In the second part of our series, Important Considerations when Shopping for EDC, we evaluate compliance needs and look beyond Part 11 compliance alone. We continue to examine strategies that make shopping for an EDC platform less confusing and more beneficial to your organization.
Phase 2: Evaluate compliance needs, and consider more than just Part 11
When compliance is raised with regard to clinical technology, the reference is most commonly to 21 CFR Part 11. Of course, a potential EDC system must be able to comply with it. But there are other significant compliance considerations as well. An EDC system evaluation should also consider protocol compliance, GCP compliance, and, increasingly, HIPAA.
21 CFR, Part 11: Compliance with the FDA guidance on electronic systems deals primarily with Access and Authorization and Electronic Records and Signatures.
Access and Authorization: Technical controls must be incorporated within the EDC software to meet the prerequisites of the Part 11 regulation on access and authorization. These include controls on access to the system, such as unique usernames and passwords. The system should be implemented in a secure environment, but in the event of a breach the software should also provide controls to protect data, for instance through encryption. How far an EDC system goes will give you an indication of how seriously a software vendor regards compliance. Are there password rule enforcements, password and data encryption, and hosting security controls, or does the vendor rely on procedural controls to cover the gaps? Most EDC software stops at access controls, but once a user is inside the system, the ability to perform certain tasks, or even to view certain data, should be limited to authorized users. Look for systems that provide role-based models for determining what functionality is permissible for particular users, and that can limit data viewing by geographical segregation or direct assignment of management responsibility.
Electronic Records and Signatures: Electronic records are really about the audit trail. With data storage being so cheap, at this point every activity should be tracked in the system. However, the items that are required are an identifier of the user entering or changing the data and a timestamp for the initial entry or change. If the user is changing previously entered data, then a reason for change should also be supplied. Look for systems that make the audit trail easily accessible from within the application, in an easy-to-read format. For signatures, look for systems that give a clear indication of the significance of the electronic signature and that require a password to be entered, even after the user is authenticated into the system.
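When evaluating a vendor, the audit-trail requirements above can be checked against an exported trail. The following is an added example, not code from any EDC product: the field names and sample entries are constructed assumptions, and the two ordering checks go slightly beyond the items listed in the text.

```python
from datetime import datetime

# Constructed sample export; field names are assumptions, not a vendor format.
SAMPLE_TRAIL = [
    {"record": "VS-001.sbp", "action": "create", "user": "coord01",
     "timestamp": "2024-03-01T09:15:00+00:00", "reason": ""},
    {"record": "VS-001.sbp", "action": "update", "user": "coord01",
     "timestamp": "2024-03-01T09:20:00+00:00", "reason": "Transcription error"},
    {"record": "VS-001.sbp", "action": "update", "user": "coord02",
     "timestamp": "2024-03-02T10:00:00+00:00", "reason": " "},
    {"record": "VS-002.dbp", "action": "update", "user": "",
     "timestamp": "2024-03-02T10:05:00+00:00", "reason": "Re-measured"},
    {"record": "VS-001.sbp", "action": "update", "user": "coord01",
     "timestamp": "2024-03-01T08:00:00+00:00", "reason": "Source verified"},
]

def audit_gaps(trail):
    """Return (entry_index, problem) pairs for entries lacking required audit data."""
    findings = []
    last_seen = {}  # record id -> latest parsed timestamp seen for that record
    for i, entry in enumerate(trail):
        rec = entry["record"]
        if not (entry.get("user") or "").strip():
            findings.append((i, "no user identifier"))
        try:
            ts = datetime.fromisoformat(entry.get("timestamp"))
        except (ValueError, TypeError):
            ts = None
            findings.append((i, "missing or unparseable timestamp"))
        prev = last_seen.get(rec)
        if rec in last_seen:
            # Derived from history, not the 'action' field: this entry
            # changes previously entered data, so a reason is expected.
            if not (entry.get("reason") or "").strip():
                findings.append((i, "change without reason"))
            if ts and prev and ts < prev:
                findings.append((i, "timestamp earlier than previous entry"))
        elif entry.get("action") == "update":
            findings.append((i, "update with no initial entry in trail"))
        last_seen[rec] = max(filter(None, [prev, ts]), default=None)
    return findings

if __name__ == "__main__":
    for index, problem in audit_gaps(SAMPLE_TRAIL):
        print(f"entry {index}: {problem}")
```

A whitespace-only reason is treated as missing, since a system that accepts it records a reason field without recording a reason.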
21 CFR Part 11 compliance is not the only compliance that an EDC system should be able to adhere to.
Protocol compliance: EDC, when it has the proper features, may assist with protocol compliance as well. At screening, patients may be provided a visit schedule based on their initial visit. This schedule would indicate acceptable dates within the respective visit window for each subsequent visit. EDC should also flag outliers in the data. These outliers may indicate that a particular site, or even a particular coordinator, is not following the protocol in the way they interact with the patient. In such a case, intervention is then possible to correct the deviation. When using third-party collection devices, such as hand-held devices, more control can be placed on proper collection of the data. For example, directions may be provided for the measuring of blood pressure, or reminders may be sent for timely consumption of medicine. As technology options increase, higher patient engagement from EDC available on multiple devices will improve protocol compliance.
GCP compliance: GCP is often overlooked when it comes to EDC. GCP deals with Informed Consent, IRBs, Investigator requirements and documentation maintained at the site. It involves monitoring, data handling, and record keeping. It covers safety information and payments. Does EDC directly cover all these areas? No, but it can make it considerably easier to satisfy the requirements of GCP. How often are Data Safety Monitoring Boards considered in EDC selection? Not often, but the regret is often high when DSMB reports are required on a timely basis. PDF representations of the eCRFs, which are required to be kept at the respective sites, are not usually considered at the time EDC software is selected. However, this becomes an important feature at the end of a study. During a submission, the same feature is especially vital in a bookmarked version for easy navigation by the regulatory authority. During your selection process, ask the vendor how the EDC application helps to meet GCP requirements.
HIPAA compliance: HIPAA, or other regulation governing the use of Protected Health Information (PHI), is often overlooked for clinical technology in general, but especially for EDC. However, PHI often finds its way into the clinical trial in various forms. The most common crossover is with patient initials and/or date of birth. Older systems require initials and/or date of birth to identify the subject, but many geographical regions now restrict the use of initials in clinical studies. The system must provide alternatives in these cases. Integrations with other systems, like CTMS or IRT, have the potential to unintentionally introduce patient-identifying information into the clinical space. Document or image uploads, which are becoming more common, have the same potential if not properly redacted. Look for features in the EDC application that guard against unintentional breaches of the HIPAA regulation.
Next week, we will examine creation of the EDC Scoring list.