U.S. Department of Health & Human Services Office of Inspector General Entities Generally Met Federal Select Agent Program Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness OEI-04-15-00431 June 2018 Suzanne Murrin Deputy Inspector oig.hhs.gov General for Evaluation and Inspections Report in Brief U.S. Department of Health & Human Services June 2018 OEI-04-15-00431 Office of Inspector General Entities Generally Met Federal Select Agent Why OIG Did This Review Program Internal Inspection Requirements, But Select agents and toxins are potential bioweapons that can CDC Could Do More To Improve Effectiveness cause significant loss of life and economic damage. Incidents of What OIG Found mishandling of select agents and Eighteen of the 21 entities registered with the Federal Select Agent Program toxins by some entities (FSAP) and that were included in our review registered with the FSAP have reported to us that they conducted internal raised questions about DSAT’s Key Takeaway inspections annually for all areas where select ability to oversee entities’ Most entities in our review agents were used or stored, as required, from 2013 responsible handling of select conducted internal to 2015. In nearly all cases, the Centers for Disease agents and toxins. Entities’ inspections as required. Control and Prevention’s (CDC) Division of Select internal inspections are one These inspections are Agents and Toxins (DSAT) had identified and cited critical safeguard to help protect important tools for those few entities that reported to us they did not public health and safety. In this protecting public health and conduct these inspections as required. During their review, OIG examines entities’ safety, and many of them internal inspections, most entities cited observations and DSAT’s roles in identified potential (i.e., instances of potential regulatory implementing and overseeing noncompliance with noncompliance) for the Select Agents Regulations’ these internal inspections. This biosafety and security Biosafety section (14 entities) or Security section (6 builds on a companion review in requirements. However, entities). This is consistent with the types of which OIG examined DSAT’s these inspections may not observations that DSAT most commonly found in its inspections of entities. always be as thorough and inspections, according to a previous HHS OIG well documented as they report. How OIG Did This Review should be. CDC should take We reviewed DSAT data, survey However, the DSAT inspectors whom we surveyed steps to strengthen the data, and documentation from in our review also reported that in their experience, effectiveness of inspections, a purposive sample of 24 DSAT entities’ internal inspections are not always including through training inspectors and 21 entities sufficiently thorough (15 of 24 inspectors) or and guidance to entities and registered with the FSAP from sufficiently documented (7 of 24 inspectors), which its own inspectors. 2013 through 2015. We may hinder the effectiveness of these inspections. determined whether entities Data that we collected from DSAT inspections for registration renewals support reported conducting internal these claims. DSAT inspectors also raised concerns that unclear inspection inspections during this requirements and insufficient training challenge both DSAT’s ability to oversee timeframe and whether DSAT entities’ internal inspections and entities’ ability to conduct them. Some entities cited those entities that did not reported similar concerns. These challenges may partially explain why entities’ conduct them. We asked DSAT internal inspections are not always sufficiently thorough or sufficiently inspectors about their challenges documented. in overseeing entities’ compliance with the internal What OIG Recommends and How the Agency Responded inspection requirement and We recommend that CDC take steps to strengthen the effectiveness of entities’ asked entities about their internal inspections by clarifying the FSAP internal inspection requirements and challenges in conducting internal the procedures for assessing entity compliance, and developing and providing inspections. additional training both to DSAT inspectors and entities on these requirements and procedures. CDC concurred with all four of our recommendations. TABLE OF CONTENTS BACKGROUND 1 Methodology 4 FINDINGS Of the 21 entities we reviewed, 18 reported conducting internal inspections for all areas and for 7 all 3 years under review; CDC cited 2 of the 3 remaining entities for not conducting internal inspections as required Most entities found observations for Biosafety or Security 9 Eighteen CDC inspectors in our review raised concerns about whether entities’ internal 11 inspections are sufficiently thorough or sufficiently documented Nearly all CDC inspectors reported that unclear inspection requirements or insufficient training 15 challenge their ability to oversee entities’ internal inspections or entities’ ability to conduct them CONCLUSION AND RECOMMENDATIONS Clarify the requirement for internal inspections 17 Clarify the procedures for DSAT inspectors to assess entity compliance 18 For DSAT inspectors, develop and provide additional training 18 For entities, develop and provide additional training and guidance 19 AGENCY COMMENTS AND OIG RESPONSE 20 APPENDICES A: The Purpose and Structure of the Federal Select Agent Program 21 B. The 10 Federal Regulatory Sections That Pertain to Entities’ Internal Inspections (42 CFR 22 Part 73) C. Detailed Methodology 23 D. Entities’ Observations During Internal Inspections 26 E. Information on the Methods To Conduct Internal Inspections and To Correct and To Close 28 Observations From 2013 Through 2015 F. DSAT Inspector Concerns With Entities’ Internal Inspections 32 G. Comparison of DSAT-Identified Observations and Entity-Identified Observations for Each of 33 the 10 Inspection Standards H. Reported Challenges With Overseeing and Conducting Internal Inspections 35 I. Agency Comments 37 Acknowledgments 40 BACKGROUND Objectives 1. To determine the extent to which the Centers for Disease Control and Prevention’s (CDC) Division of Select Agents and Toxins (DSAT) ensured that entities registered with the Federal Select Agent Program (FSAP) complied with the requirement for internal inspections. 2. To describe the extent to which registered entities identified and corrected instances of potential regulatory noncompliance (i.e., observations) during their internal inspections. 3. To describe challenges that DSAT inspectors and entities reported regarding internal inspections. Overview of the Federal Select Agent Program Select agents are biological agents and toxins that have the potential to pose a severe threat to public health and safety; to animal and plant health; or to animal or plant products.1 The FSAP oversees the possession, use, and transfer of select agents and toxins and is jointly managed by the U.S. Department of Agriculture (USDA) and the Department of Health and Human Services (HHS).2 (See Appendix A for more information on the purpose and structure of the FSAP.) Entities that intend to possess, use, or transfer select agents or toxins must register with the FSAP.3 Within HHS, CDC’s DSAT is responsible for managing the public health and safety aspect of the FSAP. Specifically, DSAT oversees entities’ compliance with the Select Agent Regulations at 42 CFR part 73 to ensure that the entities are conducting their work safely and securely. This report examines only the oversight activities of DSAT within the FSAP. Hereinafter, references to “CDC” pertain to DSAT and DSAT’s oversight role within the FSAP, unless otherwise specified. Potential vulnerabilities in the Federal Select Agents Program Recent incidents of alleged mishandling of select agents have caused Congress to question entities’ ability to safely handle select agents and the FSAP’s ability to properly oversee these entities. 4 For example, one news 1 CDC, Division of Select Agents and Toxins: What is a Select Agent? Accessed at https://www.cdc.gov/ph pr/dsat/what-is-select-agents.htm on January 3, 2018. 2 HHS regulates those agents that cause disease in humans, while USDA regulates those that can cause disease in animals and plants. 3 42 CFR § 73.7(a) (2017). 4 For example, see How Secure are U.S. Bioresearch Labs? Preventing the Next Safety Lapse, House, 114th Cong. (2016). Accessed at https://energycommerce.house.gov/hearings-and- votes/hearings/how-secure-are-us-bioresearch-labs-preventing-next-safety-lapse on August 16, 2017. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 1 OEI-04-15-00431 report described potentially dangerous events involving the mistaken transportation of live anthrax spores to facilities all over the country from a military lab in Utah. 5 As a result, the Government Accountability Office (GAO) and the Department of Health and Human Services’ Office of the Inspector General (HHS OIG) have recently reviewed the FSAP’s oversight of registered entities.6,7 Most recently, GAO found several issues with the FSAP’s ability to effectively oversee entities’ regulatory compliance.8 Specifically, GAO reported that the FSAP may not target entities’ highest risk activities during its inspections and that training and workforce gaps may result in inconsistencies in FSAP inspectors’ knowledge of the Select Agent Regulations and in inspectors’ approach to reviewing entity compliance. In response, the FSAP agreed to further integrate a risk-based approach into inspections and to assess the workforce and training needs of its inspectors. CDC’s oversight of entity compliance with the Select Agent Regulations CDC’s DSAT typically conducts a registration renewal inspection at each entity it oversees in tandem with the renewal of the entity’s DSAT inspections of existing FSAP registration. A registration renewal inspection is entities may occur only a routine review of an entity’s entire program. Registration renewal every 3 years. inspections may be either announced or unannounced, and they span the preceding 3-year period.9 During a DSAT registration renewal inspection, a team of DSAT inspectors conducts an onsite inspection of all registered laboratories and storage 5 Hennigan, W.J., “Army says failures in leadership at biodefense lab led to mishandled anthrax shipments,” Los Angeles Times, January 15, 2016. Accessed at http://www.latimes.com/nation/la-na- army-anthrax-20160115-story.html on September 20, 2017. Young, Alison, “Hundreds of safety incidents with bioterror germs reported by secretive labs,” USA Today, July 1, 2016. Accessed at https://www.usatoday.com/story/news/2016/06/30/lab-safety-transparency-report/86577070/ on August 16, 2017. 6 For example, see GAO, High-Containment Laboratories: Improved Oversight of Dangerous Pathogens Needed to Mitigate Risk, GAO-16-642, August 2016. 7 This report is the third in a series of HHS OIG reports on DSAT’s oversight of entities registered with the FSAP. The first two reports were CDC Generally Met Its Inspection Goals for the Federal Select Agent Program; However, Opportunities Exist To Strengthen Oversight, OEI-04-15-00430, May 2017; and Entities’ Experiences and Perspectives Reporting Select Agents and Toxins Theft, Loss, and Release Events to CDC, OEI-04-15-00432, February 2018. 8 GAO, High-Containment Laboratories: Coordinated Actions Needed to Enhance the Select Agent Program’s Oversight of Hazardous Pathogens, GAO-18-145, October 2017. 