I. Introduction
Many people have a sense that, in the modern era, “human subjects research” is, happily, well regulated. That sense might well include the belief that the law ensures that research with humans always involves prospective approval by an ethics committee called an Institutional Review Board (IRB) and the informed consent of participants. The reality is more complicated. Strictly speaking, the U.S. Federal Policy for the Protection of Human Subjects — better known as the Common Rule1 — applies only to research that is conducted or funded by (most parts of) the federal government. Even then, the Common Rule does not regulate all unexpected or potentially risky uses of human data or all interactions or interventions with humans. Nor does it require all human subjects research to be approved by an IRB or to proceed only with participant consent. As a result, especially with respect to some kinds of activities, both the portion of what one might think of as human subjects research that is regulated and the gap between “regulated” and “unregulated” research are smaller than what one might expect.
Using the emerging field of mobile health (mHealth) research as an extended example, this article provides an overview of when the Common Rule “applies” to a variety of activities, what might be meant when one says that the Common Rule does or does not “apply” and the extent to which these different meanings matter, and, when the Common Rule does apply (however that term is defined), how it applies.
II. When Does the Common Rule Apply?
A. Two Ways in Which the Common Rule Can “Apply”
1. Direct Application to Federally-Funded Research
By its terms, the Common Rule applies to all non-“exempt” “research” involving “human subjects” that is conducted or funded by any of the 18 federal departments and agencies that are either signatories to the Common Rule or follow those regulations pursuant to presidential Executive Order (hereinafter, Common Rule departments).2 Any institution, domestic or foreign, that is “engaged in” non-exempt human subjects research funded by a Common Rule department must submit to the Office for Human Research Protections (OHRP) a Federalwide Assurance (FWA). The FWA is the means by which such an institution provides written assurance to the Common Rule department that it will comply with the Common Rule. The FWA is not study-specific; once executed, it constitutes a promise by the institution (hereinafter an “assured institution”) to apply the Common Rule to all non-exempt human subjects research in which the institution is engaged that is supported by a Common Rule department.
2. Proposals to Extend and Contract Direct Application to Non-Federally Funded Research
For years — but apparently not for much longer (see below) — the FWA form has invited domestic institutions to voluntarily extend the scope of their commitment to cover all non-exempt human subjects research in which the institution is engaged, regardless of the source of funding for the research (if any).3 Among members of the regulated community, this is known as “checking the box” and the large majority of assured institutions have historically done so,4 although with a downward trend over time.5 Assured institutions that agree to expand their commitment and are found to be noncompliant are subject to OHRP’s compliance oversight authority and face the same penalties (discussed below), regardless of whether the study in question is funded by a Common Rule department or not. As a result, although checking the box is voluntary, once checked, the Common Rule effectively “applies directly” to all non-exempt human subjects research in which the institution is engaged.
That said, this voluntary policy does not capture non-federally funded research conducted by assured institutions that decline to check the box, as well as all human subjects research conducted by non-assured institutions, such as many non-profits and industry organizations. Over the decades, various commissions and commentators have lamented the fact that the Common Rule applies directly only to research conducted or supported by Common Rule departments.6 From the perspective of an individual who might be harmed by research, after all, it hardly matters who funded the harm.
During the years-long process of revising the Common Rule, federal regulators explored a compromise strategy of requiring assured institutions to apply the Common Rule to all non-exempt human subjects research in which they are engaged, regardless of funding. In other words, once an institution accepts any research funds from a Common Rule department, the Common Rule would apply to all non-exempt human subjects research in which that institution was engaged. This proposal was included in a 2011 advance notice of proposed rulemaking (ANPRM),7 but officially submitted public comments were generally less than enthusiastic. In particular, many argued that this dramatic expansion of coverage ignored the ANPRM’s stated goal of balancing increased protections of participants with reduced burdens on researchers, since the expansion would apply to both low- and high-risk research. As a result, the proposal was dropped.8
Instead, in a 2015 notice of proposed rulemaking (NPRM), regulators proposed extending the Common Rule to a narrower class of non-federally funded research that, at first blush, would seem to include only high-risk research. Specifically, the NPRM proposed that the Common Rule be revised to apply to all “clinical trials” in which domestic assured institutions were engaged, regardless of funding, unless the trials were already subject to FDA regulation.9 At the same time, the NPRM announced regulators’ intent to enact a non-regulatory change to the FWA forms: no longer would institutions have the option of checking the box.10 Thus, the NPRM proposed that assured institutions be required to apply the Common Rule to clinical trials, but, on the other hand, the federal government would no longer have compliance oversight of any other kinds of non-federally funded research. Institutions would remain free to apply the Common Rule to whatever research they liked, and impose whatever penalties for noncompliance they like, as matters of institutional policy (see sections 3 and 4, below).
