Access to Electronic Health Records by Sponsor representatives in clinical trials (2024)

This guidance is for Sponsors, Contract Research Organisations (CROs) and investigator sites when considering management of personal data processed in relation to research. It should be read in conjunction with the HRA/MHRA joint advice on Data Protection Impact Assessments (DPIAs). In this context ‘processing’ also means access to EHRs.

The data collected and analysed during clinical trials are verified and overseen by clinical trial Sponsors via representatives such as Clinical Research Associates (CRAs) or monitors. They will review the medical records to ensure that they match the data collected by the Sponsor, via Source Data Verification (SDV). The trial participants consent to this access of their medical records in writing, as part of the consent to take part in the clinical trial.

Increasingly, medical records are now electronic (Electronic Health Records; EHRs) and this poses the following challenges:

• direct access by the monitor/CRA to these records
• ensuring that access is restricted to only those participants in the trial
• ensuring that records of patients not in the trial, but maintained on the same system, are not accessed by the monitor/CRA

Historically, monitors could be provided with the physical records of individual trial participants, without also providing them access to the records of other patients. Where EHRs have been designed to allow similarly restricted access, access may continue to be provided as it has been. Where EHRs do not have this functionality, additional safeguards are required.

Expectations

Provision of research monitor access to EHRs should be an integral part of organisational level (or EHR level) planning and risk assessment. EHR system design should ensure research monitor access is limited to only the records of clinical trial participants and that this access is auditable.

Where EHR systems have not been designed to allow this, this should be addressed at the next system update.

Where EHR systems are not yet able to restrict monitor access to the records of only their clinical trial participants, resorting to printouts from the EHR is not an appropriate mitigation or safeguard. This should be addressed in organisation (or EHR) level risk assessments and short-term mitigations implemented pending system update.

Such short-term mitigations should include:

• Reliance upon the information governance obligations imposed upon sponsors and their representatives by the model clinical trial agreements (mCTA, etc.), e.g.
  • Monitors should be provided with access to EHR (such access is deemed to be processing) in accordance with the template agreement. This requires that they understand their responsibilities for information governance, including their obligation to process the data of clinical trial participants securely,
  • Monitors should hold employment contracts (with the sponsor, CRO, or authorised delegate). This provides for personal accountability and sanctions for breach of confidence or misuse of data including deliberate or avoidable personal data breaches. This would include accessing EHR data of persons other than relevant clinical trial participants.

It is not appropriate or necessary for monitors and investigators sites to enter into further non-disclosure agreements.

Standard training for monitors on use of the specific EHR, to cover actions to be taken in the event of any inadvertent breach

Inspection findings

Where this restricted access is not possible MHRA has seen that some NHS organisations have been printing out medical records for monitors to review.

MHRA Inspectors have encountered several issues with this approach. For example, information is not always available, as medical histories have been incomplete and important information has been missing, due to the printed report settings.

MHRA has seen gaps in printouts as reports are generated from one date to another and these are not always continuous; in some cases, this has resulted in weeks of missing data and also missing safety information. Additionally, information can be held in annotations in the systems that are also not printed out, such as causality assessment for adverse events. The practice of printing out these records also places a burden on the investigator sites.

Printing out an EHR risks the loss of some or all of the data should it need to be moved within the site. This creates a risk of inappropriate disclosure, distress and harm to patients, data breach and possible enforcement action.

Printed data may also be out of date due to the time taken to collate it, or incomplete due to incompatibilities in the IT system, which would increase the risk of breaching GDPR and may have a negative impact on the clinical trial.

When paper patient records are lost (or found in places where they are not supposed to be) there is a significant impact on public trust. If patients are not confident that their data will be kept securely, it may hinder their willingness to participate in clinical trials

ICH GCP requires¹ and GCP principles² expect direct access to trial participant medical/health records for the sponsor’s representatives, who are Monitors and Auditors, employed by the sponsor or delegated/contracted third-party. Remote direct access to the medical/health records of clinical trial participants allows source data review (SDR) and source data verification (SDV) to occur without the Monitor (or Auditor) having to visit the investigator site/institution.

