HHS OIG Report • February 2018 • OEI-04-15-00432 Entities’ Experiences and Perceptions of Reporting the Theft, Loss, or Release of Select Agents or Toxins to CDC In recent years, Congress and the media At a Glance have devoted attention to several events at laboratories involving the theft, loss, or • CDC expressed concern that entities release of select agents or toxins.1 Select that had reported no theft, loss, or agents and toxins are bacteria, viruses, release events (TLR events) involving select agents or toxins for multiple fungi, or other microorganisms that have the years may be underreporting them and potential to pose severe threats to health, may pose more of a risk than entities such as smallpox, Ebola, or anthrax. that regularly report TLR events. CDC Entities registered to possess, use, and requested that we collect information transfer select agents and toxins must report on entities’ experiences and perceptions of reporting TLR events. all events that involve a potential theft, loss, or release (TLR events) to the Federal • All 21 entities in our review had been Select Agent Program (FSAP). The registered with the Federal Select Agent Program (FSAP) at least 6 years, Centers for Disease Control and and two-thirds of them had reported at Prevention’s (CDC) Division of Select least one TLR event to the FSAP. The Agents and Toxins (DSAT) provides remaining one-third had never reported oversight of entities that are registered with a TLR event; however, we found no the Federal Select Agents Program (FSAP) evidence that any of the 21 entities were underreporting TLR events. to possess, use, and/or transfer select agents and/or toxins that pose a severe risk to • Entity-identified benefits to reporting public health and safety. TLR events include improvements to entity or FSAP processes and In FSAP terminology, a “theft” is the decreased risks to the entity and the unauthorized removal of a select agent or community. toxin. A “loss” is a failure to account for • Half of the entities in our review said a select agent or toxin. A “release” is an that obstacles to reporting TLR events occupational exposure or discharge of a include a fear of negative select agent or toxin outside of the primary consequences and a burdensome, restrictive reporting process. CDC may barriers of a biocontainment area.2, 3 be able to better encourage the CDC requested that the Department of reporting of TLR events by addressing these obstacles, improving entities’ Health and Human Services’ (HHS) Office training and guidance, and further of Inspector General (OIG) collect fostering a culture of safety within the information on entities’ experiences and FSAP that encourages such reporting. perceptions of reporting TLR events. The request was spurred by our May 2017 report 1 on CDC’s oversight of the FSAP, which found that almost 3 of every 4 entities (201 of 275) had reported no TLR events over a 3-year period (from 2013 through 2015).4 Although the number of TLR events reported to the FSAP has increased over time—which CDC attributes to entities’ becoming more aware of the reporting requirements—CDC has expressed concern that entities with no reported TLR events for multiple years may be underreporting them and may pose more of a risk than entities that regularly report TLR events.5 This report describes the extent to which sampled entities have reported TLR events; their perceptions of obstacles to and benefits of reporting TLR events; and the actions that CDC and entities can take to ensure reporting of all required events. We did not independently verify the accuracy or validity of entities’ statements. These comments reflect entities’ experiences and perceptions of the reporting of TLR events. Including these comments in this report does not indicate that OIG endorses these statements. This report is the second of three HHS OIG reports on CDC’s oversight of entities registered with the FSAP. The first report found that while CDC generally met its inspection goals for the FSAP, opportunities exist to strengthen its oversight.6 The third report will assess CDC’s oversight of entities’ compliance with the requirements at 42 CFR § 73.9(a)(6) regarding annual internal inspections. BACKGROUND The FSAP oversees the possession, use, and transfer of select agents and toxins and is jointly managed by HHS and the U.S. Department of Agriculture (USDA). The FSAP is composed of DSAT—part of CDC—and the Agriculture Select Agent Services (AgSAS), part of USDA’s Animal and Plant Health Inspection Service (APHIS).7 The focus of this report is CDC’s DSAT. See Appendix A for an overview of the structure and role of the FSAP and registered entities. Among its other oversight activities, CDC’s DSAT inspects FSAP-registered entities to determine whether they meet all of the regulatory requirements at 42 CFR part 73.8 During these inspections, if DSAT finds potential noncompliance with regulations, including the regulatory section regarding the reporting of TLR events (i.e., 42 CFR § 73.19), it identifies them as “observations.” To be compliant with the FSAP regulations, each entity must have a Responsible Official (RO). The RO must have the authority and responsibility to act on the entity’s behalf to ensure the entity’s compliance with the FSAP regulations. Entities may also designate one or more Alternate ROs who can act in the absence of the RO.9 The TLR Event Reporting Process After discovering a potential TLR event, an entity has three, and sometimes four, reporting responsibilities. First, it must immediately (within 24 hours) report the event to DSAT via telephone, fax, or email. Second, if the event is a potential theft or loss, the entity must immediately report it to appropriate law enforcement agencies. Third, it must follow the reporting requirements listed in its incident response plan; this may include reporting the event to a public health agency.10 Fourth, within 7 days, the entity must complete and submit to DSAT an Incident Notification and Reporting APHIS/CDC Form 3 (Theft/Loss/Release), also known as an APHIS/CDC Form 3.11 Even if an entity is unsure whether a TLR event occurred or whether it has fully resolved the incident, it should still submit an initial notification and a subsequent APHIS/CDC Form 3.12 The initial notification should include as much information as possible about the incident. At 2 a minimum, the entity must include the following:  type of TLR event (i.e., theft, loss, or release );  date, time, and duration of the incident;  name of the select agent or toxin and any identifying information (e.g., strain or other characterization information) involved in the incident;  an estimate of the quantity of select agent or toxin involved in the incident;  location where the incident occurred within the entity’s facility; and  listing of the law enforcement and/or public health agencies notified. Furthermore, in the case of a release, the entity must also provide in the initial notification the number of individuals potentially exposed, any actions taken to respond to the release (e.g., medical surveillance/intervention), and hazards posed by the release (e.g., potential impact to public health).13 On the APHIS/CDC Form 3, the entity must submit all of the information from the initial notification. The entity should also include supporting documentation, such as entity access logs, entity standard operating procedures, and the results of any followup investigation that it conducted.14 For releases only, the entity should also indicate the length of the exposure.15 At registered entities, individuals approved to access select agents and toxins (e.g., principal investigators) must immediately report any TLR event to the RO.16 The RO is responsible for acting on behalf of the registered entity.17 While the TLR regulation does not specify who at a registered entity is responsible for reporting a TLR event to DSAT, FSAP guidance clarifies that the RO or Alternate RO must submit the APHIS/CDC Form 3 to DSAT.18 Once DSAT receives a TLR event report, it initiates a multiphase process for assessing and responding to the reported incident.19 See Exhibit 1 for a flowchart depicting DSAT’s process for receiving and responding to reports of TLR events. Compliance Actions and TLR Events DSAT may initiate a compliance action against an entity for failing to report a TLR event. 