The NPRM, however, defined “clinical trials” exceptionally broadly to include, essentially, all interventional research.11 Again, the “slim majority” of public comments opposed the proposal.12 Regulators conceded commenters’ claim that the proposal would have failed to accomplish regulators’ goal of only “cover[ing] the most risky types of research … given [that] the definition of ‘clinical trial’ … encompassed research that would pose no more than minimal risk to subjects.”13 Other commenters cast doubt — not without reason14 — on whether the Common Rule’s enabling statute, the Public Health Service Act, permitted regulators to extend the Common Rule to non-federally funded research at all15 and argued that any requirement that nonfederally-funded research be regulated must come from Congress.16
Thus, when regulators announced the final rule in 2017, this narrower proposal, too, had been dropped, at least for the time being.17 At the same time, however, regulators announced that they still plan to discontinue the portion of the FWA process in which assured institutions are invited to extend the Common Rule (and OHRP oversight) to all of their research.18 In the near future, then, the only activity to which the Common Rule will directly apply is non-exempt human subjects research funded or conducted by a Common Rule department.
3. Indirect Application
Although the Common Rule has limited direct application, there are several other ways in which it meaningfully applies indirectly. First, some states have laws that impose some or all of the Common Rule on some or all human subjects research conducted in their jurisdiction.19
Second, virtually all academic institutions apply the Common Rule to all human subjects research in which they are engaged as a matter of institutional policy, even if they do not officially check the box.20 Such institutional policy is often incorporated by reference into employment contracts, making compliance a matter of employment law.
Third, non-academic research institutions (e.g., nonprofits, industry) sometimes submit their human subjects research to independent IRBs for review, either as a matter of institutional policy or on an ad hoc basis. For instance, at least some of the research conducted by 23andMe, Fitbit, and Microsoft is reviewed by independent IRBs.21 Companies including Facebook, Google, Microsoft, and Fitbit have instead — or in addition — established their own internal review bodies,22 although, among those bodies, some look more like a Common Rule IRB than others and some apply rules and norms that adhere more closely to the Common Rule than others.23 The Consumer Privacy Protection Act of 201524 similarly would have protected consumer data while permitting research and other non-contextual uses of consumer data if a “privacy review board” reviewed the proposed use and determined that it met certain criteria,25 but the bill did not make it out of the Senate Committee on the Judiciary.
Finally, sometimes gatekeepers downstream from the conduct of research make something valuable to researchers conditional on IRB oversight. For instance, journals often require researchers who wish to publish their results to indicate that an IRB either reviewed the reported research or determined that it was exempt or constituted non-human subjects research.26 Similarly, Apple requires that apps conducting “health-related human subject research” be “approv[ed by] an independent ethics review board” and evidence of this review must be made available on request.27 Apple also requires that such apps “must obtain consent from participants or, in the case of minors, their parent or guardian,” and the company specifies several elements of information that must be disclosed in the consent that resemble the Common Rule elements.28
4. The Consequences of Direct Versus Indirect Application of the Common Rule
Whether one wishes to deem research to which the Common Rule indirectly applies “unregulated”29 depends on what aspects of regulation, and what non-regulatory incentives, one finds meaningful. The penalties for noncompliance when the Common Rule merely indirectly applies might be more than one might imagine, while those for noncompliance when the Common Rule does directly apply might be less, for several reasons.
