Does PHI reviewed remotely have to be redacted?


I had a question come to me recently about whether PHI reviewed remotely must be redacted in any way. Here is what we discussed:

Q: Is it necessary to redact subject identifier information if collected by a sponsor for monitoring/verification purposes as long as the site has obtained a valid ICF/HIPAA authorization?


SAM: No, as long as the authorization is adequate as to what PHI, the purpose, expiration date, recipient and sender of the PHI (just as required for on-site review). The authorization could explain that the access is remote, to better inform the patient in deciding whether to agree.

Also, many covered entities will have stricter practices under institutional procedures that were put in place as a result of the Security Rule risk assessment, as a preventive measure against unauthorized disclosures (breaches) when PHI is disclosed outside the CE, especially to a non-covered entity like a sponsor.

REMEMBER: Granting access to the EMR for onsite review has been difficult and taken a long time (and still challenging in some cases), but now we are asking to do this remotely…

1) Many sites are getting requests from sponsors/CROs for copies of source electronically, and it is causing a great amount of unrest and negative reaction. It is very important that the expectations are established in the CTA to cover resourcing and cost from a site perspective.

Many sites have reported that sponsors are not disclosing these types of practices ahead of time clearly and the burden on the site is enormous!

2) Also, is the sponsor going to do 100% review remotely? This is not really a risk-based approach, but more about $$ savings (travel).

3) Also, for the same reasons we did not allow monitors to copy paper source at sites and take it home or to the hotel to review later, the same applies to remote access or PDFs of source.

4) Lastly, in most cases the comfort level with disclosing PHI to a non-member / employee of the CE comes from that party being on-site, where the security risks are minimized. Now we are promoting doing this remotely. So it is riskier, and many sites will need some time and better assurances to take that risk.

Collaboration is key to making the eSource vision of EMRs populating eCRFs… encourage your client to promote direct entry into CRFs as source.

Once PHI is released to a non-covered entity it is no longer protected under the Privacy Rule. Subjects need to be informed of this in the authorization in terms they can understand. I am not sure the sponsor can provide enough protections of the use of the info and security of the PHI for the CEs. Temporary access without the ability to print or copy is ideal.

Relationship building and incentives are also key.     