9 FSAP, 2015 DSAT Inspection Report Processing Annual Summary, 3 (2016). Accessed at https://www.cdc. gov/phpr/dsat/documents/2015_dsat_inspection_report_processing_annual_summary.pdf on March 12, 2018. In communications with us, CDC explained that registration renewal inspections encompass the 3-year period before the inspection takes place. In addition to registration renewal inspections, DSAT may conduct other types of inspections depending on the observations identified in previous inspections and the risk DSAT determines that the entity poses to public health and safety. For more information about the other types of DSAT inspections, see HHS OIG, CDC Generally Met Its Inspection Goals for the Federal Select Agent Program; However, Opportunities Exist To Strengthen Oversight, OEI-04-15-00430, May 2017. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 2 OEI-04-15-00431 areas within the entity. The DSAT inspectors may observe entity staff as they work, and they may interview staff to ensure practices comply with the Select Agent Regulations. The DSAT inspectors also review documentation associated with the Select Agent Regulations, such as plans in the areas of Biosafety, Security, and Incident Response and training records. At the end of the inspection, DSAT inspectors brief the entity about observations identified during the inspection. In addition, DSAT inspectors provide a written report to the entity that details the regulations for which the inspectors are citing the entity with observations. Depending on the amount and frequency of serious-risk observations, DSAT may subject the entity to one or more compliance actions.10 Corrective Action Plans are compliance actions that DSAT may propose to an entity. Entities voluntarily participate in Corrective Action Plans, which allow entities to develop steps to address the observations that DSAT identified. Corrective Action Plans also allow DSAT to provide technical assistance and monitor entities’ progress in correcting the observations.11 If an entity chooses not to participate in a Corrective Action Plan, DSAT expects that the entity will complete all actions to address the observations within 30 days. DSAT-led inspections are an important line of defense against dangers to public health and safety. However, DSAT typically does not inspect entities’ entire select agents programs more often than once every 3 years.12 As a first line of defense, the Select Agent Regulations at 42 CFR part 73 require entities to monitor their own compliance through internal inspections conducted at least annually.13 Requirements for entities’ internal inspections Requirements at 42 CFR § 73.9(a)(6) state that each entity must have a Responsible Official (RO) whose role is to “[e]nsure that annual inspections are conducted for each registered space where select agents or toxins are stored or used in order to determine compliance with the Effective internal requirements of this part.” The regulations also state that the results inspections protect public health and of each internal inspection must be documented and any safety observations identified during the inspection must be corrected.14 10 For a description of the types of compliance actions that DSAT may initiate, see HHS OIG, CDC Generally Met Its Inspection Goals for the Federal Select Agent Program; However, Opportunities Exist To Strengthen Oversight, OEI-04-15-00430, May 2017. 11 FSAP, General FAQ’s About Select Agents and Toxins, “What Is the Corrective Action Plan program?” Accessed at http://www.selectagents.gov/faq-general.html on April 17, 2018. 12 DSAT may inspect certain aspects of an entity’s program more often than every 3 years. 13 42 CFR § 73.9(a)(6). 14 As of 2017, entities must also document the corrections of their observations. Possession, Use, and Transfer of Select Agents and Toxins; Biennial Review of the List of Select Agents and Toxins and Enhanced Biosafety Requirements, 82 Fed. Reg. 6278, 6285 (Jan. 19, 2017). Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 3 OEI-04-15-00431 Although the FSAP website offers several resources to assist entities in complying with the Select Agent Regulations, its guidance on how to meet the requirement for internal inspections is lacking key information.15 For example, the FSAP website and resources do not clearly state which of the Select Agent Regulations’ 22 regulatory sections must be addressed in entities’ internal inspections.16 DSAT officials reported to us that 10 of the 22 sections pertain to entities’ internal inspections. This report refers to these 10 sections as the “inspection standards.” See Appendix B for a list of these 10 inspection standards. Further, the FSAP website includes inspection checklists that DSAT inspectors use for 8 of the 10 inspection standards but does not provide checklists for the remaining 2 inspection standards. As an FSAP oversight agency, DSAT is responsible for ensuring that entities conduct internal inspections as required. During registration renewal inspections, DSAT inspectors review documentation of an entity’s internal inspections to verify that the entity is in compliance with all 10 inspection standards. They also verify that corrective actions were taken for any observations identified during the inspections. If a DSAT inspector determines that an entity did not fulfill these requirements because, for example, the entity did not conduct an internal inspection or was not in compliance with all 10 inspection standards in its inspection, the inspector may record an observation against the entity. Methodology We analyzed the Select Agent Regulations, as well as FSAP and DSAT policies and guidance documents, to understand the internal inspection requirements and DSAT’s oversight of them. We also collected data from the FSAP’s National Select Agent Registry (NSAR) to identify observations identified during DSAT inspections from 2013 through 2015 related to entities’ internal inspections. We selected a purposive sample of 22 entities. We began with a population of 233 entities that were continuously registered with the FSAP from 2013 through 2015. From this population of 233 entities, we identified a subpopulation of 75 entities that received a 2015 registration renewal inspection from DSAT. 17 From this subpopulation of 75 entities, we selected the purposive sample of 22 entities. 15 For example, see the FSAP, Responsible Official Resource Manual. Accessed at https://www.selectagent s.gov/rorm-responsibilities.html on August 22, 2017. 16 Page 22 of the 2014 Responsible Official Resource Manual states that internal inspections include a review of inventory procedures for the entity’s biological select agents and toxins, and that annual reviews of the biosafety plan, security plan, and incident response plans are required. Page 15 of the 2017 Responsible Official Resource Manual states that the RO should “[c]reate an annual inspection that encompasses every aspect of safety, security, and incident response at the entity.” Neither version clearly indicates whether these are the only parts of the Select Agent Regulations that must be addressed in internal inspections. 17 In some cases, DSAT conducted other inspections of these entities in 2015 in addition to conducting a registration renewal inspection. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 4 OEI-04-15-00431 In March 2017, we distributed web-based surveys to a purposive sample of 24 DSAT inspectors who conducted the 2015 Registration Renewal Inspections at the entities in our sample.18 We asked DSAT inspectors about their experiences overseeing entities’ internal inspections and any challenges associated with overseeing entities’ compliance with the internal inspection requirement. We distributed web-based surveys to the 22 entities in our purposive sample in March and April 2017. In the surveys, we requested information about entities’ internal inspections that were conducted from 2013 through 2015, the observations identified during these inspections, and challenges associated with conducting internal inspections. We also asked the entities to upload documentation of the internal inspections that were “closest in time” to (i.e., the least number of days before or after) their 2015 DSAT registration renewal inspections. We analyzed data from all 24 DSAT inspectors in our review and from 21 of the 22 entities in our review.19 See Appendix C for more details on our methodology. Limitations Because our sample of entities is purposive, our results apply only to the entities in our review. Responses cannot be generalized to all entities registered with the FSAP or to all entities registered during our timeframe (from 2013 through 2015). As part of our surveys, we requested supporting documentation of internal inspections. We did not independently verify the accuracy or completeness of this documentation. We did not collect information on the frequency of observations that entities identified during internal inspections. Entities may not track the frequency of observations, and how entities define what constitutes an observation (e.g., whether the same incident across multiple laboratories at an entity is one observation or multiple observations) may vary across entities. 18 Our sample of DSAT inspectors represents more than half of all DSAT inspectors employed at the time we administered the survey. DSAT estimates that there were 40 inspectors employed in March 2017. Of these, 29 conducted 2015 registration renewal inspections at the 22 entities in our sample. The 24 DSAT inspectors whom we selected were the subset who were currently employed by DSAT at the time of our review. 19 Although all 22 entities responded to our survey request, 1 entity responded that it was no longer registered with the FSAP and could not provide data in response to our survey questions. Therefore, our findings are based on survey responses from 21 of the 22 entities in our review. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 5 OEI-04-15-00431 Observations identified both by entities and DSAT regarding the same regulatory section and subsection may not be about the same sub-subsection(s).20 Additionally, observations identified both by entities and DSAT regarding the same regulatory section and subsection may not result from the same incident or type of incident. Standards This study was conducted in accordance with the Quality Standards for Inspection and Evaluation issued by the Council of the Inspectors General on Integrity and Efficiency. 20 The Select Agent Regulations have a multilevel structure. For example, 42 CFR § 73.16(b)(2) denotes three levels: (1) a regulatory section, (2) a subsection, and (3) a sub-subsection. We collected observation data from the entities to the subsection level. NSAR data specifies observations at the sub-subsection level. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 6 OEI-04-15-00431 FINDINGS Eighteen of the 21 entities registered with the FSAP and that were included in our review reported to us that they conducted internal inspections annually for all areas where select agents were used or stored, as required, from 2013 to 2015. In nearly all cases, CDC’s DSAT had identified and cited those few entities that reported to us that they did not conduct these inspections as required. During their internal inspections, most entities cited observations for the Select Agent Regulations’ Biosafety section (14 entities) or Security section (6 entities). This is consistent with the types of observations that DSAT most commonly found in its inspections, according to a previous HHS OIG report. However, the DSAT inspectors whom we surveyed in our review also reported that in their experience, entities’ internal inspections are not always sufficiently thorough (15 of 24 inspectors) or sufficiently documented (7 of 24 inspectors), which may hinder the effectiveness of these inspections. Data that we collected from DSAT inspections for registration renewals support these claims. DSAT inspectors also raised concerns that unclear inspection requirements and insufficient training challenge both DSAT’s ability to oversee entities’ internal inspections and entities’ ability to conduct them. Some entities reported similar concerns. These challenges may partially explain why entities’ internal inspections are not always sufficiently thorough or sufficiently documented. Of the 21 entities in our review, 18 reported conducting internal inspections Of the 21 entities as required —i.e., they reported conducting at least one internal inspection we reviewed, each of the 3 years under our review—from 2013 through 2015—and for all 18 reported areas in which select agents conducting internal and toxins were used or 21 entities in our review stored. The three remaining inspections for all 20 entities conducted at least one internal entities reported that they inspection from 2013 through 2015 areas and for all did not conduct internal 19 entities conducted internal inspections 3 years under inspections as required. For for all years in our review review; CDC cited two of these three, CDC’s 18 entities conducted internal DSAT cited the entities. inspections for all years and for all areas 2 of the 3 remaining (i.e., “as required”) • One entity stated entities for not that it had not conducted internal inspections for any of the 3 years of our conducting internal review. According to this entity, it did not conduct internal inspections inspections as because the “previous RO did not understand” his or her “duties and required inspection requirements.” DSAT conducted one inspection of this entity from 2013 through 2015, a registration renewal inspection in June 2015. This inspection resulted in a total of 55 observations, including 1 observation Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 7 OEI-04-15-00431 regarding the requirement to conduct, document, and correct observations identified in internal inspections.21, 22 This entity voluntarily participated in a Corrective Action Plan in November 2015 for, in part, failing to meet the oversight provisions outlined in the regulations.23 The entity completed the Corrective Action Plan in October 2016, and DSAT closed all observations that had led the entity to be placed on the Corrective Action Plan. • The second entity reported conducting internal inspections for all 3 years of our review but noted that the inspection in 2013 did not include all areas that used select agents and toxins. This entity stated that in 2013, entity inspectors examined only the room where select agents were stored. The entity failed to inspect two other FSAP-registered labs where select agents were used. DSAT conducted multiple inspections of this entity from 2013 through 2015, including a 2015 registration renewal inspection. In total, DSAT identified 98 observations at this entity during this timeframe, 2 of which pertained to the requirement to conduct, document, and correct observations identified in internal inspections.24 This entity voluntarily participated in a Corrective Action Plan in December 2014 for, in part, failing to meet the oversight provisions outlined in the regulations.25 DSAT also conducted an additional unannounced inspection of this entity after the Corrective Action Plan was initiated, and the entity ultimately replaced the RO. The entity completed the Corrective Action Plan in May 2016, and DSAT closed all observations that had led the entity to be placed on the Corrective Action Plan. • The remaining entity reported that internal inspections were conducted on all areas in 2013 and 2014, but it did not conduct an inspection in 2015 because of holiday scheduling conflicts. DSAT conducted one inspection of this entity from 2013 through 2015, a registration renewal inspection that took place in October 2015. At the time of the DSAT inspection, the entity’s internal inspection had not been conducted but was scheduled to take place later that year. However, the 21 DSAT also identified observations pertaining to the following inspection standards: Security (42 CFR § 73.11); Biosafety (42 CFR § 73.12); Incident Response (42 CFR § 73.14); Training (42 CFR § 73.15); and Records (42 CFR § 73.17). 22 For the 273 registration renewal inspections that DSAT conducted from 2013 to 2015, DSAT identified a mean of 18 observations and a median of 13 observations per inspection. 23 The Corrective Action Plan also cited the entity’s failure to meet the Security, Biosafety, Incident Response, Training, and inventory (i.e., Records) provisions outlined in the regulations. 24 DSAT also identified observations pertaining to the following inspection standards: Registration and Related Security Risk Assessments (42 CFR § 73.7); Restricting Access to Select Agents and Toxins, and Security Risk Assessments (42 CFR § 73.10); Security (42 CFR § 73.11); Biosafety (42 CFR § 73.12); Incident Response (42 CFR § 73.14); Training (42 CFR § 73.15); Transfers (42 CFR § 73.16); and Records (42 CFR § 73.17). 25 The Corrective Action Plan also cited the entity’s failure to meet the Biosafety, inventory (i.e., Records), and Tier 1 provisions outlined in the regulations. “Tier 1” provisions pertain to a subset of select agents and toxins that have been identified as presenting the greatest risk of deliberate misuse with the most significant potential for mass casualties or devastating effects to the economy, critical infrastructure, or public confidence. FSAP, Select Toxin Guidance. Accessed at https://www.selectagents.gov/stg- requirements.html on May 11, 2017. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 8 OEI-04-15-00431 entity’s internal inspection was not conducted in 2015 as originally scheduled; instead, it was rescheduled to early 2016.26 Because DSAT’s inspection occurred before the entity’s scheduled internal inspection in 2015 and focused on the 3-year period prior to DSAT’s inspection, DSAT did not cite this entity for not conducting its 2015 internal inspection.27 DSAT may identify that this entity did not conduct a 2015 internal inspection and cite it, accordingly, during its 2018 registration renewal inspection. The 20 entities in our review that conducted at least one internal inspection from 2013 through 2015 each reported that they documented the results of each inspection.28 They also provided us with supporting documentation of their “closest-in-time” internal inspections. Most entities found Of the 20 entities in our review that reported conducting at least one internal inspection from 2013 to 2015, 17 identified at least one observation observations for during their internal inspections. Of the 10 inspection standards, most of Biosafety or Security these 17 entities found observations for Biosafety or Security. Specifically, 15 unique entities reported finding observations for Biosafety, Security, or both, while less than half of the entities (7 unique entities) reported finding observations regarding 1 or more of 4 other inspection standards.29 This is consistent with our earlier report in which we found that CDC’s DSAT most frequently identified observations for Biosafety and Security during its inspections of entities from 2013 through 2015.30 Exhibit 1 compares the number of entities that reported finding observations regarding Biosafety and Security with the number of entities finding observations regarding the remaining eight inspection standards. Appendix D details the number of entities that found observations regarding each inspection standard for each year in our review. Entities’ observations in Biosafety and Security included: (1) no record of a biosafety drill having occurred in 2014; and (2) a security plan that did not detail procedures for removing unauthorized or suspicious persons from the premises. Entities’ observations in the remaining eight sections included (1) an incident response plan that did not detail how the entity would deal 26 This entity stated that it did not conduct another internal inspection in 2016, so we considered the January 2016 inspection to serve as the internal inspection for 2016, not 2015. Therefore, the entity did not conduct internal inspections at least once every year from 2013 through 2015 as required by the Select Agent Regulations. 27 DSAT identified 15 observations pertaining to the following inspection standards in its October 2015 registration renewal inspection: Security (42 CFR § 73.11), Biosafety (42 CFR § 73.12), and Training (42 CFR § 73.15). 28 These 20 entities consist of the 18 entities that reported conducting internal inspections as required, and 2 entities that reported conducting at least 1 internal inspection from 2013 through 2015. It does not include the remaining entity in our sample, which did not conduct any internal inspections from 2013 through 2015. 29 All 7 entities reporting observations regarding 1 or more of the 4 other inspection standards were among the 15 that also reported observations in Biosafety or Security. 30 HHS OIG, CDC Generally Met Its Inspection Goals for the Federal Select Agent Program; However, Opportunities Exist To Strengthen Oversight, OEI-04-15-00430, May 2017, p. 10. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 9 OEI-04-15-00431 with a suspicious package; and (2) inventory forms that did not include areas to record who moved inventory, how much inventory was moved, and when the inventory was moved. Exhibit 1: More entities found observations for two inspection standards than for eight other inspection standards 15 unique entities reported either Biosafety, Security, or both 0 Biosafety (42 § CFR 73.12) 14 Security (42 § CFR 73.11) 6 7 unique entities reported one or more of the remaining 8 regulatory sections Training (42 § CFR 73.15) 4 Incident Response (42 § CFR 73.14) 3 Records (42 § CFR 73.17) 3 Restricting Access to Select Agents and Toxins, 1 and Security Risk Assessments (42 CFR § 73.10) Responsible Official (42 § CFR 73.9) 0 Restricted Experiments (42 § CFR 73.13)* 0 Transfers (42 CFR § 73.16) 0 Notification of Theft, Loss, or Release 0 (42 CFR § 73.19) Source: OIG analysis of entities’ survey responses pertaining to 2013-2015 internal inspections, 2017. * Of the 22 entities in our review, DSAT approved 1 entity to conduct restricted experiments during our timeframe. Note: Three entities also found observations that they classified as “other” because the observations did not pertain to one of the specific inspection standards. Instead, according to the entities, these observations pertained to items such as a visual pressure-loss alarm in a laboratory, floors that needed waxing, and minor issues noted during an inspection of registered space involving things such as caulking. Ten entities reported identifying observations specifically in their 2015 internal inspections. All 10 entities also reported that as of spring 2017, they had corrected the issues leading to these observations and closed these observations. Entities reported using various methods for closing the observations (e.g., training, modifying existing plans and procedures), and DSAT inspectors reported various methods for ensuring that entities’ observations were closed (e.g., reviewing documentation, conducting visual inspections). Appendix E contains additional information on the methods (i.e., the length; the timing; whether the inspections were announced or unannounced; documentation methods; and the individuals involved in the inspections) that