On Research Podcast – Research Compliance

Justin Osborne: Hello, and welcome to the second season of On Research with CITI Program. I’m your new host, Justin Osborne. This season, we’ll meet with a research expert every month to discuss different aspects of the research industry. The discussions we have are meant to drive further conversations at your own organization. Hopefully we can all learn a little more about research together. And here we are. I’m excited for our first guest in 2024, Kate Cohen, Chief Compliance Officer at SIU Medicine in Illinois. Kate has held multiple roles at different organizations in general healthcare compliance and privacy, as well as research compliance, and even at a local IRB at a research hospital. So we welcome Kate to the podcast as our research compliance expert.

As a reminder, this podcast is for educational purposes only. It is not designed to provide legal advice or legal guidance. You should consult with your organization’s attorneys if you have questions or concerns about the relevant laws and regulations that may be discussed in this podcast. In addition, the views expressed in this podcast are solely those of our guests. So let’s jump into my conversation with Kate. Hello, Kate. Thank you for joining. Thanks for taking the time.

Kate Cohen: Yeah, thanks for inviting me.

Justin Osborne: Yes. So to start us off here in talking about research compliance, tell us how you got into research, your background a little bit and how you came to be the Chief Compliance Officer at SIU.

Kate Cohen: Sure. Well, I am an attorney by training. I was practicing law. I happened to be practicing law within a hospital setting and running a project within a hospital. And they put me in the suite, the office suite with all the risk management folks and where the compliance people sat when they were on site. And I just got to know them and became friendly with them. I got to see what they were doing every day and the in-house aspect of the hospital and some of those regulatory functions. And one day they were like, “Hey, would you be interested in a compliance job we’re opening?” And I said, “Well, maybe. What does that look like?” And I stumbled into that. I was ready for change and didn’t really know what I was getting into. I’m not sure if I knew what I was getting into, but I went and jumped as high as I did.

But I stumbled into compliance, like most people stumble into healthcare compliance. And while I was doing that job within the hospital, there was an effort being undertaken to centralize research functions. There was a lot of research places or a lot of health systems or other places that do research experience, a siloed set-up. And so they brought somebody in to centralize that. That person said, “We really need a research compliance dedicated person.” And she called me one day in my office and said, “Would you be interested in this?” And I said, “Okay, yeah, maybe. Sure.” So I also stumbled into research. I always joke that the week before I started the job, she called me and said, “I had to add the IRB to your job. So you’re going to be running the IRB now.” And I said, “Great, no problem.” And Googled what is an IRB?

And that was how I got my first IRB focused job also. So I pulled into all these places. It’s not intentional at all. But once I went in research and in research compliance, it was so clear to me that I liked it so much more than the rest of compliance. And I liked it more than any other job I had had and certainly better than practicing law and went down the research rabbit hole after that. And here I am is still a research nerd many, many, many years later.

Justin Osborne: And here we are. Well, thank you. Thank you. And it’s nice to have this kind of expertise. It’s also nice to hear that you enjoy what you’re doing in this sector. Can you define research compliance?

Kate Cohen: Well, that’s a super loaded question. Can anyone define compliance generally? The thing about compliance, whether it’s research compliance or general compliance, is then it looks different at every organization, right? Every organization scopes out what that function is going to be for them. But as a general statement, compliance is the process that an institution undergoes to try to meet or exceed all the rules, the regulations, the standards that apply to them as an organization. For every organization that looks different, different sets of rules depending on what you’re doing. The compliance function is supposed to be identifying risks for the organization, helping to prioritize risks, mitigate that risk, generally create any culture of compliance.

A compliance program is supposed to be preventing and detecting anyone’s misconduct. We’re lucky in the compliance sense that the federal government tells us what the compliance program is supposed to look like. And that’s centered around what’s called the seven elements. No matter what sector you’re in, most compliance program guidance or enforcement guidance centers around those seven elements. So no matter what you’ve scoped it out to be at your organization, we know what the compliance program is supposed to generally do and look like. And for research compliance specifically, it’s all of those things dedicated to your research program, whatever that is.

Justin Osborne: So speaking of the seven elements, just for those listening that don’t know too much about this space, are you able to rattle off the seven elements?

