GAO-09-448T, Human Subjects Research: Undercover Tests Show the Institutional Review Board System Is Vulnerable to Unethical Manipulation


This is the accessible text file for GAO report number GAO-09-448T 
entitled 'Human Subjects Research: Undercover Tests Show the 
Institutional Review Board System is Vulnerable to Unethical 
Manipulation' which was released on March 26, 2009. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Testimony: 

Before the Subcommittee on Oversight and Investigations, Committee on 
Energy and Commerce, House of Representatives: 

United States Government Accountability Office: 

GAO: 

For Release on Delivery Expected at 10:00 a.m. EDT: 

Thursday, March 26, 2009: 

Human Subjects Research: 

Undercover Tests Show the Institutional Review Board System Is 
Vulnerable to Unethical Manipulation: 

Statement of Gregory D. Kutz, Managing Director Forensic Audits and 
Special Investigations: 

GAO-09-448T: 

Mr. Chairman and Members of the Subcommittee: 

Thank you for the opportunity to discuss our investigation of 
vulnerabilities in the institutional review board (IRB) system. An IRB 
is an entity formally designated to review and monitor biomedical and 
behavioral research in clinical trials involving human subjects, with 
the intended purpose of protecting the rights and welfare of the 
research subjects. Each year, millions of Americans enroll in clinical 
trials of experimental drugs and medical devices conducted in over 
350,000 locations throughout the United States. Many of these clinical 
trials are meant to demonstrate that products are safe and effective, 
and are sometimes conducted or sponsored by private pharmaceutical and 
medical device manufacturers. Although research subjects are required 
to give consent prior to their participation in these studies, a 
patient has the expectation that the product being tested presents a 
risk that is reasonable in relation to any anticipated benefits, and 
that all risks are fully disclosed. The Department of Health and Human 
Services' (HHS) Office for Human Research Protections (OHRP) and the 
Food and Drug Administration (FDA) are responsible for overseeing 
aspects of the system of IRBs. 

Unfortunately the IRB system sometimes fails to protect research 
subjects. For example, in 2002, a 47-year-old man died after his heart 
stopped beating while participating in an experimental trial of 
antipsychotic medication at a Texas research center. Before his death, 
the man spent 22 days suffering from fever, severe diarrhea, a rapid 
heartbeat, and kidney failure while under the care of researchers. The 
warning label for the experimental medication listed some of these 
serious side-effects and other signs of heart failure, but the IRB 
failed to ensure the risks were communicated to participants at the 
outset of the trial. During the clinical trial, the lead researcher 
continually delegated control of the clinical trial to a man who was 
unlicensed to practice medicine in the United States. In its follow-up 
investigation after the death, the FDA noted that the IRB repeatedly 
violated regulations governing the proper conduct of clinical trials 
and did not adequately supervise the clinical trial. 

Most IRBs were historically located at academic institutions. However, 
independent IRBs are playing an increasingly prominent role in the 
protection of human research subjects.[Footnote 1] Questions have been 
raised as to whether all of these independent IRBs exercise effective 
due diligence in reviewing research protocols. Given the importance of 
IRBs in protecting human health and safety, you asked us to perform 
undercover tests to find out whether the IRB system is vulnerable to 
unethical manipulation. Specifically, we investigated three key aspects 
of the IRB system: (1) the process for establishing an IRB, (2) the 
process through which researchers who wish to apply for federal funding 
assure HHS that their activities related to human subjects are guided 
by ethical principles and federal regulations, and (3) the process that 
medical research companies follow to get approval for conducting 
research on human subjects. 

To investigate the process for establishing an IRB, we created a 
fictitious IRB with phony company officials and only a mailbox for a 
business location. We then registered our fictitious IRB with HHS using 
its online registration form. We created a Web site that resembled 
those of other actual IRBs. We also advertised the services of our 
bogus IRB in various media, such as Web sites dedicated to the clinical 
trials industry and newspapers, in an attempt to persuade legitimate 
medical researchers to send protocols to our bogus IRB. In our 
advertisements, we stated that we were "HHS approved," in reference to 
our bogus IRB's registration with HHS. In addition, we emphasized the 
speed of our review process ("Fast Approval!"), customer service, and 
flexibility to customer needs in order to make our IRB look as 
attractive as possible.[Footnote 2] 

