Recently, University Hospital Southampton NHS Foundation Trust have encountered some queries surrounding our processes as the Trust moves to a new Electronic Document Management System (EDMS).
Working with our organisation IT team, we have been through a long process of ensuring not only that our record keeping for patient notes is compliant with the regulations and other legislation but also that it can be accessed by monitors and inspectors.
When a monitor comes on site they are given a monitor account whereby they can log into the Trust patient records, on a read only basis, via a Trust computer. This account is fully auditable by the IT department and the R&D QA Manager. There are a number of safeguards built in, for example there are only 3 people in the Trust that can request these accounts, the name of the monitor and the study they are working on is recorded; they are only accessible through Trust managed computers; and they are time limited to expire when the Monitor is off-site.
All Monitors are asked to sign a code of conduct which sets out their responsibilities. Monitors are expected to formally record all patient records accessed, and any inadvertently access in case of error (to avoid potential inappropriate disciplinary report to the Monitor’s employer). UHS contracts with Sponsors state that Data protection and confidentiality will be maintained by employees of the Sponsor or CRO. This is considered best practice to avoid the need for personal supervision of external organisation employees accessing hospital systems.
The process has been in active use since January with no real issues. However, more recently, the process has been questioned as the MHRA Position Statement and Guidance on Electronic Health Records (2015) states: Access to the system should be available for inspectors and sponsor representatives (e.g. monitors and auditors), which is limited to trial patients. This will enable source data verification of clinical trial subjects whilst protecting the confidentiality of non-trial patients.
As we said, we went through a long process of development with our IT team to enable access but it is not possible to limit access to just those records of participants entered onto a study. We are confident that, with the safeguards we have put in place, the confidentiality of all of our patients is protected.
I would be interested in what solutions other Trusts have put in place and whether they have encountered similar problems.