9/21/2021
The Medicines and Healthcare products Regulatory Agency (MHRA) of the United Kingdom (UK) updated their guidance document, “Access to Electronic Health Records (EHR) by Sponsor representatives in clinical trials” in September 2021. Originally released in November 2020, it did not provide adequate guidance on direct remote access of EHR. Other relevant guidance only included small sections on remote monitoring, including the March 2020 guidance describing best practices for managing clinical trials during the COVID-19 pandemic and the November 2020 guidance describing how to minimize disruptions in the conduction and integrity of clinical trials amid the ongoing pandemic.
The updated remote access guidance clarifies that it is preferable for monitors to directly access the EHR remotely, as long as there is limited access. Limited access ensures that the monitor or other personnel who should be granted access can only view records related to the study participants. If this in not feasible, certified copies of the entire record may be used. To reduce burden, monitors should not be required to be onsite or on a video call to access EHR. Additionally, study participants should be made aware of the potential for remote access of their personal data and the consent form should reflect this possibility.
The EHR needs to have the following to ensure safety and confidentiality of the records:
The monitor should have read-only privilege and cannot change data.
The identity of the monitor needs to be verified when creating the read-only access.
System logins should have user access controls with two-factor authentication.
Access to the EHR should time out and automatically log out the monitor after a period of inactivity.
Read only access to the system should restrict printing, copying, and downloading of any information.
Site staff should have knowledge of and give permission for remote access to the EHR.
If an online portal is used to upload and store documents for remote SDV or SDR, the following need to be in place:
Any personally identifying data needs to be redacted before uploading to a sponsor provided portal.
Unredacted scanned or electronic source documents may be uploaded directly to a site’s portal.
Remember that it is burdensome to ask for the site to redact and upload large volumes of records. The documents requested should be determined using a risk-based approach and should focus on Critical to Quality data and study participant protection.
The following sponsor controls need to be in place for direct access to EHR:
The monitoring plan should be reviewed by the sponsor to ensure it is following a risk proportionate approach to SDV or SDR.
The electronic device used for direct access should be provided by the sponsor.
If a monitor is using their own device, it needs to be approved by the sponsor.
To ensure UK GDPR is followed, remote access must occur where data transfer is permitted (e.g., from within the UK or where there is a UK adequacy decision).
The sponsor needs to adequately train monitors on how to protect the confidentiality of study participants’ data and on any other information security requirements.
Guidance is frequently updated to clarify new concerns or to address frequently asked questions. As the long haul new normal develops, new guidance and changes can be expected. To keep up with the latest, sign up to receive our blog to your inbox.
New to remote monitoring or remote access of EHR? Clinical Pathways offers a recorded webinar “Case for Sponsor Monitoring Remote Access to a Site’s EMR!” Purchase HERE.
You may also be interested in the recorded webinar “Remote Monitoring Operations and Maintaining HIPAA, GCP, and COVID-19 Restrictions” available for purchase HERE.
- The Clinical Pathways Team
Enjoy this blog? Please like, comment, and share with your contacts.