Home · Resources · White Papers
White Papers

Guidance for Remote Monitoring

for Sponsors and CROs

The following guidance is for implementing remote monitoring as a broad policy at the site level. In light of
COVID-19, Veeva proposes that sites and sponsors take a risk-based approach to updating policies and
study documents to include only critical elements needed in order to implement remote monitoring quickly
while not introducing administrative burden on teams.

Policies and Documentation

As a trusted adviser and key partner, sponsors and CROs should advise sites on what is required to
become “remote monitoring capable.” Generally speaking, sites and sponsors are remote monitoring
capable when they have alignment across stakeholders, processes, and policies. When updating policies,
sites and sponsors should understand the broadest regulations, policies, and expectations that apply
(Figure 1), including the current thinking in light of COVID-19. Most importantly, sponsors and CROs
should consider taking a risk-based approach when implementing remote monitoring for COVID-19
related trials to ensure patient safety while not adding administrative burden.

Existing regulations and policies should be referenced when applicable to ensure compliance is being
upheld. Once understood, sites and sponsors can identify what they can control and implement (and what
is required to be implemented now vs. later).

Sites and sponsors must ensure that the proper controls are in place across national regulations, clinical
trial agreements, institutional policies, research informed consent forms, and internal SOPs.

Figure 1 . Hierarchy of Authority in Clinical Research

A key consideration that will have a large impact on updating policies and documents is whether or not
protected health information (PHI) should be shared during the remote monitoring process. Sharing PHI
is allowed if the right approvals are in place.

The HIPAA Privacy Rule establishes the conditions under which protected health information may be
used or disclosed by covered entities for research purposes.1 A Waiver of HIPAA Authorization is required
to remotely share PHI with monitors, and must inform the research participant of the purpose, process,
and information being shared (either on-site or remotely). Often, sites do not realize that most Institutional
Review Boards (IRBs) embed the Waiver of HIPAA Authorization into the template informed consent form
they standardly require. Sponsors and sites should ensure that this waiver is included in their
informed consent.

“An Authorization differs from an informed consent in that an Authorization focuses on
privacy risks and states how, why, and to whom the PHI will be used and/or disclosed
for research. An informed consent, on the other hand, provides research subjects with a
description of the study and of its anticipated risks and/or benefits, and a description of
how the confidentiality of records will be protected, among other things. An Authorization
can be combined with an informed consent document or other permission to participate
in research. Whether combined with an informed consent or separate, an Authorization
must contain specific core elements and required statements stipulated in the Rule.2
— HHS.gov

A Waiver of HIPAA Authorization can be embedded into the informed consent form and should contain
the following specific core elements:

Authorization Core Elements:2

  • A description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner.
  • The names or other specific identification of the person or persons (or class of persons) authorized to make the requested use or disclosure.
  • The names or other specific identification of the person or persons (or class of persons) to whom the covered entity may make the requested use or disclosure.
  • A description of each purpose of the requested use or disclosure.
  • Authorization expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure (“end of the research study” or “none” are permissible for research, including for the creation and maintenance of a research database or repository).
  • Signature of the individual and date. If the individual’s legally authorized representative signs the Authorization, a description of the representative’s authority to act for the individual must also be provided.

Authorization Required Statements:2

  • A statement of the individual’s right to revoke his/her Authorization and how to do so, and, if applicable, the exceptions to the right to revoke his/her Authorization or reference to the corresponding section of the covered entity’s notice of privacy practices.
  • Whether treatment, payment, enrollment, or eligibility of benefits can be conditioned on Authorization, including research-related treatment and consequences of refusing to sign the Authorization, if applicable.
  • A statement of the potential risk that PHI will be re-disclosed by the recipient. This may be a general statement that the Privacy Rule may no longer protect health information disclosed to the recipient.

An example Waiver of HIPAA Authorization form can be downloaded here.

Sites that choose not to waive HIPAA rights on research related information, whether shared during
monitoring either on or off-site, can put themselves at risk of non-compliance. Considering the numerous
identifiers that require redaction when a waiver is not in place (e.g., dates and unique, identifiable
numbers), the redaction process can be stringent, time-consuming and prone to error.2

It can also be challenging to confirm that source documents are truly related to the enrolled participant if
monitors can only review redacted source documents. Therefore, an understanding between the study
monitor and site must be in place as early as possible to ensure that the clinical trial agreement
and research informed consent form will support the expectations for sharing PHI during the
monitoring process (for monitoring on and off site).