20 However, because DSAT’s primary goal is to ensure entity compliance with the FSAP regulations, DSAT will first work collaboratively with entities so they can achieve compliance with these regulations.21 This may include issuing warning letters, implementing corrective action plans, and providing opportunities to address observations identified during DSAT inspections.22 DSAT may also revoke the entity’s registration or refer the entity to HHS OIG, which could impose a potential civil monetary penalty. In September 2017, DSAT posted new information to its website that outlines instances when compliance actions may be imposed on entities for TLR events.23 According to this information, the type and severity of the TLR event, among other factors (e.g., the biosafety level of the laboratory involved in the incident) would determine whether DSAT would subject the entity to compliance action and, if so, the severity of the compliance action. Efforts to Increase TLR Event Reporting and Compliance DSAT has initiated several efforts to create and strengthen a culture of safety and security and to increase compliance with the regulations for reporting TLR events (i.e., 42 CFR § 73.19). Since 2014, the FSAP has offered several training webinars, workshops, and seminars to educate entities 3 Exhibit 1: DSAT’s Process for Receiving and Responding to Notifications of TLR Events Entity notifies DSAT of a potential TLR event and submits a completed APHIS/CDC Form 3 within 7 days. Information Collection . DSAT logs and tracks information from initial notification and APHIS/CDC Form 3. DSAT analyzes the information to determine whether a TLR event actually occurred, the type of TLR event, and the risk to public health. TLR event confirmed? Classification and YES NO Evaluation DSAT proceeds to the DSAT communicates next steps. “no findings” in a letter to the entity. FILE CLOSED DSAT identifies factors that may have contributed to the TLR event and may conduct an onsite inspection to collect additional information regarding the TLR event. Theft or Loss: DSAT conducts a security review and, if appropriate, notifies Investigation and the Federal Bureau of Investigation and verifies that the entity contacted the Federal, State, or local law enforcement agencies named in the entity’s Information-Sharing Incident Response Plan. Release: If appropriate, DSAT notifies other Federal agencies and verifies that the entity contacted the Federal, State, or local public health agencies named in the entity’s Incident Response Plan. DSAT sends the entity a formally signed letter—requiring a response—that includes DSAT’s findings on the factors that contributed to the TLR event and the actions that the entity should take to reduce recurrence. Entity responds to DSAT letter. Followup and File Is the entity’s response sufficient to demonstrate that the issues DSAT Closure identified have been addressed? YES NO FILE CLOSED DSAT and the entity continue to communicate until the issues that caused the TLR event have been resolved and the case is closed. DSAT may perform additional onsite inspections to enhance its monitoring of the entity’s response to the TLR event. Source: HHS OIG analysis of DSAT’s and the FSAP’s policies and guidance for reporting TLR events, 2017. 4 about the requirements for reporting TLR events and other safety, security, and incident response issues.24 CDC also recently proposed changes to the APHIS/CDC Form 3 and requested public comments on these proposed changes.25 CDC also requested public comments on ways to enhance the quality, utility, and clarity of TLR data and minimize entities’ burden. On October 31, 2017, the updated APHIS/CDC Form 3 was approved by the Office of Management and Budget. The revised form includes improvements such as clarifying what needs to be reported as a “release” and “loss” and additional fields to assist with categorizing the type of release, type of exposure, and the understanding of safety and security risk levels relative to human illness. Methodology for This Review We analyzed FSAP regulations, as well as FSAP or DSAT policies and guidance documents, to understand the TLR reporting requirements and DSAT’s oversight of them. We also collected data from the National Select Agent Registry (NSAR) to obtain the observations identified during DSAT inspections from 2013 through 2015 related to the requirement to report TLR events. We selected a purposive sample of 22 entities. We began with a population of 233 entities that were continuously registered with the FSAP from 2013 through 2015. From this population of 233 entities, we identified a subpopulation of 75 entities that received a 2015 Registration Renewal inspection from DSAT.26 From this subpopulation of 75 entities, we selected a purposive sample of 22 entities. We distributed Web-based surveys to these 22 entities in March and April 2017. In the surveys, we requested information about entities’ perceptions and experiences in reporting TLR events to the FSAP. We asked entities about their experiences and perceptions regarding the obstacles to reporting TLR events, actions to encourage such reporting, and benefits of such reporting. We analyzed data from 21 of the 22 entities in our review. Although all 22 entities responded to our survey request, 1 entity responded that it was no longer registered with the FSAP and could not provide data in response to our survey questions. Therefore, our findings are based on survey responses from 21 of the 22 entities in our review. Most entities’ responses pertained to the FSAP, but some entities specifically referenced CDC’s DSAT. We make these distinctions in the instances where they occurred. We did not independently verify the accuracy or validity of entities’ statements. See Appendix B for more details on our methodology. 5 RESULTS Two-thirds of the 21 entities in our review had reported TLR events to CDC Of the 21 entities in our review, 14 stated that they had reported at least one TLR event to the FSAP—specifically, to CDC’s DSAT—since they had been registered. Ten of these 14 entities had reported TLR events to the FSAP at least once from 2013 through 2015, reporting an average of 4 TLR events during that timeframe. The other four entities had not reported a TLR event to the FSAP from 2013 through 2015 but stated that they had reported at least one TLR event to the FSAP at some point since they had been registered. The remaining 7 of 21 entities stated that they had never reported a TLR event to the FSAP at any point while registered with the program. Specifically, these entities stated that they had not reported TLR events to the FSAP because they had not experienced any incidents that required a TLR event to be reported. We have no evidence to indicate that these 21 entities are underreporting TLR events. After analyzing data from DSAT’s inspections from 2013 through 2015, we determined that DSAT did not identify any observations at these seven entities regarding 42 CFR § 73.19. Thus, DSAT did not cite any of these entities for failure to report TLR events. The entities in our review were not new to the program and had been registered with the FSAP for an average of 12 years (ranging from 6 to 13 years). See Exhibit 2 for a comparison of entities that had reported at least one TLR event to the FSAP versus those that had reported none. This comparison includes a variety of characteristics, such as the average length of time the entities have been registered with the FSAP. We also analyzed whether these entities only stored (and did not use) select agents or toxins, which would limit the possibility that TLR events could occur at these entities. Only one of the seven entities in our review that had never reported TLR events was registered as having only spaces for storage (rather than use). 6 Exhibit 2: Characteristics of the 21 Entities in Our Review, By TLR Event Reporting Status Entities That Had Entities That Had Never Reported At Least One Reported TLR Events Characteristic TLR Event (7 Entities) (14 Entities) Average Length of Time Entity Had Been 12 12 Registered With the FSAP (in Years) Entity Size Average Number of Principal Investigators 4 2 Average Number of Laboratories 9 3 Entity Type* Government Non-Federal 5 1 Academic 4 1 Government Federal 1 3 Commercial 1 2 Private Nonprofit 3 0 Highest Biosafety Level at Entity Biosafety Level 4 1 0 Biosafety Level 3 12 4 Biosafety Level 2 1 3 Biosafety Level 1 0 0 Average Number of Compliance Actions, 0.6 0.4 2013–2015** Source: HHS OIG analysis of DSAT data, 2017. * A government non-Federal entity is part of an agency of a State or local government (excluding academic entities). An academic entity is a private or public university, college, or other institution of higher learning. A government Federal entity is part of an agency in the Federal Government. A commercial entity is a privately owned for-profit company, including partnerships and corporations either privately held or whose shares are traded on the open market. CDC defines a private entity as any privately owned company, including partnerships and corporations in which no part of the income is distributed to the owners, directors, officers, members, or stockholders and whose principal purpose is for charitable or benevolent purposes. CDC and APHIS, 2015 Annual Report of the Federal Select Agents Program. Accessed at https://www.selectagents.gov/annualreport2015.html on September 19, 2017. However, in the National Select Agent Registry, DSAT labels the latter type of private entities as “private (nonprofit).” ** Compliance actions are used to address serious or repeated observations and include corrective action plans, registration denials, registration suspensions, registration revocations, and referrals. Referrals may be made to Agriculture Select Agent Services (AgSAS), the Federal Bureau of Investigation, or HHS OIG. AgSAS is the U.S. Department of Agriculture’s counterpart to DSAT; for more on AgSAS, see page 17. For more information on compliance actions and DSAT’s use of them from 2013 to 2015, please see our previous report: OIG, CDC Generally Met Its Inspection Goals for the Federal Select Agent Program; However, Opportunities Exist To Strengthen Oversight (OEI-04-15-00430), May 2017, pp. 5–6, 13–14. 