To investigate the process through which human subjects researchers who 
wish to apply for federal funding assure HHS that their activities 
related to human subjects are guided by ethical principles and federal 
regulations, we attempted to file a Federalwide Assurance for the 
Protection of Human Subjects for Institutions Within the United States 
(assurance) application using HHS's online application form, under the 
guise of a fictitious medical device company. We created a fictitious 
medical device company with phony company officials and only a mailbox 
for a business location, claiming that this mailbox was the facility 
where we intended to conduct our human subjects testing. As part of 
filing for an assurance, we were required to submit information about 
the IRB that would be reviewing our research protocol, for which we 
listed our fictitious IRB. 

To investigate the process that medical research companies follow to 
get approval for conducting research on human subjects, we created a 
research protocol for a fictitious medical device with no proven test 
history and bogus specifications, using information publicly available 
on the Internet. We designed our protocol so that it would contain 
vague information about certain aspects of our proposed study. Our 
fictitious device was a post-surgical healing device for women that 
matched multiple examples of "significant risk[Footnote 3]" devices 
provided in publicly available FDA guidance. Our bogus medical device 
company then approached three actual, independent IRBs with information 
about our device and indicated that we wanted to submit our protocol 
for review and approval to conduct human testing. We selected these 
three IRBs by conducting a search online to identify independent IRBs, 
and then choosing three that we determined had less burdensome initial 
paperwork requirements than other IRBs for protocol submission. We 
fabricated additional documents requested by the IRBs for their initial 
review of our protocol, such as a curriculum vitae (CV) detailing our 
fictitious researcher's educational and professional 
experience[Footnote 4], and a medical license for our fictitious 
researcher. We created these counterfeit documents by using information 
found online and with commercially available hardware, software, and 
materials. After concluding the undercover portion of our 
investigation, we contacted two of the three IRBs to obtain information 
about their review process. 

We performed this investigation from January 2008 to March 2009 in 
accordance with quality standards for investigations prescribed by the 
President's Council for Integrity and Efficiency. 

Summary: 

Our investigation shows that the IRB system is vulnerable to unethical 
manipulation, particularly by companies or individuals who intend to 
abuse the system or to commit fraud, or who lack the aptitude or 
qualifications to conduct and oversee clinical trials. This 
vulnerability elevates the risk that experimental products are approved 
for human subjects testing with little or no substantive due diligence. 
We investigated three key aspects of the IRB system using fictitious 
companies, phony company officials, counterfeit documents, and a 
fictitious medical device. All communications and information 
submissions were conducted through the Internet or by fax. As a result, 
our investigators were never exposed to real-time activities, such as 
telephone conversations, face-to-face meetings, or site inspections, 
which would have revealed their lack of expertise, lack of an actual 
facility, and other fraudulent representations. The results of our 
investigation are as follows: 

* Our bogus IRB received a research protocol and related materials from 
a real company that was seeking our IRB's approval to add one of its 
clinics as a new test site for ongoing human trials involving invasive 
surgery. Our bogus IRB could have authorized human subjects testing to 
begin at this new test site without needing to register with any 
federal agency, since the transaction involved a company conducting 
privately funded research and did not involve any FDA-regulated 
products.[Footnote 5] We also registered our bogus IRB with HHS, after 
which HHS provided us with a registration number and listed our bogus 
IRB in its online directory of registered IRBs that review federally 
funded research. Our only communication with HHS as part of registering 
our IRB was through an online registration form, with no human 
interaction. The IRB registration process is meant to collect data that 
HHS uses during the subsequent assurance approval process. As such, HHS 
is not required to verify the information it receives during the IRB 
registration process. 

* HHS approved our application for an assurance, submitted by a 
fictitious medical device company. An assurance is required for 
researchers to receive federal funding from HHS for research involving 
human subjects testing, and is also used by other federal agencies in 
their funding approval process. To obtain an assurance, HHS requires 
researchers to designate, among other things, one or more IRBs to 
review the research covered by the assurance. We successfully used our 
bogus IRB to obtain HHS approval for an assurance on behalf of our 
fictitious medical device company, which would have allowed our 
fictitious medical device company to apply for federal funding for 
human subjects research. HHS provided us with an assurance number and 
listed our bogus company in its online directory of approved 
assurances, thereby helping our fictitious medical device company 
appear legitimate when we submitted a bogus research protocol to real 
IRBs, as described below. All contact with HHS was performed through an 
online application form or by fax. 