Remote direct access to the health records of clinical trial participants may be undertaken by the Monitor (or Auditor) logging into the EHR system (‘Log-in Access’) remotely rather than onsite or via video calls, where investigator site/institution personnel use screen sharing of EHR systems (‘Guided Access’) or to display original paper records. Log-in Access requires far less investigator site/institution personnel involvement during the review so it is preferable and should be fully considered and discounted prior to using Guided Access.

The investigator site/Institute may upload scanned or electronic copies of source documents into a secure portal (‘Upload Access’). This however would not be considered direct access unless it is a complete and certified copy of the EHR system in an investigator provided portal.

1. INTEGRATED ADDENDUM TO ICH E6(R1): GUIDELINE FOR GOOD CLINICAL PRACTICE E6(R2) November 2016, 1.21, 4.8.10 (n), 4.9.7, 5.1.2, 5.15.1, 5.15.2, 6.10.
2. UK Statutory Instrument 2004/1031 (as amended) 31A, (8) and Schedule 1, Part 2, (9).

Where the portal is provided by the sponsor (or delegate), there must be redaction by the investigator/institution of any data that may directly or indirectly identify the participant. To protect the privacy of the trial participant only the participant trial identification number must be used. These records should be deleted after the Monitor (or Auditor) has completed the review. The details of who will perform the deletion and when, should be prearranged between the sponsor and the investigator (for example, the deletion could be after all data queries for the participant have been resolved and the case report form locked or when an audit, if conducted, has completed).

For portals provided by the investigator site/institution, unredacted scanned or electronic source documents may be uploaded. The investigator/institution should consider the applicable requirements for direct Log-in Access to the EHR system set out below when using such a portal.

The provision of source documents via Upload Access should be risk-based and proportional focussing on review and/or verification of critical data to ensure reliability of results and protection of the trial participants.

The process for the provision of the documentation should not put an excessive and unreasonable time burden on the investigator site/institution personnel or excessive and additional costs on the investigator site/institution that has not been agreed beforehand. There should be acceptance that in some cases, the investigator/institution may not be able to support Upload Access, particularly when on-site direct access is available. The sponsor should also accept that on-site visit limitations may be necessary by the investigator site/institution due to resource requirements where the sponsor requests extensive on-site visits to compensate for any previous restriction of remote access to the medical/health records that prevented complete SDV/SDR using the full EHR.

Consideration of Participant Consent

The Research Ethics Committee (REC) and UK Study Wide Review for the NHS (for example, as undertaken in HRA and HCRW Approval) assess the consent process. Investigator sites/institutions should take assurance from this review and not further review the adequacy of the transparency arrangements approved for the trial.

The participant information sheet and/or consent form must state that sponsor and regulatory authorities’ personnel can access a trial participant’s medical/health records and explicit consent must be obtained for this as per current practice.

Supplemental information concerning method of the Monitor (or Auditor) access is available and should be provided to the participant in the participant information sheet by including the link to the HRA website: http://www.hra.nhs.uk/patientdataandresearch in the GDPR transparency statement. This web page should also be provided by the investigator to the trial participants as a paper copy upon request by the trial participant (for example if the participant cannot access the internet).

EHR System Functionality

It is recognised that some EHR systems may not have the necessary functionality to allow Log-in Access, whether remote or on-site. Making such changes may not be immediately feasible and short-term mitigations during the COVID-19 pandemic may need to be made to permit clinical trials to be remotely monitored (or audited) to assure trial participant safety and results reliability due to limitations to on-site visits. These short-term mitigations are set out in MHRA COVID 19 guidance Managing clinical trials during Coronavirus (COVID-19). The following content applies in normal circ*mstances.

To facilitate Log-in Access to the EHR system, the EHR system should have the following functionality in addition to restriction to trial participants set out above:

1. To forbid changes to the data and information in the EHR system by the Monitor (or Auditor), a user role with read-only permission should be available and assigned on an individual basis to each Monitor (or Auditor). Log-in Access to the EHR system must not be provided if the Monitor (or Auditor) has the ability to edit (add/change/delete) information of any kind in the EHR system. The EHR system should log additions and deactivations of users and any changes to permissions associated with specific user roles.
2. To increase assurance that the person accessing the EHR system is the person approved by the sponsor and previously identified by the investigator site/institution to access the EHR system when logging-in, there should be user access controls with two-factor authentication for accessing the read-only user account, which can be provided by the EHR system itself or via the investigator site/institution’s network access process. For two-factor authentication, in addition to the username and password, the user is required to add additional information that they have (for example, a token number, PIN sent to the user’s mobile, etc.) This additional control is required, because where direct Log-in Access to the EHR system takes place when the Monitor (or Auditor) visits the investigator site/institution there are restrictions in place to identify and control the Monitor (or Auditor) accessing the EHR system. For example, the Monitor (or Auditor) may have to sign in and/or provide ID and provision of the device to the Monitor (or Auditor) used to access the EHR system is under the direct control of the investigator site/institution personnel.
3. To reduce the risk of inappropriate Log-in Access to the EHR system, there should be an automatic time-out, where the user is logged out of the EHR system following a period of inactivity.
4. To prevent unnecessary and inappropriate copying and sharing of information from the EHR, the EHR system should restrict printing, copying, and downloading of information from the EHR system, for the read-only user role given to the Monitor (or Auditor). The system should not rely on an automatic download of documents on to the user’s device (which remain after the session has completed) in order to view the documentation.
5. Monitoring (or auditing) activity using remote Log-in Access to the EHR system should only be undertaken when investigator site/institution staff are aware of and have agreed to it happening, as per on-site visits. Functionality for date/ time restricted Log-in Access to the EHR system for the read-only user role should be in place. Once the user account is created, Log-in Access to the EHR system can then be restricted to a specific review time period, rather than Log-in Access being allowed at all times. The investigator site/institution personnel must be able to have such control of monitor/auditor access, as they would for an on-site visit. The EHR system should log the creation and deactivation of a user account, and the user role that is given to that user (read-only), as well as when that user logs in and logs out of the EHR system.

Where the EHR system allows, it is recommended that specific roles and appropriate permissions for investigator site/institution personnel, e.g. Research Nurse, Investigator, Trial Co-ordinator are considered in addition to a Monitor (or Auditor) read-only role. These roles could then have permission to grant Log-in Access to the Monitor (or Auditor) to specific ‘participants’ records and to set up review time periods for the Monitor (or Auditor) to undertake their activities, as this would reduce the number of requests to the system administrator, who would only be required to initially set up and finally deactivate the Monitor (or Auditor) user account.

System Security

Remote direct Log-in Access to the EHR system poses an additional security risk. Security aspects of the system concern the software developer/provider, the organisation hosting the system and the sponsor accessing the system remotely and all are recommended to consult relevant guidance and standards on computer system security to inform their quality management system (e.g. ISO27001).

The vendor of the EHR system should have identified any security risks relating to remote use and these should have been addressed as part of the functional specifications of the EHR system during development and validation. There should be a process for ongoing maintenance of security of the EHR system, for example, applying any future security updates.

There should be the implementation of robust security procedures by the sponsor and investigator site/institution, such as; password criteria and renewal rules, firewalls, virus and malware protection, penetration testing (to identify vulnerabilities), system monitoring for detection of inappropriate/unusual activities/intrusions and changes to network configurations, threat intelligence software, physical security considerations at data centres and timely implementation of any security updates/patches.

Controls Implemented by Investigator Site/Institution for remote direct Log-in Access to EHR system by the Monitor (or Auditor).

1. The investigator site/institution should ensure that the EHR system installation facilitates remote Log-in Access.
2. In order to allow remote direct Log-in Access to the EHR system by the Monitor (or Auditor), the investigator site/institution must verify the identity of the Monitor (or Auditor) as part of creation of the read-only user account for the EHR system. This could have been undertaken at a previous on-site visit or by remote video call to see the person, together with a documented review of government issued photographic identification (for example, a passport, national identity card, driving licence etc [a copy of which should not be retained]). It is recommended that the sponsor provides documentation to the investigator site/institution to confirm who the person is that they have authorised to conduct monitoring (or auditing).
3. The investigator site/institution should implement formal procedures to manage the set up and deactivation of the Monitor (or Auditor) user accounts by the EHR system administrator and to conduct a regular audit of users of the EHR system, to ensure that any user accounts in place are currently valid. This would detect users who are no longer required to have Log-in Access, but whose user accounts have not been deactivated. There should also be risk-based audit trail review of activity undertaken in the EHR system by the Monitor (or Auditor), to detect any inappropriate activity and to implement corrective and preventative actions.