entities in our review used to conduct internal inspections from 2013 through 2015. Appendix E also contains information about entities’ methods for correcting the issues leading to observations and closing Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 10 OEI-04-15-00431 observations and DSAT’s methods for verifying that entities closed the observations. Eighteen CDC Of the 24 CDC DSAT inspectors surveyed in our review, 18 raised concerns about whether entities’ internal inspections are sufficiently thorough or inspectors in our sufficiently documented. Exhibit 2 shows these concerns and the number of review raised DSAT inspectors reporting each. concerns about Exhibit 2: Most DSAT inspectors raised concerns that entities’ whether entities’ internal inspections are not sufficiently thorough or sufficiently internal inspections documented are sufficiently thorough or sufficiently documented 18 11 Reported That Not Sufficiently Internal Thorough 6 Inspections Are Reported No Not Always Concerns Sufficiently Thorough or Sufficiently 4 Documented Both 3 Not Sufficiently Documented Source: OIG analysis of DSAT inspectors’ survey responses, 2017. “While some entities have Specifically, 15 DSAT inspectors raised concerns that entities’ internal good systems to evaluate inspections are not sufficiently thorough. Of these DSAT inspectors, 11 all parts, some entities reported concerns that the internal inspections do not always address all have limited their review inspections standards used to assess compliance. The observations that to only a part of the DSAT cited in its 2015 registration renewal inspections of these entities regulations, or they are support the inspectors’ concern that internal inspections are not sufficiently not documenting [their thorough. Specifically, of the 20 entities in our review that conducted at inspections] effectively.” least 1 internal inspection, DSAT cited 8 entities for not including all – DSAT inspector inspection standards in their internal inspections. For example, DSAT cited one entity for not including a review of Security (i.e., 42 CFR § 73.11) for each laboratory during its 2013 internal inspection. Of these 15 DSAT inspectors, 9 reported concerns that entities do not always conduct internal inspections with sufficient rigor to meaningfully monitor compliance with the Select Agent Regulations. Some DSAT inspectors expressed concern that this lack of rigor may lead entities to miss potentially serious observations. Indeed, six of the nine DSAT inspectors reported that they often identify observations regarding issues that the entity is not aware of but that it should have identified in its internal inspections. Some of the Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 11 OEI-04-15-00431 nine inspectors attributed entities’ lack of rigor to what they characterized as a perception by entities that internal inspections are an administrative burden, saying that entities do not recognize the value of internal inspections. Other inspectors attributed these concerns to the limitations of “self-policing” and entities’ unwillingness to report negative results. See Entities do not always Appendix F for a more detailed list of concerns reported by DSAT “evaluate security controls, inspectors. training, or recordkeeping requirements. As a result, Our review of DSAT inspection findings supports the concern that entities partial assessments are may not identify all potential observations through their internal inspections. common and fail to identify Specifically, we determined that on several occasions, DSAT identified deficiencies in a timely observations for inspection standards for which the entity did not identify manner.” – DSAT inspector any observations. In contrast, there were no instances for which the entity identified an observation for a regulatory section and DSAT did not. In addition, entities in our review identified observations, on average, for approximately one inspection standard, while DSAT identified observations, on average, for five inspection standards.31 Exhibit 3 compares the number of entities that identified observations and the number of entities for which DSAT identified observations. Appendix G provides more information about the 10 inspection standards for which both DSAT and entities identified observations. 31 Entities that conduct their internal inspections after DSAT’s registration renewal inspection may not identify observations for the same inspection standard as DSAT because the issues that led to observations were corrected after the DSAT inspection, leaving no observations for the entity to identify. About one-third of the entities in our review (6 of 20) conducted their internal inspection after DSAT’s inspection. These entities conducted their inspections, on average, 6.7 months after DSAT’s inspection (ranging from 2.3 to 10.4 months after). In contrast, 14 of 20 entities conducted their internal inspections before DSAT’s inspection. These entities conducted their inspections, on average, approximately 3.3 months before DSAT’s inspection, ranging from 13 days to 10 months before. Therefore, these 14 entities had an opportunity to identify observations before DSAT identified them but did not. For 5 of these 14 entities, DSAT identified observations regarding inspection standards that were not included in the documentation of the entities’ annual internal inspections. This demonstrates that DSAT identified observations regarding inspection standards for which these 5 entities may not even have been inspecting or had not documented their inspection. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 12 OEI-04-15-00431 Exhibit 3: DSAT inspectors found observations for more inspection standards than entities did Responsible Official (42 § CFR 73.9) 9 Restricting Access to Select Agents and Toxins, and Security Risk Assessments 4 (42 § CFR 73.10) Security (42 § CFR 73.11) 3 18 Biosafety (42 § CFR 73.12) 10 19 Incident Response (42 § CFR 73.14) 1 13 Training (42 § CFR 73.15) 1 17 Transfers (42 § CFR 73.16) 3 Records (42 § CFR 73.17) 2 17 DSAT-identified observations Entity-identified observations Source: OIG analysis of data from DSAT registration renewal inspections and entities’ survey responses regarding their “closest-in-time” internal inspections, 2017. *Note: Neither DSAT nor any entities found observations for Restricted Experiments (42 CFR § 73.13) or Notification of Theft, Loss, or Release (42 CFR § 73.19). In addition to raising concerns that entities’ internal inspections are not “The most frequent sufficiently thorough, 7 of the 24 DSAT inspectors in our review reported problem is [lack of] concerns that entities are not fully documenting their internal inspections. If documentation that all entities’ internal inspections are not fully documented to reflect the parts of the regulation inspection scope and results, DSAT inspectors have limited ability to verify have been [addressed that the inspections were conducted, that they addressed all required by the internal aspects of compliance, and that any observations were corrected as inspection].” required. Consistent with their reported concerns, during DSAT’s 2015 registration renewal inspections, inspectors cited 8 of the 20 entities in our – DSAT inspector review for not conducting internal inspections as required (i.e., 42 CFR § 73.9(a)(6)) because the entities did not thoroughly document their internal inspections. OIG also reviewed entities’ documentation of internal inspections and determined that many of these inspections were not sufficiently thorough, not sufficiently documented, or both. No entities’ inspection documentation included all ten of the inspection standards of 42 CFR part 73. This could mean that they did not include these inspection Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 13 OEI-04-15-00431 standards in their inspections or that they did not document their inclusion of them. For the 20 entities that conducted at least one internal inspection from 2013 to 2015, entities’ documentation of their “closest-in-time” internal inspections indicated that, on average, 5 of the 10 inspection standards were addressed. Two entities addressed only two regulatory sections in their inspection documentation. Exhibit 4 shows the number of entities whose documentation demonstrated they addressed up to 10 inspection standards. Exhibit 4: No entity addressed all 10 inspection standards in the inspection documentation we reviewed One Inspection Standard 0 Two 2 Three 3 Four 1 Five 2 Six 3 Seven 1 Eight 4 Nine 4 All Ten Inspection Standards 0 Number of Entities Source: OIG analysis of entities’ internal documentation regarding their “closest-in-time” internal inspections, 2017. The following 6 inspection standards were addressed by a majority of entities according to “closest-in-time” internal inspection documentation:  Security (42 CFR § 73.11) – 17 entities,  Biosafety (42 CFR § 73.12) – 20 entities,  Restricted Experiments (42 CFR § 73.13) – 14 entities,32  Incident Response (42 CFR § 73.14) – 14 entities,  Training (42 CFR § 73.15) – 13 entities, and  Records (42 CFR § 73.17) - 14 entities. The remaining 4 inspection standards were each addressed by half or less of the entities. These cover:  Responsible Official (42 CFR § 73.9) – 8 entities,  Restricting Access to Select Agents and Toxins; Security Risk Assessments (42 CFR § 73.10) – 9 entities,  Transfers (42 CFR § 73.16) – 10 entities, and  Notification of Theft, Loss, or Release (42 CFR § 73.19) – 1 entity. 32 Of the 22 entities in our review, DSAT approved 1 to conduct restricted experiments during our timeframe. This entity is included among the 14 entities with documentation that addressed Restricted Experiments (42 CFR § 73.13). The remaining entities include Restricted Experiments (42 CFR § 73.13) in their internal inspections to verify that work objectives do not contain restricted experiments. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 14 OEI-04-15-00431 Finally, a few (4 of 24) DSAT inspectors reported that some entities do not conduct internal inspections at all. Of these four inspectors, one was involved in the 2015 registration renewal inspection for one of the two entities in our review that reported not conducting any internal inspections for one or more years between 2013 and 2015. The remaining three DSAT inspectors appear to be commenting on entities not included in our review. Nearly all CDC Of the 24 CDC DSAT inspectors surveyed in our review, 23 reported challenges that affect DSAT inspectors’ ability to oversee entities’ internal inspectors reported inspections or entities’ ability to conduct these inspections. All 23 of these that unclear DSAT inspectors reported that unclear requirements or insufficient training inspection on the internal inspection requirement present a challenge to DSAT requirements or inspectors or entities. Exhibit 5 shows the number of inspectors that reported this challenge as affecting DSAT oversight, entities’ ability to insufficient training conduct internal inspections, or both. challenge their ability to oversee Exhibit 5: Most DSAT inspectors reported that unclear internal inspection requirements or insufficient training challenged DSAT entities’ internal oversight or entities’ ability to conduct internal inspections inspections or entities’ ability to conduct them For DSAT 6 Unclear Inspection Requirements or Insufficient Training No Concerns Present Challenges to 1 Overseeing or Conducting Both Internal Inspections 15 23 DSAT leadership “needs For Entities to provide more detailed 2 guidance and training, delivered on a more Source: OIG analysis of DSAT inspectors’ survey responses, 2017. consistent basis, to ensure uniformity Of these 23 DSAT inspectors, 21 noted that unclear requirements or between teams in insufficient training challenge DSAT’s ability to objectively and consistently verifying compliance.” – oversee entity compliance with the internal inspection requirement.33 Some of these inspectors (10) also reported that DSAT inspectors inconsistently or DSAT inspector differently apply the requirements to entities’ internal inspections. This 33 Of these 21 DSAT inspectors, 4 reported only that requirements are unclear, 3 reported only that training is insufficient, and 14 reported both challenges to DSAT inspectors. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 15 OEI-04-15-00431 inconsistency may be the result of unclear requirements or insufficient training. Additionally, 17 DSAT inspectors reported their perceptions that unclear requirements or insufficient training affect entities’ ability to conduct internal inspections.34 “Different inspectors Of the 21 entities in our review, 8 also reported that unclear requirements or insufficient training present challenges to their ability to conduct internal focus on different areas inspections.35 Unclear requirements for internal inspections and insufficient of the regulations based training may explain, in part, our findings regarding entities’ internal on their experience. We inspections’ not being sufficiently thorough or sufficiently documented. In have also been cited by addition, 11 of the 21 entities reported their perceptions that DSAT one inspector for items inspectors apply the internal inspection requirements inconsistently. This that other inspectors may indicate that DSAT inspectors need clarity on the internal inspection have found acceptable in requirements or may need more training, or both, as well. the past.” – Entity Eleven of the 23 DSAT inspectors and 5 entities also reported other Responsible Official challenges associated with the internal inspection process. See Appendix H, Exhibits 12 and 13 for a complete listing of the challenges that DSAT inspectors and entities reported. 34 Of these 17 DSAT inspectors, 1 reported only that requirements are unclear, 5 reported only that training is insufficient, and 11 reported both challenges to entities. 35 Of these 8 entities, 3 reported only that requirements are unclear, 4 reported only that training is insufficient, and 1 reported both challenges to entities. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 16 OEI-04-15-00431 CONCLUSION AND RECOMMENDATIONS The Select Agent Regulations are intended to protect public health and safety by ensuring that entities possessing, using, or transferring select agents and toxins are conducting their work safely and securely. Entities’ internal inspections are important first-line tools for helping ensure that entities are meeting these critical health and safety requirements. Eighteen of the 21 entities registered with the FSAP and that were included in our review reported to us that they conducted internal inspections annually for all areas where select agents were used or stored, as required by Select Agent Regulations, from 2013 to 2015. In nearly all cases, DSAT had identified and cited those few entities that reported to us that they did not conduct these inspections as required. During their internal inspections, most entities cited observations for the Select Agent Regulations’ Biosafety section (14 entities) or Security section (6 entities). This is consistent with the types of observations that DSAT most commonly found in its inspections, according to a previous HHS OIG report. However, the DSAT inspectors whom we surveyed in our review also reported finding that, in their experience, entities’ internal inspections are not always sufficiently thorough (15 of 24 inspectors) or sufficiently documented (7 of 24 inspectors), which may hinder the effectiveness of these inspections. Data that we collected from DSAT inspections for registration renewals support these claims. DSAT inspectors also raised concerns that unclear inspection requirements and insufficient training challenge both DSAT’s ability to oversee entities’ internal inspections and entities’ ability to conduct them. Some entities reported similar concerns. These challenges may partially explain why entities’ internal inspections are not always sufficiently thorough or sufficiently documented. In light of these findings, as well as GAO’s previous findings that the FSAP may not target entities’ highest risk activities during its inspections and that training and workforce gaps may result in inconsistencies in FSAP inspectors’ oversight, we recommend that CDC: 36 Clarify the requirement for internal inspections CDC should clarify to DSAT inspectors and to entities the breadth and depth required for internal inspections, including which of the regulatory sections and subsections of 42 CFR part 73 must be addressed as inspection standards. Consistent with its ongoing efforts to establish effective risk assessment and mitigation policies for the FSAP overall, CDC may want to 36 GAO, High-Containment Laboratories: Coordinated Actions Needed to Enhance the Select Agent Program’s Oversight of Hazardous Pathogens, GAO-18-145, October, 2017. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 17 OEI-04-15-00431 consider using a risk-based approach for determining the breadth and depth required for internal inspections. CDC should also make sure entities are aware the new clarified requirements, for example, by publishing them in the Responsible Official Resource Manual. These clarifications would help ensure that entities focus, conduct, and document internal inspections appropriately to maximize the effectiveness of this tool in protecting public health and safety. Clarify the procedures for DSAT inspectors to assess entity compliance CDC should make clear to inspectors the procedures for assessing entity compliance with the internal inspection requirement. For example, CDC should clarify:  The methods for assessing whether entities’ activities constitute a sufficiently thorough inspection;  The documentation that entities must provide to DSAT inspectors for internal inspections to be considered sufficiently documented;  Whether and under what conditions DSAT inspectors should cite entities for noncompliance with the internal inspection requirement if they find that entities’ internal inspections were ineffective (e.g., that entities did not find—and should have found—observations that DSAT inspectors found); and,  How and when DSAT inspectors should coordinate with other DSAT inspectors when unique problems arise to establish a uniform response in a timely manner before responding to the entity. These clarifications could promote effectiveness and consistency. For DSAT inspectors, develop and provide additional training CDC should develop additional training for inspectors regarding the requirements and procedures for assessing entity compliance with the internal inspection requirement. CDC may want to solicit the input of inspectors in developing this training to ensure it covers the typical scenarios and areas of common confusion regarding internal inspections. CDC should also ensure that the training enhances the consistency among inspectors and prepares inspectors to more uniformly answer entities’ questions about the internal inspection requirement. CDC should determine when and how often inspectors should attend this training (e.g., an initial training for new inspectors and periodic refresher training). Additionally, CDC could consider rotating DSAT team members among inspection teams to promote consistent procedures and promising practices across teams. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 18 OEI-04-15-00431 For entities, develop and provide additional training and guidance CDC should offer periodic training to entity staff—particularly ROs— regarding internal inspection requirements. CDC may want to consider focusing on how entities should scope their internal inspections, and their value in protecting the entity’s and the public’s health and safety. In addition to training, CDC should determine what additional tools and resources for entities may enhance the effectiveness of their internal inspections. For example, CDC’s DSAT may want to publish guidance on internal inspection requirements on the FSAP website and in the Responsible Official Resource Manual. CDC may want to emphasize the importance of internal inspections to entities. Additionally, CDC could ensure checklists for each required section are available on the FSAP website and assist entities who want to adapt them for their own inspections. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 19 OEI-04-15-00431 AGENCY COMMENTS AND OIG RESPONSE CDC concurred with all four of our recommendations. First, CDC concurred with our recommendation to clarify to DSAT inspectors and to entities the breadth and depth required for entities’ internal inspections. CDC stated that the FSAP will develop a policy document to clarify the internal inspection requirement and will share the draft policy document with the regulated community and FSAP inspectors to obtain feedback before finalizing the policy. Second, CDC concurred with our recommendation to make clear to DSAT inspectors the procedures for assessing entity compliance with the internal inspection requirement. CDC stated that the FSAP (which consists primarily of DSAT inspectors) will develop inspector training in consultation with FSAP inspectors. This training will address methods for assessing entity compliance with the internal inspection requirement. Additionally, the FSAP will develop internal guidance addressing how and when DSAT inspectors should coordinate with other DSAT inspectors and USDA inspectors to establish uniform responses to unique problems before responding to entities. Third, CDC concurred with our recommendation to develop additional training for inspectors regarding the requirements and procedures for assessing entity compliance with the internal inspection requirement. CDC stated that in collaboration with FSAP inspectors, the FSAP will develop inspector training to address the procedures and requirements for evaluating whether an entity’s annual inspection activities constitute an appropriately comprehensive inspection. This training will be added to the inspector training program to help improve consistency among inspectors. Finally, CDC concurred with our recommendation to offer periodic training to entity staff regarding internal inspection requirements. CDC stated that the FSAP will focus on how entities should scope their internal inspections in the policy document that clarifies the breadth and depth required for entities’ internal inspections. The FSAP will share the draft policy with the regulated community to obtain feedback before finalizing the policy. The FSAP will also review the current checklists on the FSAP website to determine if the checklists are beneficial to entities in meeting the annual internal inspection requirement. Finally, a workshop for entities scheduled for August 2018 will include training on the new policy. For the full text of CDC’s comments, see Appendix I. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 20 OEI-04-15-00431 APPENDIX A: The Purpose and Structure of the Federal Select Agent Program The FSAP regulates entities’ possession, Exhibit 6: The FSAP oversight structure use, and transfer of select agents and Federal Select Agent Program toxins. Oversight of the FSAP is composed (FSAP) of two Federal agencies. Within HHS, U.S. Department of U.S. Department of CDC’s DSAT oversees Health and Human Agriculture (USDA) entities that possess or Services (HHS) use select agents and toxins that have the potential to pose Centers for Disease Animal and Plant a severe threat to Control and Health Inspection public health and Prevention (CDC) Service (APHIS) safety. In addition, the U.S. Department of Agriculture’s (USDA) Division of Select Agriculture Select Animal and Plant Agents and Toxins Agent Services (DSAT) (AgSAS) Health Inspection Service’s (APHIS) Agriculture Select Source: HHS OIG analysis of the Federal Select Agent Program, Agent Services About Us. Accessed at https://www.selectagents.gov/about.html (AgSAS) oversees on February 15, 2017. entities that possess or use select agents and toxins that have the potential to pose a severe threat to animal and plant health or to animal and plant products. Some agents qualify as “overlap agents”37—biological agents or toxins that have been determined to have the potential to pose a severe threat both to human health and animal health or animal products. Overlap agents are jointly regulated by both HHS and USDA. See Exhibit 6 (above) for the departments, agencies, and divisions responsible for providing FSAP oversight. In addition to its FSAP management and oversight responsibilities, CDC has laboratories that are registered with the FSAP. To avoid concerns of CDC self-regulation, these laboratories are inspected by USDA. 37 See FSAP, Select Agents and Toxins List. Accessed at https://www.selectagents.gov/selectagentsandtoxi nslist.html, on April 23, 2018. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 21 OEI-04-15-00431 APPENDIX B: The 10 Federal Regulatory Sections That Pertain to Entities’ Internal Inspections (42 CFR Part 73) This report refers to these 10 sections as the “inspection standards.” Responsible Official……………………………………….…… 42 CFR § 73.9 Restricting Access to Select Agents and Toxins, and Security Risk Assessments…………………..…….. 42 CFR § 73.10 Security……………………………………………………………... 42 CFR § 73.11 Biosafety………………………………………………………..…. 42 CFR § 73.12 Restricted Experiments……………………….…………….. 42 CFR § 73.13 Incident Response………..…………………………………… 42 CFR § 73.14 Training……………………………………………………............ 42 CFR § 73.15 Transfers……………………………………………………………. 42 CFR § 73.16 Records……………………………………………………………… 42 CFR § 73.17 Notification of Theft, Loss, or Release……………..… 42 CFR § 73.19 Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 22 OEI-04-15-00431 APPENDIX C: Detailed Methodology Detailed Methodology Sample Selection. Of the 233 entities that were continuously registered with the FSAP from 2013 through 2015, we identified a subpopulation of 75 entities that received a 2015 registration renewal inspection from DSAT. Of this subpopulation, we selected a purposive sample of 22 entities. We selected this sample to ensure representation on the following characteristics:  Entity size, as determined by the number of principal investigators and laboratories at the entity;  Entity type; and  Whether the entity had been the subject of a compliance action from 2013 through 2015. See Exhibit 7 for information about the population, subpopulation, and purposive sample on these selection characteristics from 2013 through 2015. Exhibit 7: Selection Characteristics of the Population, Subpopulation, and Purposive Sample of Entities Registered With the FSAP From 2013 Through 2015 Population of Subpopulation Entities of Entities Continuously With 2015 Selection Characteristics Sample Registered With Registration the FSAP, 2013 Renewal Through 2015 Inspections (233 Entities) (75 Entities) (22 Entities) Entity Size Average Number of Principal 2 2 3 Investigators Average Number of 4 4 7 Laboratories Entity Type* Government Non-Federal 75 23 6 Academic 73 24 5 Government Federal 36 11 4 Commercial 35 12 4 Private Nonprofit 14 5 3 Average Number of Compliance Actions, From 2 0 1 2013 Through 2015** Source: HHS OIG analysis of DSAT data, 2017. * A government non-Federal entity is part of an agency of a State or local government (excluding academic entities). An academic entity is a private or public university, college, or other institution of higher learning. A government Federal entity is part of an agency in the Federal Government. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 23 OEI-04-15-00431 A commercial entity is a privately owned for-profit company, including partnerships and corporations either privately held or whose shares are traded on the open market. CDC defines a private entity as any privately owned company, including partnerships and corporations in which no part of the income is distributed to the owners, directors, officers, members, or stockholders and whose principal purpose is for charitable or benevolent purposes. CDC and APHIS, 2015 Annual Report of the Federal Select Agents Program. Accessed at https://www.selectagents.gov/annualreport2015.html on September 19, 2017. However, in the National Select Agent Registry, DSAT labels the latter type of private entities as “private (nonprofit).” ** Compliance actions are used to address serious or repeated observations and include corrective action plans, registration denials, registration suspensions, registration revocations, and referrals. Referrals may be made to Agriculture Select Agent Services (AgSAS), the Federal Bureau of Investigation, or HHS OIG. AgSAS is the U.S. Department of Agriculture’s counterpart to DSAT; for more on AgSAS, see page 19. For more information on compliance actions and DSAT’s use of them from 2013 to 2015, please see our previous report: OIG, CDC Generally Met Its Inspection Goals for the Federal Select Agent Program; However, Opportunities Exist To Strengthen Oversight (OEI-04-15-00430), May 2017, pp. 5–6 and 13–14. For these 22 sampled entities, we obtained from DSAT the names and contact information for the 29 DSAT inspectors involved in the 2015 registration renewal inspections for the sampled entities. We removed the names of those inspectors who no longer worked with DSAT and selected all remaining inspectors (24) for our sample. This sample represents more than half of the 40 total inspectors that DSAT estimates were employed at the time we administered our survey. We also obtained from DSAT the ROs’ names and contact information. Data collection. To understand the internal inspection requirements and DSAT’s oversight of them, we collected the Select Agent Regulations and DSAT policies and guidance documents. We also collected data from the NSAR to identify observations that DSAT inspectors identified regarding entities’ internal inspections. In March 2017, we sent a web-based survey to the 24 DSAT inspectors in our sample. We asked DSAT inspectors about their experiences overseeing entities’ internal inspections. Specifically, we asked DSAT inspectors about their methods for verifying entities’ compliance with the internal inspection requirement during DSAT inspections, as well as their methods for verifying that an entity corrected observations identified in their internal inspections. We also asked DSAT inspectors to report challenges associated with the internal inspection requirement. We received responses from all 24 DSAT inspectors in our sample. In March and April 2017, we sent a web-based survey to the 22 entities in our sample. We asked about their internal inspection processes and the observations found during these inspections from 2013 through 2015, as well as supporting documentation as appropriate. We also asked the entities about challenges in internal inspection processes and with DSAT oversight. We received responses from all 22 entities, either from the ROs or their designated staff. However, on receiving our request, one entity responded that it was no longer registered with the FSAP. Therefore, no staff at the entity were knowledgeable about the entity’s previous research Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 24 OEI-04-15-00431 with select agents and toxins, nor could they complete our request. We confirmed with DSAT that this entity was no longer registered with the FSAP as of 2016. Therefore, we removed this entity from our analysis, and our findings are based on survey responses from 21 entities. This entity was a commercial entity with four principal investigators, five laboratories, and no compliance actions from 2013 through 2015. We did not remove from our review the DSAT inspectors who conducted the 2015 registration renewal inspection for this entity because they had conducted the 2015 registration renewal inspections for other entities in our sample. Data analysis. Using entities’ self-reported information, we identified entities that did and did not conduct internal inspections as required. For those entities that reported not conducting internal inspections as required, we analyzed NSAR data to determine whether DSAT cited these entities for observations regarding their failure to perform internal inspections (i.e., 42 CFR § 73.9(a)(6)) from 2013 through 2015. We also analyzed the entities’ self-reported observations from their “closest-in-time” internal inspections and compared these to the observations that DSAT identified in its 2015 registration renewal inspections.38 We also reviewed survey data and documentation to determine the sections of the Select Agent Regulations that entities addressed in their internal inspections, as well as the length of the inspections; their timing; whether the inspections were announced or unannounced; the documentation methods; and the individuals involved in the inspections. To identify challenges to overseeing and conducting internal inspections, we conducted qualitative data analysis on the survey responses we received from the 24 DSAT inspectors and the 21 entities in our review. First, we reviewed the data and identified challenges to DSAT inspectors in overseeing entities’ internal inspections and challenges to entities in conducting internal inspections as preliminary themes. In doing this, we determined that some inspectors’ and entities’ responses did not align with the question asked and instead better aligned with another question. Consequently, we recategorized some responses to more closely align with the questions. For example, if a response to the question about how the inspection process could be improved was phrased as a challenge (e.g., “unclear requirements”), we moved the response to the category on challenges. We then re-reviewed all responses in each category and finalized our themes and subthemes. We counted each inspector or entity only once for each theme and subtheme, regardless of the number of times the inspector or entity provided a comment related to the theme or subtheme. 38 The “closest-in-time” inspection is the entity’s internal inspection that was the least number of days before or after the 2015 DSAT registration renewal inspection. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 25 OEI-04-15-00431 APPENDIX D: Entities’ Observations During Internal Inspections Exhibit 8: The Number of Entities Reporting Observations During Internal Inspections, by Regulatory Section and Subsection, From 2013 Through 2015 Number of Entities Reporting Observations During Internal Regulatory Section* Inspections 2013 2014 2015 Total Responsible Official (42 CFR § 73.9) 0 0 0 0 -- Section (a-d) 0 0 0 0 Restricting Access to Select Agents and Toxins, 0 0 1 1 and Security Risk Assessments (42 CFR § 73.10) -- Section (a-j) 0 0 0 0 -- Section (k) 0 0 1 1 Security (42 CFR § 73.11) 3 5 3 6 -- Section (a-b) 0 0 0 0 -- Section (c) 1 3 1 4 -- Section (d) 0 0 1 1 -- Section (e) 0 0 1 1 -- Section (f) 2 4 0 5 -- Section (g) 1 0 0 1 -- Section (h) 2 1 1 2 Biosafety (42 CFR § 73.12) 11 11 9 14 -- Section (a) 0 1 0 1 -- Section (b) 0 1 0 1 -- Section (c) 1 2 1 2 -- Section (d) 1 1 1 2 -- Section (e) 2 1 2 2 -- unclassified** 9 7 7 11 Restricted experiments (42 CFR § 73.13) 0 0 0 0 -- Section (a-c) 0 0 0 0 Incident response (42 CFR § 73.14) 1 2 0 3 -- Section (a) 0 0 0 0 -- Section (b) 0 2 0 2 -- Section (c) 0 0 0 0 -- Section (d) 1 2 0 3 -- Section (e) 0 2 0 2 -- Section (f) 1 0 0 1 Training (42 CFR § 73.15) 1 4 0 4 -- Section (a) 0 1 0 1 -- Section (b) 1 0 0 1 -- Section (c) 0 0 0 0 -- Section (d) 0 3 0 3 continued on next page Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 26 OEI-04-15-00431 Number of Entities Reporting Observations During Internal Regulatory Section* Inspections 2013 2014 2015 Total Transfers (42 CFR § 73.16) 0 0 0 0 -- Section (a-l) 0 0 0 0 Records (42 CFR § 73.17) 1 2 0 3 -- Section (a) 1 2 0 3 -- Section (b-c) 0 0 0 0 Notification of Theft, Loss, or Release (42 CFR § 0 0 0 0 73.19) -- Section (a-b) 0 0 0 0 Other*** 1 2 1 3 Total**** 13 12 10 17 Source: OIG analysis of entities’ survey responses, 2017. Note: The FSAP website includes inspection checklists that DSAT inspectors use for 8 of these 10 inspection standards. It does not include checklists for Restricting Access to Select Agents and Toxins, and Security Risk Assessments (42 CFR § 73.10) or Notification of Theft, Loss, or Release (42 CFR § 73.19). This may explain, in part, why some entities in this analysis did not identify observations for these inspection standards during their internal inspections. * The full text of these regulatory sections and subsections can be found at https://www.ecfr.gov/cgi- bin/text-idx?tpl=/ecfrbrowse/Title42/42cfr73_main_02.tpl. ** “Unclassified” observations are the result of observations that fall under 42 CFR § 73.12 but originate from guidance in other sources, such as the Biosafety in Microbiological and Biomedical Laboratories guide or the NIH [National Institutes of Health] Guidelines for Research Involving Recombinant or Synthetic Nucleic Acid Molecules (NIH Guidelines). On the basis of guidance from DSAT, we grouped the observations that entities identified as falling under these other sources as “unclassified” potential noncompliance with the regulations regarding select agents and toxins at 42 CFR § 73.12. *** Entities reported that they classified some of their observations as “other” because the observations did not pertain to the inspection standards. Instead, according to the entities, these observations pertained to items such as a visual pressure-loss alarm in a laboratory, floors that needed waxing, and minor issues noted during an inspection of registered space involving things such as caulking. **** Sums across columns or rows may not equal totals because some entities had observations (1) regarding the same inspection standards for multiple years or (2) regarding multiple inspection standards for the same year. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 27 OEI-04-15-00431 APPENDIX E: Information on the Methods To Conduct Internal Inspections and To Correct and To Close Observations From 2013 Through 2015 Methods to conduct internal inspections Beyond the regulatory requirements, the FSAP allows flexibility in how entities conduct their internal inspections. For example, entities are free to determine how many days the inspection will take (i.e., the length), when the inspection will occur (i.e., the timing), and whether the inspection will be announced in advance to entity staff. Entities also have flexibility in developing their own methods of documenting the inspection, as well as determining the individual(s) at the entity who are involved in the inspection. Length. The average length of entities’ internal inspections was 3 days, ranging from 1 to 9 days.39 Some entities’ inspections were spread throughout the year (i.e., they did not inspect all FSAP-registered areas at the same time), but no entities conducted the same inspections of the same area more than once per year. Different areas were inspected, or the same areas were inspected for different inspection standards at different times. Timing. Two entities scheduled their internal inspections in the same months from 2013 through 2015. All other entities (15 of 17) conducted internal inspections that were scheduled at different times from year to year.40 39 The analysis was based on 19 of the 20 entities that conducted at least 1 internal inspection. We analyzed the documentation of entities’ “closest-in-time” internal inspections to determine the length of internal inspections. Because of the large number of laboratories at one of our sampled entities, we allowed the entity to submit summaries of its inspections for each laboratory rather than all of the documentation of its inspections for each laboratory. Information about inspection length was not included in the summaries that this entity submitted. 40 The analysis was based on 17 of the 20 entities that conducted at least 1 internal inspection. For us to include an entity in the analysis, it had to have conducted inspections in all 3 years and specified the dates those inspections occurred. We analyzed the documentation of entities’ “closest-in-time” internal inspections to determine the length of internal inspections. Because of the large number of laboratories at one of our sampled entities, we allowed the entity to submit summaries of its inspections for each laboratory rather than all of the documentation of its inspections for each laboratory. Information about inspection length was not included in the summaries that this entity submitted. The second entity could not verify the dates of the 2013 or 2014 inspections, which had been conducted before the current RO was hired and did not have sufficient documentation. The last entity did not conduct an internal inspection one of the years. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 28 OEI-04-15-00431 Announced versus unannounced.41 Fourteen of the 20 entities in our sample that reported conducting at least one internal inspection stated that they announced internal inspections to Principal Investigators and lab staff prior to the start of the inspection. The remaining six stated that they did not make any prior announcements. Of the 14 entities that reported conducting announced inspections, they most frequently reported that inspections were announced to ensure the availability of relevant staff (9 entities). Some entities (six) also reported that they conducted announced inspections so that Principal Investigators could plan studies around the inspection to lessen disruption. Thus, some entities reported that the amount of time between the announcement and the inspection varied depending on staff availability. Entities reported giving Principal Investigators or laboratory staff notice that ranged from 2 days to 3 months before conducting the inspections. Of the six entities that conducted unannounced inspections, three reported conducting unannounced inspections because they had no need to announce the inspections. According to these entities, announcements are unnecessary either because the Principal Investigator was not involved in the inspection and therefore did not need notice or because the staff worked every day as though an internal inspection were occurring and did not need to prepare for disruption. Three entities chose not to announce inspections because they did not want staff to adjust their work areas in ways that would be unrepresentative of “real-time daily operations.” One of these entities stated, though, that notice would have been provided, if necessary, depending on the particular work being conducted. Documentation methods. Most entities in our review (16 of 20) reported using FSAP checklists either exclusively or in conjunction with entity-specific methods to document their internal inspections from 2013 through 2015.42 See Exhibit 9 for the number of entities that reported using only FSAP checklists, only entity-specific methods (i.e., no FSAP checklists), or a combination of FSAP checklists and entity-specific methods to document their internal inspections for the 3 years under our review. 41 We generally considered “announced” inspections to be those in which the entity reported that it formally notified staff about upcoming inspections. However, in one case, the entity responded that it did not announce the internal inspections because the entity’s facility was so small that everyone was aware of the inspection without a formal announcement. We coded this entity as “announced” for the purposes of this analysis. 42 The analysis was based on the 20 entities in our review that conducted at least one internal inspection during the 3-year period under our review (2013 through 2015). Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 29 OEI-04-15-00431 Exhibit 9: Number of entities reporting using only FSAP checklists, only entity-specific methods, or a combination of methods, to document internal inspections from 2013 through 2015 Both FSAP Entity- FSAP Checklists Specific Checklists and Entity- Methods Only Specific Only 8 of 20 Methods 4 of 20 8 of 20 Source: OIG analysis of entity checklists and survey responses, 2017. The number of entities reporting that they used FSAP checklists (either exclusively or with entity-specific documentation methods) increased from 2013 to 2015. In 2013, 12 of the 20 entities that conducted at least 1 inspection from 2013 through 2015 used FSAP checklists to conduct their internal inspections. By 2015, the number of entities using FSAP checklists increased by four entities. One of the entities that started using FSAP checklists by 2015 stated that it did so to address previous deficiencies that the internally developed methods did not address. Another entity stated that because FSAP checklists were recommended by DSAT, the entity assumed that the checklists were more complete than entity-specific methods. The entities that used entity-specific documentation methods provided various reasons for using them. Of the 12 entities that used entity-specific documentation methods, 6 reported they used these methods because they had been developed before the FSAP checklists. In addition, five entities explained that they used the entity-specific documentation methods because they include items specific to their respective entities or contained more details than the FSAP checklists. For example, one entity stated that its documentation methods captured additional State regulations pertaining to select agents and toxins. According to the same entity, its documentation method is “similar to the FSAP checklist and covers the same requirements. We added more items… with more details.” This entity added that, in 2015, it revised its entity-specific documentation methods to address previous observations “and ensure continuity of corrective action” and compliance. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 30 OEI-04-15-00431 Individuals involved in the inspections. Of the 20 entities in our review that conducted at least one internal inspection, the RO led these inspections each year at 13 entities. In contrast, for 5 of the 20 entities, the RO did not lead any of the internal inspections. In four of these five cases, the RO always delegated the responsibility of leading the internal inspection to the Alternate RO. For the fifth entity, the Alternate RO led the inspection for 2 of the 3 years and the Biological Select Agents and Toxins Facility Director Designee led the inspection for the third year. Three of these five entities did not have the RO on the inspection team during any of the internal inspections in our review. The fourth entity always had the RO on the inspection team, and the fifth entity had the RO on the inspection team for 1 year (2015) but not for the other 2 years. The RO at the remaining 2 of the 20 entities led the inspections some years and delegated this responsibility to the Alternate RO some years. Methods to correct and to close observations. Entities in our review used various methods to close observations identified during internal inspections from 2013 through 2015. Among the 15 entities that described their methods for correcting observations, most (11) instituted new internal training to address the observations and more than half (8) modified existing plans or internal procedures. Fifteen entities also stated that their respective entities have a formal process to close observations after they have been corrected, while two entities did not report having a formal process. Of the 15 entities reporting a formal process, the process varied depending on the types of observations identified. At eight entities, supervisors (e.g., ROs, Alternate ROs, or Biosafety Officers) verify and approve the closure. Seven entities reported formal documentation procedures to close observations. Five entities described using a formal tracking system to ensure that observations were documented and closed. In addition, during registration renewal inspections, DSAT inspectors are responsible for verifying that entities corrected and closed observations identified during entities’ internal inspections. All 24 DSAT inspectors in our review reported that they verify that an entity has corrected—or has made progress towards correcting—observations identified in entities’ internal inspections. These inspectors reported relying on documentation (19 inspectors), visual inspection (15 inspectors), and interviews (7 inspectors) to verify that observations have been closed or partially closed. If DSAT inspectors identify observations during internal inspections that have not been corrected, 22 of the 24 inspectors reported that they would include this information in their inspection report and potentially refer it to DSAT. Nine inspectors said they would discuss the observations and potential corrective actions with the RO. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 31 OEI-04-15-00431 APPENDIX F: DSAT Inspector Concerns With Entities’ Internal Inspections Exhibit 11: Number of DSAT Inspectors Raising Concerns About Entities’ Internal Inspections Number of DSAT Description of Concern Inspectors Entities’ Internal Inspections Are Not Sufficiently Thorough (They do not address all inspection standards or are not 15 sufficiently rigorous) Entities’ Internal Inspections Do Not Address All Inspection 6 Standards Entities’ Internal Inspections Are Not Sufficiently Rigorous 4 Both Entities’ Internal Inspections Do Not Address All Inspection Standards and Entities’ Internal Inspections Are 5 Not Sufficiently Rigorous Entities Do Not Identify All Observations Identified By DSAT 6 Inspectors Entities Do Not Sufficiently Document Internal Inspections 7 Some Entities Do Not Conduct Internal Inspections 4 Total DSAT Inspectors Reporting Concerns 18* Source: OIG analysis of inspector and entity survey responses, 2017. *Sum of DSAT inspectors does not equal the total because some DSAT inspectors reported more than one concern. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 32 OEI-04-15-00431 APPENDIX G: Comparison of DSAT-Identified Observations and Entity-Identified Observations for Each of the 10 Inspection Standards Exhibit 10: Number of Entities For Which DSAT and Entities Identified Observations During 2015 Registration Renewal Inspections and Internal Inspections That Were “Closest In Time” Regulatory Section* and Number of Entities For Which DSAT and Subsections Entities Identified Observations Number of Number of Number of Entities For Entities For Entities for Which Both Which which DSAT Entities and Entities Identified DSAT Identified Observations Identified Observations Observations Responsible Official (42 CFR § 73.9) 9 0 0 -- Section (a) 8 0 0 -- Section (b) 1 0 0 -- Section (c) 1 0 0 -- Section (d) 0 0 0 Restricting Access to Select Agents 4 0 0 and Toxins, and Security Risk Assessments (42 CFR § 73.10) -- Section (a) 3 0 0 -- Section (b) 1 0 0 -- Section (c-j) 0 0 0 -- Section (k) 1 0 0 Security (42 CFR § 73.11) 18 3 3 -- Section (a) 3 0 0 -- Section (b) 2 0 0 -- Section (c) 16 1 1 -- Section (d) 5 0 0 -- Section (e) 2 1 0 -- Section (f) 9 1 1 -- Section (g) 0 0 0 -- Section (h) 2 1 0 Biosafety (42 CFR § 73.12) 19 10 10 -- Section (a) 9 1 1 -- Section (b) 8 1 1 -- Section (c) 0 1 0 -- Section (d) 1 1 0 -- Section (e) 4 2 1 -- unclassified** 16 7 5 continued on next page Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 33 OEI-04-15-00431 Regulatory Section* and Number of Entities For Which DSAT and Subsections Entities Identified Observations Number of Number of Number of Entities For Entities For Entities for Which Both Which which DSAT Entities and Entities Identified DSAT Identified Observations Identified Observations Observations Incident response (42 CFR § 73.14) 13 1 1 -- Section (a) 2 0 0 -- Section (b) 6 1 1 -- Section (c) 6 0 0 -- Section (d) 9 1 1 -- Section (e) 7 1 0 -- Section (f) 4 0 0 Training (42 CFR § 73.15) 17 1 1 -- Section (a) 10 0 0 -- Section (b) 4 0 0 -- Section (c) 10 0 0 -- Section (d) 5 1 0 Transfers (42 CFR § 73.16) 3 0 0 -- Section (a) 2 0 0 -- Section (b-d) 0 0 0 -- Section (e) 1 0 0 -- Section (f-l) 0 0 0 Records (42 CFR § 73.17) 17 2 2 -- Section (a) 16 2 2 -- Section (b) 3 0 0 -- Section (c) 2 0 0 Total*** 20 11 11 Source: OIG analysis of entities’ survey responses and data from DSAT registration renewal inspections, 2017. Note: The FSAP website includes inspection checklists that DSAT inspectors use for 8 of these 10 inspection standards. It does not include checklists for Restricting Access to Select Agents and Toxins, and Security Risk Assessments (42 CFR § 73.10) or Notification of Theft, Loss, or Release (42 CFR § 73.19). This may explain, in part, why no entities in this analysis identified observations for these sections during their internal inspections. * The full text of these regulatory sections and subsections can be found at https://www.ecfr.gov/cgi- bin/text-idx?tpl=/ecfrbrowse/Title42/42cfr73_main_02.tpl. ** “Unclassified” observations are the result of observations that fall under 42 CFR § 73.12 but originate from guidance in other sources, such as the Biosafety in Microbiological and Biomedical Laboratories guide or the NIH [National Institutes of Health] Guidelines for Research Involving Recombinant or Synthetic Nucleic Acid Molecules (NIH Guidelines). On the basis of guidance from DSAT, we grouped the observations that entities identified as falling under these other sources as “unclassified” potential noncompliance with the regulations regarding select agents and toxins at 42 CFR § 73.12. *** The sum of observations identified by DSAT or entities may exceed the total because at some entities, DSAT or the entity identified observations regarding multiple regulatory sections. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 34 OEI-04-15-00431 APPENDIX H: Reported Challenges With Overseeing and Conducting Internal Inspections Exhibit 12: Number of DSAT Inspectors Reporting Challenges in DSAT Overseeing Internal Inspections and in Entities Conducting Internal Inspections Number of Unique Description of Challenge DSAT Inspectors Reporting This Challenge Unclear Requirements or Insufficient Training Challenge DSAT Inspectors’ Ability To Oversee or Entities’ Ability To Conduct Internal Inspections (23 Unique Inspectors Reporting) Unclear Requirements or Training For DSAT Inspectors 21 Only Unclear Requirements for DSAT 4 Inspectors Only Insufficient Training for DSAT Inspectors 3 Both Unclear Requirements and Insufficient 14 Training Unclear Requirements or Training For Entities 17 Only Unclear Requirements for Entities 1 Only Insufficient Training for Entities 5 Both Unclear Requirements and Insufficient 11 Training for Entities Other Challenges (11 Unique Inspectors Reporting) DSAT Resource Constraints (e.g., time, technical 9 expertise, people) Entity Resource Constraints (e.g., time, technical 1 expertise, people) Evolving Inspection Process (i.e., inspection procedures 3 change with every change in regulations or leadership.) DSAT Lacks Appropriate Enforcement Actions 1 Total Reporting Challenges 23* Source: OIG analysis of inspector survey responses, 2017. ** The sum of challenges reported by DSAT or entities may exceed the total because some DSAT inspectors reported more than one challenge. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 35 OEI-04-15-00431 Exhibit 13: Number of Entities Reporting Challenges in Conducting Internal Inspections Number of Unique Description of Challenge Entities Reporting This Challenge Unclear Requirements or Training For Entities 8 Only Unclear Requirements For Entities 3 Only Insufficient Training For Entities 4 Both Unclear Requirements and Insufficient Training 1 for Entities Entity Resource Constraints (e.g., time, technical 3 expertise, people)** DSAT Lacks Appropriate Enforcement Actions** 1 Minimal Collaboration Between DSAT and Entities** 1 Total Reporting Challenges 15* Source: OIG analysis entity survey responses, 2017. * The sum of challenges reported by entities may exceed the total because some entities reported more than one challenge. ** Five unique entities reported these other challenges. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 36 OEI-04-15-00431 APPENDIX I: Agency Comments Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 37 OEI-04-15-00431 Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 38 OEI-04-15-00431 Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 39 OEI-04-15-00431 ACKNOWLEDGMENTS Lori Jouty served as the lead analyst for this study. Others in the Office of Evaluation and Inspections who conducted the study include Lauren Buss, Victoria Coxon, and Lucio Verani. Office of Evaluation and Inspections staff who provided support include Kevin Farber, Seta Hovagimian, and Christine Moritz. This report was prepared under the direction of Dwayne Grant, Regional Inspector General for Evaluation and Inspections in the Atlanta regional office, and Jaime Stewart, Deputy Regional Inspector General. To obtain additional information concerning this report or to obtain copies, contact the Office of Public Affairs at Public.Affairs@oig.hhs.gov. Entities Generally Met FSAP Internal Inspection Requirements, But CDC Could Do More To Improve Effectiveness 40 OEI-04-15-00431 ABOUT THE OFFICE OF INSPECTOR GENERAL The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components: Office of Audit The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit Services work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS. Office of Evaluation The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable and Inspections information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations. Office of The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, Investigations operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties. Office of Counsel to The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and the Inspector operations and providing all legal support for OIG’s internal operations. General OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.