7 Almost half of the entities in our review identified obstacles to reporting TLR events, most commonly citing a fear of negative consequences; entities also suggested actions to address these obstacles Even though entities are required to report TLR events to the FSAP, it is possible that actual or potential obstacles could discourage entities from reporting TLR events. Of the 21 entities in our review, 10 identified such actual or potential obstacles.27 Eight of the 10 entities said that fears of negative consequences for reporting TLR events may pose actual or potential obstacles to reporting. Three of the 10 entities stated that burdens in the reporting process may also pose actual or potential obstacles to reporting TLR events. See Exhibit 3 for the full listing of these entity- identified obstacles to reporting TLR events that entities identified, as well as the number of entities that identified them. Appendix C compares the extent to which these obstacles were identified by entities that had reported at least one TLR event to the FSAP versus those that had not. Exhibit 3: Entity-Identified Actual or Potential Obstacles to Reporting TLR Events Actual or Potential Obstacle Number of Entities Fear of Negative Consequences From Reporting 8 Fear of Punishment 5 Fear of Damaged Reputation 4 Other/Nonspecific* 2 Reporting Process Is Burdensome and Restrictive 3 Entity Staff Are More Focused on Responding to 1 Incident TOTAL** 10 Source: HHS OIG analysis of entities’ survey responses, 2017. * These entities’ responses included general references to a fear that reporting TLR events would have a negative impact on the entity’s program for select agents and toxins. ** The sum of the number of entities that identified these obstacles exceeds the total because some entities identified more than one obstacle. Entities suggested a variety of actions that DSAT and entities could take to address these actual or potential obstacles to encourage the reporting of TLR events. Specifically, 14 of the 21 entities in our review suggested actions that could address entities’ fears of negative consequences or problems with the reporting process.28 See Exhibit 4 for the listing of these actions, by the number of entities that suggested each action. Exhibit 11 in Appendix D compares the extent to which these actions were suggested by entities that had reported at least one TLR event to the FSAP versus those that had not. 8 Exhibit 4: Entity-Suggested Actions To Encourage TLR Event Reporting That Could Address Entities’ Fear of Negative Consequences and a Burdensome Reporting Process Action Number of Entities Address Entities’ Fear of Negative Consequences 11 The FSAP or Entities Could Ensure That the Reporting Process Allows for Nonpunitive Reporting and That 11 Staff Know This The FSAP or Entities Could Ensure That the Response to 2 Reports of TLR Events Is Commensurate With the Incident Make the Reporting Process Less Burdensome and 6 Restrictive The FSAP or Entities Could Improve the Process 4 The FSAP Could Improve the APHIS/CDC Form 3 2 TOTAL* 14 Source: HHS OIG analysis of entities’ survey responses, 2017. * The sum of the number of entities that suggested these actions exceeds the total because some entities suggested more than one action. Address Entities’ Fear of Negative Consequences With regard to actions that the FSAP and entities could take to ensure that the reporting process allows for nonpunitive reporting and that staff know this, specific comments included:  The FSAP should develop ways to encourage reporting without “intentional retribution” to the entity or its programs.  The FSAP should demonstrate that the process is not punitive.  The FSAP should make further attempts to “decriminalize” the process for reporting TLR events to address the current perceived attitude as one of “guilty first.”  The entity should inform staff that they will not “get into trouble” if they report a TLR event to the RO or Alternate RO.  The entity should make sure that personnel understand that their jobs are in jeopardy only if they conceal such incidents. With regard to actions that the FSAP and entities could take to ensure that the response to a report of a TLR event is commensurate with the incident, specific comments included:  The FSAP should have a measured response based on the seriousness of the entity’s TLR event.29  It is important for staff to trust the entity/oversight bodies to respond in a reasonable, measured way. Too often, the punishment does not “fit the crime.”30 Make the Reporting Process Less Burdensome and Restrictive With regard to actions that the FSAP and entities could take to improve the reporting process itself, specific comments included: 9  The FSAP could create a different reporting mechanism for releases of select agents or toxins. A different reporting form for releases could reduce possible hesitation to report a release (e.g., a laboratory exposure), which is likely more common than a theft or a loss. The APHIS/CDC Form 3 groups releases together with thefts and losses, and to many entities, this grouping denotes illegal activity and possible punitive action.  Entities could allow all or any laboratory employee involved to fill out the APHIS/CDC Form 3 along with the RO or Alternate RO.  Entities can try to provide internal methods for TLR event reporting that facilitate compliance, cooperation, and communication. With regard to actions that the FSAP could take to improve the reporting form, specific comments included:  The FSAP should frequently reassess the format and required fields in forms. It seems that the current focus is more on the bureaucratic aspects of reporting rather than on safety, security, and open communications.  The FSAP could create an online APHIS/CDC Form 3 that is prepopulated with the entity’s information. This form could require a login. Sixteen entities in our review suggested other actions to encourage the reporting of TLR events, most commonly suggesting improved training and guidance and establishing a culture of safety Even though entities are required to report TLR events, the FSAP and entities may be able to take certain actions that can encourage entities to report TLR events. Sixteen of the 21 entities in our review also suggested other actions that the FSAP or entities could take to encourage the reporting of TLR events.31 These actions include improving training and guidance regarding the reporting of TLR events, establishing a culture of safety that emphasizes the value of reporting, and improving the collaboration between the FSAP and entities. See Exhibit 5 for the full listing of other actions that entities suggested the FSAP or entities could take to encourage the reporting of TLR events and the number of entities that suggested these actions. Additionally, Exhibit 12 in Appendix D contains the listing of suggested actions, by entities that had reported at least one TLR event to the FSAP versus those that had not. 10 Exhibit 5: Entity-Suggested Other Actions That the FSAP or Entities Could Take To Encourage Reporting of TLR Events Action Number of Entities Improve Training and Guidance on Reporting TLR Events 9 Entities Could Improve Understanding of Requirements and Responsibilities 4 The FSAP and Entities Could Share Lessons Learned 3 The FSAP Could Provide Technical Assistance 2 Other/Nonspecific* 3 Establish a Culture of Safety That Emphasizes the Value of Reporting 8 The FSAP and Entities Could Develop Positive Messaging and Methods for Reporting 5 The FSAP and Entities Could Ensure That the Program Is Transparent 5 and Accountable The FSAP and Entities Could Ensure Honesty, Trust, and Support in the 2 Program Other/Nonspecific** 1 Improve Collaboration Between the FSAP and Entities 5 The FSAP and Entities Could Establish Good Working Relationships 4 The FSAP Could Increase Resources for Inspectors To Follow Up With 1 Entities After They Report TLR Events Ensure Program Allows for Process Improvements 2 TOTAL*** 16 Source: HHS OIG analysis of entities’ survey responses, 2017. * These responses included general references to FSAP or entity training, discussions, and communication. ** This response included a general reference to build a culture of biosafety within the laboratory. *** The sum of the number of entities that suggested these actions exceeds the total because some entities suggested more than one action. Improve Training and Guidance on Reporting TLR Events With regard to actions that entities could take to improve the understanding of requirements and responsibilities, specific comments included:  Entities should remind personnel that the reporting of TLR events is required by law.  Entities could train staff to always inform the RO and Alternate RO when a TLR occurs or is suspected.  