First, the Common Rule affords no private right of action for research participants who suffer any form of research-related injury — whether a physical injury or a “dignitary harm” from being enrolled in research without voluntary, informed consent — even when the research is conducted or supported by a Common Rule department (i.e., when the Common Rule applies directly).30
Instead, enforcement of compliance with the Common Rule rests with OHRP, which has the statutory responsibility for developing a process for receiving allegations of noncompliance and “taking appropriate action.”31 Pursuant to that authority, when OHRP receives “substantive written allegations or indications of noncompliance” with respect to research under its jurisdiction — i.e., non-exempt human subjects research to which the Common Rule directly applies or in which an assured institution that checked the box is engaged — it may, in its discretion, open a for-cause investigation.32 OHRP may also, instead, “choose to use other mechanisms” to respond to such allegations.33 When OHRP does open noncompliance investigations, they are primarily “paper investigations”: OHRP and the relevant institution exchange a series of letters in which OHRP describes the allegations and the institution provides written responses. On-site visits are relatively uncommon with for-cause investigations. OHRP then issues one or more determination letters specifying any instances of noncompliance. A finding of noncompliance can trigger (sometimes with input from other agencies) any of several responses (in increasing order of severity):
Corrective action plan: the institution is required to develop and implement a corrective action plan, such as providing additional education or training of IRB members or staff34;
Restricted FWA: OHRP restricts or places conditions on the institution’s approved Federalwide Assurance, such as requiring quarterly reports to OHRP, requiring prior OHRP approval of some or all research subject to the FWA, or suspending a particular study until corrective actions have been taken;
Suspended FWA: all research conducted under the FWA is suspended until the FWA is reinstated;
Suspended institution or investigator: an institution or an investigator is temporarily suspended or permanently removed from participation in specific studies, or grant study sections are notified of an institution’s or an investigator’s past noncompliance prior to review of new grants;
Government-wide debarment: in order to protect the public interest, the institution or one or more of its investigators is debarred from receiving any federal research funds.35
Final determination letters are published on OHRP’s website.36 OHRP also conducts an average of two or three not-for-cause oversight evaluations of institutional human research protection programs (HRPPs) per year, selecting institutions on the basis of a variety of factors.37
Although very serious sanctions for noncompliance with the Common Rule — such as temporarily suspending all FWA-covered research at an institution and government-wide debarment — are possible, by all appearances, by far the most common responses to noncompliance investigations are corrective action plans, which often amount to revision of an institution’s standard operating procedures or remedial education or training of investigators or IRB staff.
Moreover, as noted above, when presented with written allegations of noncompliance, OHRP retains discretion whether to even open an investigation or not. Between 2000 and 2015, OHRP received an average of 123 complaints per year, but while it conducted 60 compliance evaluations in 2000, it conducted only an average of 5 evaluations per year from 2010 to 2015.38 That trend has continued to the current date.39 Similarly, assured institutions are required by regulation to report certain incidents, such as adverse events, to OHRP. Those incidents tripled between 2000 and 2015, but of the several hundred per year OHRP reviewed, it responded by initiating a compliance evaluation in “only a few cases,” such as when a research participant died.40
It is not possible to know whether the relatively low number of opened investigations reflects a lax view of compliance oversight by OHRP without reviewing the allegations the agency receives, which are not public.41 However, OHRP has provided other reasons for this decline, including its practice of formally investigating only the lead institution in multiple-site studies and its use of alternative mechanisms, such as informally resolving complaints and approving of corrective actions without opening an investigation or issuing a determination letter.42 Moreover, in recent years, OHRP has come to view itself as more of a policy body than a compliance body, with any compliance evaluations that are conducted and the resulting published determination letters seen as educational opportunities for the research community at large to improve research oversight.43 As a result, OHRP has decided “to initiate fewer compliance evaluations both to better leverage its limited resources and to focus the evaluations on broad policy issues in protections for human subjects.”44 Still, influential commenters and bodies have argued that OHRP’s compliance efforts are subpar and in fact do not provide meaningful protection to research participants.45
Conversely, sanctions for noncompliance with the Common Rule, even when it applies only indirectly, can be substantial and have a significant deterrent effect. HRPPs can and do impose on researchers most of the sanctions that OHRP is authorized to impose, including requiring investigators to develop and implement corrective action plans and placing additional constraints on, or suspending, particular studies or investigators. Institutions have no power to literally issue government-wide debarments, of course, but they do have the power to remove an investigator’s ability to apply for any external research grants or to conduct any human subjects research, which has more or less the same effect, and, unlike OHRP, they have the authority to terminate the employment of a repeat offender.
As for journals’ common requirement of IRB review or determination regarding submitted work, publications, too, are of obvious importance to researchers who work in academic settings; indeed, they are the coin of that realm. But they are also important to, e.g., data scientists who work in industry but often have careers that span academia and industry. And all app developers aim to distribute their apps to iOS users via Apple’s App Store.
In any case, to determine whether the Common Rule applies — whether directly or indirectly — both the actor and the activity must be covered.
B. Is the Actor Covered?
1. Actors Who “Engage” Common Rule Institutions
As explained above, the FWA is a contract between the federal government and an institution, not an individual researcher.46 In particular, it is a contract between the government and an institution that is “engaged in research” by virtue of what its employees or agents do.47 Even when the Common Rule applies only indirectly (i.e., a research study is not federally funded), most IRBs consider themselves to have jurisdiction over the study only if the institution is “engaged;” that is, they adopt the Common Rule’s jurisdictional provision. For the Common Rule to “apply,” then, a non-exempt human subjects research study generally must have a sufficient nexus to at least one institution that has committed to the regulations (directly or indirectly).
