Guest Column | September 22, 2020

Safeguarding Participant Data During Risk-based Monitoring — Practical Considerations

By Sandra "SAM" Sather and Jennifer Lawyer, Clinical Pathways, LLC

During the current COVID-19 pandemic, it has become necessary for sponsors of clinical trials to rely on remote methods to access electronic health records and electronic source data. With risk-based monitoring becoming more common, and with sponsor/CRO monitors reviewing electronic source data remotely, many questions have arisen regarding what security measures need to be in place to ensure the protection of study participants’ data.

On March 20, 2020, the Office of Civil Rights (OCR) in the U.S. released a Notification of Enforcement Discretion [1] and a set of frequently asked questions on telehealth and HIPAA [2] that clarify that protected health information (PHI) can be shared through teleconference methods in good faith during the pandemic. In the notice, the OCR states that the security rule is not suspended but rather the penalty will not be imposed for Health Insurance Portability and Accountability Act (HIPAA) [3] security violations made in good faith. In order to comply with the good faith provision, covered entities must use non-public facing communication products. Therefore, it is acceptable to remotely access PHI to monitor clinical trials. Regardless, the PHI needs to be safeguarded to follow the good faith requirement, good clinical practices (GCPs), regional regulations, and the clinical site’s standard operating procedures (SOPs).

Sponsors usually think of 21 CFR Part 11 [4] requirements for computerized systems as relevant to sites for inputting electronic case report form (eCRF) data and other systems supporting data integrity, but sites’ protection of subject privacy and security of data is driven by the requirements of the OCR in the U.S. and the General Data Protection Regulation [5] (GDPR) in the EU. For the EU, remote access of PHI needs to comply with any regional requirements under the ePrivacy Directive [6]. According to the statement by the European Data Protection Board [7], only data that is necessary to complete the objectives should be obtained. For the FDA, the confidentiality of the subject data must comply with the informed consent. If the participant was consented prior to switching to remote monitoring, it should be verified that the consent includes this possibility, and reconsent must be obtained if the data will be used in a manner inconsistent with the original consent language and HIPAA authorization. It is a best practice to include remote monitoring of data in all consents.

Risk-Based Monitoring, Not SDV

The source data available to the sponsor must be the pertinent study participant data needed to "monitor" the trial. This does not mean that all of that data must be reviewed, a practice known as 100 percent source data verification (SDV); monitoring pertinent data based on risk analysis is the basis of risk-based monitoring. The investigator must meet all applicable rules for data monitoring and privacy/security. Documenting and maintaining pertinent source data in a way that meets the ALCOA+ quality documentation standards is a requirement of clinical trial investigators. This source data should be made available to sponsors in a way that meets the privacy/security standards that are applicable in the region/country. So why ask sites for more than you need, thus increasing both the burden and risk of a data breach?

So, regarding the settings of a sponsor’s laptop or other systems:

  • The sites are the owners and custodians of the source data, which many times includes medical histories and other medical information. The sponsor should not ask a site to use a system that controls the source and takes this out of the hands of the site.
  • Additionally, the transfer of source data to a system is riskier than viewing it temporarily on a screen with nothing being downloaded/uploaded and no data remaining when the user logs off. This should be validated and controlled as much as possible. The best way to do that is by having the site control the system, not the sponsor.
  • Whenever there is a manual process to manage the disclosure and use of private information of the individuals being recruited or who are enrolled in a clinical trial, this increases the risk of breach or noncompliance, and it needs to have agreed-upon quality control and quality assurance plans. For example, the system cannot prevent an action or cannot validate whether it was or was not done, such as a monitor printing or taking a screen shot of data. As early as possible, the sponsor should coordinate with sites about data monitoring and ensure they are speaking to the right person or department; this is often outside the research department.

Security Of Computerized Systems

In Section VII (Security) of its guidance Computerized Systems for Use in Clinical Trials, FDA indicates that measures should be put in place to ensure that only those who are authorized to access the computer will be able to do so. For a monitor working remotely, this would mean that when the computer is not in use, it would utilize a lock screen requiring a password. While using the computer, the monitor should position it so that others cannot view study data on screen (e.g., not on a plane or in a public location). If audio is involved, the monitor should use a headset to ensure privacy. Good documentation of the manual actions is essential. Remember to follow good documentation practices according to ICH E6(R2) Good Clinical Practice (GCP) [9].

Additionally, there are requirements for software security, so the monitor needs to ensure that their computer is up to date with antivirus/antimalware software to mitigate risk of loss or theft of study data. Having monitors use the sponsor's laptops rather than their own is a consideration, depending on how they are accessing data remotely. A risk assessment should be performed to determine the adequacy of safety and security measures.