If the right approvals are in place, the process for allowing monitor access to PHI when off-site is best
supported through the use of 21 CFR Part 11 compliant systems. These systems provide detailed audit
trails that track document histories and utilize role-based permissions to determine access. Sites should
maintain full oversight of the systems they provide monitors access to. To note, systems that protect
documents from being downloaded or shared by monitors best support the remote monitoring of PHI.
Since sites often grant monitors remote access to their EMR, sites should ask if providing remote access
to other compliant systems within their control is truly adding additional risk.

Finalize Study-specific Source Plans

Once determined, study-specific methods for generating source data and supporting monitoring of that
data should be documented. A Study Source Plan provides reassurance that documentation is in place to
support the source data and monitoring plan, outlines methods utilized to facilitate participant study visits,
describes how the source will be generated, details how it will be made available for monitoring, and
includes approvals from both the site and sponsor-representative.

  • Documentation: The ICF, protocol, and clinical trial agreement must include language in support
    of the on-site and remote monitoring plan. The informed consent should specifically outline the
    plan for sharing, disclosing, storing, and accessing PHI as well as a waiver of HIPAA
    Authorization when applicable.
  • Visit Methods: Established visit methods that will be used to capture study data should be
    outlined. Methods include on-site visits, home visits, virtual visits, telephone calls, texting and/or
    capturing patient-reported outcomes from electronic methods using direct patient entry.
  • Source Generation: The system name, vendor, purpose (either for research or clinical data
    collection), general source method, signature method, data originator, and transcription method to
    the eCRF should all be outlined.3
  • Source Review Methods: Source data is often reviewed in a different format than it was
    generated in. Also, there is often more than one system used to generate source documents
    during a trial. Therefore, multiple source review methods are often used. Source data might be
    reviewed in different formats, depending if the monitor is on-site or off-site. Sponsors need
    awareness of what type of document will be provided during inspections (original, copy, or
    certified copy) and if an audit trail is accessible to them in electronic systems.
  • Approvals: Study Source Plans should be approved by a representative of the study sponsor,
    the study PI, and by a research administrator. Dates and signatures should be captured on
    approvals. An example Study Source Plan can be downloaded here.

Communicating with Study Participants

Implementing remote monitoring practices may have downstream impacts on study patients. Ensure that
your sites have a plan for determining what should be communicated to their participants. The following
points should be considered:

  • Consent: Will participants be required to re-consent due to protocol changes that also affect the
    informed consent document (such as updated visit schedules, updates around sharing PHI in
    new systems and/or remotely, new methods used to capture patient-reported outcomes, etc.)?
  • Contact Information and Methods: Will methods for contacting participants change, for
    example, text messaging, will now be more frequently utilized, requiring the collection of their cell
    phone numbers, social media accounts, email address, home mailing address, etc? Ensure
    participants are aware if additional study contact will be implemented as well as if the format for
    the contact will change. Study patients should be aware of all methods of contact including
    receiving documents or surveys by mail, texts, phone calls, emails or home visits.
  • Visit Schedule: As visits are assessed to determine how to decrease the burden of coming
    on-site and promote more virtual workflow, participants must be aware of visit schedule changes.
    Consider if on-site visits should transition to over the phone, virtually using video chat or
    conferencing technology, include home health approaches where coordinators or medical
    professionals will be performing home visits or should be postponed or canceled altogether.

    If home visits are incorporated, make sure that participants are informed if they will be interacting
    with new personnel, such as a contracted home health group or vendor providing lab or clinical
    research coordinator services.

  • Training: Study patients might require additional training and reference materials to ensure
    comfort when downloading applications onto their smartphones, using devices to support home
    monitoring (such as an accelerometer), using video conferencing, or completing electronic
    surveys. Remember that all materials participants receive should be approved by the study’s
    reviewing IRB.

References:


1 HHS.gov, Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
2 NIH.gov. How Can Covered Entities Use and Disclose Protected Health Information for Research and Comply with the Privacy Rule?
3 FDA.gov, 2013. Electronic Source Data in Clinical Investigations