FDA: Make Sure EHRs Used for Clinical Studies Are SecureAgency Issues Guidance Spelling Out Its Policy
The Food and Drug Administration has issued new guidance spelling out its policy for organizations using electronic health record data in FDA-regulated clinical investigations, such as studies of the long-term safety and effectiveness of various drugs. Among other criteria, the EHRs need to contain certain privacy and security controls, the FDA says.
EHRs used for clinical investigations should be certified under the Department of Health and Human Services' Office of the National Coordinator for Health IT's EHR certification program, which requires products to meet a variety of privacy and security protection requirements for patient data, the FDA says.
But if data from EHRs that are not ONC-certified is collected from "foreign" sources - such as from clinical studies conducted outside the U.S. - sponsors need to consider whether such systems also have "certain privacy and security controls in place to ensure that the confidentiality, integrity and security of data are preserved," the agency says. That includes:
- Limiting access to electronic systems only to authorized users;
- Identifying authors of records;
- Ensuring that audit trails are available to track changes to data;
- Ensuring that records are available and retained for FDA inspection as required by applicable regulations.
The guidance is significant because it provides information on what to look for and cautions about the possible implications of using an EHR that does not meet the ONC's or another reputable certifying body's standards, says regulatory attorney Marti Arvin of security consultancy CynergisTek.
"Having information for clinical trials in an EHR is not new. The FDA has always had a focus on data integrity and the ability to validate study data when they conduct an inspection or investigation," she says. "Encouraging interoperability between the EHR and the electronic data capture system is one way to improve the data integrity because it helps avoid human error on transcription."
The guidance generally is positive with respect to the use of EHRs for clinical studies, providing researchers with issues to consider when using them, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"For example, if a researcher is obtaining data from an EHR system outside of the U.S. that has not gone through the U.S. certification process, the researcher should consider that the system may not be locally required to have the same privacy and security features, such as the same level of access controls and audit logs. This could impact the integrity of the data," he notes.
Harnessing Real-World Data
The FDA says in a statement that its new guidance, "The Use of EHR Data in Clinical Investigations," is aimed at expanding the agency's "methodological repertoire to build on our understanding of medical products throughout their lifecycle."
Jacqueline Corrigan-Curay, M.D., director of the office of medical policy in FDA's Center for Drug Evaluation and Research, notes: "Harnessing the real-world data being captured in EHRs enables clinical investigators to collect data from routine medical care and generate scientific evidence that's appropriate for regulatory decision making and helps generate accurate, science-based information healthcare professionals and patients need to use medical products to maintain and improve public health."
The guidance's goals are to "modernize and streamline clinical investigations" through the use of EHR data and the inclusion of real-world data in clinical investigations, the FDA says.
In addition, the guidance will encourage research sponsors and healthcare organizations to work with vendors of EHR systems and electronic data capture systems to further advance the interoperability and integration of those systems, the FDA says.
The agency notes that the 21st Century Cures Act - which aims to advance medical innovation and treatments - requires the FDA to achieve certain deliverables on the use of real-world evidence, including a framework for a program to evaluate real-world evidence and to issue guidance about the use of evidence in regulatory decision making.
The 12-page, non-binding guidance provides recommendations for how healthcare organizations and other entities involved in medical research can use EHRs as a source for clinical investigations involving drugs and biological products and medical devices, including investigations conducted in clinical practice settings.
Besides spotlighting various privacy and security controls, the guidance also spells out other recommendations and best practices for EHRs used in clinical investigations.
Those include making sure that EHRs used for clinical investigations meet various data standards; choosing structured data over unstructured data; and validating interoperability between EHR and electronic data capture systems.
Who will find the guidance most useful?
"This guidance applies to researchers, which could include medical research institutions, academic medical centers, pharmaceutical companies and others," Greene notes.
Even healthcare providers who maintain their EHRs predominately for clinical purposes should find the guidance helpful in case any of their patients participate in research studies, he says.
"For example, when considering retention of EHRs, the healthcare provider who maintains the EHR technology may want to consider whether the EHRs were used in research and, if so, whether the researchers need to have access to a copy of the data for FDA purposes," he says.
The guidance points out that when it comes to systems that have not been certified by ONC, there is an increased potential for data integrity to be compromised, Arvin notes.
"The ONC certification process has known measures and functionality that must be in the system to get certified. Without that, it diminishes the ability to protect the integrity and increases the risk to the data overall including the patient/subject's privacy."
The data collected for clinical trials is often the same data that is collected for routine patient care, Arvin notes. "From that perspective, the concerns do not differ from standard privacy and security concerns in any healthcare organization. However, there can be services that are performed and data gathered solely because of the individual's participation in the clinical study," she adds.
Healthcare organizations must make decisions regarding whether data gathered solely for clinical studies becomes part of the legal medical record or resides somewhere else in the EHR, she notes.
"For example, if participation on the study required that the subject is HIV negative but there is no clinical indication for performing an HIV test, should the results of that test be included in the clinical record for anyone who can access it for care to see - or should it be segregated elsewhere in the EHR with more limited access?" she asks.