Kate Cohen: Sure. So I’m going to use the seven elements that were most recently updated in the HHS-OIG general compliance program guidance. You’ll see variations of the seven elements in different guidance documents, but this is the one I’m going to use as the most recent OIG list. First element is going to be written policies and procedures. The first sub elements of that is the code of conduct and then policies and procedures. The second element is compliance, leadership and oversight. So guidance documents talk about we got to have a compliance officer. You’ve got to have a compliance committee. Your governing board should have some oversight over the compliance program. Number three is training and education. How do we inform people about their obligations and different compliance topics? Number four is effective lines of communication with the compliance officer and with disclosure programs. So how do people report things to you? Do you have a hotline? How do you communicate that information out to outside of the organizations when disclosures are required?

Number five is what’s referred to as enforcing standards. So making sure that when you do have individuals who are violating compliance standards or standards set by the organization that there are consequences. Most recently, it’s been added to look at incentives for being compliant as part of enforcing standards. Number six is risk assessment, auditing and monitoring. So you’re expected to do some sort of risk assessment process every year and also engage in auditing and monitoring activities. And then number seven is how you respond to detected offenses and making sure you have corrective action plans developed. So how do you investigate potential violations, how you report those things when they’re required to be reported, how you develop and implement and monitor corrective action.

So those seven are what you would build your program around. And we’re lucky that federal government has issued various guidance documents that give us some insight into how they evaluate these things so you can compare that to your program and evaluate effectiveness. And for research, these things also stand. This is not just for general compliance, even though I’m naming them out of the general compliance program guidance document. Research compliance programs, especially in a healthcare setting, but certainly in other settings should be built around these seven elements as well.

Justin Osborne: Well, thank you. That’s a big undertaking to build a program like that. So in your experience, what does a successful research compliance program look like?

Kate Cohen: Well, a successful research compliance program is one that from the outset is built around that program specific risk. So you can build a compliance program. I could take my research compliance program and plop it into somebody else’s facility, no problem. That’s easy, right? But if they’re doing different types of research, if they’re doing certain regulated research that I’m not doing, that’s not going to translate. The number one thing is really a program that is built around what your risk is. And the only way to do that is to know your research program, know your research portfolio, know what your strengths and weaknesses are, know what kind of regulations apply to you, and then do a risk assessment. What does that mean? How does that translate to the research you’re doing, the staffing that you have, the types of controls you already have in place to mitigate some of that risk and build that work plan for your research program around the risk assessment to test those controls to identify where there aren’t controls, things like that.

So a successful research compliance program is always going to be built on the foundation of what kind of research do you do, what are your risks? And then after that, as I’ve already said, it’s going to look different for every organization, where the compliance officer sits, how much they get involved in things like operational matters. I tend to think from a structure perspective, and this is the world according Kate, lots of people are going to disagree with me and say, “Absolutely not. I think the opposite or she’s totally wrong.” But having lived in programs where research compliance sits with research and then having also lived in programs where research compliance sits within the larger compliance structure, I always tend to think it works better when research compliance is part of a larger compliance infrastructure of the organization for a lot of reasons, but primarily because you have the benefit of the resources of that compliance group.

You’re plugged into what’s going on in the rest of the organization, the compliance risks, some of the challenges, you have a good idea of what some of the other compliance activities that are happening in the organization are, and you can help your program translate those for research. You can align some of your goals with what the corporate compliance program is. And to some extent, it conveys authority that sometimes a program that sits alone in research doesn’t have. So that’s just me. That’s my opinion. And I’ve enjoyed working mostly in programs that are sitting within the corporate compliance structure, but you’ve seen one research compliance program and you’ve seen one research compliance program. They’re always going to look different. And what works for one organization might not work for the next one.

Justin Osborne: Yeah. Well, and that makes sense with the authority piece that you were talking about. So just to throw it out there for you because obviously you’ve been in compliance so you’re probably used to this, but for those of us that have worked at organizations, nobody wants a call from their compliance department. People usually try to avoid this group in general. So how do you bridge that gap and make sure that people understand that you’re not there to be punitive only?

