We are excited to announce SAM Sather’s contribution to the newly released 2016 Good Clinical Practice Q&A Reference Guide. We are proud of the caliber of the editorial board as well as the high quality editing and writing that went in to this year’s edition.
SAM’s chapter on The HIPAA Privacy Rule and FDA-Regulated Clinical Trials takes an in-depth look at the importance of privacy protection especially at the research level. The chapter includes a discussion of the unprecedented settlement agreed to by Feinstein Institute for Medical Research and the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) due to potential HIPAA violations of patients and research participants.
An example of a question answered in this year’s chapter is:
Question: Related to sponsor risk-based monitoring approaches, under the current HIPAA privacy and security requirements, is it permissible for covered entities to provide sponsors remote access to PHI to be remotely monitored (not monitored at the research site)? If yes, what are the specific requirements of the Covered Entity?
Abbreviated Answer: Some stakeholders (primarily sponsors) are investigating additional ways to monitor pertinent source data remotely. The methods to accomplish this vary, such as asking sites to scan and submit source electronically to the sponsor, development of an electronic source documentation system for studies, or ideally having access to the EHR remotely with the same Security and Privacy safeguards as when the monitor is on-site. Past and present requirements of HIPAA do not restrict remote access of PHI maintained at a covered entity (CE). When CEs consider providing remote access to PHI to sponsors, both the HIPAA Privacy and Security Rule requirements and FDA source document requirements for investigators apply, no different than a sponsor monitoring an EHR on-site. Related to FDA, for sponsors to conduct remote review of source, the monitor would need access to the same source documents that would be monitored on-site. Therefore, it is critical to establish prior to a site agreeing to conduct a study what is pertinent source for a study overall and at a particular site. This ensures that expectations are clear as to what is required to be disclosed, how that will be accomplished, and if any or all source can be monitored remotely. The same GCP quality data standards apply to data in any form monitored from any location, e.g., ALCOA (reference FDA 2007 guidance “Computerized Systems Used in Clinical Investigations” http://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/UCM070266.pdf) and FDA 2013 guidance “Electronic Source Data in Clinical Investigations” (http://www.fda.gov/downloads/drugs/guidancecomplianceregulatoryinformation/guidances/ucm328691.pdf).
Reminder, the FDA does not audit EHRs related to 21 CFR Part 11, rather, whether the pertinent source is maintained, adequate, and accurate related to the data quality standards for GCP.
So if sites were to provide source remotely, under HIPAA, CEs are required to have in place reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of PHI that is disclosed to prevent unauthorized access to the information (45 CFR 164.530(c)). In doing so, the Privacy Rule requires CEs obtain assurances that data disclosed to non-covered entities (e.g., sponsor remote monitors) for use is being used for the purposes described in the HIPAA Authorization and/or limited data use agreement, as well as for clinical trials in the clinical trial agreement (CTA). (Also refer to answers to other questions within this chapter.)
The HIPAA Security Rule requires the CE to conduct a risk assessment of all activities that include the use and disclosure of PHI. In the case of remote monitoring and CEs providing sponsors remote access of source otherwise monitored on-site, sites would need to assess overall what would be the probability and criticality of potential risks to ePHI provided remotely for any study, no matter how the PHI is being provided remotely (e.g., remote sign-in, PDFs emailed, or posted to a remote server).
When considering providing remote access to PHI, a covered entity must comply with all required implementation specifications under the Security Rule and may or may not be required to follow additional addressable specifications (refer to Q14.6). The covered entity must formally assess whether each addressable specification is a reasonable and appropriate safeguard in its environment (with respect to its likely contribution to protecting ePHI provided remotely for review). If the covered entity’s assessment shows that a measure will contribute to the security of the ePHI, it should implement the measure or a substitute measure, and if not, document the reasoning why not. This process contributes to the required risk analysis and documentation to maintain audit readiness for the CE.
A HIPPA Authorization or a waiver of authorization would still need to be in place that includes what PHI can be disclosed, by whom, and to whom. A CE may choose to include how the PHI is disclosed, but is not required. With a signed HIPAA Authorization, the data disclosed does not need to be de-identified. De-identified PHI does not allow review for ALCOA. Ideally to minimize risk, the pertinent PHI is temporarily disclosed for data review (e.g., remote and restricted temporary username and password access) and not a copy transferred to sponsor (e.g., PDFs that are printable or savable to external computers). This mimics more the process when on-site.
In summary, when a covered entity participates in clinical research that involves ePHI, it should consider how this contributes to the required security and to the risk analysis for covered entities. These covered entities that are participating in clinical trials must also meet GCP requirements, and the sponsor must meet their GCP requirements related to the integrity, security, and confidentiality of case histories. Working together to promote better approaches to confirmation of data integrity is important as the industry develops best practices based on risk management to protect human subject’s rights, welfare, and safety.
The guide is a great resource. Check it out. Here are some other examples of questions addressed in this chapter of the guide:
- Are there similarities between the FDA’s 21 CFR Part 11 requirements for investigator source data and the HIPAA Security Rule within the Privacy Rule for research centers that are covered entities?
- Under the Omnibus HIPAA Rulemaking, what are some compliance implications?
- What have been the most common Privacy Rule-related deficiencies noted in OCR inspections?
And much more!
The book is now available for purchase from Barnett International here.
The Clinical Pathways Team.