* One of three IRBs approved our bogus research protocol for human 
subjects testing after only minor edits to our submission materials, 
even though we were a bogus company with falsified credentials and an 
unproven medical device. When we provided the IRB (IRB 1) with bogus 
information that FDA had already cleared our device for marketing, it 
did not attempt to verify this information. A search of FDA's online 
database would have shown no evidence that FDA ever cleared the device 
for marketing. The remaining two IRBs (IRB 2 and IRB 3) provided us 
with such thorough comments on our testing protocol and submission 
materials that we determined we did not have the technical expertise or 
resources to address their questions and gain approval. For example, 
IRB 2 noticed that our fictitious protocol mentioned previous testing 
of the device performed on animals, and requested that we provide a 
copy of the results from the fictitious animal testing. IRB 3 requested 
that we send it a copy of the diagram that our bogus researcher would 
use to record incision lines he made as part of the surgery involved in 
our fictitious study. All of our communications with the IRBs during 
their review of our protocol were done by e-mail or fax. After 
submitting the protocols, we obtained meeting minutes for IRB 1 that 
showed its board members thought our bogus protocol was "probably very 
safe" and voted unanimously to approve it. However, in follow-up calls 
to the two other IRBs, an employee of IRB 2 said the protocol was 
"awful" and called it "junk." A board member of IRB 3 said it was the 
"riskiest thing I've ever seen on this board" and indicated that IRB 
3's board voted unanimously to reject the protocol. If we had been a 
real medical device company, we could have used the IRB approval we 
received to test our device on human subjects even though our research 
staff had falsified credentials and no research experience.[Footnote 6] 
We also could have used our bogus IRB mentioned above to approve our 
fictitious protocol, which shows the potential for unethical 
manipulation in the IRB system. 

We briefed HHS officials on the results of our investigation. They told 
us that HHS does not review IRB registrations or assurance applications 
to assess whether the information submitted is factual. Moreover, 
although HHS is required by law to consider the adequacy of IRBs listed 
on assurance applications when reviewing applications,[Footnote 7] the 
director of OHRP stated that his office would require more staff to do 
so. HHS officials also stated that the assurance process is not a 
meaningful protection against unethical manipulation. The director of 
OHRP acknowledged, however, that an HHS-approved assurance can lend 
credibility to a company because it means that HHS has recognized that 
company. 

Background: 

The Secretary of HHS has issued regulations that form the "Federal 
Policy for the Protection of Human Subjects."[Footnote 8] This policy 
is often referred to as the "Common Rule" because 17 other federal 
agencies that conduct, support, or regulate human subjects testing now 
follow some form of the policy.[Footnote 9] The Common Rule lays out 
the basic policies that should govern any research involving human 
subjects that is approved, funded, or conducted by the agencies that 
follow the Common Rule, as well as by all entities that need these 
agencies' approval of their human subjects research. 

Much of the Common Rule focuses on the role of IRBs in the testing 
process, as IRBs are the primary oversight mechanism for human testing. 
For example, the policy specifies that there must be at least five 
members of an IRB, with varying backgrounds, who are sufficiently 
qualified through experience, expertise, and diversity. The IRB must 
include members who have the professional competence to review the 
specific research activities being considered, as well as members with 
an understanding of a testing entity's internal protocols, the 
applicable law, and standards of professional conduct. Furthermore, 
among other requirements, the IRB should have members of mixed gender 
and mixed professions; should include at least one member with a 
scientific background and one with a nonscientific background; and 
should not have any members with a conflict of interest with the 
project being reviewed. 