The Common Rule does not define what it means for an institution to be “engaged in research.” However, OHRP guidance provides a non-exhaustive list of research-related activities that an institution’s employees or agents may participate in without thereby “engaging” that institution in research.48 Human subjects research involves a trajectory of activities, from conception of the research question(s) and study design to (sometimes) consenting participants and data collection to dissemination of results, and all of this activity is often fragmented across multiple sites. Under OHRP guidance, employees or agents of one “Common Rule institution” can participate in some aspects of that trajectory without triggering their IRB’s jurisdiction.
For example, recruiting prospective participants (but stopping short of facilitating the consent process) does not, itself, engage one’s institution in research.49 Nor does an employee who releases identifiable, private data to a researcher elsewhere engage her own institution in research (receiving such data, on the other hand, will tend to engage that institution in research).50 Nor does co-authoring a paper reporting the results of a study, without more, engage the co-author’s institution in that research.51 To be clear, this fragmentation only goes so far; for any research study, at least one institution must be engaged. But that institution might be one that has not committed to the Common Rule, directly or indirectly. And so it is possible that an employee of a Common Rule institution can participate in — indeed, accelerate, legitimate, and be a but-for cause of — non-exempt mHealth (or other) research without the Common Rule ever being triggered.52
2. Citizen Scientists and Self-Experimenters
On the other hand, the Common Rule does (potentially) apply to some actors whom one might think would escape its scope. Citizen scientists are — almost by definition — unaffiliated with traditional research institutions and not historically recognized by traditional funders. For that reason, the Common Rule is unlikely to apply to their research directly. Nor would voluntary adoption of the Common Rule by a group of citizen scientists carry the same sanctions as when the Common Rule indirectly applies in an academic or even corporate setting. However, assuming that a citizen scientist or a citizen scientist organization wanted to adopt the Common Rule, it would, in fact, almost certainly cover typical citizen science projects. These include N of 1 studies (including but not limited to “self-experimentation”) and studies in which the research “subjects” are all also researchers.
Although the Common Rule is silent about scenarios in which researchers study themselves, there is little reason to believe that self-study per se falls outside of the Common Rule. The regulations provide a definition of “human subject” (discussed below) and no part of that definition hinges on the relationship of the researcher to the participant, the presence or absence of power or information asymmetries, or the parties’ identities. All of these things can, of course, affect whether research participants are “vulnerable” and in need of additional protections under the Common Rule or the additional Subparts of Part 46 of the Code of Federal Regulations,53 but not whether they meet the Common Rule’s basic definition of “human subject,” which is a threshold criterion. Indeed, several IRBs have explicit policies clarifying that researchers are indeed required to obtain IRB approval before studying themselves.54
C. Is the Activity Covered?
Although the Common Rule has its roots in scandals involving biomedical and behavioral research and although its enabling statute limits the Common Rule’s scope to biomedical and behavioral research,55 the regulations themselves are, for better or worse, almost perfectly agnostic about the topic or discipline of research. What matters, instead, is whether the activity meets the Common Rule’s definitions of both “research” and “human subjects” and, if so, whether that human subjects research is nevertheless “exempt.”
1. “Research”
In order to be covered by the Common Rule, an activity must constitute “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”56 The Common Rule unhelpfully provides no definitions of, or further clarification about, terms such as “systematic,” “investigation,” and “generalizable knowledge,” which can be understood in different ways.
