OR WAIT 15 SECS
Shedding light on common EMR concerns about privacy, government regulations, and data integrity.
Electronic medical records (EMRs) have been considered a panacea for cutting down on medical errors, streamlining recordkeeping, and delivering quality care to patients by health care providers, medical technology companies, and even the president of the United States.1 They are also seen as a boon to clinical research by assisting in matching cancer patients with the right clinical trial,2 aiding in cost effective subject recruitment, and rapidly identifying adverse events.3 However, not everyone agrees that EMRs are ready for prime time.
In a recent practice improvement study, researchers looked at 50 primary care centers to evaluate the effect of EMRs on outcomes for treating diabetes. The study found that primary care centers using EMRs were less effective in treating diabetes than centers using standard recordkeeping systems. The researchers noted that there were significant differences among commercially available EMR systems, including the amount of training and technical support available.
Photography: Getty Images Illustration: Paul A. Belci
The study, published in the Annals of Family Medicine, concluded that "a high level of support for EMR implementation will be required" to meet the federal goal of EMRs for all Americans by 2014 while preserving and enhancing the quality of medical care. This analysis has promoted a lively discussion on the journal's Web site, with comments containing alternate viewpoints.4
Sponsors of clinical research are responsible for monitoring the progress of the investigation.5 In addition, medical device sponsors are responsible for having written procedures for how they will monitor the study.6 When monitors and quality assurance auditors visit clinical sites, they are confronted with a number of concerns about EMRs. These concerns fall into three broad categories:
A look at federal laws, regulations, and guidance documents as well as two case studies, provides answers to some of these questions and establishes a framework for GCP-compliant monitoring and recordkeeping.
With the advent of HIPAA in 1996 and the Privacy Rule regulations of 2002,9 many institutions began limiting access to EMRs. Clinical investigators, however, are required by FDA to maintain "adequate and accurate case histories."10 The principal GCP guideline, the ICH Guideline for Good Clinical Practice (E6), states that a sponsor specify that the investigator and institution shall "provide direct access to source data/documents for trial-related monitoring."11
The Privacy Rule requires that an individual participating in research provide signed permission or "authorization" before records may be accessed for researchers. This issue can be effectively dealt with in the informed consent form (ICF) that a research participant signs prior to any research related activities. The FDA-required elements of informed consent include a confidentiality clause that notes the possibility that FDA may inspect the records.12 ICFs routinely include that sponsor representatives may review the records. However, this one clause isn't sufficient to meet the requirements of the privacy rule. The ICF must also explain that a participant may withdraw from the study, the duration of the study, and the participant's signature and date. Each of these elements is necessary to meet HIPAA requirements. However, it is important to note that some institutions require a "stand alone" authorization that is separate from the ICF. In addition, some states may also require stand alone authorization. The sponsor needs to be aware of local regulations and policies.
FDA Web Sites to Bookmark
The National Institutes for Health have also published a guidance document on Clinical Research and the HIPAA Privacy Rule.9 These guidances indicate that it is not necessary to have a stand alone HIPAA disclosure. Compliance with the Privacy Rule can be accomplished with an appropriate ICF.
The Privacy Rule reinforces the importance of the informed consent process in clinical trials. It is important that the research participant be given a copy of the ICF in the language used during the consenting process. The Privacy Rule emphasizes that the consent authorization "must be written in plain language."9 If the investigator and sponsor prepare an adequate ICF and conduct an effective informed consent process, there is nothing in the Privacy Rule that prevents the monitoring of any medical record, including EMRs, even if the EMR is part of a larger record that includes nonresearch related health information. That is no different than the paper-based medical chart that monitors have been reviewing for decades. The question of privacy is resolved with appropriate disclosure in the ICF.
There have been few issues as confusing as the FDA regulation of electronic records and electronic signatures under 21 CFR Part 11. This confusion was compounded when some FDA inspectors probed the Part 11 compliance of hospital EMR systems. This continued even after FDA scaled back enforcement of Part 11 in the August 2003 Part 11 Scope and Application guidance document.13
One of the results of industry's Part 11 concerns is that sponsors began taking a closer look at the EMR systems in use at clinical sites. Sponsors wished to ensure that their data was being collected and recorded in a system that FDA would find acceptable. It is important to note that FDA has not asserted jurisdiction of medical institution EMR systems for compliance with Part 11. Instead, they issued the guidance document, Computerized Systems Used in Clinical Investigations in May 2007.14 This document is essentially protocol specific and does not mention EMR systems at institutions.
The concept of protocol specific compliance is very important. FDA regulates drugs, medical devices, and biologic products and not the practice of medicine. A case history can be used to illuminate this point.
Steps for Sponsors Using EMRs
A clinical study coordinator was approached by a sponsor with a lengthy questionnaire regarding the institution's compliance with Part 11.15 The sponsor wanted a detailed response from the institution's IT department. The IT members were not familiar with Part 11 and adhered to different technical standards. The questionnaire was not necessary because the FDA does not have jurisdiction over an institution's recordkeeping, only the investigator's records for a specific protocol. If the electronic recordkeeping system is specific to the protocol, it should follow the May 2007 guidance. If the institution's recordkeeping system is used for the practice of medicine, then it is not in FDA's jurisdiction. Essentially, sponsors should make sure that their own systems are compliant for their specific protocol, not the institution's. However, this does not mean that Part 11 should be ignored. In fact, the May 2007 guidance is instrumental in helping to ensure that records generated by an EMR system are GCP compliant. There is a continuing need for quality standards for recordkeeping of clinical research.
An example is when it is the intention to print EMRs and use them in a subject case history for a clinical trial. Then, it should be done in a manner consistent with FDA guidance. The guidance document allows for a certified copy to be made of an electronic record. Using certified copies is one way of maintaining data integrity of EMRs. The guidance requires a dated signature to attest that the EMR has "all of the same attributes and information as the original."
Developing quality standards is best done at the beginning of the study. Sponsors must familiarize themselves with the recordkeeping system of each clinical site and work with investigators and study staff to establish consistent documentation of protocol required data. When using EMRs it is necessary to establish the source document and how the integrity of that document will be maintained.
A look at another case study can show us why.16 A clinical site printed out an EMR and used it as a worksheet or study "source document" in a clinic chart. Several copies of the printout existed with undated and unsigned handwritten annotations. There were three or more versions of the same intake summary or operative report, each with different data. This is in direct conflict with the recordkeeping maxim of Attributable, Legible, Contemporaneous, Original, and Accurate (ALCOA). This resulted in an audit finding that was discussed with the investigator and study staff. It easily could have resulted in an inspectional finding listed on a FDA Form 483 Inspectional Observations during an FDA inspection.
Sometimes it is necessary for a monitor or auditor to travel to a specific workstation at a location other than the investigator's offices to review an institution's EMRs. That should be determined at the beginning of the study and built into a monitoring or auditing plan. Case report forms (CRFs) need to be compared against source documents. If the source document is a printed EMR, then the monitor needs to periodically verify the accuracy of the printed version. First, it should be a Certified Copy with a dated signature. If the source document is the EMR, then the monitor needs to have access to the EMR to do the comparison with CRFs. This is particularly important for review of adverse events (AEs). If the EMR is not reviewed, then review of AEs is not occurring.
The inherent problem with EMRs is the fact that they can be changed over time. The need to document certain data at a certain point in time can be addressed with the "certified copy." For example, if you want to document adverse events at study visit three, then you need to have some means of documenting data entry on the date of visit three.
Here again we encounter the concept of a protocol specific electronic record. If the clinical investigator wants to use an EMR to document a protocol required activity, then a certified copy is a useful tool. However, if the source document remains in a medical center's EMR system, while the sponsor and FDA have the right to review it, there is no way to guarantee that the record has been changed since the protocol required activity occurred. It is a difficult situation that sponsors and investigators are grappling with.
Electronic medical records and computerized systems are now a part of daily life, but EMRs still have a way to go before they can actualize everything that's expected of them. In the mean time, sponsors can take steps to ensure the protection of each participant's privacy and the integrity of data captured on EMRs.
1. G. Bush, 2006 State of the Union Address, The White House Web site, http://www.whitehouse.gov/stateoftheunion/2006 (access
ed December 22, 2007).
2. J.W. Goldwein et al., Abstract No. 6626, Journal of Clinical Oncology, 2007 ASCO Annual Meeting Proceedings, Part 1 Vol. 25, No. 18S (June 20 Supplement) 2007: 6626.
3. M. Mowry and D. Constantinou, "Electronic Health Records: A Magic Pill?" Applied Clinical Trials, February 2007.
4. J.C. Crosson et al, "Electronic Medical Records and Diabetes Quality of Care: Results From a Sample of Family Medicine Practices," Annals of Family Medicine, 5: 209-215 (2007).
5. Code of Federal Regulations, Title 21, Part 312 Section 56(a) (U.S. Government Printing Office, Washington, DC).
6. Code of Federal Regulations, Title 21, Part 812 Section 25(e) (U.S. Government Printing Office, Washington, DC).
7. U.S. Department of Health & Human Services, Health Insurance Portability and Privacy Act of 1996 (U.S. Government Printing Office, Washington, DC).
8. Code of Federal Regulations, Title 21, Part 11 (U.S. Government Printing Office, Washington, DC).
9. Code of Federal Regulations, Title 45, Parts 164-168 (U.S. Government Printing Office, Washington, DC).
10. Code of Federal Regulations, Title 21, Part 312.62(b) (U.S. Government Printing Office, Washington, DC).
11. Food and Drug Administration, "ICH E6 Good Clinical Practice: Consolidated Guidance, Section 4.9.7, Federal Register 62 (90), 25691-25709 (May 1997).
12. Code of Federal Regulations, Title 21, Part 50 Section 25(a)(5) (U.S. Government Printing Office, Washington, DC).
13. Code of Federal Regulations, Title 45, Part 164 Section 508(c)(2) (U.S. Government Printing Office, Washington, DC).
14. Food and Drug Administration, Guidance for Industry: Part 11 Electronic Records; Electronic Signatures—Scope and Application (FDA, Rockville, MD, 2003).
15. Food and Drug Administration, Guidance for Industry: Computerized Systems Used in Clinical Investigations (FDA, Rockville, MD, 2007).
16. Author's client correspondence, 2006.
17. Author's client correspondence, 2006.
Carl Anderson is a regulatory compliance consultant based in Tacoma, WA, email: email@example.com