Entities could plan for and provide better training, drills, and exercises that allow staff to practice the conditions under which they would report TLR events. With regard to actions that the FSAP and entities could take to share lessons learned, specific comments included:  The FSAP could provide more webinars to discuss past incidents in which TLR events were reported and the “after actions” 32 resulting from those incidents.  The FSAP could provide educational opportunities and share lessons learned so people see 11 the value of reporting TLR events. With regard to actions that the FSAP could take to provide technical assistance, specific comments included:  The FSAP could take on a supportive role with entities that are new or less experienced.  DSAT could assist entities with risk mitigation and control strategies, guidance, education, and training. Establish a Culture of Safety That Emphasizes the Value of Reporting With regard to actions that the FSAP and entities could take to develop positive messaging and methods for reporting TLR events, specific comments included:  The FSAP could develop ways to encourage reporting without “intentional retribution” to the entity or its programs.  The FSAP could demonstrate that the process is not punitive but is educational and can prevent future incidents.  DSAT could emphasize that the reporting of TLR events is an opportunity for DSAT to assist the entity rather than impose automatic penalties, fines, or inspections. [We note that according to CDC, TLR events do not automatically result in penalties or fines.]  Entities can positively communicate with their staff about the reporting of TLR events and try to provide internal training that encourages TLR event reports using methods for internal reporting that facilitate compliance, cooperation, and communication. With regard to actions that the FSAP and entities could take to ensure that the program is transparent and accountable, specific comments included:  The FSAP could continue its efforts to be more transparent.  The FSAP could hold the responsible individuals accountable while also remembering that those reporting a TLR event are generally not the “guilty party.”  The FSAP could establish a good rapport with entities that allows for open discussion and interactions.  Entities need to have an open, transparent program. With regard to actions that the FSAP and entities could take to ensure honesty, trust, and support in the program, specific comments included:  The FSAP could establish a good rapport with the entities that allows for open discussion and interactions.  Entities could develop a culture of trust and safety between biosafety officers and researchers.  Entities must encourage an atmosphere of honesty, trust, and support for all of their programs and personnel, which would promote honest interactions among the research staff, with the FSAP, and with the community. Improve the Collaboration Between the FSAP and Entities With regard to actions that the FSAP could take to establish good working relationships, specific comments included: 12  The FSAP could build “partnership” relationships with the ROs.  The FSAP could encourage honest interactions and good working relationships between the DSAT file manager and the entity.  DSAT could address entities’ perception of DSAT as a “governing bad guy.” With regard to actions that the FSAP could take to improve its collaboration with entities by increasing resources for inspectors to follow up with entities after they report TLR events, the specific comment was:  The FSAP should also provide adequate resources, time, and training to its inspectors and during the followup after the TLR event report as it often feels as if the focus is more on the bureaucratic aspects of reporting rather than a focus on safety, security, and open communications. Ensure That Entities’ Programs Allow for Process Improvements With regard to actions that entities could take to ensure that their respective programs allow for process improvements, specific comments included:  Entities could view reporting a TLR event as an opportunity to make enhancements or more robust control strategies and mitigate defined weaknesses.  Entities need to have an open and transparent program that is constantly evolving to allow for process improvement. Nearly all entities identified benefits to reporting TLR events, most commonly citing improvements to entity or FSAP processes Entities are required to report TLR events to the FSAP; however, actual or potential benefits may help entities see the value in reporting TLR events. Of the 21 entities in our review, 20 identified actual or potential benefits related to reporting TLR events to the FSAP.33 See Exhibit 6 for a listing of the actual or potential benefits that entities identified for reporting TLR events to the FSAP and the number of entities that identified each benefit. In addition, see Appendix E for the full listing of entity-identified benefits of reporting TLR events, by entities that had reported at least one TLR event to the FSAP versus those that had not. With regard to the actual or potential benefits from improvements to entity or FSAP processes, specific comments included:  TLR event reports ensure that entities review and improve their existing procedures in the areas of security, incident response, and biosafety. These reviews and improvements can prevent future incidents or help entities respond to them.  Reporting TLR events allows entities to improve their processes by better understanding what went wrong and what caused the TLR event.  When entities report all TLR events, it allows the FSAP to assess the overall impact of the regulations. For example, the FSAP can assess whether any regulations need rewording or clarification to improve reporting, compliance, and/or safety. In addition, it allows oversight agencies to assess whether regulations should be retired or updated. 13 Exhibit 6: Entity-Identified Actual or Potential Benefits From Reporting TLR Events Actual or Potential Benefit Number of Entities Improvements to Entity or FSAP Processes 11 Decreased Risk to Entity or Community 6 DSAT Technical Assistance 5 Compliance and Accountability 5 Trust and Transparency 5 TOTAL* 20 Source: HHS OIG analysis of entities’ survey responses, 2017. * Note: The sum of the number of entities that identified these benefits exceeds the total because some entities identified more than one benefit. With regard to the actual or potential benefits from decreasing the risk to the entity and the community, specific comments included:  Reporting TLR events allows for the entity and the FSAP to have a quicker response to the incident and decreased risk of exposure to laboratory personnel and the community.  Benefits to the reporting of TLR events are identifying lab exposures and providing prophylaxis (e.g., medical intervention taken to prevent disease). In cases of theft, reporting TLR events aids in identifying breaches and improving security.  Reporting all TLR events strengthens the laboratory system and protects the public. With regard to the actual or potential benefits from (1) receiving technical assistance from the FSAP, (2) compliance and accountability, and (3) trust and transparency, specific comments included:  Reporting TLR events will allow the FSAP to assist the entity with the best way to deal with the incident.  Reporting TLR events promotes and ensures compliance and confidence in the entity.  Reporting TLR events to the FSAP ensures that the FSAP is aware of incidents before the TLR events “hit the news.”  The honest reporting of TLR events promotes trust among the institution, regulators, and the community. 14 CONCLUSION In recent years, Congress and the media have devoted attention to several TLR events at laboratories involving select agents and toxins. All of these TLR events were required to be reported—and were reported—to the FSAP, as they posed a risk to public health and safety. However, DSAT expressed concern to us that entities with no reported TLR events for multiple years may be underreporting them and may pose more of a risk than entities that regularly report TLR events. In our May 2017 report examining CDC’s oversight and inspections of entities registered with FSAP, we found that almost three of every four entities did not report a TLR event during the 3-year period from 2013 through 2015. In part because of this finding, CDC requested that we collect information on entities’ experiences in and perceptions on reporting TLR events. In the current report, we found that 7 of 21 entities in our review had never reported a TLR event to the FSAP at any point while registered with the program, but we have no evidence to indicate that any of the 21 entities are underreporting TLR events. In light of CDC’s ongoing efforts to improve its oversight of the FSAP—particularly, regarding its efforts to increase the reporting of TLR events and compliance—Exhibit 7 illustrates how the actions that entities suggested in our review to encourage the reporting of TLR events might coincide with or enhance CDC’s ongoing or future efforts to increase the reporting of TLR events and compliance. Exhibit 7: Entity-Suggested Actions To Encourage TLR Event Reporting and CDC’s Ongoing or Future Efforts To Increase TLR Event Reporting and Compliance Entity-Suggested Actions To Encourage CDC’s Ongoing or Future Efforts To Increase TLR Event Reporting TLR Event Reporting and Compliance Address entities’ fears of negative consequences Improved education and training Improve TLR event reporting training opportunities (e.g., webinars or and guidance seminars) Establish a culture of safety that emphasizes the value of reporting Improve collaboration between the FSAP and entities Ensure the program allows for Changes to APHIS/CDC Form 3, process improvements enhancements to TLR data, and reductions in entity burden Make the reporting process less burdensome and restrictive Source: HHS OIG analysis of entities’ survey responses and CDC-reported activities, 2017. 