Skip to main content
Compliance

Select Agents and Toxins

PURPOSE

Due to the health effects, contagiousness, treatment availability, and vulnerable-population concerns associated with certain biological substances, the federal government regulates and “maintain[s] a list of each biological agent and each toxin that has the potential to pose a severe threat to public health and safety.”

HISTORY

The Public Health Security and Bioterrorism Preparedness and Response Act of 2002 regulates a variety of select agents and toxins (SATs). The act authorizes the US Department of Health and Human Services (HHS) and the United States Department of Agriculture (USDA) to publish lists of SATs that may endanger plant, animal, or public health. The law requires these agencies to control access to SATs and establish safety requirements for the use and possession of these substances.

Different agencies define SATs differently. HHS administers its program through the Centers for Disease Control and Prevention (CDC), while USDA administers its own program through the Animal Plant Health Inspection Service (APHIS). To minimize administrative conflicts between regulations, the law provides for unity of administrative procedures and a system by which those registering with both agencies may be authorized through both agencies using one registration form.

In 2012, as part of their biennial review, HHS and USDA created a classification of regulated “Tier 1 agents,” which are subject to additional safety and control requirements

APPLICABILITY TO BYU–HAWAII

The SAT regulations apply to people or facilities wishing to obtain, transfer, or otherwise handle one of the substances that has been designated by APHIS or CDC as an SAT. Several types of organizations fall within the rule’s scope, including universities and research centers. To the extent BYU–Hawaii handles SATs in its laboratories and research, it must comply with the regulations governing SATs.

REQUIREMENTS

The regulations require entities to

  1. register with CDC or APHIS to “possess, use, or transfer” regulated agents and toxins;
  2. ensure that the facility has adequate biosafety policies and containment measures;
  3. train all individuals that have access to the agents and toxins; and
  4. keep records of any activity involving the agents and toxins.

The requirements for possessing and using SATs are nearly identical between the regulatory agencies. All entities possessing SATs must be registered with the CDC or APHIS, and access to SATs must be limited to persons who “have a legitimate need to handle or use such agents and toxins.” An entity possessing SATs must designate a Responsible Official (RO) to coordinate the entity’s compliance with the regulations.

A. Tier 1 Agents

Pursuant to regulations published in 2012, certain SATs are categorized as “Tier 1.” The Tier 1 category accounts for and responds to the particular risks associated with certain agents and toxins. If an entity possesses Tier 1 agents, it must adhere to additional regulations.

Requirements for entities possessing Tier 1 agents include (1) conducting assessments of individuals before they receive access to Tier 1 agents, (2) continually monitoring these individuals even after they are given access, (3) reporting suspicious behavior, (4) maintaining a mandatory occupational health program, and (5) various other requirements.

B. Responsible Official

The entity’s RO must (1) have a degree of familiarity with SAT regulations, (2) lead the entity’s compliance with these regulations, and (3) “act on behalf of the entity” with regard to the regulated activities. The RO is required to “[h]ave a physical (and not merely a telephonic or audio/visual) presence at the registered entity . . . and be able to respond in a timely manner to onsite incidents involving select agents and toxins in accordance with the entity's incident response plan.”

It is also the RO’s responsibility to see that (1) each lab is inspected yearly, (2) existing problems are corrected, and (3) the inspection results and outcome are placed in the entity’s required records.

Additionally, an RO must (1) limit access to SATs to people who “have a legitimate need to handle or use such agents and toxins,” (2) receive preliminary and continuing access approvals for these people from the Attorney General, and (3) enforce restrictions against those people denied access to SATs by the Attorney General.

For the entity’s registration to be complete, the RO must pass the Attorney General’s security risk assessment. If the RO is absent, then a previously approved alternate may assume responsibility.

C. Security

Entities possessing SATs must ensure that only individuals who have passed a security risk assessment have access to the SATs.37 Additionally, the law requires each entity to establish a security plan that adequately safeguards the substance and provides protection and security commensurate with the SATs’ risks. SATs must be kept separate from the building’s public areas.

An entity’s security plan must do all of the following.