This ambiguous definition of research from the late 1970s has not fared well under the burden of the modern learning health system, which, although itself not crisply defined, broadly seeks to routinely embed various “learning activities” (including data collection and analysis and both observational and experimental methods) into the practices of medicine and health care delivery in order to continuously improve those practices.57 The Common Rule’s definition of “research” was explicitly meant to be distinguished from “practice” (which is not defined in the Common Rule). But the modern learning health system explicitly seeks to integrate learning and practice, making it unclear how — or whether — the Common Rule applies to various learning activities.58 As one prominent research ethicist described the current state of affairs: “Nobody knows, anymore, what is permitted, forbidden, required, or optional. There is serious debate going on about what should be permitted and what should not.”59
OHRP has posted FAQs to its website on various subjects which “provide guidance that represents OHRP’s current thinking ont [sic] hese [sic] topics and should be viewed as recommendations, unless specific regulatory requiremtns [sic] are cited.”60 An FAQ on quality improvement (QI) activities states that “most quality improvement efforts are not research subject to the [Common Rule]. However, in some cases quality improvement activities are designed to accomplish a research purpose as well as the purpose of improving the quality of care, and in these cases the [Common Rule] may apply.”61 Specifically, the FAQs restate the Common Rule’s jurisdictional provision that if an activity constitutes non-exempt human subjects research in which an assured institution is engaged, the Common Rule applies. In those cases, however, the FAQs note that “the regulations provide great flexibility in how the regulated community can comply.”62
The OHRP FAQs do attempt to distinguish “pure” QI activities from those that include elements of non-exempt human subjects research, but the FAQs are controversial.63 In any case, the FAQs are not binding, even when an institution is committed, directly or indirectly, to the Common Rule. At least some IRBs have determined that rigorous learning health system activities constitute quality improvement activities rather than human subjects research to which the Common Rule might otherwise apply (directly or indirectly). For instance, employees of NYU Langone Health recently described, in the pages of The New England Journal, ten “randomized quality-improvement projects” conducted under the auspices of “turn[ing]” the system “into a learning health system.”64 These field experiments or A/B tests, which were registered at ClinicalTrials.gov, “fall[] squarely into the challenging gray zone of quality improvement versus research.”65 They were ultimately conducted without IRB review, following an IRB determination that they constituted QI rather than human subjects research. That determination was apparently made because the QI activities:
are conducted by persons involved in the care of patients for the specific purpose of improving care at our local institution, positive results are promptly incorporated into practice, the projects involve minimal risk, the lessons we learn are likely to be specific to our culture and workflow and are not necessarily generalizable to other institutions, and the projects are intended to increase the provision or uptake of recommended practices to improve care or avoid harm.66
Nor were patients or providers permitted to opt out of these projects, “because this is largely not feasible for wholesale systems interventions, nor is it ethically required for quality-improvement work.”67
Importantly, health systems are not the only entities to take advantage of how cheap and easy — and, arguably, often ethically imperative68 — it has become to collect and analyze data or to use A/B testing to ensure that existing or contemplated policies and practices work as intended. Mobile health app owners, for instance, might engage in a variety of “learning activities” designed to improve or assure the quality of their app (rather than to contribute to generalizable knowledge) that an IRB could find falls outside the scope of the Common Rule, even if those regulations would otherwise directly or indirectly apply to the app owner.
2. “Human Subjects”
Even if an activity constitutes “research” under the Common Rule, it must also involve at least one “human subject,” who is “a living individual about whom an investigator”:
Obtains information … through intervention or interaction with the individual, and uses, studies, or analyzes the information …; or
Obtains, uses, studies, analyzes, or generates identifiable private information … 69
“Intervention” is not limited to physical procedures through which data are collected but, of relevance to mHealth, also includes “manipulations of the subject or the subject’s environment that are performed for research purposes.”70 Examples of interventional research involving mHealth include (but are not limited to): randomly assigning participants either to use or not use an app; A/B tests of various aspects of the app conducted on some or all users, which involves researchers intervening in the user’s “app environment”; and exercises that an mHealth app might ask a user to perform for research purposes, such as finger tapping, cognitive games, or pacing up and down a hallway in order to measure gait.
“Interaction” includes “communication or interpersonal contact between investigator and subject.”71 Traditional forms of research interactions include surveys, focus groups, and interviews. In the mHealth context, research interactions might again include surveys or other solicitation of user information for research purposes (e.g., phenotype surveys), but also a variety of researcher-to-user communications (e.g., reminders or motivational messages).
It is certainly possible for an mHealth app to be involved in human subjects research without there being any research intervention or interaction. This is most likely when the original purpose of the app is for something other than research. For instance, imagine a non-research health or lifestyle app that allows users to track the timing and symptoms of their menstrual periods. Assume that any interactions (e.g., reminders to the user pushed out through the app to log in that day, reminders that they should expect their next period soon, or invitations to the user to enter symptoms experienced during that cycle) or suggested interventions (e.g., admonitions to the user who reports symptoms to take a hot bath, apply a warm compress, or take a pain reliever) are built into the app to facilitate those health or lifestyle purposes, and not for research purposes.