1. The trial monitoring plan should be prepared and/or reviewed by the sponsor to ensure that a risk proportionate approach to Source Data Verification/Review is implemented.
2. Direct access to participant health records is a requirement of monitoring (or auditing) and the sponsor should already have procedures in place, however, the sponsor should review these procedures and the sponsor’s DPIA concerning remote Log-in Access by Monitor (or Auditor) to the EHR system, to ensure appropriate controls are in place and the Monitors (or Auditors) are trained in the procedures.
3. Remote Log-in Access to the EHR system at UK sites must only be undertaken from a physical location in the UK, an EEA state, or another state covered by a UK adequacy decision
4. The device through which remote Log-in Access to the EHR system is used should be provided by the sponsor, or the sponsor should have undertaken an assessment of the security processes applied to the device(s) of any subcontracted service providers (e.g. CROs, freelance Monitors (or Auditors)). The use of the Monitors’ (or Auditor) own devices is acceptable where approved by the sponsor. Devices must not be left unattended and accessible when logged into the EHR system.
5. The sponsor must not record any video calls where screen sharing of guided direct access or of paper source documentation has taken place. There must be no records of any trial participant information in any “chat” function of the remote video call.
6. The model clinical trial agreements require that Monitors (or Auditor) are suitably trained to understand information governance requirements. There should be training courses put in place by the sponsor to cover the protection of trial participants’ data confidentiality in relation to the contractual obligations of the sponsor with the investigator site/institutions.

7. The sponsor should ensure through training and employment contracts that all Monitors (or Auditors) comply with information governance requirements.

8. The sponsor’s processes and training should include:

a. Where remote Log- in Access to the EHR system can take place to ensure privacy for example;

i. not accessing EHR system in an open plan office without suitable privacy screens in place on the device

ii. not accessing EHR system in a public space or other location where there is high risk that others who are not authorised could view sensitive information

iii. if Login Access is from the Monitor (or Auditor) home residence then this should be done privately, i.e., away from family etc.

iv. the Monitor (or Auditor) should log out of the EHR system prior to leaving the device used unattended (for example, if leaving a desk where a desk top PC is being used, even if log-in to the sponsor’s system remains).

b. What is not permitted, for example, taking photographs of the device screen, taking electronic screen images, printing and downloading information from the EHR system or documenting any information that identifies a trial participant, for example in an email. It should be explicit that sharing of user accounts and log-in information for the EHR system with another person is strictly forbidden.

c. Sharing of content of the EHR system with anyone other than the Monitor (or Auditor) should be undertaken by the investigator site/Institution personnel and not by the Monitor (or Auditor). For example, the investigator site/institution should provide redacted content from the EHR system to sponsor pharmacovigilance function in relation to queries about a serious adverse event and not the Monitor (or Auditor) sharing their screen/projecting the screen to show EHR system content at a meeting with other sponsor personnel discussing the SAE. It is acceptable that a Monitor (or Auditor) may need to document information from the medical records that is necessary to record monitoring/audit activities (for example, relating to ineligibility, SAEs), however, the participant must only be identified by their trial identification number.

d. Actions to take if there is a breach of participant confidentiality, for example, the circ*mstances where there is the need to inform the investigator site/institution immediately.

e. Actions to take if there is a data security breach, for example if the device used to access the EHR system is lost or stolen, including the possibility to remotely delete all the data content of the device. The sponsor should provide monitors (or auditors) contact details of who they should inform if a potential or actual data security breach occurs.

f. Actions to take if Monitor (or Auditor) has the ability to or has accessed non-trial participants, i.e., the EHR system restrictions to trial participants has not been implemented accurately or any accidental accessing of the records of non-trial participants.

g. Ensuring that the investigator site/institution is promptly informed when the user account of the Monitor (or Auditor) is no longer required.

h. That printed records from the EHR system could only serve as an alternative to direct access if these are certified copies. Inspection findings have shown that this is difficult to achieve and it is therefore not recommended as an alternative to direct access to the EHR system. Guided access could be considered instead.

Please refer to Electronic health records - MHRA Inspectorate for further information.