Guidance

Access to EHR by sponsor representatives in clinical trials

Requirements for sponsor representatives using EHR (electronic health records) in clinical trials.

This guidance is for sponsors, contract research organisations (CROs) and investigator sites when considering management of personal data processed in relation to research. Read this in conjunction with the HRA/MHRA joint advice on data protection impact assessments (DPIAs). In this context ‘processing’ also means access to electronic health records (EHRs).

The data collected and analysed during clinical trials is verified and overseen by clinical trial sponsors via representatives such as clinical research associates (CRAs) or monitors. They will review the medical records to ensure that they match the data collected by the sponsor, via source data verification (SDV). The trial participants consent to this access of their medical records in writing, as part of the consent to take part in the clinical trial.

Increasingly, medical records are now electronic and this poses the following challenges:

  • direct access by the monitor/CRA to these records
  • ensuring that access is restricted to only those participants in the trial
  • ensuring that the monitor/CRA cannot access records of patients not in the trial, but maintained on the same system

Historically, monitors could be provided with the physical records of individual trial participants, without also providing them access to the records of other patients. Where EHRs allow similarly restricted access, access may continue to be provided as it has been. Where EHRs do not have this functionality, additional safeguards are required.

Expectations

Provision of research monitor access to EHRs should be an integral part of organisational level (or EHR level) planning and risk assessment. EHR system design should ensure research monitor access is limited to only the records of clinical trial participants and that this access is auditable.

Where EHR systems are not designed to allow this, it should be included in the next system update.

Where EHR systems are not yet able to restrict monitor access to the records of only their clinical trial participants, using printouts from the EHR is not an appropriate mitigation or safeguard. You should consider this in organisation (or EHR) level risk assessments and use short-term mitigations until there is a system update.

Such short-term mitigations should include reliance on the information governance obligations imposed on sponsors and their representatives by the model clinical trial agreements such as mCTA, for example:

  • giving monitors access to EHR (such access is deemed to be processing) in accordance with the template agreement - this requires that they understand their responsibilities for information governance, including their obligation to process the data of clinical trial participants securely
  • ensuring that monitors have employment contracts (with the sponsor, CRO or authorised delegate) - this provides for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable personal data breaches, and should include accessing EHR data of persons other than relevant clinical trial participants

It is not appropriate or necessary for monitors and investigator sites to enter into further non-disclosure agreements.

Monitors should have standard training on the use of the specific EHR, to cover actions to be taken in the event of any inadvertent breach.

Inspection findings

Where this restricted access is not possible, the MHRA has seen that some NHS organisations have been printing out medical records for monitors to review.

MHRA inspectors have encountered several issues with this approach. For example, information is not always available, as medical histories have been incomplete and important information has been missing, due to the printed report settings.

The MHRA has seen gaps in printouts as reports are generated from one date to another and these are not always continuous; in some cases, this has resulted in weeks of missing data and also missing safety information. Additionally, information can be held in annotations in the systems that are also not printed out, such as causality assessment for adverse events. The practice of printing out these records also places a burden on the investigator sites.

Printing out an EHR risks the loss of some or all of the data if it needs to be moved within the site. This creates a risk of inappropriate disclosure, distress and harm to patients, data breach and possible enforcement action.

Printed data may also be out of date due to the time taken to collate it, or incomplete due to incompatibilities in the IT system, which would increase the risk of breaching General Data Protection Regulation (GDPR) and may have a negative impact on the clinical trial.

When paper patient records are lost (or found in places where they are not supposed to be) there is a significant impact on public trust. If patients are not confident that their data will be kept securely, it may hinder their willingness to participate in clinical trials.

Remote direct access to EHRs by sponsor monitors (or auditors) in clinical trials

The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) good clinical practice (GCP) requires - and GCP principles expect - direct access to trial participant medical/health records for the sponsor’s representatives, who are monitors and auditors, employed by the sponsor or delegated/contracted third party. Remote direct access to the medical/health records of clinical trial participants allows source data review (SDR) and source data verification (SDV) to occur without the monitor (or auditor) having to visit the investigator site/institution.

The monitor (or auditor) may have remote direct access to the health records of clinical trial participants either by logging into the EHR system remotely rather than onsite (‘log-in access’), or via video calls in which investigator site/institution personnel use screen sharing of EHR systems (‘guided access’) or display original paper records. Log-in access requires far less investigator site/institution personnel involvement during the review, so it is preferable and should be fully considered and discounted before using guided access.

The investigator site/institution may upload scanned or electronic copies of source documents into a secure portal (‘upload access’). However, this would not be considered direct access unless it is a complete and certified copy of the EHR system in an investigator-provided portal.

Use of internet document sharing portals to share trial participant source documents

Where the portal is provided by the sponsor (or delegate), the investigator/institution must redact any data that may directly or indirectly identify the participant. To protect the privacy of the trial participant, only the participant trial identification number must be used. These records should be deleted after the monitor (or auditor) has completed the review. The sponsor and the investigator should prearrange details of who will perform the deletion and when. For example, the deletion could be after all data queries for the participant have been resolved and the case report form locked or when an audit, if conducted, has completed.

For portals provided by the investigator site/institution, unredacted scanned or electronic source documents may be uploaded. The investigator/institution should consider the applicable requirements for direct log-in access to the EHR system set out below when using such a portal.

The provision of source documents via upload access should be risk-based and proportional, focusing on review and/or verification of critical data to ensure the reliability of results and protection of the trial participants.

The process for the provision of the documentation should not put an excessive and unreasonable time burden on the investigator site/institution personnel or excessive and additional costs on the investigator site/institution that has not been agreed beforehand.

There should be acceptance that in some cases, the investigator/institution may not be able to support upload access, particularly when on-site direct access is available.

The sponsor should also accept that on-site visit limitations may be necessary by the investigator site/institution due to resource requirements where the sponsor requests extensive on-site visits to compensate for any previous restriction of remote access to the medical/health records that prevented complete SDV/SDR using the full EHR.

The Research Ethics Committee (REC) and UK study wide review for the NHS (for example, as undertaken in HRA and Health and Care Research Wales (HCRW) Approval) assess the consent process. Investigator sites/institutions should take assurance from this review and not further review the adequacy of the transparency arrangements approved for the trial.

The participant information sheet and/or consent form must state that sponsor and regulatory authorities’ personnel can access a trial participant’s medical/health records and explicit consent must be obtained for this as in current practice.

Supplemental information concerning the method of monitor (or auditor) access is available, and the participant information sheet should provide it to the participant by including the link to the HRA website http://www.hra.nhs.uk/patientdataandresearch in the GDPR transparency statement. The investigator should also provide this web page to the trial participants as a paper copy upon request by the trial participant (for example, if the participant cannot access the internet).

EHR system functionality

We recognise that some EHR systems may not have the necessary functionality to allow log-in access, whether remote or on-site. Making such changes may not be immediately feasible and short-term mitigations during the COVID-19 pandemic may need to be made to permit clinical trials to be remotely monitored (or audited) to assure trial participant safety and results reliability due to limitations to on-site visits. These short-term mitigations are set out in MHRA COVID 19 guidance Managing clinical trials during Coronavirus (COVID-19). The following content applies in normal circumstances.

To facilitate log-in access to the EHR system, the EHR system should have the following functionality in addition to restriction to trial participants set out above:

  1. To forbid changes to the data and information in the EHR system by the monitor (or auditor), a user role with read-only permission should be available and assigned on an individual basis to each monitor (or auditor). Log-in access to the EHR system must not be provided if the monitor (or auditor) has the ability to edit (add/change/delete) information of any kind in the EHR system. The EHR system should log additions and deactivations of users and any changes to permissions associated with specific user roles.
  2. To increase assurance that the person accessing the EHR system is the person approved by the sponsor and previously identified by the investigator site/institution to access the EHR system when logging-in, there should be user access controls with 2-factor authentication for accessing the read-only user account, which can be provided by the EHR system itself or via the investigator site/institution’s network access process. For 2-factor authentication, in addition to the username and password, the user must add additional information that they have (for example, a token number or PIN sent to the user’s mobile). This additional control is required, because where direct log-in access to the EHR system takes place when the monitor (or auditor) visits the investigator site/institution there are restrictions in place to identify and control the monitor (or auditor) accessing the EHR system. For example, the monitor (or auditor) may have to sign in and/or provide ID and provision of the device to the monitor (or auditor) used to access the EHR system is under the direct control of the investigator site/institution personnel.
  3. To reduce the risk of inappropriate log-in access to the EHR system, there should be an automatic time-out, where the user is logged out of the EHR system following a period of inactivity.
  4. To prevent unnecessary and inappropriate copying and sharing of information from the EHR, the EHR system should restrict printing, copying, and downloading of information from the EHR system, for the read-only user role given to the monitor (or auditor). The system should not rely on an automatic download of documents on to the user’s device (which remain after the session has completed) in order to view the documentation.
  5. Monitoring (or auditing) activity using remote log-in access to the EHR system should only take place when investigator site/institution staff are aware of and have agreed to it happening, as is the case for on-site visits. Functionality for date/ time restricted log-in access to the EHR system for the read-only user role should be in place. Once the user account is created, log-in access to the EHR system can then be restricted to a specific review time period, rather than log-in access being allowed at all times. The investigator site/institution personnel must be able to have such control of monitor/auditor access, as they would for an on-site visit. The EHR system should log the creation and deactivation of a user account, and the user role that is given to that user (read-only), as well as when that user logs in and logs out of the EHR system.

Where the EHR system allows, we recommend considering specific roles and appropriate permissions for investigator site/institution personnel (such as research nurse, investigator, trial co-ordinator) in addition to a monitor (or auditor) read-only role. These roles could then have permission to grant log-in access to the monitor (or auditor) to specific participants’ records and to set up review time periods for the monitor (or auditor) to undertake their activities, as this would reduce the number of requests to the system administrator, who would only need to initially set up and finally deactivate the monitor (or auditor) user account.

System security

Remote direct log-in access to the EHR system poses an additional security risk. Security aspects of the system concern:

  • the software developer/provider
  • the organisation hosting the system
  • the sponsor accessing the system remotely

We recommend that they all consult relevant guidance and standards on computer system security to inform their quality management system (for example, ISO27001).

The vendor of the EHR system should have identified and managed any security risks relating to remote use as part of the functional specifications of the EHR system during development and validation. There should be a process for ongoing maintenance of security of the EHR system, for example, applying any future security updates.

The sponsor and investigator site/institution should set up robust security procedures such as:

  • password criteria and renewal rules
  • firewalls, virus and malware protection
  • penetration testing (to identify vulnerabilities)
  • system monitoring for detection of inappropriate/unusual activities/intrusions and changes to network configurations
  • threat intelligence software
  • physical security considerations at data centres
  • timely implementation of any security updates/patches

Controls set up by investigator site/institution for remote direct log-in access to EHR system by the monitor (or auditor)

  1. The investigator site/institution should ensure that the EHR system installation facilitates remote log-in access.
  2. In order to allow remote direct log-in access to the EHR system by the monitor (or auditor), the investigator site/institution must verify the identity of the monitor (or auditor) as part of creation of the read-only user account for the EHR system. This could have taken place at a previous on-site visit or by remote video call to see the person, together with a documented review - but a copy not retained - of government-issued photographic identification (for example, a passport, national identity card, driving licence). We recommend that the sponsor provides documentation to the investigator site/institution to confirm who the person is that they have authorised to conduct monitoring (or auditing).
  3. The investigator site/institution should implement formal procedures to manage the setup and deactivation of the monitor (or auditor) user accounts by the EHR system administrator and to conduct a regular audit of users of the EHR system, to ensure that any user accounts in place are currently valid. This would detect users who no longer need log-in access, but whose user accounts have not been deactivated. There should also be risk-based audit trail review of activity undertaken in the EHR system by the monitor (or auditor), to detect any inappropriate activity and to carry out corrective and preventative actions.
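The audit of user accounts and the risk-based audit trail review in item 3 can be checked against the access restrictions listed under EHR system functionality (trial participants only, read-only, no printing or downloading, time-restricted log-in) along the following lines. This is an added example, not part of the MHRA guidance or of any EHR product; the log format, account register, field names, dates and finding labels are all constructed assumptions.

```python
from datetime import datetime

# Constructed register of monitor accounts (field names are assumptions).
ACCOUNTS = {
    "cra.jones": {
        "role": "monitor_read_only",
        "active": True,
        "participants": {"REC-1001", "REC-1002"},  # trial participants only
        "windows": [("2021-09-06T09:00", "2021-09-06T17:00")],  # agreed review period
    },
    "cra.patel": {
        "role": "monitor_read_only",
        "active": True,  # review finished months ago, account never deactivated
        "participants": {"REC-1003"},
        "windows": [("2021-06-01T09:00", "2021-06-01T17:00")],
    },
}

# Constructed audit trail, one event per line: timestamp|user|action|record
AUDIT_LOG = """\
2021-09-06T09:02|cra.jones|LOGIN|-
2021-09-06T09:05|cra.jones|VIEW|REC-1001
2021-09-06T09:40|cra.jones|VIEW|REC-2077
2021-09-06T10:15|cra.jones|PRINT|REC-1002
2021-09-06T16:58|cra.jones|LOGOUT|-
2021-09-06T22:30|cra.jones|LOGIN|-
"""

# Actions a read-only monitor role should never be able to perform.
FORBIDDEN = {"ADD", "EDIT", "DELETE", "PRINT", "COPY", "DOWNLOAD"}


def in_window(ts, windows):
    """True if ts falls inside any agreed review period."""
    return any(datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end)
               for start, end in windows)


def review_audit_trail(log_text, accounts):
    """Return (line_no, user, finding) for each monitor event that breaks a control."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        stamp, user, action, record = line.split("|")
        acct = accounts.get(user)
        if acct is None:
            continue  # not a monitor account; outside the scope of this review
        ts = datetime.fromisoformat(stamp)
        if not acct["active"]:
            findings.append((n, user, "DEACTIVATED_ACCOUNT_USED"))
        if not in_window(ts, acct["windows"]):
            findings.append((n, user, "OUTSIDE_REVIEW_WINDOW"))
        if action in FORBIDDEN:
            findings.append((n, user, "FORBIDDEN_ACTION:" + action))
        if record != "-" and record not in acct["participants"]:
            findings.append((n, user, "NON_TRIAL_RECORD:" + record))
    return findings


def stale_accounts(accounts, as_of):
    """Active accounts whose last agreed review period has already ended."""
    now = datetime.fromisoformat(as_of)
    return sorted(user for user, acct in accounts.items()
                  if acct["active"]
                  and all(datetime.fromisoformat(end) < now for _, end in acct["windows"]))


if __name__ == "__main__":
    for finding in review_audit_trail(AUDIT_LOG, ACCOUNTS):
        print(finding)
    print("needs deactivation:", stale_accounts(ACCOUNTS, "2021-09-06T12:00"))
```

A finding such as `FORBIDDEN_ACTION` or `NON_TRIAL_RECORD` indicates the EHR restrictions themselves are not set up as expected, so it should feed the corrective and preventative actions as well as the review of the individual monitor's activity.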

Controls put in place by the sponsor (or authorised delegated party such as CRO)

  1. The sponsor should prepare and/or review the trial monitoring plan to ensure that a risk proportionate approach to source data verification/review is in place.

  2. Direct access to participant health records is a requirement of monitoring (or auditing) and the sponsor should already have procedures in place. However, the sponsor should review these procedures and the sponsor’s DPIA concerning remote log-in access by monitor (or auditor) to the EHR system, to ensure appropriate controls are in place and the monitors (or auditors) are trained in the procedures.

  3. Remote log-in access to the EHR system at UK sites must only take place from a physical location in the UK, an EEA state, or another state covered by a UK adequacy decision.

  4. The device used for remote log-in access to the EHR system should be provided by the sponsor, or the sponsor should have undertaken an assessment of the security processes applied to the device(s) of any subcontracted service providers (for example, CROs, freelance monitors or auditors). The use of the monitor’s (or auditor’s) own devices is acceptable where approved by the sponsor. Devices must not be left unattended and accessible when logged into the EHR system.

  5. The sponsor must not record any video calls where screen sharing of guided direct access or of paper source documentation has taken place. There must be no records of any trial participant information in any ‘chat’ function of the remote video call.

  6. The model clinical trial agreements require that monitors (or auditors) are suitably trained to understand information governance requirements. The sponsor should put training courses in place to cover the protection of trial participants’ data confidentiality in relation to the contractual obligations of the sponsor with the investigator site/institutions.

  7. The sponsor should ensure through training and employment contracts that all monitors (or auditors) comply with information governance requirements.

  8. The sponsor’s processes and training should include the following.

a. Ensuring privacy where remote log-in access to the EHR system can take place, for example:

i. not accessing EHR system in an open-plan office without suitable privacy screens in place on the device

ii. not accessing EHR system in a public space or other location where there is high risk that others who are not authorised could view sensitive information

iii. if login access is from the monitor’s (or auditor’s) home residence, they should do it privately (for example, away from family)

iv. the monitor (or auditor) should log out of the EHR system before leaving the device unattended (for example, if leaving a desk where a desktop PC is in use, even if log-in to the sponsor’s system remains)

b. What is not permitted, for example, taking photographs of the device screen, taking electronic screen images, printing and downloading information from the EHR system or documenting any information that identifies a trial participant such as in an email. It should be explicit that sharing user accounts and log-in information for the EHR system with another person is strictly forbidden.

c. Only the investigator site/institution personnel should share content of the EHR system with anyone other than the monitor (or auditor). For example, the investigator site/institution should provide redacted content from the EHR system to the sponsor pharmacovigilance function in relation to queries about a serious adverse event (SAE). The monitor (or auditor) should not share their screen/project the screen to show EHR system content at a meeting with other sponsor personnel discussing the SAE. It is acceptable that a monitor (or auditor) may need to document information from the medical records that is necessary to record monitoring/audit activities (for example, relating to ineligibility or SAEs); however, the participant must only be identified by their trial identification number.

d. Actions to take if there is a breach of participant confidentiality, for example, the circumstances where there is the need to inform the investigator site/institution immediately.

e. Actions to take if there is a data security breach, for example if the device used to access the EHR system is lost or stolen, including the possibility to remotely delete all the data content of the device. The sponsor should provide monitors (or auditors) contact details of who they should inform if a potential or actual data security breach occurs.

f. Actions to take if the monitor (or auditor) has the ability to access, or has accessed, the records of non-trial participants, for example, if the EHR system restrictions to trial participants have not been set up accurately, or any accidental accessing of the records of non-trial participants.

g. Ensuring that the investigator site/institution is promptly informed when the user account of the monitor (or auditor) is no longer required.

h. Printed records from the EHR system can only serve as an alternative to direct access if these are certified copies. Inspection findings have shown that this is difficult to achieve so we do not recommend it as an alternative to direct access to the EHR system. Consider using guided access instead.

Further information

Refer to Electronic health records - MHRA Inspectorate for further information.

Updates to this page

Published 26 November 2020
Last updated 8 September 2021
  1. Updated guidance for viewing Electronic Health Records (EHR) remotely

  2. First published.
