above, the secondary research analysis) should be reviewed to determine whether the 2018 requirements apply.”

Algorithm:

SACHRP has developed the following algorithm to help with the analysis of projects.

  1. Is the project conducted, supported, requested, ordered, required, or authorized by a public health authority?
    • If yes, proceed to question 2
    • If no, it does not meet the exclusion
  2. Does the project involve public health surveillance activities, including the collection and testing of information or biospecimens?
    • If yes, proceed to question 3
    • If no, it does not meet the exclusion.
  3. Does the project involve only public health surveillance activities?
    • If yes, proceed to question 4
    • If no, the parts of the project that are not public health surveillance activities must be assessed separately to determine whether they are research, meet another exclusion, meet an exemption, or require IRB review.
  4. Are the public health surveillance activities limited to those necessary to allow a public health authority to identify, monitor, assess, or investigate potential public health signals, onsets of disease outbreaks, or conditions of public health importance (including trends, signals, risk factors, patterns in diseases, or increases in injuries from using consumer products)?  Such activities include those associated with providing timely situational awareness and priority setting during the course of an event or crisis that threatens public health (including natural or man-made disasters).

    The OHRP draft guidance “Activities Deemed Not to Be Research:  Public Health Surveillance 2018 Requirements” contains the following definitions of terms:
    • Identify generally refers to activities that are undertaken to detect potential signals, onsets of disease outbreaks, or conditions of public health importance that had not previously been recognized.
    • Monitor generally refers to activities that are undertaken to maintain situational awareness of an identified signal, outbreak, or condition, in order to detect changes that warrant further public health action.
    • Assess generally refers to activities that are undertaken to evaluate the characteristics of a signal, outbreak, or condition, including its magnitude, prevalence or incidence, and the context in which a signal, outbreak, or condition occurs or has been detected, in order to inform public health action.
    • Investigate generally refers to the range of activities that are undertaken in response to an identified or perceived threat to public health, to determine the magnitude of the problem, identify cases, or determine the cause, and to inform appropriate control measures. The problem under investigation might be a signal, an outbreak, or any other occurrence that warrants action.
    • Provide situational awareness refers to assembling the critical information that is needed to respond to a disease outbreak or other public health emergency.
    • Potential public health signals, onsets of disease outbreaks, and conditions of public health importance generally include conditions affecting health and safety, such as infectious and chronic diseases, injury, including those related to medical products, and mental health.
    • If yes, the exclusion for public health surveillance activities at 45 CFR 46.102(l)(2) is met
    • If no, the exclusion is not met
Content created by Office for Human Research Protections (OHRP)
Content last reviewed