15 This report is the second of three HHS OIG reports on CDC’s oversight of entities registered with the FSAP. The first report found that while CDC generally met its inspection goals for the FSAP, opportunities exist to strengthen its oversight. The third report will provide CDC with information on entities’ compliance with the requirements at 42 CFR § 73.9(a)(6) for annual internal inspections. 16 APPENDIX A: The Structure and Role of the FSAP and Registered Entities The FSAP oversees the possession, use, and transfer of select agents and toxins and is jointly managed by HHS and the U.S. Department of Agriculture (USDA). The FSAP is composed of DSAT—part of CDC—and the Agriculture Select Agent Services (AgSAS), part of USDA’s Animal and Plant Health Inspection Service (APHIS).34 See Exhibit 8 for the departments, agencies, and divisions responsible for providing FSAP oversight. DSAT’s role within the FSAP is to oversee entities that possess, use, or transfer select agents and toxins that pose a severe risk to public health and safety. AgSAS’s role within the FSAP is to oversee entities that possess, use, or transfer select agents and toxins that pose a severe risk to animal and plant health or to animal and plant products. Exhibit 8: The FSAP Oversight Structure Federal Select Agent Program (FSAP) U. S. Department of Health and U.S. Department of Agriculture Human Services (USDA) (HHS) Centers for Disease Control Animal and Plant Health and Prevention Inspection Service (CDC) (APHIS) Division of Select Agents and Toxins Agriculture Select Agent Services (DSAT) (AgSAS) Source: HHS OIG analysis of the FSAP, About Us. Accessed at https://www.selectagents.gov/about.html on August 23, 2017. Entities must register with the FSAP to possess, use, or transfer select agents or toxins in their laboratories.35 Each entity may have one or more laboratories, and each laboratory may have contain one or more principal investigators and other staff who conduct research with the select agents and toxins, in addition to the RO and Alternate RO. 17 APPENDIX B: Detailed Methodology Sample Selection Of the 233 entities that were continuously registered with the FSAP from 2013 through 2015, we identified a subpopulation of 75 entities that received a 2015 Registration Renewal inspection from DSAT. Of this subpopulation, we selected a purposive sample of 22 entities. We selected this sample to ensure representation with regard to the following characteristics:  entity size, as determined by the number of principal investigators and laboratories at the entity;  entity type; and  whether the entity had been the subject of a compliance action from 2013 through 2015. See Exhibit 9 for information about the population, subpopulation, and purposive sample on these selection characteristics from 2013 through 2015. Data Collection In March and April 2017, we sent a Web-based survey to the 22 entities in our sample. We received responses from all 22 entities. However, upon receipt of our request, one entity responded that it was no longer registered with the FSAP. Therefore, no staff at the entity were knowledgeable about the entity’s previous research with select agents and toxins, and they could not complete our request. We confirmed with DSAT that this entity was no longer registered with the FSAP as of 2016. Therefore, we removed this entity from our analysis, and our findings are based on survey responses from 21 entities. The one entity that did not respond to our request was a commercial entity with four principal investigators, five laboratories, and no compliance actions from 2013 through 2015. We asked entities about their experiences of reporting TLR events and the benefits and challenges associated with reporting TLR events. We also asked entities for actions that they and the FSAP could take to encourage reporting of TLR events. We also collected information from DSAT staff and reviewed final and draft DSAT or FSAP policies to learn about current and planned program policies, goals, and oversight activities related to the requirement for reporting TLR events. Finally, we collected data from the NSAR to obtain the observations identified during DSAT inspections from 2013 through 2015 related to the requirement to report TLR events. Data Analysis Based on entities’ self-reported information, we identified entities that had reported at least one TLR event to the FSAP versus those that had not. For those entities that had never reported TLR events to the FSAP, we analyzed NSAR data to determine whether these entities were cited for observations regarding their failure to notify DSAT of thefts, losses, or releases (i.e., 42 CFR § 73.19) from 2013 through 2015. We also used NSAR and other DSAT data to determine the following for each entity: length of time the entity had been registered with the FSAP, size of the entity (i.e., number of principal investigators and laboratories), the highest biosafety level at the entity, and the number of compliance actions to which the entities were subjected from 2013 through 2015. 18 Exhibit 9: Selection Characteristics of the Population, Subpopulation, and Purposive Sample of Entities Registered With the FSAP From 2013 Through 2015 Population of Entities Subpopulation of Continuously Entities with 2015 Selection Characteristic Registered With Registration Sample the FSAP From Renewal 2013 Through Inspections 2015 (233 Entities) (75 Entities) (22 Entities) Entity Size Average Number of Principal Investigators 2 2 3 Average Number of Laboratories 4 4 7 Entity Type* Government Non-Federal 75 23 6 Academic 73 24 5 Government Federal 36 11 4 Commercial 35 12 4 Private Nonprofit 14 5 3 Average Number of Compliance Actions, 2 0 1 From 2013 Through 2015** Source: HHS OIG analysis of DSAT Data, 2017. * A government non-Federal entity is part of an agency of a State or local government (excluding academic entities). An academic entity is a private or public university, college, or other institution of higher learning. A government Federal entity is part of an agency in the Federal Government. A commercial entity is a privately owned for-profit company, including partnerships and corporations either privately held or whose shares are traded on the open market. CDC defines a private entity as any privately owned company, including partnerships and corporations in which no part of the income is distributed to the owners, directors, officers, members, or stockholders and whose principal purpose is for charitable or benevolent purposes. CDC and APHIS, 2015 Annual Report of the Federal Select Agents Program. Accessed at https://www.selectagents.gov/annualreport2015.html on September 19, 2017. However, in the National Select Agent Registry, DSAT labels the latter type of private entities as “private (nonprofit).” ** Compliance actions are used to address serious or repeated observations and include corrective action plans, registration denials, registration suspensions, registration revocations, and referrals. Referrals may be made to Agriculture Select Agent Services (AgSAS), the Federal Bureau of Investigation, or HHS OIG. AgSAS is the U.S. Department of Agriculture’s counterpart to DSAT; for more on AgSAS, see page 17. For more information on compliance actions and DSAT’s use of them from 2013 to 2015, please see our previous report: OIG, CDC Generally Met Its Inspection Goals for the Federal Select Agent Program; However, Opportunities Exist To Strengthen Oversight (OEI-04-15-00430), May 2017, pp. 5–6, 13–14. To describe the obstacles to reporting TLR events, actions to encourage such reporting, and benefits of such reporting, we conducted qualitative and quantitative data analysis on the responses we received from the 21 entities in our review. For the qualitative data, we first reviewed the data and identified preliminary themes of obstacles, actions to encourage, and benefits. In doing this, we determined that some entities’ responses did not align with the question asked and, instead, better aligned with another question. Consequently, we recategorized some entities’ responses to more closely align with the questions. For example, if a response to the question pertaining to 19 obstacles was phrased as an action to encourage reporting (e.g., “improve the form”), we moved the response to the category on actions to encourage reporting. We then re-reviewed all responses