Remote Access To EMRs

A best practice is for sites to allow secure electronic access to a study participant's electronic health records and other pertinent source data not in the electronic medical record (EMR), after verifying the monitor's identity. The monitor could review the data on the screen through a video conference but should not be able to download the data onto the monitor's system. The site SOP may require other personnel to be with the monitor online or otherwise. This best practice takes planning, coordination, and approval within the study site; this is a system-level practice and takes longer to assess, and if possible, implement.

There should be an agreement between the site and the sponsor as to the monitor's actions when there are any manual activities that cannot be restricted when viewing data remotely on the sponsor monitor's laptop. These agreements might require the monitor to agree to refrain from taking screen shots or printing anything. There may be a requirement for an additional agreement between the monitor and the site as well. Prior to the pandemic, some medical centers provided a laptop to monitors to complete the SDV while on-site and did not let them use their own computers to perform the SDV. Others would allow a monitor to be at their sponsor’s corporate office at a specific time (working hours of the site) on a specific computer IP address. Then the site could oversee the actions and lessen the risk to quality control. The agreement between the site and sponsor usually includes the minimum security requirements for the computer system, including agreed-upon practices for the monitor, as well as specific activities that are not permitted, such as taking screen shots of a document on the screen with the monitor’s mobile phone camera.

HIPAA

HIPAA has always required that a covered entity perform a risk assessment related to potential breaches, and any external access is an important category into which sponsor/CRO monitoring falls. The HIPAA privacy rule is frequently used as the reason for not allowing data to be shared, even when the participant’s HIPAA authorization allows disclosure of PHI, including remotely or virtually. It is more likely that a site’s SOPs are the reason data cannot be shared. Remote monitoring with monitors working at home has made some of the common requirements not possible to follow. Some sites have modified their requirements during the pandemic to allow more access, but this might be temporary, and it is likely we will fall somewhere in the middle. It is important to keep the channels of communication open to the right stakeholders.

Conclusion

For sites, the sponsor monitor's computer system is a risk because the monitor and the computer system are external to their organizations, and the sites are obligated to meet all applicable requirements for patient privacy and security. As a result, sites usually impose restrictions on their end to decrease risk of breaches, or at least they should. Some of these requirements overlap with Part 11 and some do not, such as secure usernames and passwords. Sites’ SOPs should cover how they work with monitors (external approved users) to fulfill their obligations to provide access to pertinent source data to the monitor (not for the monitor to collect data).

For small amounts of data, this can be done through a video conference between the site and the monitor. This might be the easiest and most streamlined method for both sponsor and site if it meets the system requirements. The FDA's guidance during the pandemic has been to focus on the critical data and the quality of the documentation, so this is not likely 100 percent SDV. Risk-based monitoring adaptation will likely increase in the future, and the FDA supports [10] the decision to move forward with this approach.

References

  1. OCR Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency
  2. OCR FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency
  3. Health Insurance Portability and Accountability Act of 1996
  4. Electronic Records & Electronic Signatures, 21 CFR Part 11, Mar. 1997
  5. EU The General Data Protection Regulation 2016/679
  6. Directive 2009/136/EC
  7. Statement by the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak, March 16, 2020
  8. FDA Guidance on Computerized Systems Used in Clinical Investigations, May 2007
  9. ICH E6(R2) Guideline for Good Clinical Practice, November 2016
  10. FDA Guidance on Oversight of Clinical Investigations — A Risk-Based Approach to Monitoring, August 2013

About the Authors:

Sandra “SAM” Sather, MS, BSN, CCRC, CCRA, is an industry-leading consultant whose mission is to promote clinical quality systems for sponsors/CROs and investigators/research institutions. She has over 25 years of clinical experience, with a BS in nursing and an MS in education with a specialization in training and performance improvement. Sather is the VP of Clinical Pathways, a consulting firm located in the Research Triangle Park area in North Carolina. She is dual certified by the Association for Clinical Research Professionals (ACRP) for over 10 years (CCRA and CCRC) and a current member of the ACRP Academy Board of Trustees and Regulatory Affairs Committee (RAC).

As the operations director at Clinical Pathways, Jennifer Lawyer’s focus is on implementing processes to improve quality and on-time delivery for eLearning development and project management. As an eLearning project manager, she ensures the day-to-day processes run efficiently and products are high-quality and completed on time. Prior to joining Clinical Pathways, Lawyer worked as a clinical research professional and a private duty nurse. She holds a BS in psychology, an AS degree in nursing, and two clinical trials research associate certificates (core competencies and advanced topics). She is a member of the Association of Clinical Research Professionals (ACRP) and is working on her professional certification.