Kate Cohen: Yeah, stigma is real. [inaudible 00:12:01] it literally does. No matter how you approach things, no matter what kind of relationships you build, there is just people who are going to be cringing when you walk down the hall or when your name shows up on the caller ID or across the email. I think it’s all about in the approach. And I think that the most successful compliance programs, you mentioned that we don’t always only up for the punitive, I think that the approach to compliance should always be that you are there as a partner, you’re there as a strategic partner to help the organization understand risks, understand best practices, understand how to mitigate certain risks, and you are a partner to helping them do what it is they want to do, right? Research compliance is an integral part of helping the research business team do more research, do better research, do different new innovative research, right?

You want to be on the front line of changing clinical care. You want to have investigator initiated studies that included INDs or IDEs or new technology. You’ve got to have your compliance person at the table who is there to help you figure out these are the minefields you’re going to be walking through, and here’s how you avoid some of these challenges. And not everybody approaches compliance that way. And I think it’s easy to say and it’s harder in practice because there’s plenty of times where I in my career have said to leadership, “Hey, we really got to think about this a different way because here are some of the concerns that I have based on the risk that this presents.” And they’re like, “Yeah, thanks. We’re doing it anyway, exactly like this.” And that’s super frustrating.

But as long as you’re understanding that your role is to advise them, it’s not to make those decisions, it’s not to dictate what they’re doing. It really is to help them work through those things and to be there to help work through when things go south, right? When something goes wrong, I always want the first call to be to me, not because they think they have to call me, but because they know I’ll help them. They know I’ll step in. They know that I’ll be able to help immediately mitigate some of those risks. So there’s always going to be people who have a negative feeling about compliance, and that’s okay. Slowly but surely, we’ll change hearts and minds.

Justin Osborne: That’s right.

Kate Cohen: The individual people, the approach, the philosophy is really important. And then reinforcing that every interaction you have with people. I say this to my kids too, you can have 10 positive interactions with somebody, but the one negative one erases the other 10. And so the same is true for us in a professional setting. Every single interaction that you have with people has to reinforce that and to know I’m the chief compliance officer of a healthcare organization, some people think that comes with some authority I could throw around or be the bad guy for them. Sometimes it does mean that, but you have to know when to pull that trigger and exercise that and not show up every day in that space of I make these decisions, I have the authority because that isn’t my role.

Justin Osborne: Yeah. And I like that. I like having the attitude of a partner, like you said, that you’re there to actually help them and build a research program or move it in a certain direction together with them. You’re another piece of the necessary puzzle of that. So you mentioned helping programs be innovative if they want to go in that direction. Obviously regulations are changing and being updated. How are things like all the hot topics, AI and DCTs and everything else going on in research, how does that impact your research compliance world and what thoughts do you have on that?

Kate Cohen: Yeah, so AI keeps me up at night, that there’s just so much to it, not just in the research space, but for me in the general healthcare space, how we’re using it, what kind of information we put in it. And I think when you’re talking about designing interventions or studies that have AI or something like AI that’s new, that’s misunderstood, that’s antiquated regulations don’t totally make sense for having your compliance person at the table to talk that out and really work through that is really important before you design your whole study and put it through the IRB, get your funding and then, whoops, you’re ready to enroll patients. And compliance is actually, this is protected health information. We can’t use AI for this or that. And so in having that partner at the forefront to help you work through some of those challenges as you’re dealing with new emerging technology or things that are not our bread and butter that we do every day at a regular old phase three sponsored drug study, a lot of us can do that in our sleep. That’s easy. We know how to work through that.

But some of these new things with wearable devices and all of those things, they’re things that our researchers are using and developing incredible new ideas for interventions and improvement of healthcare, improvement of all sorts of things. All I’m going to say is you have to be at the table. So how is it impacting me and the research compliance space? It makes me worried and having to educate people and make sure, “Hey, when we’re talking about something like this, I got to be at the table. We got to talk.” I have somebody on my compliance team who identifies herself as techy, and that also really helps me to have somebody who can translate that language and know what the tech people are talking about, not just in a research context, but in general compliance. And I recognize my own weakness and I’ve had to help supplement some of that expertise with my teams.

Justin Osborne: So using AI just as an example because you had mentioned the regulations are not up-to-date. Obviously, they can’t keep up with the speed that the technology is moving. Is that where the gap is? Is that where the concern comes in from your world in that it has not yet made it to a regulation, and so institutions are just left up to their own opinions on this matter? Or is it just that there’s so much unknown about the potential that causes potential risk in your world?