If non-exempt research involves no intervention or interpersonal interaction, it will involve “human subjects” (and, hence, fall within the Common Rule’s scope) only if it involves the collection, analysis, or other use of data that are both “identifiable” and “private.”
a. “Identifiable” information. Consider, first, the requirement that data be identifiable. Some people reject any meaningful distinction between research with identifiable and non-identifiable data.72 Privacy, after all, does not exhaust the interests that someone can have in data about them; they may also have autonomy interests in controlling how data they contributed (wittingly or not) are used.73 Moreover, many have argued that the distinction between identifiable and non-identifiable data (or, in HIPAA terms, between identified and de-identified data) is illusory. A series of “re-identification attacks” by privacy researchers has demonstrated that, under certain circumstances, a variety of anonymous or pseudonymous data can be re-identified, including geolocation data, genomic data, other biometric data, Internet search data, and consumer data.74 Yet the applicability of the Common Rule not only hinges on whether information is identifiable or not; the Common Rule’s bar for rendering data non-identifiable is fairly low.
Information is “identifiable” under the Common Rule if “the identity of the subject is or may readily be ascertained by the investigator or associated with the information.”75 Although the Common Rule does not define “readily ascertainable,” and therefore it is left to individual IRBs to interpret and apply that standard, few of the aforementioned re-identification methods would seem to qualify as rendering a data source’s identity “readily ascertainable.” OHRP guidance moreover suggests that information are not individually identifiable “when they cannot be linked to specific individuals by the investigator(s)[,] either directly or indirectly through coding systems.”76 To prevent coded data from being indirectly (re)identifiable under OHRP’s guidance, “the investigators and the holder of the key enter into an agreement prohibiting the release of the key to the investigators under any circumstances, until the individuals are deceased,” and no IRB needs to review that agreement.77 Thus, if an mHealth app company has a research arm, the business arm of the company could obtain individual-level data via the app, as usual, then replace identifiers with codes, and provide the coded dataset to the research arm under an agreement that the research arm will never obtain the key to the code — all without ever triggering the Common Rule, even if it directly applied.
Federal regulators are not unaware of either these emerging re-identification techniques or the autonomy interests that research participants might have in even non-identifiable data. To the contrary, during the several years-long process of revising the Common Rule, regulators cited both factors in proposing that the Common Rule’s jurisdiction be expanded to cover research with all biospecimens, whether or not those biospecimens were identifiable.78 Inexplicably, regulators did not propose to expand jurisdiction over non-identifiable data, even though the privacy and autonomy interests are largely the same.79 In any event, the proposals failed. Instead, the 2018 Common Rule requires Common Rule agencies, within one year of the revised regulations going into effect and at least every four years thereafter, to (a) reconsider the Common Rule’s definition of “identifiable” and (b) consider whether any analytic technologies or techniques (such as whole genome sequencing) should be considered to necessarily produce identifiable data. In the near term, regulatory efforts to tighten up the Common Rule’s definition of identifiability are likely to focus, once again, on biospecimens rather than data.80
b. “Private” information. Even if data are identifiable under the Common Rule’s relatively weak current definition, for data analysis to constitute human subjects research, the data must also be “private.” “Private,” here, does not refer to the extent to which data are or are not sensitive. Under the Common Rule, “private” information “includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information that has been provided for specific purposes by an individual and that the individual can reasonably expect will not be made public (e.g., a medical record).”81 This is less a definition of “private information” than it is a listing of two kinds of private data.
With respect to the first kind — “information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place” — it will be hard to argue that mHealth app users have a reasonable expectation that “no” observation or recording of their in-app behavior, for any reason, is taking place.
The second example of private information — “information that has been provided for specific purposes by an individual and that the individual can reasonably expect will not be made public (e.g., a medical record)” — is difficult to parse, but seems more likely to apply to mHealth research. In the case of secondary research use of mHealth data, for instance, the user provides data for specific purposes (e.g., to be able to track her menstrual cycle) and does not expect that information to be “made public.” (Although research use of data is not usually synonymous with making data public, the Common Rule seems to use the latter as an odd proxy for the former.) Similarly, if a user of an mHealth research app knowingly provides data to the app developer for the specific purpose of research, she maintains a reasonable expectation that her data will not be made public, which renders those data “private” under the Common Rule.
