By Sandra "SAM" Sather and Jennifer Lawyer, Clinical Pathways LLC
Clinical research professionals are accustomed to sponsors requiring on-site monitoring to ensure human subject protection, data integrity, and quality. During the COVID-19 pandemic, however, clinical research sites have reduced the number of staff on-site and restricted on-site monitoring. Travel restrictions and the safety of the sponsor or CRO monitors also compound the challenges of monitoring on-site. Additional challenges arose with monitoring plans for active trials and trials that were soon to begin. These trials often supported 100 percent source data verification (SDV), which is reviewing original data or certified copies to check for accuracy in the transcription into the electronic case report form, and/or 100 percent data review of trial subjects, which is the monitoring of the quality of the data, the compliance to the protocol, and the completeness of reporting subject safety. This revealed a significant barrier to the ability to quickly shift to remote monitoring in the short term, due to the lack of agility of the quality systems.
Many sponsors and CROs do not have a clinical quality management system that is responsive enough to update the monitoring plan based on risk. Some of this is due to the common practice of CROs treating risk-based monitoring as a more expensive line item or using it for only certain types of studies or clients. Additionally, the current state of quality systems includes technologies and other inflexible systems that create barriers to a more remote or virtual review of data quality. Even if the SOPs are general enough to support various site monitoring approaches, the actual trial execution, training, design, integration of technology, and differences in regional laws combine to create an unhealthy system.
In the long term, as we move into the reopening phases, faced with increased expenses and the challenges with on-site monitoring, clinical research professionals need to ensure their quality management systems have the flexibility for the new normal for site management.
Have you ever heard or stated, “We are not doing risk-based monitoring for this study”? This means that the monitoring function is conducting “traditional” monitoring. But regulatory agencies, including the FDA, require sponsors to monitor the quality of their clinical investigations, and the ICH E6 R2 Addendum made it clear that this includes ensuring that monitoring is based on risk. So, if the choice is to do 100 percent SDV, that decision should be based on an analysis of risk. Remember, SDV is not monitoring the quality of the data; it only monitors the accuracy in the case report form. All studies should apply risk-based monitoring (RBM) or risk management in determining whether and how to perform remote monitoring.1
The term RBM is sometimes used as if it is a technique and a noun, instead of an action or standard foundation of a clinical quality management system. This disconnect starts early, usually during the selection of the study vendors. The request for proposal (RFP) commonly inserts assumptions like “100 percent SDV,” which is then worked into the proposal by the vendor and gets into the foundation of the relationship with the sponsor. This should be questioned at the pre-study stage, and it should have been occurring before the pandemic. Many sponsors and CROs do not coordinate this well within the multiple layers of clinical organizations. Each stakeholder should complete this gap analysis as they move into the new normal post COVID-19.
Remote Monitoring Pre-COVID-19
So, what is your definition of remote monitoring? Is it part of centralized monitoring, or part of on-site monitoring prep and follow-up? Is it a separate activity? The FDA and the EU’s European Medicines Agency (EMA) released guidance to clarify remote monitoring before the pandemic. The FDA has for many years encouraged the use of various approaches to monitoring, including centralized monitoring and activities that review critical data off-site. The FDA’s 2013 guidance2 on risk-based monitoring also clarifies some alternative monitoring techniques that could be done remotely depending on the processes and systems in place. For example, 1) communication with sites, 2) informed consent form review, 3) informed consent process review, 4) original source data review, and 5) source data verification could be done remotely. Many of these activities also require some review of the site’s original source data remotely. Besides centralized monitoring of data entered into the eCRF, remote access of source documents can be challenging due to privacy, system security, site time, unharmonized definitions of source data and certified copies across sites and sponsors/CROs, and unnecessary laborious processes, such as misusing the word “de-identify” vs. “redact.”
In the EU, the General Data Protection Regulation3 (GDPR) has some stringent rules for collecting or processing subject data, which includes during the conduct of a clinical trial. GDPR adds complexity to remote monitoring of source data by requiring that investigative sites pseudonymize source documents before sponsors/CROs receive them off-site. This would require additional on-site monitoring later to confirm attributability of the data to the study subject. Therefore, if 100 percent SDV is required, the value of remote SDV decreases. Remote monitoring does have value globally for working with sites early to monitor quality performance. GDPR is applicable for all businesses in the EU, but also to any business that is collecting or processing data of an EU subject. This applies to any study conducted in the EU. Regarding remote monitoring pre-COVID-19, if it is in line with national or local requirements, remote monitoring is limited to non-source document review. This includes, for example, discussions regarding a trial subject’s progress, issue management discussions, and training site personnel, but not source data verification. Globally, subjects need to know about any risks, safeguards, and rights they have regarding their data. For study participants, this includes the remote monitoring of their data, when applicable. Informed consents should be reviewed to ensure they support the requirements.