Kate Cohen: I think it’s both. So I think there are regulations that we apply to situations with, say example AI. So we have HIPAA when we want to use AI with protected information, but when HIPAA was written, AI was not part of what they were thinking about. Even recent proposed updates, not what everybody’s thinking about. And we saw this with the common rule updates as well, that everyone was so excited about the updates and the first updates, and they did a lot to address where there were some regulatory gaps where you were having to apply regulations that weren’t really designed for this scenario to these scenarios. And it was clunky. Maybe these most recent regulatory changes with commonwealth didn’t go far enough because there’s yet another set of all these new things that we’re having to apply regulations that weren’t necessarily written with that in mind too.

So it’s not that there isn’t regulation that can be applied, it’s that it’s clunky. I don’t know another word to use for it other than that-

Justin Osborne: No, that works.

Kate Cohen: Because one, it wasn’t designed with that in mind, and the technology is changing so quickly that there’s no way that they could ever keep up with this from a regulatory perspective with the way laws get made. And so we’re always going to have to be dealing with the clunkiness of having take this that wasn’t designed for this and put it over here where it does. It doesn’t need to somehow fit in the box. It doesn’t fit nicely, but we got to work with what we got, right?

Justin Osborne: Absolutely, absolutely. That makes sense. Okay, so I’m going to step back because you’ve gotten into some of the regulations and we’ve talked in broad terms about the research compliance world. You said you fell into it yourself. There are people I’m sure listening and out there that are interested in getting into this world that are fascinated by all these topics. So what advice do you have for people that are wanting to get into research compliance?

Kate Cohen: If you’re in an organization that’s already doing research and you’re trying to break in, or maybe you’re on the general compliance side, trying to dabble or break into research, my recommendation would be to go and talk to the research people, get to know them, get to know what kind of research is happening, shadow if you can. I will say, again, having sat on the general compliance side of things first and then move to research and back to general and back and forth, the research people always say, “We’re different. You don’t understand. We’re completely different.” So I think really trying to understand why they are so unique, why they are different, and understanding not just what kind of research your organization does, but the lifecycle of a research study.

Do you know why a study is phase one versus phase three? Do you know what the regulatory pathway for getting new drugs or new devices approved are? Can you understand outside of the specific research that your organization is doing, why research happens, how it happens, what that looks like, what a CRO is? We use a lot of acronyms in research. So do you know what those are and how to get familiar with them? And then for me, I really think somebody who’s new to research compliance sit through a consent with a patient who’s in an interventional study, watch what the coordinator does, get to know what that process looks like, not just for your own experience, but also because I think in my experience sometimes all of us compliance people, no matter where you sit, we sit in our rural offices and we sometimes forget the the patients that are involved until one of them calls us with a complaint or there’s a concern.

It’s easy to deal just in the details of policies and documents and contracts and regulations. And sitting through that consent process, I think, is really helpful to always bring it back to the patient should be the center of all the work that we’re doing, but including research compliance. If you don’t work in an organization that does research, you don’t have that opportunity, my number one recommendation is to phone a friend. So the research compliance community is actually relatively small. Everybody in this community is willing to talk to you, bounce questions off of you, let you come and see their program. I’ve done that with people who I’ve met at HCCA, research compliance conferences, invited them to come and spend a day at my organization, talk to people. How are we set up? What are the things that our compliance program does?

Justin Osborne: That’s great.

Kate Cohen: And then once you have some of those conversations, find somebody who’s willing to either mentor you or just have a regular touchpoint with you so that you have someone off this perspective. You have an opinion. Sometimes when you’re getting into this new, you start down these paths and you think, “I don’t know anything. I have so much to learn.” Or, “I think that’s right.” And then the minute somebody pushes back on you, you’re like, “But am I right? I think I am.” And so sometimes it’s good to just have that older friend to say, “I don’t know what I’m thinking. Does that make sense to you? Am I missing something?” And then last thing is the research space has so many conferences, more than most spaces, I think. I really encourage anyone who’s interested in research compliance to get connected with HCCA, go to that conference, the research compliance conference. They also have a research compliance academy, and you want to go through the basics.