The IRB review process is intended to assure, both in advance and by 
periodic review, that appropriate steps are taken to protect the rights 
and welfare of humans participating as subjects in the research. IRBs 
have the authority to approve, require modifications in, or disapprove 
proposed research. Figure 1 below provides a simplified illustration of 
the IRB approval process for human subjects research protocols. By law, 
clinical trials of experimental medical devices and drugs involving 
human subjects cannot begin until an IRB has approved the research 
protocol and any changes requested by the IRB have been made. To 
approve a research proposal, IRBs must determine that the following 
requirements are satisfied: 

* risks to research participants are minimized; 

* risks to research participants are reasonable in relation to any 
anticipated benefits, and to the importance of the knowledge that the 
research might produce; 

* informed consent will be sought from each prospective study 
participant or the participant's authorized representative; and: 

* there are adequate provisions in place to protect research 
participants' privacy and to maintain the confidentiality of research 
data.[Footnote 10] 

Figure 1: IRB Approval Process for Research Protocols Involving Human 
Subjects (Simplified): 

[Refer to PDF for image: flowchart] 

Device or drug submission: Medical research company submits item 
protocols and documentation to IRB for review process; 

Protocol and document review: IRB reviews protocols and documentation; 

Protocol and document approval: IRB approaches protocols and 
documentation; 

Human trials: Human subjects testing begins; 

Source: GAO. 

Note: FDA may have oversight functions in this process, depending on 
the risk level of the device or drug under review and other factors. 
However, the graphic is intended to provide a simplified illustration 
of the interaction between an IRB and a medical research company 
seeking to obtain the IRB's approval for an experimental drug or d

[End of figure] 

When seeking to obtain research participants' informed consent to 
participate in a study, researchers must make sure they offer the 
potential participants sufficient opportunity to consider whether or 
not to participate without undue influence or possibility of coercion. 
In addition, consent forms must contain language that is easily 
understood, and cannot contain any language that causes or appears to 
cause the participants to waive their legal rights, or that minimizes 
or appears to minimize the liability for negligence of the researcher 
and the sponsors of the research. In addition to reviewing proposed 
research protocols, IRBs are responsible for conducting continuing 
review of research at least once a year, or more frequently if the 
research represents a higher degree of risk to the human research 
subjects. 

IRBs also play a central role in the process by which entities apply 
for federal funding for human subjects research. An entity must have an 
approved assurance in order to receive federal funding for research 
involving human subjects testing from HHS and other federal agencies. 
An assurance is basically a declaration submitted by an entity engaged 
in human subjects research that it will comply with the requirements 
for the protection of human subjects under 45 C.F.R. Part 46. HHS has 
jurisdiction over human subjects research that is supported through 
federal funding, and approves assurances for federalwide use.[Footnote 
11] As such, other federal agencies that have adopted the Common Rule 
may rely on an assurance from HHS for any human subjects research they 
sponsor. To obtain an assurance, HHS requires an entity to declare to 
HHS that its activities related to human subjects are guided by ethical 
principles and federal regulations--the Common Rule--and to designate 
one or more IRBs to review the research covered by the assurance. In 
order for the application for assurance to be approved by HHS, all IRBs 
listed on the application are required to be registered with HHS. IRB 
registration involves providing HHS with basic information about the 
IRB, such as the name and contact information for the organization 
operating the IRB and for its head official, and the names and 
qualifications of its board members. In evaluating an application to 
determine whether or not to approve an assurance, HHS is required to 
consider, among other things, the adequacy of the proposed IRB in 
relation to the research activities of the entity that submitted the 
assurance.[Footnote 12] 

Results of Investigation: 

Establishing an IRB: 

We succeeded in getting a real company to send a research protocol and 
related materials to our bogus IRB for its review. As mentioned above, 
we created a Web site for our bogus IRB that resembled those of actual 
IRBs, and then advertised the services of our bogus IRB online and in 
newspapers to attempt to persuade legitimate medical researchers to 
send protocols to us. In our advertisements, we stated that we were 
"HHS approved," in reference to our bogus IRB's registration with HHS. 
We also sought to make our IRB look as attractive as possible by 
emphasizing the speed of our review process ("Fast Approval!") and 
flexibility to customer needs. The company that sent materials to us 
was seeking our bogus IRB's approval to add one of the company's 
clinics as a new test site for ongoing human trials involving invasive 
surgery. Our bogus IRB could have authorized human subjects testing to 
begin at this new test site--even though it was a fictitious IRB, with 
no medical research expertise whatsoever. Moreover, because this 
transaction involved a company conducting private (i.e., not federally 
funded) research, and did not involve any FDA-regulated products, our 
bogus IRB could have approved the research to begin without needing to 
register with any federal agency.[Footnote 13] We also received 
inquiries from five other real companies, which expressed interest in 
our bogus IRB's services. However, none of these five companies 
submitted any materials for us to review. 