in each category and finalized our themes and subthemes of obstacles, actions to encourage, and benefits. We counted each entity only once for each theme and subtheme, regardless of the number of times the entity provided a comment related to the theme or subtheme. We then conducted quantitative analysis to determine the frequency of responses in each theme and subtheme for obstacles, action to encourage, and benefits, respectively. Limitations We reviewed a purposive sample of entities registered with the FSAP between 2013 and 2015 that fell under DSAT’s oversight authority. Since we selected a purposive sample, our results apply only to the 21 entities in our review. Entities’ responses cannot be generalized to all entities under DSAT’s oversight authority or to all entities registered with the FSAP. Most entities’ responses pertained to the FSAP, but some entities specifically referenced CDC’s DSAT. We make these distinctions in the instances where they occurred. We did not independently verify the accuracy or validity of entities’ statements. While we did, in some cases, modify comments from their original wording to clarify comments (e.g., by using the questions posed to entities, as context), make grammatical or typographical edits, or use excerpts of comments to align with the organization of this report, we did not alter the meaning or tone of the comments. Further, these comments reflect entities’ experiences and perceptions of the process for reporting TLR events, but other stakeholders may have valid information, experiences, or perceptions that contradict them. Finally, the inclusion of these comments does not indicate that OIG endorses the statements. Conclusions about differences between the responses of the entities that had reported at least one TLR event and those that had not are limited due to the small sample size. Additionally, statements about the obstacles, actions to encourage, and benefits cited by entities that had never reported TLR events likely represent their perceptions of obstacles, actions, and benefits, as they do not have first-hand experience in reporting TLR events to the FSAP. Standards This study was conducted in accordance with the Quality Standards for Inspection and Evaluation issued by the Council of the Inspectors General on Integrity and Efficiency. 20 APPENDIX C Exhibit 10: Entity-Identified Actual or Potential Obstacles to Reporting TLR Events, by Entities With and Without TLR Event Reports Number of Number of Entities That Entities That Total Actual or Potential Obstacle Had Reported Had Never Number of At Least One Reported TLR Entities TLR Event* Events** Fear of Negative Consequences To Reporting 5 3 8 Fear of Punishment 2 3 5 Fear of Damaged Reputation 4 0 4 Other/Nonspecific*** 1 1 2 Reporting Process Is Burdensome and 2 1 3 Restrictive Staff Are More Focused on Responding to 0 1 1 Incident TOTAL**** 6 4 10 Source: HHS OIG analysis of entities’ survey responses, 2017. Note: Conclusions about differences between the responses of the entities that have reported at least one TLR event and those that have not are limited due to the small sample size. Additionally, statements about obstacles that have been provided by entities that have never reported TLR events likely represent their perceptions of obstacles, since these entities do not have first-hand experience in reporting TLR events. * Of the 14 entities in our review that had reported at least one TLR event, 6 identified actual or potential obstacles to reporting TLR events. Of the remaining eight entities, five indicated that there were no obstacles to reporting TLR events to the FSAP. Two entities did not provide responses. The remaining entity responded to the question about obstacles but described actions to encourage the reporting of TLR events; for this entity, we did not classify the response as an identification of an obstacle and instead included the response in our analysis of suggested actions to encourage the reporting of TLR events. ** Of the seven entities in our review that had never reported TLR events, four identified actual or potential obstacles to reporting TLR events. The three remaining entities indicated that there were no obstacles to reporting TLR events to the FSAP. *** These entities’ responses included general references to a nonspecific fear that reporting TLR events would have a negative impact on the entity’s program for select agents and toxins. **** The sum of the number of entities that identified these obstacles exceeds the total because some entities identified more than one obstacle. 21 APPENDIX D Exhibit 11: Entity-Suggested Actions To Encourage TLR Event Reporting That Could Address Entities’ Fear of Negative Consequences and a Burdensome Reporting Process, by Entities With and Without TLR Event Reports Number of Number of EntitiesThat Entities That Total Number Action Had Reported Had Never of Entities At Least One Reported TLR TLR Event* Events** Address Entities’ Fear of Negative 7 4 11 Consequences The FSAP or Entities Could Ensure That the Reporting Process Allows for 7 4 11 Nonpunitive Reporting and That Staff Know This The FSAP or Entities Could Ensure That the Response to TLR Event Reports is 1 1 2 Commensurate With the Incident Make the Reporting Process Less 4 2 6 Burdensome and Restrictive The FSAP or Entities Could Improve the 3 1 4 Process The FSAP Could Improve the 2 0 2 APHIS/CDC Form 3 TOTAL*** 9 5 14 Source: HHS OIG analysis of entities’ survey responses, 2017. Note: Conclusions about differences between the responses of the entities that have reported at least one TLR event and those that have not are limited due to the small sample size. * Of the 14 entities in our review that had reported at least one TLR event, nine suggested actions to encourage TLR event reporting related to entities’ fear of negative consequences or a burdensome process for reporting TLR events. Of the remaining five entities, three suggested only actions not related to entities’ fear of negative consequences or a burdensome process for reporting TLR events. Two entities did not respond to the question. ** Of the seven entities in our review that had never reported TLR events, five suggested actions to encourage TLR event reporting related to entities’ fear of negative consequences or a burdensome process for reporting TLR events. The remaining two suggested only actions not related to entities’ fear of negative consequences or a burdensome process for reporting TLR events. *** The sum of the number of entities that suggested these actions exceeds the total because some entities suggested more than one action. 22 Exhibit 12: Entity-Suggested Other Actions That the FSAP or Entities Could Take To Encourage TLR Event Reporting, by Entities With and Without TLR Event Reports Number of Number of Entities Entities That Total That Had Actions Had Never Number of Reported At Reported Entities Least One TLR Events** TLR Event* Improve Training and Guidance on Reporting TLR 4 5 9 Events Entities Could Improve Understanding of Requirements and Responsibilities 2 2 4 The FSAP and Entities Could Share Lessons Learned 1 2 3 The FSAP Could Provide Technical Assistance 1 1 2 Other/Nonspecific*** 2 1 3 Establish a Culture of Safety That Emphasizes the Value 7 1 8 of Reporting The FSAP and Entities Could Develop Positive Messaging and Methods for Reporting 4 1 5 The FSAP and Entities Could Ensure That Program Is 4 1 5 Transparent and Accountable The FSAP and Entities Could Ensure Honesty, Trust, and 1 1 2 Support in the Program Other/Nonspecific**** 1 0 1 Improve Collaboration Between the FSAP and Entities 4 1 5 The FSAP and Entities Could Establish Good Working Relationships 3 1 4 The FSAP Could Encourage the FSAP Increase Resources for Inspectors To Follow Up With Entities After 1 0 1 They Report TLR Events Ensure Program Allows for Process Improvements 2 0 2 TOTAL***** 10 6 16 Source: HHS OIG analysis of entities’ survey responses, 2017. Note: Conclusions about differences between the responses of the entities that have reported at least one TLR event and those that have not are limited due to the small sample size. * Of the 14 entities in our review that had reported at least one TLR event, 10 suggested actions to encourage TLR event reporting that were not related to entities’ fear of negative consequences or a burdensome process for reporting TLR events. Of the remaining four entities, two suggested only actions related to addressing entities’ fear of negative consequences or a burdensome process for reporting TLR events. The remaining two entities did not respond to the question. ** Of the seven entities in our review that had never reported TLR events, six suggested actions to encourage TLR event reporting that were not related to entities’ fear of negative consequences or a burdensome process for reporting TLR events. The remaining entity suggested only actions related to addressing entities’ fear of negative consequences or a burdensome process for reporting TLR events. *** These responses included general references to the FSAP or entity training, discussions, and communication. **** This response included a general reference to building a culture of biosafety within the laboratory. ***** The sum of the number of entities that suggested these actions exceeds the total because some entities suggested more than one action. 