3. “exempt” human subjects research
Finally, an activity can meet the definitions of “research” and “human subjects” and take place in a Common Rule environment and still fall outside the scope of the Common Rule: “research activities in which the only involvement of human subjects will be in one or more of [8 specified] categories” are (more or less) “exempt” from the Common Rule.82 Under the 2018 Common Rule, the qualifier “more or less” exempt is necessary because some “exempt” human subjects research nevertheless requires “limited IRB review” for things like an appropriate data security plan or confirmation that secondary research use of existing data collected under broad consent falls within the scope of that consent.83
The Common Rule is silent about who must or should make exemption determinations, but OHRP guidance “recommends that, because of the potential for conflict of interest, investigators not be given the authority to make an independent determination that human subjects research is exempt.”84 During the Common Rule revision process, regulators proposed to develop a “decision tool” by which investigators would be permitted to make and certify exemption determinations by entering accurate answers to questions. Because the tool had not been developed and therefore the public could not comment on it sufficiently, this proposal did not become part of the 2018 Common Rule, but regulators have said that they will continue to explore this option.85 Some IRBs already use such a tool.86
One exemption concerns studies that involve only surveys and/or educational tests (such as cognitive or aptitude tests, which are sometimes used in mHealth research). Such studies are exempt from the Common Rule so long as one of the following three conditions is met: (1) the information is recorded by the investigator in a non-identifiable way; (2) the data are identifiable but not sensitive (i.e., disclosure of the data outside the research “would not reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects’ financial standing, employability, educational advancement, or reputation”); or (3) the data are identifiable (and, presumably, sensitive) and an IRB conducts a “limited IRB review” to ensure that appropriate data security measures are in place.87 That limited IRB review does not involve risk-benefit assessment, nor do the Common Rule’s elaborate informed consent provisions apply. In short, one way or another, all research involving surveys and educational tests is exempt from the Common Rule.
Research involving non-deceptive “benign behavioral interventions” — which are “brief in duration, harmless, painless, not physically invasive, not likely to have a significant adverse lasting impact on the subjects, and [not likely to be] offensive or embarrassing” — is also exempt if the participant prospectively consents to the intervention and at least one of the same three criteria described above is met.88 mHealth research that only involves such interventions as finger tapping, pacing, Stroop tests, games, puzzles, and the like (or other exempt research activities) is likely to be exempt from IRB review.
Note, however, that although some of these interventions are benign themselves, return of the individual results of these tasks might not be. Consider, for instance, an mHealth app designed to track symptoms of Parkinson’s (whether for ostensibly healthy individuals volunteering as controls, those at-risk for Parkinson’s, or those with an existing diagnosis) via finger tapping and pacing tasks.89 Those tasks in and of themselves are benign. But if participants’ results suggest onset or progression of symptoms (or are merely interpreted that way by participants), those results — but not the interventions — could (at least in theory90) have “a significant adverse lasting impact on” participants.
It is not entirely clear how return of results might affect such a study’s exempt status. The revised Common Rule clearly perceives return of individual results to be a source of potential harm to participants and to sometimes merit IRB review. For instance, secondary research on identifiable data that were collected under broad consent is exempt if, among other things, “[t]he investigator does not include returning individual research results to subjects as part of the study plan.”91 No such qualification is made for the exemption pertaining to benign behavioral interventions, however. Moreover, the Common Rule provides that “research activities in which the only involvement of human subjects will be in one or more of [8 specified] categories” are exempt. But investigators might wish to return individual results for a number of reasons unrelated to research purposes. For instance, instead of returning individual results in order to study how participants react to this information, investigators might return results in order to comply with the HIPAA Privacy Rule’s right of access or to express gratitude to participants or because the investigator believes participants have a right to individual research results.92 It is possible that an IRB could find that returning results under such circumstances does not constitute a “research activity” and therefore is no barrier to an exemption determination.93
Another important exemption is “secondary research for which consent is not required.” Recall that research with non-identifiable and/or non-private data does not (without more, i.e., intervention or interaction) involve human subjects and so falls outside the Common Rule. Although research with identifiable private data is covered by the Common Rule, it is nevertheless exempt if those data are either (a) “publicly available” or (b) “recorded by the investigator in such a manner that the identity of the human subjects cannot readily be ascertained directly or through identifiers linked to the subjects” (and the investigator neither contacts nor attempts to re-identify the participants). The Common Rule does not define any of the important terms in this exemption, including “publicly available” and “recorded.” The line between public and private spaces, and hence between data that are and are not publicly available, is not sharp.94 As for the second option under this exemption, the general idea is that data that were collected for any purpose other than the present research study — whether that be clinical purposes, consumer purposes, administrative purposes, or for another research project — may be used in new, unrelated research with consent or IRB review, so long as identifiers are separated from the data before the remainder is used in research.95