All IRBs that review federally funded human subjects research are 
required to be registered with HHS.[Footnote 14] After we registered 
our bogus IRB with HHS, HHS provided us with a registration number and 
listed our bogus IRB in its online directory of registered IRBs that 
review federally funded research. Our only communication with HHS as 
part of registering our IRB was through an online registration form, 
with no human interaction. The IRB registration process is meant to 
collect data that HHS uses during the subsequent assurance approval 
process. As such, HHS is not required to verify the information it 
receives during the IRB registration process. However, our 
investigation of the assurance process, as described below, shows the 
importance of IRB registration data as they relate to HHS's evaluation 
of assurance applications. Moreover, if our bogus IRB had been an 
actual IRB that did not intend to review federally funded human 
subjects research, it would not have been required to submit any 
registration information. IRBs that intend to review privately funded 
human subjects research are not currently required to register with HHS 
or any other federal agency, although recently implemented regulations 
will change this as of July 2009.[Footnote 15] 

HHS's Federalwide Assurance Process: 

We found that the process for obtaining HHS approval for an assurance 
lacks effective controls. As mentioned above, we formed a fictitious 
medical device company with phony company officials and a mailbox for 
its business location--where human subjects research would supposedly 
be conducted. We then submitted an application to HHS for its approval 
of an assurance on behalf of our fictitious medical device company. As 
part of the application, we named our bogus IRB as the IRB responsible 
for reviewing the research covered by the assurance. HHS approved our 
assurance application, provided us with an assurance approval number, 
and listed our bogus medical device company in its online directory of 
approved assurances. Our only communication with HHS as part of this 
application was through an online application form and a faxed 
signature to complete the application. We did not have any real-time 
contact with HHS, whether by telephone, in person, or through a site 
visit. 

We do not know what verification HHS performed, if any, in its review 
of our assurance application. However, if HHS had performed basic 
screening of the assurance application, HHS would have found 
discrepancies that would have warranted further investigation, such as 
the fact that we used only a mailbox as our business location. As 
mentioned above, in evaluating an application to determine whether or 
not to approve an assurance, HHS is required to consider the adequacy 
of any IRB designated on the application, as the IRB will be 
responsible for overseeing the research activities of the entity that 
submitted the assurance application. By approving our assurance 
application, HHS essentially deemed our bogus IRB as adequate to 
oversee human subjects research, as conducted by our fictitious medical 
device company. Moreover, by obtaining an approved assurance from HHS, 
our fictitious medical device company can apply for federal research 
funding from HHS or other federal agencies.[Footnote 16] In addition, 
we used the assurance approval to boost the credibility of our 
fictitious medical device company by posting our assurance number on 
the fictitious medical device company's Web site. 

The IRB that approved our fictitious medical device protocol, as 
discussed below, is listed on HHS's Web site as being involved in more 
than 70 assurances on behalf of actual medical researchers. Each of 
these assurances is a first step for the medical researcher to apply 
for federal funding for human subjects research, with this IRB formally 
designated to oversee the research. 

IRBs' Research Protocol Approval Process: 

We were able to get an actual IRB to approve a fictitious protocol for 
human subjects research, which raises concerns that other IRBs may 
conduct protocol reviews without exercising due diligence, thereby 
exposing research volunteers to significant risk. For this test, we 
created a research protocol for a fictitious medical device with no 
proven test history and bogus specifications, and sent the protocol to 
three actual, independent IRBs under the guise of the medical device 
company we created for obtaining an assurance from HHS in our second 
test, as mentioned above. Our protocol offered only vague information 
about certain aspects of our proposed study and was designed using 
information publicly available on the Internet. As mentioned above, our 
fictitious device was a post-surgical healing device for women that 
matched multiple examples of "significant risk" devices provided in FDA 
guidance. In addition, we fabricated additional documents we needed to 
submit along with our protocol, such as a CV detailing the educational 
and professional experience of a fictitious researcher at our company, 
and a bogus medical license for the researcher. We succeeded in getting 
our fictitious protocol approved by an IRB, even though we were a bogus 
company with falsified credentials and an unproven medical device. If 
we had been a real medical device company, we could have begun testing 
our "significant risk" experimental device on actual human subjects. We 
also could have used our bogus IRB mentioned above to approve our 
fictitious protocol. This shows the potential for unethical 
manipulation in the IRB system. 

