for Sponsors and CROs
The following guidance is for implementing remote monitoring as a broad policy at the site level. In light of COVID-19, Veeva proposes that sites and sponsors take a risk-based approach to updating policies and study documents to include only critical elements needed in order to implement remote monitoring quickly while not introducing administrative burden on teams.
Policies and Documentation
As a trusted adviser and key partner, sponsors and CROs should advise sites on what is required to become “remote monitoring capable.” Generally speaking, sites and sponsors are remote monitoring capable when they have alignment across stakeholders, processes, and policies. When updating policies, sites and sponsors should understand the broadest regulations, policies, and expectations that apply (Figure 1), including the current thinking in light of COVID-19. Most importantly, sponsors and CROs should consider taking a risk-based approach when implementing remote monitoring for COVID-19 related trials to ensure patient safety while not adding administrative burden.
Existing regulations and policies should be referenced when applicable to ensure compliance is being upheld. Once understood, sites and sponsors can identify what they can control and implement (and what is required to be implemented now vs. later).
Sites and sponsors must ensure that the proper controls are in place across national regulations, clinical trial agreements, institutional policies, research informed consent forms, and internal SOPs.
A key consideration that will have a large impact on updating policies and documents is whether or not protected health information (PHI) should be shared during the remote monitoring process. Sharing PHI is allowed if the right approvals are in place.
The HIPAA Privacy Rule establishes the conditions under which protected health information may be used or disclosed by covered entities for research purposes.1 A Waiver of HIPAA Authorization is required to remotely share PHI with monitors, and must inform the research participant of the purpose, process, and information being shared (either on-site or remotely). Often, sites do not realize that most Institutional Review Boards (IRBs) embed the Waiver of HIPAA Authorization into the template informed consent form they standardly require. Sponsors and sites should ensure that this waiver is included in their informed consent.
“An Authorization differs from an informed consent in that an Authorization focuses on privacy risks and states how, why, and to whom the PHI will be used and/or disclosed for research. An informed consent, on the other hand, provides research subjects with a description of the study and of its anticipated risks and/or benefits, and a description of how the confidentiality of records will be protected, among other things. An Authorization can be combined with an informed consent document or other permission to participate in research. Whether combined with an informed consent or separate, an Authorization must contain specific core elements and required statements stipulated in the Rule.2” — HHS.gov
A Waiver of HIPAA Authorization can be embedded into the informed consent form and should contain the following specific core elements:
Authorization Core Elements:2
- A description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner.
- The names or other specific identification of the person or persons (or class of persons) authorized to make the requested use or disclosure.
- The names or other specific identification of the person or persons (or class of persons) to whom the covered entity may make the requested use or disclosure.
- A description of each purpose of the requested use or disclosure.
- Authorization expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure (“end of the research study” or “none” are permissible for research, including for the creation and maintenance of a research database or repository).
- Signature of the individual and date. If the individual’s legally authorized representative signs the Authorization, a description of the representative’s authority to act for the individual must also be provided.
Authorization Required Statements:2
- A statement of the individual’s right to revoke his/her Authorization and how to do so, and, if applicable, the exceptions to the right to revoke his/her Authorization or reference to the corresponding section of the covered entity’s notice of privacy practices.
- Whether treatment, payment, enrollment, or eligibility of benefits can be conditioned on Authorization, including research-related treatment and consequences of refusing to sign the Authorization, if applicable.
- A statement of the potential risk that PHI will be re-disclosed by the recipient. This may be a general statement that the Privacy Rule may no longer protect health information disclosed to the recipient.
An example Waiver of HIPAA Authorization form can be downloaded here.
Sites that choose not to waive HIPAA rights on research related information, whether shared during monitoring either on or off-site, can put themselves at risk of non-compliance. Considering the numerous identifiers that require redaction when a waiver is not in place (e.g., dates and unique, identifiable numbers), the redaction process can be stringent, time-consuming and prone to error.2
It can also be challenging to confirm that source documents are truly related to the enrolled participant if monitors can only review redacted source documents. Therefore, an understanding between the study monitor and site must be in place as early as possible to ensure that the clinical trial agreement and research informed consent form will support the expectations for sharing PHI during the monitoring process (for monitoring on and off site).
If the right approvals are in place, the process for allowing monitor access to PHI when off-site is best supported through the use of 21 CFR Part 11 compliant systems. These systems provide detailed audit trails that track document histories and utilize role-based permissions to determine access. Sites should maintain full oversight of the systems they provide monitors access to. To note, systems that protect documents from being downloaded or shared by monitors best support the remote monitoring of PHI. Since sites often grant monitors remote access to their EMR, sites should ask if providing remote access to other compliant systems within their control is truly adding additional risk.
Finalize Study-specific Source Plans
Once determined, study-specific methods for generating source data and supporting monitoring of that data should be documented. A Study Source Plan provides reassurance that documentation is in place to support the source data and monitoring plan, outlines methods utilized to facilitate participant study visits, describes how the source will be generated, details how it will be made available for monitoring, and includes approvals from both the site and sponsor-representative.
- Documentation: The ICF, protocol, and clinical trial agreement must include language in support of the on-site and remote monitoring plan. The informed consent should specifically outline the plan for sharing, disclosing, storing, and accessing PHI as well as a waiver of HIPAA Authorization when applicable.
- Visit Methods: Established visit methods that will be used to capture study data should be outlined. Methods include on-site visits, home visits, virtual visits, telephone calls, texting and/or capturing patient-reported outcomes from electronic methods using direct patient entry.
- Source Generation: The system name, vendor, purpose (either for research or clinical data collection), general source method, signature method, data originator, and transcription method to the eCRF should all be outlined.3
- Source Review Methods: Source data is often reviewed in a different format than it was generated in. Also, there is often more than one system used to generate source documents during a trial. Therefore, multiple source review methods are often used. Source data might be reviewed in different formats, depending if the monitor is on-site or off-site. Sponsors need awareness of what type of document will be provided during inspections (original, copy, or certified copy) and if an audit trail is accessible to them in electronic systems.
- Approvals: Study Source Plans should be approved by a representative of the study sponsor, the study PI, and by a research administrator. Dates and signatures should be captured on approvals. An example Study Source Plan can be downloaded here.
Communicating with Study Participants
Implementing remote monitoring practices may have downstream impacts on study patients. Ensure that your sites have a plan for determining what should be communicated to their participants. The following points should be considered:
- Consent: Will participants be required to re-consent due to protocol changes that also affect the informed consent document (such as updated visit schedules, updates around sharing PHI in new systems and/or remotely, new methods used to capture patient-reported outcomes, etc.)?
- Contact Information and Methods: Will methods for contacting participants change, for example, text messaging, will now be more frequently utilized, requiring the collection of their cell phone numbers, social media accounts, email address, home mailing address, etc? Ensure participants are aware if additional study contact will be implemented as well as if the format for the contact will change. Study patients should be aware of all methods of contact including receiving documents or surveys by mail, texts, phone calls, emails or home visits.
- Visit Schedule: As visits are assessed to determine how to decrease the burden of coming
on-site and promote more virtual workflow, participants must be aware of visit schedule changes.
Consider if on-site visits should transition to over the phone, virtually using video chat or
conferencing technology, include home health approaches where coordinators or medical
professionals will be performing home visits or should be postponed or canceled altogether.
If home visits are incorporated, make sure that participants are informed if they will be interacting with new personnel, such as a contracted home health group or vendor providing lab or clinical research coordinator services.
- Training: Study patients might require additional training and reference materials to ensure comfort when downloading applications onto their smartphones, using devices to support home monitoring (such as an accelerometer), using video conferencing, or completing electronic surveys. Remember that all materials participants receive should be approved by the study’s reviewing IRB.
2 NIH.gov. How Can Covered Entities Use and Disclose Protected Health Information for Research and Comply with the Privacy Rule?
3 FDA.gov, 2013. Electronic Source Data in Clinical Investigations