III. When the Common Rule Applies, How Well Does(n’t) It Apply?
Assume that an activity meets the definitions of “research” and “human subjects,” is not “exempt,” and occurs at an institution that applies the Common Rule (either directly or indirectly) and is “engaged” in the research. Now that it “applies,” what does the Common Rule actually require? In brief:
IRB review is designed to protect research participants, and IRBs approve, disapprove, or require changes to each study accordingly. Before researchers recruit a single participant, IRBs review their recruitment plans, the detailed information disclosures that form the basis of participants’ voluntary, informed consent, and the protocol itself. They ensure that these materials fully, accurately, and in “understandable” language disclose to prospective participants, inter alia, “any reasonably foreseeable risks or discomforts to [them]” and “any benefits to [them] or to others which may reasonably be expected from the research.” They then consider these risks and expected benefits themselves, and approve only those studies whose “[r]isks to subjects are reasonable in relation to anticipated benefits, if any, to subjects, and the importance of the knowledge that may reasonably be expected to result.”96
There are no special Common Rule provisions governing mHealth research. Instead, like all other non-exempt human subjects research, mHealth research must meet the criteria for IRB approval. The protections that are potentially afforded by such IRB review might be substantial — though empirical evidence supporting that conclusion is, as yet, scarce.97 But even by its own terms, the Common Rule’s protections are limited in ways that might surprise or disappoint some.
For instance, unlike the Belmont Report’s interpretation of the principle of beneficence,98 and despite the otherwise fairly tight nexus between the Belmont principles and their codification in the regulations, the Common Rule requires that the risks of research be minimized,99 but it does not require researchers to maximize the benefits of research.100 IRBs must consider the risks of research to participants, and virtually any probability of risk — no matter how speculative — and virtually any kind of risk — from physical to emotional to reputational — is fair game.101 But the Common Rule directs IRBs to consider only risks to the direct participants in research, not to any third parties, such as bystanders whose privacy interests might become entangled with those who are enrolled in research or groups who might be stigmatized by the results of research conducted with members of that group.102 Moreover, the Common Rule instructs IRBs not to “consider possible long-range effects of applying knowledge gained in the research (e.g., the possible effects of the research on public policy).”103
Finally, a common myth about human subjects research is that informed consent is always required. But this is not the case, even under the Common Rule and the Belmont principles.104 IRBs can and do permit alterations to the information that researchers normally must disclose to prospective participants — or waive consent altogether. It is true that alteration and waiver are possibilities only when the research is “minimal risk” and certain other conditions are met, chiefly, that the research could not be “practicably” conducted without the alteration or waiver.105 But although the Common Rule does define “minimal risk,”106 the term has been criticized as “ambiguous and poorly defined.”107 For its part, the critical term “practicable” is not defined in the Common Rule at all, nor is it known how different IRBs interpret and apply it.
IV. Conclusion
The U.S. federal regulations that are designed to protect research participants directly apply to only a limited set of activities. On the other hand, the Common Rule indirectly applies to an increasing amount of activity as already-customary voluntary adoption spreads from the academic to the industry and nonprofit sectors. Moreover, the penalties for noncompliance when the Common Rule indirectly applies approximate those for noncompliance when it directly applies. This makes the gap between “regulated” and “unregulated” research somewhat less troublesome than one might assume. Instead, the greater difficulty for those who favor meaningful regulation of research and other learning activities might be that even when the Common Rule “applies” (directly or indirectly), its substantive application can be wanting. For instance, by limiting its scope to activities that are “designed to develop or contribute to generalizable knowledge,” the Common Rule omits other learning activities (and non-learning activities) that might present equal or greater risk, such as QI or innovation. By limiting its scope to research that involves interaction, intervention, or the use of identifiable, private information, “big data” research with non-identifiable data (weakly defined) eludes its grasp and other activities meet the requisite definition of “human subjects research,” only to be exempt. As for non-exempt human subjects research, research benefits need not be maximized, informed consent is not always required, and IRBs do not consider risks to third parties or the long-term social risks of research. For mHealth research and other emerging activities, this means that the development and voluntary adoption of relatively new standards will be critical.108
Acknowledgment
Research on this article was funded by the following grant: Addressing ELS Issues in Unregulated Health Research Using Mobile Devices, No. 1R01CA20738-01A1, National Cancer Institute, National Human Genome Research Institute, and Office of Science Policy and Office of Behavioral and Social Sciences Research in the Office of the Director, National Institutes of Health, Mark A. Rothstein and John T. Wilbanks, Principal Investigators.