Remote Monitoring During And Post COVID-19
The practical implications of the restrictions and challenges during the pandemic are that sites can adjust to the new state of remote monitoring using a risk-based approach. The global guidance from regulatory authorities supports remote access for critical data during the restrictions. Has the current pandemic been a trigger to consider a risk-based approach and better support for remote monitoring? Is this true even in Europe?
The FDA guidance4 for conducting clinical trials during COVID-19 restrictions supports remote monitoring for oversight of clinical sites. A risk-based decision should be made on what data are critical to monitor, while ensuring subject safety, data quality, and data integrity.
The EU guidance5 for conducting clinical trials during COVID-19 notes in Chapter 11, Changes to Monitoring, that the term “off-site Monitoring” refers to remote communications between the site and sponsor, but this does not include remote source data verification. Besides needing to be in line with current and temporary national law, the EU states that remote SDV can only be considered “during the public health crisis for trials involving COVID-19 treatment or prevention or in the final data cleaning steps before database lock in pivotal trials investigating serious or life-threatening conditions with no satisfactory treatment option.” The remote review should focus on critical data, like primary efficacy data and important safety data. If secondary endpoint data can be assessed at the same time without asking for more source documentation and not adding to the site’s workload, then that is acceptable during the crisis. The EU guidance notes that remotely reviewed data will likely need re-monitoring, especially when the information has been de-identified and the review has been restricted to less data. De-identified data or pseudonymized source data would require additional information to confirm identity at a later time. When using the word “redacting,” one must define the level of redaction, which does not necessarily mean at the level of de-identification. Following the regional, local, and institutional requirements must be ensured.
The interpretations of the EU guidance may ironically lead to more on-site monitoring after the crisis normalizes, depending on what the monitoring plans require for SDV. For global trials conducted in the U.S. and EU, this will require innovations to support more source data review (SDR, which we will discuss in a moment) and less SDV, as well as more remote monitoring of data. Protecting the privacy, safety, and rights of study subjects is paramount. It is interesting that two regulatory agencies have such wide differences in the approach to remote site oversight. Is this due to SDV?
Telehealth And Remote Monitoring
One global practice that has helped the industry during the pandemic is healthcare’s use of telehealth, also referred to as telemedicine, prior to COVID-19. In the U.S., the Office for Civil Rights (OCR) released an Enforcement Discretion6 and a Frequently Asked Questions guidance7 clarifying how telehealth may be used for remote healthcare visits during the pandemic. For clinical trials, subjects can have virtual visits through non-public videoconferences or home health services, when it is safe and feasible. It has been observed that sites that are part of managed care using telehealth are more adaptable to performing clinical trial study visits using similar approaches as telehealth.
Fortunately, the service providers’ telehealth platforms for managed care in the U.S. often have been vetted by the healthcare institutions for HIPAA compliance. These institutions would need to consider the differences and risks in using video conferencing for remote study participant visits and for remote monitoring meetings between the sponsor monitor and the site’s research team vs. physician and patient visits. In many cases, the sites and monitors can use video conferencing for remote visits with sites to discuss clinical trial participants’ study cases.
GDPR allows telehealth under certain conditions.8 The information must still be lawfully collected, which would be covered by the subject signing the consent to participate in the study and complete study visits, with permission for collection and processing of certain data. Additionally, the data is needed for compliance with regulatory authorities’ requirements to monitor subjects’ safety, for inspections, and for data retention.
Telehealth solutions need to meet the principles of GDPR:
- Lawful, fair, and transparent processing
- Purpose limitation
- Data minimization
- Accurate and up-to-date processing
- Limitation of storage in a form that permits identification
- Confidentiality and security
- Accountability and liability
Telehealth also needs to be compliant with any regional requirements under the ePrivacy Directive.9 According to the statement10 by the European Data Protection Board, only data that is necessary to complete the objectives should be obtained.
Given the requirements for protecting the rights of data subjects in the European Union, telehealth for subject visits is more challenging and complex than in the United States, where the Office for Civil Rights (OCR) released an Enforcement Discretion11 for good faith disclosure of protected health information during the crisis. Telehealth may be employed more frequently, even after the crisis, and more guidance on how to proceed is likely to follow.
Remote Source Data Review Vs. Source Data Verification Post COVID-19
As previously noted, SDV involves reviewing original data or certified copies to check for accuracy in the transcription into the electronic case report form, while SDR refers to monitoring the quality of the data, the compliance to the protocol, and the completeness of reporting subject safety. SDR may include some SDV. In the U.S. and EU, remote SDR can be performed when agreed upon between the sponsor and sites. When SDR involves SDV, it gets trickier and must meet national, local, and institutional restrictions for privacy.
There needs to be well thought out use cases related to what is acceptable for each sponsor and site based on their approved processes. For example, can a monitor ask a site’s CRC to hold a paper source document in front of a screen during a video conference for the monitor to review? Can the CRC send a subject’s lab value in the “chat” function for a monitor’s review? Can a site attach a copy of a source document to an email to the sponsor monitor?
