01/05/2021
Photo by John Schnobrich on Unsplash
With no end to site restrictions in sight, sponsor/CRO monitors continue to look for guidance on best practices and logistics for remote monitoring during the pandemic. Our Clinical Leader article “Remote Monitoring In The Wake Of COVID-19 — Practical & Regulatory Considerations” has inspired related questions. Here is a sample of a recent one.
Question: Many sites now use eReg vendors such as Veeva, Florence, RealTime, etc. as a source document depository database for monitors to review and leave source questions within. This allows the monitors to conduct the SDV on certified source remotely.
Part 1 of the blog covered important details about sticky notes being used in monitoring. If you missed it, read more HERE.
Question 1:
What are some best practices for monitoring eSource remotely?
Answer:
As we mentioned in our article, being sure that the site has supplied all pertinent source is really important, no matter if it is original or certified copies. This includes what is required to be monitored per the monitoring plan and also what is relevant for a particular study participant at the site. This may not mean everything needs to be monitored. It also does not mean it has to be a hard copy.
Many sites have source in various places, such as EMR(s), Worksheets, more than one eSystem, e.g., labs, radiology, outpatient clinics, etc. What would the FDA request to see?
It is burdensome to have sites upload documents that are in another system if the monitor has the ability to review it in an acceptable way otherwise. Sounds like from the initial statement that the system is managed by the site and not the sponsor. This is preferred due to privacy and security. Each site should have a process on how to support the investigator’s requirement to provide pertinent source to the sponsor for review.
Question 2: Do source documents need to be redacted to meet HIPAA requirements before placed in a repository for remote SDV?
Answer:
Related to privacy, source document redaction is not the same as HIPAA de-identification. So, when you hear the documents are redacted to meet HIPAA requirements, that is incorrect. De-identification under HIPAA is making the source not identifiable or attributable. This would not meet the ALCOA quality documentation standard. The documents would not be useable for SDV. If you have an authorization from the patient, why are you redacting? This is not done when onsite. Security of the data is the primary concern, so systems that meet high validated standards is essential. Redaction in clinical trials (not HIPAA) is a practice used by sponsor safety surveillance when they ask for site documents to keep when investigating an SAE. Sponsors are not or should not be keeping source for SDV, of course (right?) So with proper security, like is done onsite but with adjustments to the different risks, the files do not need to be redacted because they are not permanently maintained by the sponsor for SDV. Redacting is a large burden and one of the root causes of sites’ refusal to do so.
Direct and secure access by monitors to the sites' system is ideal, so why not monitor using their EMR? Many medical centers have a process to securely provide access for remote medical records to outside individuals, with the patient’s authorization, e.g., physician to physician, during audits. This practice is more and more common. Be sure to ask the right people at the site.
Also, we commonly hear something is HIPAA compliant; what does HIPAA compliant mean? A vendor's statement of this does not mean that this has been awarded by the Office for Civil Rights (OCR). There is no certification for HIPAA compliance. https://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html
The question should be, for the study specific purposes, does the system support the requirements of the HIPAA Security Rule and meet the site’s system requirements for disclosure. This is hard for sponsors to do since sites can have different levels of requirements that are stricter than the HIPAA requirements. The good news is that HIPAA was not developed to make records inaccessible, as long as there is permission and it is securely done.
There are systems that the OCR has stated are closed systems and are okay for telehealth https://www.hhs.gov/about/news/2020/03/20/ocr-issues-guidance-on-telehealth-remote-communications-following-its-notification-of-enforcement-discretion.html. System vendors may have paid for a general compliance audit for part 11 and HIPAA by independent auditors, but again, it is how the system is used that needs to be compliant with HIPAA and Part 11 for the study. For example, do we have the right permission from the study participant? Does the HIPAA Authorization allow for this type of disclosure?
Read our related Clinical Leader article, “Safeguarding Participant Data During Risk-based Monitoring — Practical Considerations.”
You may be interested in our recorded webinars:
1. ‘Remote Monitoring Operations and Maintaining HIPAA, GCP, and COVID-19 Restrictions’ including a helpful Q&A reference free with purchase.
The focus is on the sponsor/CRO’s perspective. Purchase by clicking here.
2. ‘A Case for Sponsor Monitoring Remote Access to a Site’s EMR!’
The focus is on the site’s perspective. Purchase by clicking here.
Clinical Pathways also offers a variety of GCP eLearning courses for individual training or as enterprise solutions. We can use your content to create new trainings for in-person, web-based, or eLearning formats to meet your company's training needs. We can also update our off-the-shelf courses to include your processes, SOPs, and branding.
Want a faster and more affordable option? Clinical Pathways offers convenient course bundles of off-the-shelf eLearning at a discounted rate. Visit our store by clicking HERE to learn more or to view interactive demos.
-The Clinical Pathways Team
Enjoy this blog? Please like, comment, and share with your contacts.