The Common Rule and Continuous Improvement in Health Care: A Learning Health System Perspective

By Harry Selker, Claudia Grossmann, Alyce Adams, Don Goldmann, Christopher Dezii, Gregg Meyer, Veronique Roger, Lucy Savitz, Rich Platt
October 1, 2011 | Discussion Paper


To generate needed improvements in health care, its delivery, and its outcomes, organized and sustained efforts at continuous improvement are needed. The Institute of Medicine’s Roundtable on Value & Science-Driven Health Care has developed the vision of a health care system that gets the right care to the right people when they need it, and captures the results for making improvements: a learning health system. The Roundtable sees the creation of generalizable new knowledge as a necessary, routine aspect of the delivery of health care. Activities that involve measurement, comparison, evaluation, systematic introduction of accepted therapies, sharing of experience and information, and coordination of these activities among organizations, either are, or should become, normal expected activities of such organizations.

Ambiguity around the degree to which such continuous-improvement activities, including both clinical-effectiveness assessment and quality improvement, are seen as human-subject research has been a burden to those working in the field, to their institutions, and to patients. For this critical work to be done, it is imperative that there be a clear framework for whether or not human-subject research requirements apply. We believe a risk-based framework, in which oversight is commensurate with the level of risk imposed by the study, is the right approach. This framework proposes that for studies that seek only to collect information or that carry no more than minimal risk, that human-subject investigational review board (IRB) review may not be warranted. We recommend that in addition, it is essential to determine whether these activities are 1) routine clinical-effectiveness assessments and quality-improvement activities that are appropriate activities of the health care system, or 2) whether they are sufficiently separate from routine care that they should be classified as human-subject research, as covered by the Common Rule. We believe that the former, clinical-effectiveness assessment and quality improvement involving accepted therapies, should be excluded from regulation and oversight as human-subject research, but rather should be subject to the oversight and regulations appropriate to all clinical care.

Both human-subject research and continuous-improvement assessments by learning organizations are crucial social goods that should be facilitated, not impaired, in the interest of the public. Adjustments in the Common Rule that will facilitate the ethical and safe conduct of human-subject research are welcome changes. However, applying the Common Rule, even with enhancements, to continuous-improvement activities that clinicians and health systems are obligated to carry out, could in fact impair the actual optimal delivery of health care advances from such research. Health care organizations already bear responsibility for overseeing the safe and effective delivery of care, and they and society have many mechanisms to be sure this responsibility is fulfilled. It is entirely logical to define their responsibility to include identifying and then disseminating knowledge about best treatments and practices, and assign the oversight responsibility to them. Realigning responsibilities in this way will reinforce the understanding that quality, safety and effectiveness assessments, and care innovation are the core of a learning health system.


Changing Healthcare Environment

Despite the many achievements in health care in the United States, fundamental redesign is needed to substantially improve quality and safety, while reducing costs. American health care has brought many remarkable improvements in medical outcomes, such as increases in the survival of extremely low-birth-weight babies; continued improvement in the survival of patients with acute myocardial infarction, facilitated by system improvements in emergency response and door-to-balloon times; and reductions in the risk of central catheter-associated bloodstream infection to levels that were unthinkable just 10 years ago, by the reliable execution of evidence-based interventions. However, as important as these improvements are, they have occurred largely in isolation of broader systems improvements, and in parallel with unsustainable growth in health care costs. The gaps between where health care is and where it needs to be are particularly stark when considered in light of the Institute of Medicine’s (IOM) overarching framework of value and equity, but are also evident in each of the framework’s components: efficiency, timeliness, access, evidence-based care, patient- and family-centered care, and safety. There is an unavoidable responsibility of all involved in health care, and in particular health care organizations, to ensure real and sustainable improvements.

Continuous improvement—incorporating innovation, disciplined quality improvement, and evaluation—will be critical to finding new designs and solutions that will close these gaps and eventually meet the goals of optimizing patient experience and outcomes, improving the health of the population, and controlling cost. Innovation and quality improvement are often thought of as distinct endeavors, but in fact there is no clear boundary between them in addressing these gaps.

