Research Documentation and Data Security


Research Documentation: What to Write, What to Save, How to Store It
Tracy Rightmer, J.D.
Compliance Manager
December 16, 2008
Objectives

Discuss essential elements of a data and document management plan
Present strategies for efficient management of research related documentation
Highlight effective tools for use in managing study files
Discuss some common audit findings
Describe measures for ensuring subject confidentiality and data storage
International Conference on
Harmonization

The International Conference on
Harmonization of Technical
Requirements for Registration of
Pharmaceuticals for Human Use (ICH)
is a unique project that brings together
the regulatory authorities of Europe,
Japan and the United States and
experts from the pharmaceutical
industry in the three regions to discuss
scientific and technical aspects of
product registration
ICH

The purpose is to make
recommendations on ways to achieve
greater harmonization in the
interpretation and application of
technical guidelines and requirements
for product registration in order to
reduce or obviate the need to duplicate
the testing carried out during the
research and development of new
medicines
E6:Good Clinical Practice
Consolidated Guidance

An international ethical and scientific
quality standard for the design,
conduct, performance, monitoring,
auditing, recording, analyses, and
reporting of clinical trials
GCP


Compliance with this standard
provides public assurances that the
rights, safety and well-being of trial
subjects are protected, consistent with
the Declaration of Helsinki, and that
the clinical trial data are credible
Provide a unified standard to facilitate
internal acceptance of clinical data by
the regulatory authorities in these
jurisdictions
GCP 2.10

All clinical trial information should be
recorded, handled, and stored in a way
that allows its accurate reporting,
interpretation, and verification
Documentation is Essential




“If it isn’t documented, it didn’t happen”
Viewed as a bother, but invaluable if a
problem arises
No one method is mandatory (no one-size-fits-all solution)
But there are certain essential
elements
Range of Complexity

Simple anonymous survey or use of
de-identified existing samples
Versus

Multi-site coordination of a double-blinded drug study with 12 visits over two years
Jargon



“Regulatory Binder”
“Case Report Forms”
“Source Documentation” (original
documents, data and records, such as
hospital records, lab reports, subjects’
diaries, pharmacy records, etc.)
Jargon



Memo To File or Note to File
An amendment is an amendment
(Study personnel added via
amendment)
Approaches to research
documentation

Chronological

By topic/section

Some combination of the two
Maintain copies of all final
documents





History or ‘bread-crumb trail’ or ‘show
your work’
Word-processing functions such as
‘track changes’
Header/footer use for version/dates
Version Control: only one version is
‘active’ at a point in time
Future electronic submission will
necessitate strict electronic version
control
Important sections of a regulatory
binder



Protocol (including all amendments
and all versions)
Consent forms and HIPAA research
authorization forms (approved by IRB)
Regulatory approvals (IRB, RSC,
PRC, etc) and any required
reapprovals
Important sections, cont’d



All correspondence, including emails,
letters, faxes, notes of phone calls
Signature log, including name, initials,
signature, dates of involvement, and
study responsibilities
Recruitment materials, including
letters, advertisements, flyers, website
postings, etc (approved by IRB)
Delegation of Responsibilities Log
SAMPLE FORM
Note: The PI is ultimately responsible for all aspects of the study.
Title/Study #: ____________________
Principal Investigator: ____________________ Coordinator: ____________________
Facility/Department/Division: ____________________
*Record staff responsibilities using the following codes, list all that apply:
A) Subject Recruitment
B) Obtains Informed Consent
C) Performs Study Assessments
D) Assesses Subject for Adverse Events
E) Administers Study Medications
F) Drug Accountability
G) Regulatory Reporting/Paperwork
H) Data Management
I) Other: _____________________
Columns: Study Personnel Printed Name; Title; Study Personnel Role (e.g. PI, Investigator, Coordinator, Pharmacist, etc.); Responsibilities* (list all letters that apply); Training Date; Signature of Study Personnel; Initials of Study Personnel; Obligation Start Date; Obligation End Date; PI Signature and Date
Important sections, cont’d

Samples of all forms to be used for
data collection, including screening
logs, eligibility checklists, case report
forms, drug accountability logs

Assessment tools to be used
Any subject who signs a consent form is considered enrolled regardless of whether they are screen failures.
Columns: Screening #; Screen Date; ID #; Race/Ethnicity*; Gender; Screen failure Reason**; Enrollment (Date ICF Signed; Consented By); Study Completion (Date of Study Completion or Early Withdrawal; Reason for withdrawal***); Comments
Rows 1 to 10, each with a field labelled Hispanic
Use the appropriate number that applies.
*Race/Ethnicity
1. American Indian or Alaska Native
2. Asian
3. Native Hawaiian or Other Pacific Islander
4. Black or African American
5. White
6. More Than One Race
7. Unknown or Not Reported
**Screen Failures
1. Subject did not meet entry criteria(s)
2. Subject withdrew consent
3. Lost to follow-up
4. Other, specify in comments.
***Reasons for Withdrawals
1. Subject's request
2. AE/SAE
3. Lost to follow-up
4. Protocol non-compliance
5. Death
6. Other, specify in comments.
Important sections, cont’d

Any reporting requirements, such as






Annual report to FDA
Continuing review approved by IRB
Adverse event reports
Protocol deviation/violation reports
Evidence of periodic monitoring (per the
protocol’s DSMP)
DSMB recommendations (if any)
Important sections, cont’d

Versions of all sponsor materials, if
applicable, including:





Sponsor’s clinical protocol,
Investigator’s Brochure,
Amendments,
Sponsor’s correspondence
Records of monitoring visits
ICH Essential Documents
Those documents which individually and collectively permit evaluation of a trial and the quality of the data produced
Focus heavily on pharmaceutical-sponsored trials
Include groups of documents, generated before the trial commences, during the clinical trial, and after termination of the study

GCP Essential Documents

Many sponsor-related items, such as





CVs of investigators
1572s
Laboratory certifications
Laboratory normal values
Master randomization list with plan to
decode
Individual Subject Files








Consent form and RAF, signed and dated*
Eligibility Checklist
Enrollment note
Visit flowchart
Case report forms
Lab data
AE summary
Patient diaries
Enrollment Note Template
SAMPLE FORM
[It is recommended that investigators create enrollment notes when enrolling subjects into their
study to document the consent process. This template is offered as a guide but investigators are
encouraged to create their own study specific templates as appropriate or to use a written
(rather than check list) form of enrollment note to fit their individual needs.]
Title/Study #:
Principal Investigator:
Subject Name: _________________________
ID#: _________________________
Yes
No
1. Subject has met inclusion criteria.
2. Subject has no exclusion criteria.
3. Informed consent was obtained prior to any study procedures being
performed.
4. Subject was provided with an explanation of study procedures, risks,
benefits, and alternatives, was given the opportunity to ask questions,
and agrees to participate.
5. Subject was given a copy of the informed consent.
6. Contact information of research staff given to subject.
7. Additional information:
Signature ________________________________________
Date _____________
*Separate storage
Signed consent forms
Key linking identifiers to codes
Study Termination/Close-out



Final report
Publication
Retention and storage of regulatory
documents per requirements
More complex scenarios


Yale PI is the Sponsor-investigator of
an IND, or the lead investigator on a
multi-site study
Additional responsibilities, including
maintaining CVs and training
certificates of all personnel from all
sites, and IRB approvals (and
reapprovals) from all sites
Multi-site coordination



Lead PI is responsible for data integrity
and data and safety monitoring
Monitoring is an evaluation of the
clinical research process which should
occur throughout the life of the
protocol
Lead PI is responsible for informing all
co-investigators of progress, and
events such as SAEs, etc
Common Audit Findings
AEs: 11%
Eligibility: 16%
ICF Issues: 52%
Training: 21%
Famous Last Words



We always do our safety follow-up
phone contacts.
The PI verifies all subjects’ eligibility
before enrollment.
We ask about AEs at every visit.
The 1st Rule to Data Storage
How do I store my data?

SECURELY!
Data Security

Recent developments:




Loss of a CD with identified data
Theft of a laptop with identified data
Theft of a desktop computer with
identified data
Theft of a briefcase with identified data
Best practices



Work in progress
Several task forces working on these
issues
Review some basics to think about
and incorporate into practice
Confidentiality



Common Rule has always required
that confidentiality be protected to the
extent possible
Good medical practice also
incorporates pledges of confidentiality
Steps must be taken to minimize the
risk of breaches of confidentiality
Common Rule definition


Private information includes information about
behavior that occurs in a context in which an
individual can reasonably expect that no
observation or recording is taking place, and
information which has been provided for
specific purposes by an individual and which
the individual can reasonably expect will not be
made public (for example, a medical record)
Private information must be individually
identifiable (i.e., the identity of the subject is or
may readily be ascertained by the investigator
or associated with the information) in order for
obtaining the information to constitute research
involving human subjects
HIPAA



Adds layers of ensuring privacy and
data security
HIPAA Security focuses on electronic
media, but Privacy covers all forms of
data
Uses somewhat different definitions
Both CR and HIPAA


Need to get permission to access,
share personal information, via
consent or authorization.
If authorized, sharing is allowed per
the specifics of the approved
documents
Jargon

Anonymous
Coded
De-identified

Terms are not synonymous!


Jargon
Anonymous:
1: not named or identified <an
anonymous author> <they wish to
remain anonymous>
2 : of unknown authorship or origin
<an anonymous tip>
3 : lacking individuality, distinction, or
recognizability
Merriam-Webster, on-line
Jargon
Coded:
a system used for brevity or secrecy of communication, in which arbitrarily chosen words, letters, or symbols are assigned definite meanings
Dictionary.com

Implies there is a link somewhere
Jargon
De-identified:
Not a word
Usually thought to refer to stripping the 18 HIPAA identifiers (including dates)
So may be more stringent than anonymous, but also could be coded or not
Jargon
Anonymous is not de-identified nor coded
Some use the term ‘no identifiers’
Anonymous should be reserved for
situations when there are no identifiers
and no code to link back
Anonymous would allow recording of
dates
Coded



Some code is used to track subjects
and their data
Must be master file listing identifiers
(name) with code to allow decoding,
addition of new data
NEVER store the link with the data
Separate
means
separate!
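One way to produce a coded data set with the master file kept apart from the data, as an added example that is not part of the original presentation. The record layout, the field names in IDENTIFIER_FIELDS and the S-XXXXXXXX code format are assumptions, and the sample records are constructed.

```python
import csv
import io
import secrets

# Constructed sample records; every name, number and value is made up.
RAW = [
    {"name": "Jane Roe", "mrn": "MRN-000111", "visit": "1", "systolic": "128"},
    {"name": "John Doe", "mrn": "MRN-000222", "visit": "1", "systolic": "141"},
    {"name": "Jane Roe", "mrn": "MRN-000111", "visit": "2", "systolic": "122"},
]
IDENTIFIER_FIELDS = ("name", "mrn")  # assumption: the columns that identify a subject


def split_coded(records, link=None):
    """Return (coded_rows, link); link maps identifier tuple -> study code.

    Pass an existing link back in to add new data for subjects already coded.
    """
    link = dict(link or {})
    coded = []
    for rec in records:
        key = tuple(rec[f] for f in IDENTIFIER_FIELDS)
        while key not in link:
            code = "S-" + secrets.token_hex(4).upper()  # random, not derived from identifiers
            if code not in link.values():
                link[key] = code
        row = {"code": link[key]}
        row.update({k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS})
        coded.append(row)
    return coded, link


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def leaks_identifiers(coded_csv, link):
    """True if any identifier value from the link appears in the coded file."""
    return any(value in coded_csv for key in link for value in key)


coded_rows, link = split_coded(RAW)
coded_csv = to_csv(coded_rows)  # the data file: codes and measurements only
link_csv = to_csv([dict(zip(IDENTIFIER_FIELDS, k), code=c) for k, c in link.items()])
# link_csv is the master file; it is written to a different, access-restricted location.
```

Running leaks_identifiers over the data file before it is copied anywhere is a quick check that the link has not been stored with the data.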
Jargon

Moveable media: CDs, diskettes, jump drives, laptops, palm tops, Blackberry, flash drives
Encryption
Secure networks
Password protection
Advice

Do not keep data with identifiers on
moveable media

May become more than just advice
Advice
“Tell them never to leave their laptops in the back seat of the car.”
Kristina Borror, OHRP
Other methods to secure data





Password protection
Fingerprinting
Auto log-off
Lock-down cables on laptops
Restrictions on downloading
Confidentiality section of the HIC
application





Describe all sites where data will be
used or stored
Describe how the data will be
transmitted or transported
Describe specifically who will have
access
Describe how the data will be secured
If copies of data are on moveable
media, describe security measures for
these media
Sharing with co-investigators


Avoid unprotected email
Coded data best
Destruction


Old data/old computers
Via ITS, Procedure 1609, Media Control:
http://mire.med.yale.edu/hipaapolicies/



When use or retention of any media containing confidential
information (including protected health information) is completed, the
confidential information must be destroyed, rendered unrecoverable,
or returned to the system owner.
The primary means for electronic media reuse is zeroing, or
degaussing and the primary means for electronic media disposal is
zeroing, degaussing, or physical destruction, as applicable to the
medium.
Deleting data or reformatting the disk is NOT if electronic media
contains electronic Protected Health Information or other confidential
information.
Destruction cont.




Zeroing uses a disk utility (e.g., Data Removal Service
software) to write “zero” to all areas of a disk, thereby
overwriting any data that may be on the disk. Zeroing is
required rather than simply formatting or initializing the disk
which simply marks the disk as blank, so that it only appears
empty - other disk utilities are available that can "unformat" the
disk and recover the data, so formatting/reformatting is not an
acceptable practice.
Degaussing or demagnetizing is a procedure that reduces the
magnetic flux on the disk to virtual zero by applying a reverse
magnetizing field. Degaussing a magnetic storage medium
removes all the data stored on it.
In general, other electronic media (DVD, CD, diskette, zip
drive etc.,) must be physically destroyed to be rendered
unreadable.
Medical campus: use the online instructions or contact the
ITS-Med Help Desk http://its.med.yale.edu/help/
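Why formatting is not zeroing, shown on a toy in-memory disk image, as an added example that is not part of the original presentation or of the Data Removal Service software. The image layout (a directory in sector 0, file data further in) and the sample file content are constructed for illustration.

```python
SECTOR = 512


def make_image(sectors=64):
    """Constructed toy disk: sector 0 is the directory, later sectors hold file data."""
    img = bytearray(SECTOR * sectors)
    img[0:16] = b"DIR:subjects.csv"
    payload = b"name,dob,diagnosis\nJane Roe,1970-01-01,example\n"  # constructed record
    img[SECTOR * 5:SECTOR * 5 + len(payload)] = payload
    return img


def quick_format(img):
    """Marks the disk as blank by clearing only the directory sector."""
    img[0:SECTOR] = bytes(SECTOR)


def zero(img, chunk=SECTOR * 8):
    """Writes zero to every area of the image, chunk by chunk."""
    for off in range(0, len(img), chunk):
        n = min(chunk, len(img) - off)
        img[off:off + n] = bytes(n)


def looks_empty(img):
    """What a file browser reports: only the directory sector is consulted."""
    return not any(img[0:SECTOR])


def first_nonzero(img, chunk=SECTOR * 8):
    """Verification pass: offset of the first non-zero byte, or None if fully zeroed."""
    for off in range(0, len(img), chunk):
        block = img[off:off + chunk]
        if any(block):
            return off + next(i for i, b in enumerate(block) if b)
    return None


formatted = make_image()
quick_format(formatted)   # appears empty, data sectors untouched
zeroed = make_image()
zero(zeroed)              # every byte overwritten

print("formatted: looks empty =", looks_empty(formatted),
      "| first non-zero offset =", first_nonzero(formatted))
print("zeroed:    looks empty =", looks_empty(zeroed),
      "| first non-zero offset =", first_nonzero(zeroed))
```

The verification pass is the part worth keeping in practice: a medium counts as zeroed only when a full read finds no non-zero byte.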
Conclusions



Take steps to develop a specific
document management plan tailored
to the protocol
Take steps to implement data security
measures
Stay tuned!
References



Common Rule: http://www.hhs.gov/ohrp/humansubjects/guidance/45cfr46.htm
ICH GCP: http://www.fda.gov/cder/guidance/959fnl.pdf
HIPAA Privacy and Security: http://info.med.yale.edu/hic/hipaa/index.html
Quotable Quotes






If it isn’t documented, it didn’t happen
No one-size-fits-all solution
How do I store my data? Securely!
Bread-crumb trail
Separate means separate
An amendment is an amendment