  1. Describe procedures for physical security, inventory control, and information systems control
  2. Contain provisions for the control of access to select agents and toxins including the safeguarding of animals . . . or plants . . . exposed to or infected with a select agent
  3. Contain provisions for routine cleaning, maintenance, and repairs
  4. Establish procedures for removing unauthorized or suspicious persons
  5. Describe procedures for addressing loss or compromise of keys, keycards, passwords, combinations, etc. and protocols for changing access permissions or locks following staff changes
  6. Contain procedures for reporting unauthorized or suspicious persons or activities, loss or theft of select agents or toxins, release of select agents or toxins, or alteration of inventory records
  7. Contain provisions for ensuring that all individuals with access approval . . . understand and comply with the security procedures
  8. Describe procedures for how the Responsible Official will be informed of suspicious activity . . . and describe procedures for how the entity will notify the appropriate Federal, State, or local law enforcement agencies of such activity
  9. Contain provisions and policies for shipping, receiving, and storage of select agents and toxins

The information security system implemented by the plan must do all of the following

  1. equip security systems with “controls that permit only authorized and authenticated users”
  2. limit user access to information appropriate for the user’s responsibilities, and update access controls when the user’s access level changes
  3. guard against malicious code
  4. consistently provide updates and patches
  5. “provide backup security measures”

SAT storage containers must be secured with protective elements such as card systems and lock boxes. Suspicious packages must be inspected “before they are brought into or removed from the area where select agents or toxins are used or stored.” Intra-entity transfers must be regulated to prevent theft or compromise. Individuals must not share their access means (such as passwords or keys), and must promptly tell the Responsible Official if any access means (or the hardware on which the means are stored) are compromised. Individuals must also report “suspicious persons or activities,” SAT theft, SAT loss, SAT release, and potentially manipulated SAT records.

The institution must immediately report any missing or stolen SATs to (1) APHIS or the CDC and (2) law enforcement, whether or not the substance is thereafter found. The notification must include the SAT’s name, the estimated quantity of the lost or stolen SAT, location of the SAT prior to its loss or theft, its approximate time of theft, and an accounting of all the law enforcement agencies that received a report of the incident. The entity must also send to APHIS or CDC a Form 3 regarding the incident within a week

If a substance is released outside the containment area, the entity must immediately report the incident to APHIS or the CDC, then send in a Form 3 within one week. The initial report must include the type of substance, its estimated quantity, the approximate release time and length, the location of release, the amount of people who may have been initially exposed to the release, response actions, and potential release hazards.

Theft, release, and loss notifications may be performed by phone, email, or fax.

Each year, the entity must carry out an exercise or drill testing the security plan, review the plan, and make any needed revisions. The entity must also review the security plan, along with the biosafety plan and incident response plan, every time an incident occurs.

Entities with Tier 1 agents are required to have a more robust security plan that incorporates (1) screening procedures to be performed before an individual is given Tier 1 SAT access, (2) policies that Responsible Officials will follow in “coordinat[ing] their efforts with the entity's safety and security professionals to ensure security of Tier 1 select agents and toxins,” and (3) “procedures for the ongoing assessment of the suitability of personnel with access to a Tier 1 select agent or toxin” (including policies for reporting, training, and monitoring). Additionally, entities with Tier 1 agents must establish three or more security barriers protecting SAT areas, and use an intrusion detection system (IDS) that is monitored by employees “capable of evaluating and interpreting the alarm and alerting the designated security response force or law enforcement.” If these entities believe that security or police forces will take more than fifteen minutes to respond, they must establish security barriers to keep intruders away from the SATs during that time.

Enhanced security measures are also required for entities that keep the Variola major or Variola minor virus and for entities that keep the foot-and-mouth or rinderpest viruses. Certain other SATs have their own specific security requirements.

D. Biosafety Plan

Entities possessing SATs “must develop and implement a written biosafety plan that is commensurate with the risk of the select agent or toxin, given its intended use.” The plan, which must be effective in containing the substance, must include thorough information about the containment procedures and biosafety measures for that substance. The CDC recommends that various publications should be consulted while these plans are being made, including “NIH Guidelines for Research Involving Recombinant or Synthetic Nucleic Acid Molecules,” published by the NIH.

Required elements of a biosafety plan include safety procedures, containment protocols, decontamination procedures, identification of hazards, information on workplace protective equipment, information on containment equipment, and information on engineering controls.

Further, “[t]he biosafety plan must include an occupational health program for individuals with access to Tier 1 select agents and toxins, and those individuals must be enrolled in the occupational health program.” Federal guidance states that the occupational health program should contain information on risk assessment, medical assessment and surveillance, access to clinical health services and management, and hazard communication

Each year, the entity must carry out an exercise or drill testing the biosafety plan, and must revise the plan when needed. The entity must also review the biosafety plan (along with the incident response plan and security plan) every time an incident occurs.

E. Incident Response Plan

An institution’s incident response plan must be written, site-specific, “coordinated with any entity-wide plans, kept in the workplace, and available to employees for review.” Additionally, “[t]he incident response plan must fully describe the entity's response procedures for the theft, loss, or release of a select agent or toxin; inventory discrepancies; security breaches (including information systems); severe weather and other natural disasters; workplace violence; bomb threats and suspicious packages; and emergencies such as fire, gas leak, explosion, power outage, and other natural and man-made events.

The incident response plan must also include all of the following.

  1. The name and contact information (e.g., home and work) for the individual or entity (e.g., responsible official, alternate responsible official(s), biosafety officer, etc.)
  2. The name and contact information for the building owner and/or manager, where applicable
  3. The name and contact information for tenant offices, where applicable
  4. The name and contact information for the physical security official for the building, where applicable
  5. Personnel roles and lines of authority and communication
  6. Planning and coordination with local emergency responders
  7. Procedures to be followed by employees performing rescue or medical duties
  8. Emergency medical treatment and first aid
  9. A list of personal protective and emergency equipment, and their locations
  10. Site security and control
  11. Procedures for emergency evacuation, including type of evacuation, exit route assignments, safe distances, and places of refuge
  12. Decontamination procedures

Each year, the entity must carry out an exercise or drill testing the incident response plan, review the plan, and make any needed revisions. The entity must also review the incident response plan (along with the biosafety plan and security plan) every time an incident occurs.

There are additional incident response plan requirements for Tier 1 agents. A Tier 1 incident response plan must contain (1) the procedures that will be followed if the security alarm system fails and (2) the procedures that will be followed when the entity informs law enforcement about suspicious activity.

F. Training

Entities possessing SATs must provide information and training on biocontainment, biosafety, security, and incident response to all those who are given access approval or permitted to enter the area with an escort. The training must address the needs of the individual, the work they will do, and the risks of the SATs.

Training records must be kept documenting the recipient name, date, training description, and comprehension verification method.

Every year, the entity must hold a refresher training for every person who is approved to access SATs. Training is also required when significant revisions are made to one or more of the entity’s procedural plans (i.e., biosafety, security, incident response).

Additional training is required for entities with Tier 1 substances: “Entities with Tier 1 select agents and toxins must conduct annual insider threat awareness briefings on how to identify and report suspicious behaviors.”

G. Documentation

Entities subject to the regulations are required to keep records of (1) SATs in their possession and (2) activities related to SATs. Specifically, the law requires that records be kept for all of the following:

  1. “current inventory for each select agent (including viral genetic elements, recombinant and/or synthetic nucleic acids, and organisms containing recombinant and/or synthetic nucleic acids) held in long-term storage”
  2. “current inventory for each toxin held”
  3. an “accounting of any animals or plants intentionally or accidentally exposed to or infected with a select agent (including number and species, location, and appropriate disposition)”
  4. a list of individuals with access approval
  5. “[i]nformation about all entries into areas containing select agents or toxins, including the name of the individual, name of the escort (if applicable), and date and time of entry”
  6. records created by the Responsible Official in the course of his or her duties
  7. records created under the written security, biosafety, incident response, and training plans
  8. written reconciliation of discrepancies

The Federal regulations also require the entity to implement a system to ensure that databases and documentation materials are (1) accurate, (2) verifiable, and (3) accessible to limited personnel.

The entity must maintain all records related to SATs for at least three years.

PENALTIES

Those that do not follow the legal requirements governing select agents and toxins may be charged a civil fine of up to $250,000 (for an individual) or $500,000 (for entities).

COMPLIANCE CALENDAR

The Responsible Official (RO) must submit information regarding all persons who need access to SATs, then update each person’s information at least every five years. An institution’s registration for SATs lasts for three years, and an individual’s access approval can is valid up to three years. The RO is responsible for ensuring that storage and use facilities undergo annual compliance inspections.

Every year, the entity must carry out a test (i.e. exercise or drill) of its biosafety plan and incident response plan. The entity must review both the biosafety plan and the incident response plan once each year (along with after incidents and possibly drills), and must revise the plan when necessary. Every year, an entity must provide refresher trainings for persons that access the SATs. Regulatory records must be stored for three years.