The IRB that approved our bogus research protocol (IRB 1) required only 
minor edits to our submission materials, and did not verify that the 
information contained in our protocol and related materials was correct 
or authentic, or even that our medical device company actually existed. 
For example, we provided IRB 1 with bogus information that FDA had 
already cleared our device for marketing because our device was found 
to be substantially equivalent to an existing, legally marketed 
device.[Footnote 17] IRB 1 did not attempt to verify this information 
even though a quick check of FDA's online database would have shown no 
evidence that FDA had ever cleared our device. By taking advantage of 
this lapse, our investigators--who lacked technical expertise in this 
subject--bypassed any requirement to develop a risk assessment for a 
device that, under normal circumstances, would be considered 
"significant risk" according to FDA guidance. Meeting minutes from IRB 
1's board meeting show that it accepted the bogus information about FDA 
clearance of our device as evidence that our device did not require any 
further risk assessment. See figure 2 below. 

Figure 2: Excerpts from IRB 1's Board Meeting Minutes, during Review of 
Fictitious Medical Device Protocol: 

[Refer to PDF for image: Meeting Minutes] 

Source: IRB 1. 

[End of figure] 

IRB 1 "conditionally approved" our protocol after a full board review, 
but requested that we modify our informed consent form for study 
participation in order to make the language understandable at a fifth- 
grade reading level. We modified our informed consent form as requested 
by using medical information found on the Internet, after which the 
board members of IRB 1 voted unanimously to approve our fictitious 
medical device protocol (see fig. 2 above). IRB 1 approved our 
fictitious protocol, thereby authorizing us to begin human testing, 
after only contacting us by e-mail or fax, and never by telephone or in 
person. IRB 1's board meeting minutes indicate that it believed our 
device was "probably very safe," as shown in figure 2 above. Although 
our protocol mentioned fictitious animal studies that we conducted on 
our device to ensure its safety, IRB 1 approved our protocol without 
ever seeing proof of these studies or any other evidence that our 
device was reasonably safe for use in human subjects. On its Web site, 
IRB 1 advertises the speed of its reviews and states that it performs a 
"triple check" for quality. IRB 1 has approved research protocols for 
experimental drugs tested by major pharmaceutical companies. 

The remaining two IRBs (IRB 2 and IRB 3) provided feedback on our 
protocol that was so extensive we determined we did not have the 
technical expertise or resources to gain approval. The extensive nature 
of the feedback IRB 2 and IRB 3 provided on our initial submission 
materials indicated that they follow a much more thorough review 
process than IRB 1, which approved our protocol. For example, IRB 2 
noticed that our fictitious protocol mentioned previous testing of the 
device performed on animals, and requested that we provide a copy of 
the results from the fictitious animal testing. In addition, IRB 3 
requested that we send it a copy of the diagram that our bogus 
researcher would use to record incision lines he made as part of the 
surgery involved in our study, and raised a number of questions about 
the timing and locations involved in our fictitious testing. The 
documents and information that IRB 2 and IRB 3 requested would have 
taken extensive time and research to fabricate, and demanded a level of 
technical expertise that we did not possess. IRB 1 approved our 
protocol without obtaining any of the additional information requested 
by IRB 2 and IRB 3.[Footnote 18] Our contacts with IRB 2 and IRB 3, 
during their review of our protocol, were done entirely by e-mail. 

We later interviewed representatives from IRB 2 and IRB 3 to obtain 
additional details about why they did not approve our protocol. 
Representatives from both IRBs expressed concern that our protocol did 
not contain adequate information about the safety of our fictitious 
medical device. For example, the manager of IRB 2 said that she worried 
that our device could cause infection in patients, or possibly even 
cause patients to develop sepsis.[Footnote 19] In addition, a board 
member from IRB 3, who claimed to have 15 years of experience reviewing 
research protocols with this IRB, stated that our protocol lacked any 
evidence that our bogus medical device was actually safe for 
implantation into a human body.[Footnote 20] He also said that IRB 3's 
board voted unanimously to reject our bogus protocol. Figure 3, below, 
shows additional examples of IRB 2's and IRB 3's comments on our 
fictitious medical device and protocol. 

