Equal benefits to our residential courses, without the travel.View Courses
All our courses. 12 months access. One flat fee.More Information
Non-members can signup to keep up to date with RQA news and events.Add your details now
1st December 2020
The following guidance has been jointly developed by the Heath Research Authority (HRA) and MHRA, in consultation with the Information Commissioners Office (ICO), on behalf of the UK.
Published 26 November 2020
This guidance is for Sponsors, Contract Research Organisations (CROs) and investigator sites when considering management of personal data processed in relation to research. It should be read in conjunction with the HRA/MHRA joint advice on Data Protection Impact Assessments (DPIAs). In this context ‘processing’ also means access to EHRs.
The data collected and analysed during clinical trials are verified and overseen by clinical trial Sponsors via representatives such as Clinical Research Associates (CRAs) or monitors. They will review the medical records to ensure that they match the data collected by the Sponsor, via Source Data Verification (SDV). The trial participants consent to this access of their medical records in writing, as part of the consent to take part in the clinical trial.
Increasingly, medical records are now electronic (Electronic Health Records; EHRs) and this poses the following challenges:
Historically, monitors could be provided with the physical records of individual trial participants, without also providing them access to the records of other patients. Where EHRs have been designed to allow similarly restricted access, access may continue to be provided as it has been. Where EHRs do not have this functionality, additional safeguards are required.
Provision of research monitor access to EHRs should be an integral part of organisational level (or EHR level) planning and risk assessment. EHR system design should ensure research monitor access is limited to only the records of clinical trial participants and that this access is auditable.
Where EHR systems have not been designed to allow this, this should be addressed at the next system update.
Where EHR systems are not yet able to restrict monitor access to the records of only their clinical trial participants, resorting to printouts from the EHR is not an appropriate mitigation or safeguard. This should be addressed in organisation (or EHR) level risk assessments and short-term mitigations implemented pending system update.
Such short-term mitigations should include:
It is not appropriate or necessary for monitors and investigators sites to enter into further non-disclosure agreements.
Standard training for monitors on use of the specific EHR, to cover actions to be taken in the event of any inadvertent breach
Where this restricted access is not possible MHRA has seen that some NHS organisations have been printing out medical records for monitors to review.
MHRA Inspectors have encountered several issues with this approach. For example, information is not always available, as medical histories have been incomplete and important information has been missing, due to the printed report settings.
MHRA has seen gaps in printouts as reports are generated from one date to another and these are not always continuous; in some cases, this has resulted in weeks of missing data and also missing safety information. Additionally, information can be held in annotations in the systems that are also not printed out, such as causality assessment for adverse events. The practice of printing out these records also places a burden on the investigator sites.
Printing out an EHR risks the loss of some or all of the data should it need to be moved within the site. This creates a risk of inappropriate disclosure, distress and harm to patients, data breach and possible enforcement action.
Printed data may also be out of date due to the time taken to collate it, or incomplete due to incompatibilities in the IT system, which would increase the risk of breaching GDPR and may have a negative impact on the clinical trial.
When paper patient records are lost (or found in places where they are not supposed to be) there is a significant impact on public trust. If patients are not confident that their data will be kept securely, it may hinder their willingness to participate in clinical trials
Published 26 November 2020