The best improvement efforts will draw upon a substantial scientific foundation. Important components of a scientific approach to quality improvement include: clear, measurable process and outcome goals, iterative testing, and appropriate analytic methods. [2] Equally important are rigorous planning, evaluation, and learning processes that ensure that the critical elements and context-specific adaptations needed for spread and scale-up are understood and incorporated into strategy and execution. Other criteria may apply to assessments of clinical effectiveness.

Based on such efforts, fundamental system change will require a strategic, coordinated effort to address the six interrelated levels of the system: the community; patient; clinical provider; microsystem; health care organization; and policy, payment, and regulatory environments. For innovation and quality-improvement efforts to have traction and maximal impact, the relationships between these levels need to be understood and leveraged. Moreover, as a lens for looking at improvements on all of these levels, the patient experience is central. Ideally, the patient is not just a recipient of care, but an active partner. Clinical-effectiveness research, which focuses on learning about what works best for whom and under what circumstances, can be enriched by appreciating and harnessing the experience of individual patients and their providers as they grapple with often incomplete or conflicting evidence to inform clinical decision making. The patient is also a partner in this process of searching for and improving health care; the objectives should reflect patients’ perspectives, and the processes should respect their autonomy, even while engaging them in the joint effort to improve health care for all.

Continuous improvement is the foundation for a learning system that discovers and applies the best possible evidence to the care of individual patients, their communities, and the institutions in which they receive care. This paper explores the distinctions between continuous improvement—considered for the purposes of this discussion to include quality and clinical effectiveness assessments—and human-subject research that requires formal oversight by an institutional review board (IRB). In the context of patient partnerships in care and care improvement, we focus on managing the balance of potential risk to patients and the potential to improve quality, safety, and outcomes.


The Learning Health System

The charter of the IOM Roundtable on Value & Science-Driven Health Care states that “by the year 2020, 90 percent of clinical decisions will be supported by accurate, timely, and up-to-date clinical information, and will reflect the best available evidence.”[3] To accomplish this, particularly in light of the rapidly increasing complexity of health care, we require a sustainable system that gets the right care to the right people when they need it, and then captures the results for making improvements. That is, the nation needs a health care system that learns. [4] The Roundtable interprets “learning” in this context to mean both that the system learns to use evidence-based approaches for prevention, diagnosis, and treatment, and also that it learns from the care it delivers to develop new evidence. This mandate incorporates elements traditionally considered to be quality-improvement activities and others classified as evaluation of clinical effectiveness. Overall, in order to achieve a learning health system, and in line with Joint Commission expectations, the health care delivery system must commit itself to an ongoing process of continuous improvement.

The Roundtable, therefore, sees the creation of generalizable new knowledge as a necessary and routine aspect of the delivery of health care. As noted in the Roundtable’s report Learning What Works, “developing and using information on which treatments work best for whom is imperative to achieving better value from health care expenditures.”[5] It is envisioned that this continuous improvement process will often use sophisticated tools, many of which are also used for health services research. Specifically noted is that “given the growing capacity of information technology to capture, store, and use…clinically rich data, the advantages become even clearer for identifying and advancing methods and strategies that draw research closer to practice.”[6] Examples of activities that should qualify as routine operations, when conducted on behalf of health care organizations/providers to assess quality or effectiveness initiatives, include:

  • Use of routinely collected health care information for purposes other than direct care of individual patients.
  • Analysis of administrative databases.
  • Surveys related to quality and effectiveness of care.
  • Systematic variation of care within a health care system or patient population, provided that all patients receive care that is in general use, is consistent with the guidance of regulatory and standard-setting bodies, and carries no more than minimal risk.
  • Coordination of any of these activities among multiple providers or organizations.
  • Dissemination of learning from tests of change through publication or other means.