I would also say there’s lots of conferences that are not compliance focused, but that you will learn a ton about research. You’ll have an opportunity to engage with operational teams, ACRP, SOCRA, MAGI, all of those, just getting a good idea of what are hot topics, what are other people talking about? For people who are focused on billing compliance in the research space, there is a billing compliance dedicated conference that’s coming up here at the end of February. So there’s lots of places you can go, and I know it’s hard to get conference dollars in your budget, but the value of it and not just the content, it really is the people. And I will say I’ve met so many people at conferences who are my phone a friend, and I have become phone a friend for plenty of people that I’ve met at conferences and stepped into a mentor role for some people who have come to these conferences wanting to learn because they’re getting into these new types of roles. So talk to people, meet people.

Justin Osborne: That’s great advice. Yeah, obviously research compliance, as we’ve talked about, is very broad. It’s a very large world. How do you keep up with everything changing, all the updates coming down the pike from all the different organizations? How do you keep up with it?

Kate Cohen: It’s hard. So for me, I rely really heavily on Listservs and making sure that I’m signed up for Listserv emails from OIG, from other professional organizations like HCCA or other organizations that I’m a member of. And I really rely on a lot of those emails to help me make sure that I’m aware of what’s going on, what’s coming down the pipeline, how it might impact my organization. I will also say conferences. I need to come back to that. That has also been incredibly helpful. Most of these conferences will have a year in review that will highlight some of the specific areas that maybe have regulatory changes or guidance updated. So I do rely on some of that as well. For me, the other thing is I always try to remind myself that I have to stay curious. I have to stay interested because in your day-to-day, it can be really easy to just put your head down and do your work and attend your meetings.

And if you’re not constantly trying to learn, it really is going to hinder your success. It’s going to hinder your program’s success. So really is important that my team and I approach everything we do as something that should be changed on a regular basis. Nothing is stagnant. Nothing should just be put in place and then it’s done because it can’t just be done. Your program won’t be successful if you’re not constantly updating your approach, your risk assessment, your work plan, your audit plan for what is coming down the pipeline or what has changed since you made that. As a general example, we had some items in our work plan that were built around part of a proposed billing change that got postponed. So I hadn’t revisited that document on a regular basis to say, “Hey, this is actually no longer play. We’re going to pull it. We’re going to defer these items. We’re going to see what happened on that.”

My document would just reflect I hadn’t done something without approaching it as a living breathing document that has to be changed all the time. I think that’s, for me, how I stay up-to-date and how I make sure that the program that I’m running is up-to-date. But it’s hard. There’s a lot of stuff going on. There’s a lot of things that, depending on the kinds of research you do, could really impact you or impact your organization as a whole. The other thing I’ll say is if you’re in a research focused role and you’re not otherwise connected to your compliance program at your organization, that’s a good reason to get connected to them so that you understand some of the things that are coming down the pipeline that impact the organization that on its surface may not seem like it has an impact on research, but really might.

So it may not be termed a research regulatory update, but it does in fact have implications for your program. If you’re not plugged in and you don’t know what preparations or what changes are coming through the organization because of that, you may miss something or be late to the party and the other… I just think it’s really important to say because people don’t say this enough. It’s okay if you’re late to the party. The ideal is that you’re not, but when you know about it, you address it. That’s important, even if it’s a little bit later than it should be.

Justin Osborne: No, that’s great. That’s great. So how many compliance department and office folks right now are shaking their fists at Kate? Because now everybody from the research office is going to go to them and ask for all the updates and all the info, but I do think that’s a good idea. I think that that is a great way for the research team outside of compliance to look at compliance as a resource to help them.

Kate Cohen: Yeah, it should be. It should be a partnership.

Justin Osborne: Yeah, yeah. Well, Kate, this has been fantastic. I really appreciate your time. Thank you for explaining this world to us and diving in a little bit about what research compliance is.

Kate Cohen: Oh, yeah. Well, thanks for having me. I’m always happy to talk about any of these topics. I’m glad to have been invited.

Justin Osborne: This is great information. I’m sure people will take a lot from this and appreciate it. So thanks again, Kate.

Kate Cohen: Thanks.

Justin Osborne: Be sure to follow, like and subscribe to On Research with CITI Program. If you enjoyed this episode, you may be interested in other podcasts in the CITI Program universe, including On Campus and On Tech Ethics. You can listen to all our podcasts on Apple Podcasts, Spotify, and other streaming services. You should also review CITI Program’s content offerings regularly, as we are continually adding new courses, subscriptions, and webinars. Thanks for listening.