Good Clinical Practice Guide

Thread: Electronic Source Data Access for Monitors and Inspectors

  1. #1
    Forum Member
    Join Date
    Jul 2017

    Electronic Source Data Access for Monitors and Inspectors

    Recently, University Hospital Southampton NHS Foundation Trust have encountered some queries surrounding our processes as the Trust moves to a new Electronic Document Management System (EDMS).
    Working with our organisation IT team, we have been through a long process of ensuring not only that our record keeping for patient notes is compliant with the regulations and other legislation but also that it can be accessed by monitors and inspectors.
    When a monitor comes on site they are given a monitor account whereby they can log into the Trust patient records, on a read only basis, via a Trust computer. This account is fully auditable by the IT department and the R&D QA Manager. There are a number of safeguards built in, for example there are only 3 people in the Trust that can request these accounts, the name of the monitor and the study they are working on is recorded; they are only accessible through Trust managed computers; and they are time limited to expire when the Monitor is off-site.
    All Monitors are asked to sign a code of conduct which sets out their responsibilities. Monitors are expected to formally record all patient records accessed, and any inadvertent access in case of error (to avoid potential inappropriate disciplinary report to the Monitor’s employer). UHS contracts with Sponsors state that Data protection and confidentiality will be maintained by employees of the Sponsor or CRO. This is considered best practice to avoid the need for personal supervision of external organisation employees accessing hospital systems.
    The process has been in active use since January with no real issues. However, more recently, the process has been questioned as the MHRA Position Statement and Guidance on Electronic Health Records (2015) states: Access to the system should be available for inspectors and sponsor representatives (e.g. monitors and auditors), which is limited to trial patients. This will enable source data verification of clinical trial subjects whilst protecting the confidentiality of non-trial patients.
    As we said, we went through a long process of development with our IT team to enable access but it is not possible to limit access to just those records of participants entered onto a study. We are confident that, with the safeguards we have put in place, the confidentiality of all of our patients is protected.
    I would be interested in what solutions other Trusts have put in place and whether they have encountered similar problems.

  2. #2
    I too would be extremely interested in hearing about the type of solution that Trusts have put in place. I concur with the MHRA position on this topic; if non-Trust personnel are being granted access to EHRs, it is absolutely essential that they only have the ability to access the EHR of the specific patients in the clinical trial. Ideally, the security permissions in the EHR system should limit access to specific components of the EHS, though I appreciate that this is an even more difficult ask. Apart from the issues of breaking patient confidentiality by providing a level of access that is not limited to specific patients, there are GDPR issues too. The monitor has no legal basis for being given access to other patients' records, even if he/she doesn't actually access them. It is not appropriate to provide a level of access that theoretically gives that visibility to EHRs. The 2015 guidance was published to avoid these situations arising; in the intervening 3 years, the technology should have been brought in line with regulatory requirements I think.

  3. #3
    Dear All

    The MHRA GCP inspectorate queried the access to Trust electronic health record systems, which do not limit access to monitors, with the Information Commissioner's Office (ICO). The ICO responded that the onus is on the Trust to demonstrate that the monitor has only accessed those records permitted (e.g. patients which have provided consent for the monitor(s) to access their source records). Therefore, there should be an agreement in place between the Trust and Monitor(s) to ensure only trial participants' records will be accessed for which consent has been obtained, the access should be read only and the system should have an audit trail. The audit trail should then be checked by the Trust to ensure that the monitor is only accessing those records which they have permission for, thereby verifying compliance with the terms of the access agreement.

    I hope this clarifies the issue. However, if you have further specific questions you can send a query to the Clinical Trials Helpline:

    Kind Regards,

    MHRA Moderator

  4. #4
    Forum Member
    Join Date
    Nov 2011
    The important phrase is :- “onus is on the Trust to demonstrate that the monitor has only accessed those records permitted”.
    To check all audit trails for all monitors/auditors/Inspectors access to all visits, by all subjects, would be resource intensive and not proportionate to the risk.
    In keeping with ICH E6 (R2) and the EMA risk proportionate guidance, a risk based approach could be taken. For instance, the audit trail for say 80% (or more) of the first accesses by the monitors/auditors/inspectors to subjects' records, could have the audit trail checked. Then if all is fine, subsequently a “spot check” (pseudo-randomized) of say 10% of the audit trails of future accesses, could be checked. Obviously there needs to be a procedure (SOP) for this and a process for documenting this QC and an escalation process for reporting discrepancies/problems. This procedure would also document the system capabilities and how they work in conjunction with organisational security measures to maintain data integrity and confidentiality.
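
Added example, not part of the original thread or any Trust's system: the audit-trail reconciliation from post #3 combined with the risk-based sampling from post #4, run over a constructed audit export. The record layout, the account and study names, and the reading of "first accesses" as the first time an account opens a given patient's record are assumptions; both sampling tiers are drawn in one pass here.

```python
import math
import random
from collections import namedtuple

Access = namedtuple("Access", "account study patient action")

# Constructed sample data: consented participants per study and an audit trail export.
CONSENTED = {"STUDY-A": {"P001", "P002", "P003"}}
TRAIL = [
    Access("mon-01", "STUDY-A", "P001", "read"),
    Access("mon-01", "STUDY-A", "P002", "read"),
    Access("mon-01", "STUDY-A", "P001", "read"),
    Access("mon-01", "STUDY-A", "P777", "read"),   # not a trial participant
    Access("mon-01", "STUDY-A", "P003", "read"),
    Access("mon-01", "STUDY-A", "P002", "read"),
    Access("mon-01", "STUDY-A", "P003", "read"),
]

def reconcile(events, consented):
    """Return events outside the access agreement: non-participant record or non-read action."""
    return [e for e in events
            if e.patient not in consented.get(e.study, set()) or e.action != "read"]

def split_first_and_repeat(events):
    """Assumed reading of 'first accesses': first time an account opens a given patient's record."""
    seen, first, repeat = set(), [], []
    for e in events:
        key = (e.account, e.patient)
        (repeat if key in seen else first).append(e)
        seen.add(key)
    return first, repeat

def select_for_qc(events, first_rate=0.8, spot_rate=0.1, seed=0):
    """Pick 80% of first accesses and a 10% pseudo-random spot check of repeat accesses."""
    rng = random.Random(seed)  # fixed seed so the selection can be reproduced for the QC record
    first, repeat = split_first_and_repeat(events)
    pick = lambda pool, rate: rng.sample(pool, math.ceil(rate * len(pool)))
    return pick(first, first_rate), pick(repeat, spot_rate)

if __name__ == "__main__":
    firsts, spots = select_for_qc(TRAIL)
    for e in reconcile(firsts + spots, CONSENTED):
        print("escalate:", e)
```

Recording the seed alongside the QC result lets a later reviewer regenerate the same selection from the same audit export.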