Figure 3: Examples of Statements by IRB 2 and IRB 3 Regarding Our Bogus 
Medical Device and Protocol: 

[Refer to PDF for image: flowchart] 

IRB #2: Protocol was �awful� and a �piece of junk� �Did somebody else 
approve it [the protocol]? Oh, boy...� 

IRB #3: Protocol was the �riskiest thing I�ve ever seen on this 
board�Protocol was the �worst I�ve seen � too risky�

Source: GAO. 

[End of figure] 

None of the three IRBs questioned us about the authenticity of our 
bogus CV and counterfeit medical license. As mentioned above, we 
fabricated these documents by using information found online and with 
commercially available hardware, software, and materials. Our bogus CV 
contained information on our fictitious researcher's human subjects 
research background, which we created by using phony drug and device 
names and with information that we accessed on the Internet. Our 
counterfeit medical license contained a bogus license number with a 
similar format to real license numbers used by the state we claimed our 
license was from. 

Briefing with HHS: 

We briefed HHS officials on the results of our investigation. They 
stated that HHS receives around 300 IRB registrations and 300 assurance 
applications every month, and that OHRP currently has three employees 
who review all registrations and applications. According to HHS 
officials, the department does not review IRB registrations or 
assurance applications to assess whether the information submitted is 
factual. HHS officials said that the department reviews assurance 
applications to ensure that applicants have submitted all of the 
necessary information and meet minimum standards. Moreover, although 
HHS is required by law to consider the adequacy of IRBs listed on 
assurance applications when reviewing applications,[Footnote 21] the 
director of OHRP stated that his office would require more staff to do 
so. However, HHS officials added that they would not consider 
additional evaluation of IRB registrations or assurance applications to 
be worthwhile even if the office had increased resources. 

HHS officials stated that the assurance process is not a meaningful 
protection against unethical manipulation. They stated their belief 
that anyone submitting false or misleading information as part of the 
assurance application process would likely be detected during the 
subsequent process of applying for federal funding for human subjects 
research. However, our work shows that an unethical company could 
leverage an HHS assurance for purposes unrelated to the federal funding 
application process. For example, representatives from one of the IRBs 
that rejected our protocol stated that the HHS assurance number listed 
on our bogus medical device company's Web site gave our company 
credibility because it meant that HHS had recognized our company. When 
we discussed this with HHS, the director of OHRP acknowledged that an 
HHS-approved assurance is meaningful in this regard. 

Mr. Chairman, this concludes our statement. We would be pleased to 
answer any questions that you or other members of the subcommittee may 
have at this time. 

Contacts and Acknowledgments: 

For further information about this testimony, please contact Gregory D. 
Kutz at (202) 512-6722 or kutzg@gao.gov. Contacts points for our 
Offices of Congressional Relations and Public Affairs may be found on 
the last page of this testimony. GAO staff who made major contributions 
to this testimony include Matthew D. Harris, Assistant Director; 
Matthew Valenta, Assistant Director; Timothy Persons, Chief Scientist; 
Christopher W. Backley; Ryan Geach; Ken Hill; Jason Kelly; Barbara 
Lewis; Andrew McIntosh; Sandra Moore; James Murphy; and Seong B. Park. 

[End of section] 

Footnotes: 

[1] For the purposes of this testimony, we define an independent IRB as 
a private IRB that is not part of the same organization as the entity 
whose research is under the IRB's review. 

[2] Concerns about the speed of IRB reviews go back more than a decade. 
We noted in a 1996 report that some IRBs spent only 1 or 2 minutes on 
each review, often focusing mostly on reviewing the proposed research 
study's informed consent forms. See GAO, Scientific Research: Continued 
Vigilance Critical to Protecting Human Subjects, GAO/HEHS-96-72 
(Washington, D.C.: Mar. 8, 1996). In addition, the HHS Office of 
Inspector General noted in 1998 that IRBs reviewed too many research 
protocols too quickly. See Department of Health and Human Services, 
Office of Inspector General, Institutional Review Boards: A Time for 
Reform, OEI-01-97-00193 (Washington, D.C.: Department of Health and 
Human Services, Jun. 1998). 

