The new guidance intends to assist sponsors, contact research organisations and investigator sites in complying with their processing obligations during clinical trials.
On 26 November 2020, the Medicines and Healthcare products Regulatory Agency (MHRA) and the Health Research Authority (HRA), in conjunction with the Information Commissioner’s Office (ICO), published its guidance on site access to Electronic Health Records (EHRs) during clinical trials.
During clinical trials, personal data is collected, analysed and verified by clinical trial sponsors (Sponsors) through Clinical Research Associates (CRAs), clinical monitors or trial monitors (Monitors).
Once collected, analysed and verified, the CRAs/Monitors review the medical records of the data subjects to ensure that they match the data collected by the Sponsors – a process otherwise known as Source Data Verification (SDV).
The guidance highlights that in previous situations where physical records were used, CRAs/Monitors only received the physical records of participants - therefore preventing unauthorised access to other subjects’ data.
As such, the guidance aims to address the challenges faced resulting from an increasing use of medical records as EHRs rather than physical records. These challenges include:
- Direct access by the CRAs/Monitors to these records as part of the SDV process
- Ensuring that access to data within EHR systems is restricted to only those participants in the trial
- Ensuring that records of patients not in the trial, but maintained on the same EHR system are not accessed by the CRAs/Monitors
Whilst the guidance recognises that most EHR systems have been designed to restrict unwarranted access from taking place, unauthorised data access may continue to occur in cases where EHR systems do not have such functionality. It clarifies therefore, that where such situations arise additional safeguards are required. Namely:
- Where an EHR system is being used in a clinical trial and does not have the capacity to restrict access by the CRAs/Monitors, such EHR system functionality needs to be rectified at the next system update.
- Pending any EHR system update taking place, mitigating steps should be implemented in the short-term, including ensuring that the CRAs/Monitors have employment contracts containing appropriate confidentiality clauses.
The guidance also recognises in certain cases where inspections of EHR systems have taken place, the MHRA, HRA and ICO respectively found various sites seeking to resolve these problems by printing out EHRs in hard copy. The guidance, however, regards this practice as “problematic” given not only the nature for it to compromise the confidentiality of the healthcare data, but also the risks associated with providing the CRAs/Monitors:
- Out-of-date information
- Inadequate information
For these reasons, the guidance reiterates that the requirement is such that Sponsors, contact research organisations and investigator sites should have EHR systems that permit appropriate restrictions of access to data.