23 APPENDIX E Exhibit 13: Entity-Identified Actual or Potential Benefits of Reporting TLR Events, by Entities With and Without TLR Event Reports Number of Number of Entities Entities Total That Had That Had Actual or Potential Benefit Number of Reported At Never Entities Least One Reported TLR Event* TLR Events Improvements to Entity or FSAP Processes Improvements 8 3 11 Decreased Risk to Entity or Community 4 2 6 DSAT Technical Assistance 4 1 5 Compliance and Accountability 2 3 5 Trust and Transparency 3 2 5 TOTAL** 13 7 20 Source: HHS OIG analysis of entities’ survey responses, 2017. Note: Conclusions about differences between the responses of the entities that have reported at least one TLR event and those that have not are limited due to the small sample size. Additionally, statements about benefits that have been provided by entities that never reported TLR events likely represent potential benefits since these entities do not have first-hand experience reporting TLR events. * Of the 14 entities in our review that had reported at least one TLR event, 13 identified benefits to reporting TLR events. The remaining entity did not respond to the question. ** The sum of the number of entities that identified these benefits exceeds the total because some entities reported more than one benefit. 24 ACKNOWLEDGMENTS Victoria Coxon served as the lead analyst for this study. Office of Evaluation and Inspections staff who provided support include Kevin Farber, Seta Hovagimian, and Christine Moritz. This report was prepared under the direction of Dwayne Grant, Regional Inspector General for Evaluation and Inspections in the Atlanta regional office, and Jaime Stewart, Deputy Regional Inspector General. To obtain additional information concerning this report or to obtain copies, contact the Office of Public Affairs at Public.Affairs@oig.hhs.gov. 25 ENDNOTES 1 Recent news articles have summarized the highly publicized laboratory events and Congressional interest in the topic. For example, see Alison Young and Nick Penzenstadler, “Inside America’s Secretive Biolabs,” USA Today, May 28, 2015. Accessed at https://www.usatoday.com/story/news/2015/05/28/biolabs-pathogens-location-incidents/26587505/ on August 15, 2017. See also the articles grouped under the headline “Biosafety Labs Under Scrutiny,” USA Today, no date. Accessed at https://www.usatoday.com/topic/9ee9e5de-b702-4fbc-9e5d-1b595adcf938/biolabs/ on August 15, 2017. 2 An occupational exposure is “any reasonably anticipated skin, eye, mucous membrane, parenteral contact, or respiratory aerosol exposure to select agents or toxins that may result from the performance of an employee’s duties.” 42 CFR § 73.1. 3 APHIS/CDC. Select Agents and Toxins—Theft, Loss, or Release Information Document, p. 2. Accessed at https://www.selectagents.gov/resources/CompleteTHEFT%20LOSS%20%20RELEASE%20guidance%20document%2 0June82010_FINAL.pdf on September 1, 2017. 4 HHS OIG, CDC Generally Met Its Inspection Goals for the Federal Select Agent Program; However, Opportunities Exist To Strengthen Oversight (OEI-04-15-00430). Accessed at https://oig.hhs.gov/oei/reports/oei-04-15-00430.asp on August 31, 2017. 5 CDC observed yearly increases in the number of reported TLR events from 2004 to 2010, in addition to a significant increase in reported TLR events after the FSAP issued guidance in 2008 to entities on reporting TLR events. Richard D. Henkel, Thomas Miller, and Robbin S. Weyant, CDC. Monitoring Select Agent Theft, Loss, and Release Reports in the United States—2004–2010. Accessed at https://www.selectagents.gov/publications.html on August 15, 2017 and at https://www.selectagents.gov/resources/Monitoring_Select_Agent_Theft_Loss_Release.pdf on August 15, 2017. The original article was first published December 1, 2012, in Applied Biosafety, Vol. 17, Issue 4, pp. 171–180. Accessed at http://journals.sagepub.com/doi/abs/10.1177/153567601201700402 on June 14, 2017. 6 Ibid. 7 DSAT is housed within CDC’s Office of Public Health Preparedness and Response (OPHPR). OPHPR, DSAT, Division of Select Agents and Toxins: About the Federal Select Agent Program. Accessed at https://www.cdc.gov/phpr/dsat/about-fsap.htm on August 15, 2017. 8 Registered entities are facilities approved by the FSAP to conduct research with select agents and toxins. FSAP, About Us. Accessed at https://www.selectagents.gov/about.html on September 27, 2017. In contrast, some entities (e.g., clinical, diagnostic, or public health laboratories) do not deliberately work with select agents and toxins but may occasionally encounter them in the course of their diagnostic activity. These entities are not required to register with the FSAP. However, if a TLR event were to occur at an unregistered entity, it must immediately report the incident to the FSAP. The focus of this review is the reporting by registered entities. FSAP, APHIS/CDC Form 3: Report of Theft, Loss, or Release of Select Agents and Toxins—Incident Form to Report Potential Theft, Loss, Release, or Occupational Exposure. Accessed at https://www.selectagents.gov/resources/APHIS- CDC_Form_3_Guidance_Document.pdf on October 23, 2017. 9 42 CFR § 73.9(a). Additionally, according to CDC, in 2016 there were 196 releases reported to the FSAP, 99 of which were received from clinical or diagnostic laboratories that were not required to be registered with the FSAP because they met the “exempt entity” requirements specified in the select agent regulations. CDC and APHIS, 2016 Annual Report of the Federal Select Agent Program, p. 27. Accessed at https://www.selectagents.gov/resources/FSAP_Annual_Report_2016.pdf on December 13, 2017. 26 10 42 CFR § 73.19. Per 42 CFR § 73.14(b), the entity’s incident response plan must fully describe the entity’s response procedures for the theft, loss, or release of a select agent and toxin. Additionally, per 42 CFR § 73.14(e)(2), entities with Tier 1 agents such as Ebola, Marburg, or smallpox (i.e., Biosafety Level 4 entities) must have incident response plans that describe procedures for how the entity will notify the appropriate Federal, State, and local law enforcement agencies of suspicious activity that may be criminal in nature and related to the entity, its personnel, or its select agents and toxins. According to CDC, biosafety levels are assigned to entities on the basis of the type of select agents and toxins they possess, use, or transfer. Entities designated as Biosafety Level 4—the highest level—are authorized to use Tier 1 Select Agents and Toxins, such as the Ebola, Marburg, or smallpox viruses. Entities registered as Biosafety Level 3 are authorized to use select agents and toxins that cause serious or potentially lethal disease through respiratory transmission, such as the Eastern Equine Encephalitis virus, the virus that causes sleeping sickness. Entities registered as Biosafety Level 2 work with select agents or toxins that pose moderate hazards to laboratory staff and the environment, such as Staphylococcus aureus. Entities registered as Biosafety Level 1 work with select agents or toxins that are not known to consistently cause disease in healthy adults, such as E. coli, and present minimal potential hazard to laboratory staff and the environment. CDC. Quick Learn Lesson: Recognizing the Biosafety Levels. Accessed at https://www.cdc.gov/training/quicklearns/biosafety/ on December 14, 2017. HHS. Biosafety in Microbiological and Biomedical Laboratories, 5th Edition. pp. 123-289. 11 42 CFR § 73.19; DSAT and AgSAS, Responsible Official User Manual, March 2017. Accessed at https://www.selectagents.gov/resources/Responsible_Official_User_Manual.pdf on August 15, 2017. DSAT and AgSAS, Responsible Official Resource Manual, October 2014. Accessed at http://www.selectagents.gov/resources/RO_Manual_2014.pdf on December 1, 2016. APHIS/CDC, Select Agents and Toxins—Theft, Loss, or Release Information Document. p. 3. Accessed at https://www.selectagents.gov/resources/CompleteTHEFT%20LOSS%20%20RELEASE%20guidance%20document%2 0June82010_FINAL.pdf on September 1, 2017. DSAT may also notify AgSAS and other Federal agencies such as the U.S. Department of Homeland Security and the U.S. Department of Transportation. DSAT—unlike law enforcement, firefighters, or emergency medical personnel—is not a first responder, but it does have the capability to enter laboratories and storage spaces at entities with all biosafety levels. CDC, DSAT, Theft, Loss, or Release of Select Agents. Accessed at https://www.selectagents.gov/resources/training/2015_Theft_Loss_or_Release_of_Select_Agents.pdf on August 15, 2017. 12 Thefts or losses must be reported even if the parties responsible for stealing or losing the select agent or toxin are identified and/or if the entity recovers the select agent or toxin. 42 CFR § 73.19. Additionally, any laboratory incidents that have the potential to be a theft or a loss (e.g., inventory discrepancies) should also be reported. 