[3] The FDA draws a distinction between "significant risk" and 
"nonsignificant risk" medical devices. A significant risk device, 
defined in 21 C.F.R. � 812.3(m), is one that "presents a potential for 
serious risk to the health, safety, or welfare of a subject"; a 
nonsignificant risk device does not present such a danger. For a 
significant risk device, the sponsor must submit an Investigational 
Device Exemption application to the FDA for approval before beginning 
clinical trials. For a nonsignificant risk device, the clinical trial 
must be approved by an IRB before it begins, but FDA approval is not 
necessary. 

[4] A curriculum vitae generally provides information on a person's 
education, employment experience, professional memberships, 
publications, and other qualifications for employment. 

[5] After we received the protocol and related materials from the real 
medical research company, we notified it that we were unable to serve 
its business needs and destroyed the documents it sent us. 

[6] We voluntarily withdrew our protocol from consideration by the two 
IRBs that rejected our initial proposal, before they conducted any 
additional review. 

[7] 45 C.F.R. � 46.103(d). 

[8] 56 Fed. Reg. 28003 (Jun. 18, 1991). 

[9] These other agencies are: Department of Agriculture, Department of 
Energy, National Aeronautics and Space Administration, Department of 
Commerce, Consumer Product Safety Commission, U.S. Agency for 
International Development, Department of Housing and Urban Development, 
Department of Justice, Department of Defense, Department of Education, 
Department of Veterans Affairs, Environmental Protection Agency, 
National Science Foundation, Department of Transportation, Central 
Intelligence Agency, Social Security Administration, and Department of 
Homeland Security. 

[10] 45 C.F.R. � 46.111, for HHS research, and 21 C.F.R. � 56.111, for 
FDA-regulated product research, describe these and other requirements 
for IRB approval of proposed research. 

[11] Federal funding includes grants, contracts, or cooperative 
agreements under the Public Health Service Act (codified as amended in 
scattered sections of 42 U.S.C. chapter 6A). 

[12] 45 C.F.R. � 46.103(d). 

[13] As mentioned above, after we received the protocol and related 
materials from the real medical research company, we notified it that 
we were unable to serve its business needs and destroyed the documents 
it sent us. 

[14] While the registration requirement is currently only HHS policy, 
HHS recently issued a final rule that will require registration by 
formal regulation. This regulation, effective July 14, 2009, also 
expands the amount of data an IRB is required to provide during the 
registration process. 74 Fed. Reg. 2399 (Jan. 15, 2009). 

[15] FDA regulations cover some human subjects research that involves 
experimental drugs or medical devices, even though IRBs reviewing the 
research are not required to register with any agency. However, FDA 
does not currently maintain a comprehensive list of all IRBs involved 
in testing experimental drugs or devices on human subjects. On January 
15, 2009, FDA issued a final rule that requires all IRBs reviewing 
products that fall under FDA regulations to register with HHS. This 
rule is effective on July 14, 2009. 74 Fed. Reg. 2358 (Jan. 15, 2009). 

[16] Although assurance approval from HHS allows us to apply for 
federal funding for our research, it does not necessarily mean that we 
would have been awarded such funding. However, as our investigation was 
designed to test HHS's controls during its process for evaluating 
assurance applications, we determined that the actual process of 
applying for federal funding for human subjects research was beyond the 
scope of our investigation. 

[17] FDA's 510(k) premarket notification process includes a 
determination of whether each new device (1) has the same intended use 
as an existing, legally marketed device, and (2) the new device has the 
same technological characteristics as the existing, legally marketed 
device, or has different technological characteristics and submitted 
information shows that the new device is as safe and effective as the 
existing device. If FDA determines that the new device is substantially 
equivalent to a legally marketed device, the manufacturer may market it 
immediately. For more information about the 510(k) process and the more 
stringent premarket approval process, see GAO, Medical Devices: FDA 
Should Take Steps to Ensure That High-Risk Device Types Are Approved 
through the Most Stringent Premarket Review Process, GAO-09-190 
(Washington, D.C.: Jan. 15, 2009). 

[18] As mentioned above, we voluntarily withdrew our protocol from 
consideration by the two IRBs that rejected our initial proposal, 
before they conducted any additional review. 

[19] Sepsis is a life-threatening illness caused by a human immune 
system's overreaction to bacterial infection, which may lead to organ 
failure and death. 

[20] We did not verify the accuracy of the claims from IRB 2 and IRB 3 
about the health risk posed by our fictitious medical device. 

[21] 5 C.F.R. � 46.103(d). 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO�s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO�s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: