Redacting Source Data in Remote Monitoring: Common Myths

4/21/2020

Myth: Source data needs to be redacted before it can be reviewed by a monitor for remote monitoring.

Answer: The question is, why would you redact when the patient gave authorization to use and disclose the information for the purposes laid out in the authorization and consent? Remote review is not “collecting” data; it is “reviewing” data. Also, redacting is super laborious, manual, and prone to errors. Redacting cannot mean de-identification, since that would mean we cannot identify the person. We must be able to confirm attributes. In remote monitoring, monitors do not need the site to redact the documents, as is done when sending them to a safety officer who is keeping them. The security of the systems being used to view is the most important piece.

“Pertinent Source” means being sure it is clear and agreed upon what the pertinent source to review is. During COVID-19, prioritizing critical data that needs verification should be the focus. Also, is it clear to all parties what is critical source? Pointers are to ask for only what you need, to be sure that the subject has authorized this use and disclosure, to be sure the system is secure, and to ensure it meets the requirements of the site’s processes. Remember, we are not collecting; we are reviewing. Do you really need the site to download documents to a system they do not control? Some sites have a "medical box" that they use for this, or other processes that keep their risk of unauthorized disclosure low.

Myth: A lot of the concern is around the HIPAA Privacy Rule and circumstances like clinical research in which protected health information (PHI) may be used or disclosed by covered entities. The transmitted source record/medical record should be “de-identified,” mitigating privacy risks and thereby supporting the secondary use of data for clinical research.

Answer: We can’t do a risk mitigation that prevents us from following a clinical trial regulation. What risk is being addressed? There is huge risk in “de-identification.” According to the Privacy Rule, de-identified information is information from which the individual cannot be identified and from which 18 specific identifiers are removed. It takes a statistician to confirm the process has made it impossible to reidentify. These 18 identifiers are things like initials, addresses, any code or number associated with the individual, date of birth, and many more. So be careful using the terms interchangeably: redaction and de-identification are not the same. Additionally, HIPAA does not require redacted info when providing source from a covered entity to a sponsor for a clinical trial when they have a clinical trial agreement (CTA) and when there is a HIPAA authorization in place from the subject that includes what data can be disclosed. So, burdening the sites to redact is not necessary. This has been holding us back from more remote monitoring even before this crisis. Also, we cannot use de-identified source because it is not attributable.

Another part of HIPAA that is being misunderstood and misapplied is the “Minimum Necessary Rule.” This rule is not applicable to clinical trials per HIPAA when the study patient has given authorization. This is because restricted information might impact data integrity and subject safety.

The systems that may be used to hold source documents need to meet the security standards of the covered entity, and the system is providing a service to the site. The site therefore has to be sure they have a business associate (BA) agreement with the vendor to ensure the vendor is only using the info for the purpose agreed upon, and to verify how long it is maintained, etc. It is better to use a site-approved process and system, for example a video conference. Outside the US, it might be that the site will not allow any remote viewing of data, but remote teleconferencing and discussions about the subjects can be done and documented.

Myth: The site is losing control of the source documents when they are providing copies to the source in a sponsor-owned repository.

Comment: When the site is providing an original view by video conference or by direct access to the original source securely and remotely, the site does not lose control of their source. When the site agrees to upload “copies” of source to a sponsor repository, they are not losing control of their source, but they may be losing control of the security of the information. See the previous question.

The site does not lose any control of their source since they are providing certified copies, and they retain the original. Remember, the site should have a good certified copies process to ensure it is validated as followed and accurate.

The HIPAA Booklet is a good reference for this, including authorizations, exceptions to the minimum necessary rule, etc.

Also, if sponsors have a vendor that can work with a site and the site and the vendor establish a BA agreement, they can use the same approach. Certified copies of original source can be handled like access to EMR.

Our popular “Remote Monitoring Operations While Maintaining HIPAA, GCP, and COVID-19 Restrictions” webinar prompted many important questions, which we answered during the webinars. If you missed the webinar, a recording is now available for purchase by clicking this link. The webinar FAQ is available as a free companion document with the webinar recording for a limited time.

- The Clinical Pathways Team