Providers and their health care organizations may also need to exchange protected health information with other organizations to perform these activities. Examples of specific situations requiring such information to be exchanged that should qualify as routine operations include:

  • A hospital or individual practice may only be able to learn which patients are readmitted to other hospitals by obtaining this information from the patients’ health plans or insurers.
  • A practice might not learn of immunizations provided through public programs, e.g., at supermarkets, from immunization registries. This information is needed to understand the practice’s overall performance in immunizing patients actually in need of immunization.
  • A pharmacy benefits management company is uniquely able to inform providers about whether patients are actually obtaining prescribed medications, and whether they are refilling prescriptions in a manner that is consistent with good adherence.
  • A consortium of hospitals or other health care organizations should be permitted to share information for benchmarking or to identify best practices. While the use of identifiable information should be minimized, it may be necessary to exchange identifiable information in some circumstances.

Regulatory Environment

The mandate to improve care in a learning health system will be carried out in the context of federal regulation, including guidance for scientific and ethical review of projects by IRBs based on the “Common Rule,”[7] and for the protection of health information security and privacy based on the Health Insurance Portability and Accountability Act (HIPAA).[8] Regulations require that IRBs approve studies only if human subjects are properly informed about and protected from risks related to research, and that there are adequate provisions to protect privacy and confidentiality. In addition to these protections of personal information, HIPAA provides detailed safeguards for institutional handling of patients’ private information.

A basic tenet of the IOM’s vision of a learning health system is that activities involving measurement, comparison, evaluation, systematic introduction of accepted therapies, sharing of experience and information, and coordination of these activities among organizations either are, or should become, normal expected activities. This suggests that these activities should be excluded from oversight by regulations governing research that have their basis in the Belmont Report and the Common Rule, and instead be subject to the oversight of usual clinical care. In particular, the premise that learning health system activities that focus on more than a single patient or test a hypothesis constitute “human-subject research” that requires federal oversight needs to be revised. Rather, such activities should be seen in light of the Belmont Report criterion, also often cited, that practice must adhere to standard or accepted norms that carry a reasonable expectation of success in order to avoid being classified as research requiring oversight.[9] Moreover, to the extent that we accept the learning health system view that secondary use of medical information is essential to an effective program of continuous improvement, these uses should be considered routine operations with regard to HIPAA regulations. Their use should be subject to the same privacy and security controls applied to the use of protected health information for all operations, including strong protections of confidentiality via the HIPAA Privacy and Security Rules.

Ambiguity around the degree to which continuous-improvement activities are seen as human-subject research has been a burden to those working in the field, their institutions, and patients. For this critical work to be done, it is imperative that there be a clear framework about whether or not human-subject research requirements apply. For evaluations that carry no more than minimal risk, it is essential to determine whether they are routine, appropriate activities of the health care system, or whether they are sufficiently separate from the routine that they should be classified as human-subject research covered by the Common Rule. It is also important to determine whether these continuous-improvement activities should be considered to be routine operations in order to determine appropriate HIPAA oversight.

We believe that continuous-improvement efforts involving accepted therapies should be excluded from regulation and oversight as research. Noted below are several specific problems that arise in the current framework when regulatory mechanisms that govern human-subject research are applied to continuous-improvement activities.

Studies for which the risk to the patient is limited to disclosure of personal information have been on the rise, and are expected to increase as more clinical information is captured in electronic health records. Differentiation between the risks associated with this type of research and those associated with interventional studies is needed. The qualitative differences between these types of risk suggest that a different approach to oversight and regulation is needed.

A major focus of IRB review is the need for patients to have full informed consent in human-subject research. It should be noted that obtaining consent often is not a perfect process. Reviews of these processes by organizations, including the IOM, have found that they fall short of meeting their goal of informing patients about potential risks involved in taking part in studies to allow truly informed decisions about participation. Instead, they have become vehicles for protecting institutions rather than patients. [10] In this context, it should be appreciated that if continuous-improvement activities are not considered human-subject research, institutions still bear responsibility, as they do for usual clinical care.

Aside from the issues outlined above, inconsistent application of HIPAA and IRB standards to health care research impedes important research and leads to biased sampling and invalid conclusions.[11] Additionally, HIPAA and the Common Rule sometimes conflict, creating confusion and uncertainty. This lack of clarity has led to differing and sometimes overly cautious interpretations of regulations by IRBs. This is further exacerbated in multi-center studies where each center’s IRB can come to very different conclusions about the same study.

Besides inconsistency, there is underlying vagueness in the criteria used for quality and effectiveness assessments. Oft-cited in IRB evaluations are questions of whether the study is intended to generate generalizable knowledge, and whether it is intended for publication. If one or both are intended, it is understood to be actual human-subject research, and IRB scrutiny is needed. Clearly, these questions do not relate to the level of risk posed to human subjects, the intended focus of an IRB. Even if not intended for publication, a potentially risky intervention should be carefully reviewed. On the other hand, even if intended for publication, a risk-free intervention intended to enhance adherence to accepted practice should not be held up by IRB review and/or by the requirement for an obtrusive informed consent process. Indeed, a 3-year study of this issue by the Hastings Center found that intent to publish (and share learning) was not an appropriate criterion for IRB review. [12]

Finally, not only does the current oversight system fail to facilitate continuous improvement activities, the bureaucratic burdens imposed by review processes are time-consuming, expensive, and may contribute to the abandonment of important initiatives.[13] A new approach to the oversight of innovation and disciplined quality and effectiveness assessments— the lifeblood of a learning health system—is needed.

Change Needed

For these reasons, we propose a new framework for oversight and regulation that provides important protections for patients and study participants, and clarifies the uncertainty that currently hampers quality improvement and clinical-effectiveness assessments. [14]

One of the areas in need of clarification is the labeling of quality and effectiveness assessments as human-subject research or as part of routine operations of a learning health system. Many valid and thoughtful reasons are cited both for and against designating these activities as research. On one hand, the research label implies adhering to a level of scientific rigor necessary to provide useful insights for improvement, and this deserves observance and promotion. This also implies a need for the careful and thoughtful oversight that is currently done through review by an institution’s IRB. On the other hand, the research label is not consistent with the expectation that these assessments be a routine responsibility of health systems and providers, and therefore that the oversight required for these activities need not be the same as that required for human-subject research posing more than minimal risk to patients.

We believe this distinction is counterproductive and no longer relevant, since a core tenet of the learning health system is that continuous improvement using the best available methods and resources should be part of organizations’ core operations. Such activities should not be encumbered simply because they use state-of-the-art methods or because they use patient information.

Aside from labeling, a rethinking of quality and effectiveness assessments oversight is needed both to better meet the needs of patients, clinicians, and institutions involved in this work, and move the nation towards a health system that continuously improves. Progress toward this kind of a system can be achieved by focusing oversight on the following goals: 1) protecting patients from risk beyond that incurred through regular care; 2) ensuring that health systems and providers meet their moral (and in some cases, legal) responsibilities to assess and improve care; 3) lessening the burdens imposed by oversight of such efforts so that the ability to evaluate care and its improvement is not impeded; and 4) assigning oversight responsibilities appropriately.


Risk-Based Oversight Framework

We believe these goals are furthered by using a risk-based framework in which oversight is commensurate with the level of risk imposed by the study. This is consistent with the approach recently proposed by Emanuel and Menikoff [15] for changes in the Common Rule that governs review of human-subject research. They propose risk stratification and review based on three categories:

  1. Studies limited to the collection of information, without a study intervention.
  2. Studies in which there is an intervention, but only of minimal risk (“encountered in daily life or during the performance of routine physical or psychological examinations or tests”). [16]
  3. Studies involving an intervention of more than minimal risk.

Based on this schema, research and quality and effectiveness assessments that only pose risk to the patient related to the misuse or release of their health information, and are designated by institutions to support continuous improvement, do not require oversight as research. Furthermore, HIPAA regulations governing the use of data for standard health care operations should apply. This change would obviate the kind of problems outlined above that arise from burdensome and sometimes inconsistent application of the Common Rule and HIPAA guidance. We would add that even in such cases, oversight be addressed as part of clinical operations, not by an IRB process. In this, we suggest that all activities adhere to fair information practices such as those outlined in the Markel Foundation’s “Connecting for Health” initiative, [17] which include optimizing the amount and kind of information collected and having policies to ensure openness and transparency.

The intermediate category of studies that involve interventions but do not subject participants to more than minimal risk offer the greatest opportunity for innovation in the approach to oversight of continuous-improvement projects. We feel that if risk to patients does not exceed that of usual care, and the intervention being tested is accepted customary care, IRB oversight is not warranted. Measurement, analysis, and commonly accepted low-risk treatments do not constitute sources of additional risk, and therefore assessment of accepted care is not itself more risky than receiving care without assessment. An example of this might be a study to systematically compare the outcomes of two alternative treatments each considered usual accepted care, and to collect information to compare outcomes. Assignment could include some forms of randomization—for instance, assignment of some practices to one or another already accepted, minimal-risk practice. In these cases, it is the responsibility of health care organizations to 1) designate such activities as having operational importance, 2) oversee them, and 3) assume responsibility for their conduct.

It should be noted that distinct from assessments with an operational focus and limited to various forms of usual and accepted care, those that involve novel or experimental approaches, such as clinical trials to determine the efficacy of a new intervention, or comparing a new treatment with an existing standard of care, should be subject to IRB oversight, even when the study is intended to support a continuous-improvement goal. We emphasize, however, that the act of conducting an intervention should not be the trigger for IRB oversight. Rather, the non-operational nature of the assessment or the presence of greater-than-minimal risk should lead to IRB oversight. In addition to improving efficiency for these projects, redirecting operational-improvement studies to alternative oversight will allow overburdened IRBs to dedicate more of their time and resources to reviewing these studies that pose the greatest risk and are not part of routine operations.

To clarify how these categories might be applied, we suggest a framework for oversight that considers risk, on the one hand, and whether the assessment is primarily of operational value (as determined by the institution), on the other. Figure 1 shows the possibilities that emerge from this framework and the associated oversight mechanisms.

Figure 1 | Oversight of continuous improvement efforts in a learning health system.


A first step in the determination of where an assessment falls in this framework is whether an institution finds it to be of operational value, i.e., quality improvement, and is therefore willing to assume responsibility for its oversight. If this is the case, and the assessment falls within the information-only or minimal-risk categories (lighter shaded squares), then we suggest that institutional oversight, with liability based on that related to usual clinical care, is most appropriate. In not imposing more than the risk associated with “routine physical or psychological examinations or tests,” [18] we do not think that IRB oversight or individual consent, beyond that already accepted for given care (e.g., for a procedure), is necessary. Further, we consider the application of HIPAA standards for operational activities as most appropriate to allow for the necessary analyses to be done, while still preserving patient information privacy and security at the level already accepted for operational processes.

On the other hand, if the assessment is not deemed to be of operational value, or it imposes risk that is greater than minimal as defined above (darker shaded squares), then we suggest that oversight responsibility should reside with the IRB. In this case, additional consent requirements would be determined by the IRB, and HIPAA standards for research would apply.

Continuous-improvement assessments, as part of the obligation of a learning organization, are a social good that should be facilitated, not impaired. As such, clinicians and health systems are obligated to carry out such activities, and participation in these investigations should be considered a normal part of giving and receiving care. We believe that implicit in a patient’s consent to care should be consent to improve and participate in quality and effectiveness assessments limited to the information-only and no-more-than-minimal risk categories outlined above. Suggestions have been made for approaches to obtaining blanket consent, persisting over time, from patients at the outset of care. While this might seem to improve the efficiency of obtaining consent from most patients, the exclusion of non-consenters from system-wide improvement studies has the potential to create unnecessary bias in situations where no additional risk is being incurred. For example, in a study retrospectively examining medical record data to search for associations between the uses of various interventions with certain complications, a restriction on including all patients would be counterproductive to this useful work, and does not seem warranted. Therefore, if such assessments pose no more risk than that associated with receiving care, are for the benefit of the care of all, and must be an intrinsic part of a learning organization, we see no compelling reason that consent should be required, especially when obtaining consent could have an adverse impact on the mandate to improve care for all.

We feel that many possible models for institutional oversight can fill the needs of a rigorous continuous-improvement enterprise that meets the criteria described above. We do not think that a single approach will work for all institutions, and we believe it is important to avoid creating a new bureaucracy. Nonetheless, organizations should be required to maintain enforceable policies and procedures to ensure the appropriate designation of activities as being important for their operations, to ensure that they carry no more than minimal risk, to ensure that quality-improvement efforts are rigorous and effective, and to accept responsibility for their appropriate conduct.

In conclusion, health care organizations already bear substantial responsibility for overseeing the safe and effective delivery of preventive care and treatment and they have developed many mechanisms to fulfill this responsibility. It is therefore logical to define their responsibility to include identifying and then disseminating knowledge about best treatments and practices, and to assign the oversight responsibility to them. Realigning responsibilities in this way will reinforce the understanding that quality, safety, and effectiveness assessments, along with care innovation, are the core of a learning health system. Unless continuous-improvement assessments involve care that differs from an accepted practice or pose more than minimal risk, they should not require the processes applied to human-subject research under the Common Rule. Instead, they should be governed by the requirements of good health care and information protection, as they are intrinsic to the care all patients should receive.



  1. Ibid.
  2. Provost, L. P. 2011. Analytical studies: A framework for quality improvement design and analysis. BMJ Quality & Safety 20: i92-i96.
  3. Charter of the Institute of Medicine Roundtable on Value & Science-Driven Health Care. Available at pdf (accessed October 18, 2011).
  4. Institute of Medicine (IOM). 2007. The Learning Healthcare System. Washington, DC: The National Academies Press.
  5. IOM. 2011. Learning What Works: Infrastructure Required for Comparative Effectiveness Research. Washington, DC: The National Academies Press.
  6. IOM. 2010. Redesigning the Clinical Effectiveness Research Paradigm: Innovation and Practice-Based Approaches. Washington, DC: The National Academies Press.
  7. The Common Rule, “Federal Policy for the Protection of Human Research Subjects,” is based on the HHS 45 CFR part 46 Subpart A, by which identical language is used in the regulations for 15 federal departments and agencies, and which includes the creation and conduct of IRBs.
  8. Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-9.
  9. National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. 1979. The Belmont Report: Ethical Principles and Guidelines for the Protection of Human Subjects of Research. Available at (accessed October 18, 2011).
  10. IOM. 2002. Responsible Research: A Systems Approach to Protecting Research Participants. Washington, DC: The National Academies Press.
  11. IOM. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press
  12. Lynn, J., M. A. Baily, M. Bottrell, B. Jennings, R. J. Levine, F. Davidoff, D. Casarett, J. Corrigan, E. Fox, M. K. Wynia, G. J. Agich, M. O’Kane, T. Speroff, P. Schyve, P. Batalden, S. Tunis, N. Berlinger, L. Cronenwett, J. M. Fitzmaurice, N. N. Dubler, and B. James. 2007. The ethics of using quality improvement methods in health care. Annals of Internal Medicine 146(9): 666-673.
  13. IOM. Beyond the HIPAA Privacy Rule.
  14. Current developments, such as the release of an Advanced Notice of Proposed Rule Making (ANPRM) proposing changes in the Common Rule, “Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators” (July 25, 2011 Federal Register), by the Department of Health and Human Services, signal an opportunity for progress in this arena.
  15. Emanuel, E. J., and J. M. Menikoff. 2011. Reforming the regulations governing research with human subjects. New England Journal of Medicine 365: 1145-1150.
  16. 45 CFR 46.102(i)
  17. Markle Foundation. Markle Common Framework. Available at (accessed October 18, 2011).
  18. 45 CFR 46.102(i)



Suggested Citation

Selker, H., C. Grossmann, A. Adams, D. Goldmann, C. Dezii, G. Meyer, V. Roger, L. Savitz, and R. Platt. 2011. The Common Rule and Continuous Improvement in Health Care: A Learning Health System Perspective. NAM Perspectives. Discussion Paper, National Academy of Medicine, Washington, DC.

Conflict-of-Interest Disclosures

None disclosed.


The views expressed in this paper are those of the authors and not necessarily of the authors’ organizations, the National Academy of Medicine (NAM), or the National Academies of Sciences, Engineering, and Medicine (the National Academies). The paper is intended to help inform and stimulate discussion. It is not a report of the NAM or the National Academies. Copyright by the National Academy of Sciences. All rights reserved.

Join Our Community

Sign up for NAM email updates