42 CFR § 73.19. Laboratory incidents that have the potential to be a release—such as dropped plates in a laboratory or an animal bite that did not break the skin—should also be reported, even if the event remained in the primary or secondary barriers and a potential but unconfirmed exposure occurred. 42 CFR § 73.19. APHIS/CDC, Incident Form to Report Potential Theft, Loss, or Release, or Occupational Exposure (APHIS/CDC Form 3). Accessed at https://www.selectagents.gov/resources/APHIS-CDC_Form_3_Guidance_Document.pdf on September 6, 2017. APHIS/CDC, Select Agents and Toxins—Theft, Loss or Release Information Document. Accessed at https://www.selectagents.gov/resources/CompleteTHEFT%20LOSS%20%20RELEASE%20guidance%20document%2 0June82010_FINAL.pdf on September 6, 2017. 13 42 CFR § 74.19(b)(1); APHIS/CDC, Select Agents and Toxins—Theft, Loss, or Release Information Document, p. 3. Accessed at https://www.selectagents.gov/resources/CompleteTHEFT%20LOSS%20%20RELEASE%20guidance%20document%2 0June82010_FINAL.pdf on August 15, 2017. 14 APHIS/CDC, Select Agents and Toxins—Theft, Loss, or Release Information Document. p. 3. Accessed at https://www.selectagents.gov/resources/CompleteTHEFT%20LOSS%20%20RELEASE%20guidance%20document%2 0June82010_FINAL.pdf on August 15, 2017. 15 42 CFR § 73.19(b)(1)(iii). 16 42 CFR § 73.11(d)(7)(iii – iv), 73.19(a) and (b). 17 42 CFR § 73.9(a)(3). 18 See 42 CFR § 73.19 and Incident Form to Report Potential Theft, Loss, Release, or Occupational Exposure. Accessed at https://www.selectagents.gov/resources/APHIS-CDC_Form_3_Guidance_Document.pdf on August 15, 2017. 19 FSAP, Procedure for Processing Reports of Theft, Loss, or Release of Select Agents and Toxins, APHIS/CDC Form 3. Approved date: October 31, 2013. Richard Henkel, Ph.D., DSAT, Theft, Loss and Release—encouraging a culture where incidents are reported to management and to the FSAP. Accessed at 27 https://www.selectagents.gov/resources/training/2015_Theft_Loss_or_Release_of_Select_Agents.pdf on August 15, 2017. 20 Compliance actions are used to address serious or repeated observations and include corrective action plans, registration denials, registration suspensions, registration revocations, and referrals. Referrals may be made to AgSAS, the Federal Bureau of Investigation, or HHS OIG. For more information on compliance actions and DSAT’s use of them from 2013 to 2015, please see our previous report: HHS OIG, CDC Generally Met Its Inspection Goals for the Federal Select Agent Program; However, Opportunities Exist To Strengthen Oversight (OEI-04-15-00430), May 2017, pp. 5–6 and 13–14. 21 CDC, Policy 5 – Criteria for HHS OIG or Federal Bureau of Investigation Referrals. August 15, 2012 and June 2, 2017. 22 Ibid. 23 FSAP, Severity Spectrum of Inspection Departures and Enforcement Actions. Accessed at https://www.selectagents.gov/enforcement.html on October 2, 2017. 24 For example, on April 19, 2016, the FSAP conducted a webinar in collaboration with the Federal Bureau of Investigation to discuss changes to the FD-961 Bioterrorism Risk Assessment Form and the FSAP security risk assessment process. This webinar included a presentation entitled Theft, Loss, or Release of Select Agents and Toxins. HHS and USDA, Federal Select Agent Program, Resources, Training. Accessed at https://www.selectagents.gov/training.html on October 23, 2017. In addition, the FSAP also held an in-person workshop for ROs and Alternate ROs on December 6–8, 2016, which provided participants with tailored information for different types of entities about maintaining select agent regulatory compliance, including reporting TLR events to the FSAP. HHS and USDA. Federal Select Agent Program, Resources, 2016 SA Grams, 8/24/16. Accessed at https://www.selectagents.gov/sagrams_2016.html on October 23, 2017. 25 Proposed Data Collection Submitted for Public Comment and Recommendations, 81 Fed. Reg. 96456 (Dec. 30, 2016). 26 A Registration Renewal inspection is a routine DSAT inspection of all spaces where select agents and toxins are used and stored to determine compliance with 42 CFR part 73. DSAT’s goal is to conduct this type of inspection at registered entities once every 3 years. 27 Of the remaining 11 entities, 7 indicated that there were no obstacles to reporting TLR events, and 3 entities did not respond to the question. The remaining entity responded to the question about obstacles but described actions to encourage the reporting of TLR events. Therefore, for this entity, we did not classify the response as an identification of an obstacle and instead included the response in our analysis of suggested actions to encourage the reporting of TLR events. 28 Of the remaining seven entities, five suggested actions that were not related to entities’ fear of negative consequences or a burdensome TLR event reporting process. The remaining two entities did not respond to the question. 29 Upon followup, this entity clarified that its comments addressed potential actions that entities could take to foster optimal interactions with entity staff to encourage open discussion and reporting of issues. The entity stated that it has a great deal of oversight from different government agencies and had an adversarial relationship with a non-CDC oversight agency several years ago. This entity reported that strong and open communication with all oversight entities is critical and that its program continually promotes that perspective. This entity also reported that it has been impressed with the quality of the DSAT inspectors and file managers and that its interactions with DSAT have been excellent and fair. 30 Upon followup, this entity provided additional context for this comment. It explained that it was in the process of moving to new laboratory space during a DSAT inspection. In the inspection, DSAT identified multiple observations pertaining to the entity’s documentation. However, DSAT did not identify any observations related to the safety of the facility, its personnel, or the public, nor did it identify any instances in which the entity failed to report TLR events. Because of the documentation-related observations, DSAT placed the entity on a corrective action plan. The entity told us that although it found value in participating in the corrective action plan, it thought that DSAT overreacted to the observations identified. From the entity’s perspective, DSAT’s language in the entity’s inspection report generated a significant problem. The entity stated: “[T]he language made it seem that our offenses were of the most egregious sort and that we were all going to jail.” Congress later requested portions of this report which, according to the entity, were subsequently leaked to the press. The reporter portrayed the leaked information as depicting a major breach of the facility and a loss of select agents and toxins. According to the entity, the DSAT inspectors were working at the time under a very restrictive set of guidelines that did not allow them the latitude to have a more nuanced response. Although the entity’s perception is that DSAT has already gone a considerable way towards remedying this issue, the 28 entity nonetheless mentioned the episode in its responses to our survey, citing the issue of proportionate response as an area for possible further action to encourage TLR event reporting. 31 Of the remaining five entities, three suggested only actions related to entities’ fear of negative consequences or a burdensome process for reporting TLR events. The remaining two entities did not respond to the question. 32 The term “after actions” refers to entities’ actions to address issues identified in an After-Action Report. After-Action Reports identify factors found to contribute to an incident such as a TLR event, while also highlighting the actions taken by an entity to address these factors and prevent future incidents. For example, CDC released an After-Action Report on the 2014 incident in which laboratory personnel were unintentionally exposed to potentially viable anthrax. One issue that CDC’s After-Action Report identified was that scientists failed to follow an approved, written study plan that met all laboratory safety requirements. CDC described several “after actions” for the entity to take to address this issue, such as (1) an immediate moratorium on all transfers of select agents and toxins; (2) reviewing and updating all procedures for inactivating select agents and toxins; and (3) establishing a review group to look at the systems, procedures, and personnel issues that led to this event. CDC, CDC Director Releases After-Action Report on Recent Anthrax Incident; Highlights Steps to Improve Laboratory Quality and Safety. Accessed at https://www.cdc.gov/media/releases/2014/p0711-lab-safety.html on December 14, 2017. 33 The remaining entity in our review did not provide a response to the question asking respondents to describe the benefits of reporting TLR events to the entity and the FSAP. 34 DSAT is housed within CDC’s Office of Public Health Preparedness and Response (OPHPR). OPHPR, DSAT, Division of Select Agents and Toxins: About the Federal Select Agent Program. Accessed at https://www.cdc.gov/phpr/dsat/about-fsap.htm on August 15, 2017. 35 42 CFR § 73.10(a). 29