In the EU, the EMA’s guidance12 for conducting clinical trials during COVID-19 states that remote SDV should be restricted per national and emergency measures to cases related to critical data and subject safety, which is very few trials. They mention a few possible scenarios: sharing pseudonymized copies of trial-related source documents with the monitor that would likely require re-monitoring on-site later; direct controlled remote access to subjects’ electronic medical records; and video review of medical records with clinical site team support, without sending any copy to the monitor and without the monitor recording images during the review.
Sponsors and sites need restrictions in place regarding the use of the chat function and any recording of the session because of the risk of a breach of protected health information. Some examples of risks include a lab value and patient name being entered and sent to the monitor in the chat or the monitor recording the session or taking screenshots of the source data during the session.
Both the sites and the sponsors/CROs should have processes in place to ensure subjects’ privacy. For future trials, sponsors/CROs should include an assessment of the site’s requirements related to remote communications regarding study subjects in site qualification visits. The sponsor should also ensure their processes for remote monitoring are flexible enough to support the variable restrictions from site to site, including using the site’s approved technology vs. the sponsor’s.
Should a site redact source documents before sending or making them available? Should a site provide direct access to the electronic source documents? How does the monitor document SDV remotely in the eCRF; does the eCRF system define the monitor’s review the same as on-site? Each of these answers depends on the country, local, and institutional requirements of the site, sponsor, and vendors. Regardless, the sponsor has obligations to ensure it can review the quality of the documentation equally on-site and remotely. Ensuring the documentation meets the ALCOA standards is essential, that is, the source documents are attributable, legible, contemporaneous, original, accurate, and complete.13
As restrictions lift and on-site monitoring is permitted, reviewing that clinical sites have good documentation of their actions related to changes to the clinical trial will become a top priority. Areas to focus on include documentation of consent, deviations related to changes, and documentation of communication with subjects (e.g., about home shipment of investigational product or protocol changes).
Remote monitoring and remote access to EHRs were possible before COVID-19 restrictions, but few thought about how best to implement them. The positive outcome and lessons learned from navigating through COVID-19 restrictions are that there can be a future with increased remote monitoring for clinical trials. The industry needs to question whether tasks that are completed on-site are necessary or if they are being completed on-site just because it is “how things are done.” If a remote monitoring requirement is not part of the monitoring plan, it may be possible to challenge the norm. For example, remote investigational product accountability may initially not seem feasible, but there may be evidence of accountability with documentation, or video conferencing may provide another virtual solution. It is likely that enough data will be gathered to support a continued progression to remote visits for subjects and remote monitoring, using a risk-based process to ensure quality clinical trials.
- ICH E6(R2) Guideline for Good Clinical Practice, Section 5.0, November 2016
- FDA Guidance on Oversight of Clinical Investigations — A Risk-Based Approach to Monitoring, August 2013
- EU The General Data Protection Regulation 2016/679
- FDA Guidance on Conduct of Clinical Trials of Medical Products during COVID-19 Public Health Emergency, March 2020
- EMA Guidance on the Management of Clinical Trials During the COVID-19 (CORONAVIRUS) Pandemic Version 3, April 28, 2020
- OCR Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency
- OCR FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency
- Teleconsultation and COVID-19: who can practice remotely and how? Information for professionals practicing telehealth (telemedicine and telehealth), published on 18.03.20.
- Directive 2009/136/EC
- Statement by the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak, March 16, 2020
- OCR Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19, March 30, 2020
- EMA Guidance on the Management of Clinical Trials During the COVID-19 (CORONAVIRUS) Pandemic Version 3, 28/04/2020
- ICH E6(R2) Guideline for Good Clinical Practice, Section 4.9.0, November 2016
About The Authors:
Sandra “SAM” Sather MS, BSN, CCRC, CCRA, is an industry-leading consultant whose mission is to promote clinical quality systems for sponsors/CROs and investigators/research institutions. She has over 25 years of clinical experience, with a B.S. in nursing and an M.S. in education with a specialization in training and performance improvement. Sather is the VP of Clinical Pathways, a consulting firm located in the Research Triangle Park area in North Carolina. She is dual certified by the Association for Clinical Research Professionals (ACRP) for over 10 years (CCRA and CCRC) and a current member of the ACRP Academy Board of Trustees and Regulatory Affairs Committee (RAC).
As the operations director at Clinical Pathways, Jennifer Lawyer’s focus is on implementing processes to improve quality and on-time delivery for eLearning development and project management. As an eLearning project manager, she ensures the day-to-day processes run efficiently and products are high-quality and completed on time. Prior to joining Clinical Pathways, Lawyer worked as a clinical research professional and a private duty nurse. She holds a B.S. in psychology, an A.S. degree in nursing, and two clinical trials research associate certificates (core competencies and advanced topics). She is a member of the Association of Clinical Research Professionals (ACRP) and is working on her professional certification.