PREP Course # 25: Going Electronic?

Transcription

1 PREP Course # 25: Going Electronic? Presented by: Cerdi Beltre, Administrative Director, Clinical Research Service Martin L. Lesser, PhD, EMT-CC, Director and Investigator, Biostatistics Unit David Ballard, PhD, Director of Research Informatics, Assistant Investigator

2 CME Disclosure Statement The North Shore LIJ Health System adheres to the ACCME s new Standards for Commercial Support. Any individuals in a position to control the content of a CME activity, including faculty, planners, and managers, are required to disclose all financial relationships with commercial interests. All identified potential conflicts of interest are thoroughly vetted by the North Shore-LIJ for fair balance and scientific objectivity and to ensure appropriateness of patient care recommendations. Course Director, Kevin Tracey, has disclosed a commercial interest in Setpoint, Inc. as the cofounder, for stock and consulting support. He has resolved his conflicts by identifying a faculty member to conduct content review of this program who has no conflicts. Cerdi Beltre, Martin L. Lesser, and David Ballard have nothing to disclose.

3 Objectives Provide overview of regulations and policies relating to electronic records. Discuss current solutions within our health system for: Safeguarding electronic PHI Resources available: Research Data Informed Consent Regulatory Binder

4 Research - Going Electronic In 2003, an estimated 95% of clinical trials relied on paper record. In the past several years, a dramatic increase in the adoption of electronic records A recent study suggests that 24% of physicians currently using some form of electronic health record, with the adoption rate much higher in larger practices than in small practices. Lots of EMR s are being rolled-out throughout the health system Reference: 1. Tufts Center for the Study of Drug Development, CROs Provide Gateway to Worldwide Clinical Trial Recruitment Efforts, Impact Report, July/August Kristin Brooks, CRO Industry Update: Growth, Expansion, and New Opportunities, Contract Pharma, May 2006.

5 New Era In 2011, Pfizer announced that it is conducting the first all-electronic clinical trial. The FDA has approved Pfizer s trial, which is being conducted under an investigational new drug (IND) application. The 16-week trial will evaluate the safety and efficacy of the drug Detrol la, which treats overactive bladder. It will compare the results of this electronic trial with the results of a traditional Phase IV trial completed in The aim is to replicate the results; if this happens, it will signal the electronic approach as a very viable and improved option for future clinical trial conduct. Reference: Pfizer Conducts First Electronic Clinical Trial Beginning of a New Era in Clinical Research? Link:

6 How do we go paperless? Comply with HIPAA Security Standards, HITECH, policies, etc. Ensure CRF Part 11 compliance (FDA when regulated) Have electronic means of capturing study data CRFs, Source, Regulatory Documents 6

7 The HIPAA Security Rule Establishes national standards to protect e-phi that is created, received, used, or maintained by a covered entity (we are an organized healthcare arrangement). Requires administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of e-phi. Office of Civil Rights (OCR) is responsible for issuing periodic guidance Check-out CMS HIPAA Security Series (Google it or follow link: tml) Reference: U.S. Department of health & Human Services. Improving the health, safety, and well-being of America. Health Information Privacy The Security Rule. Link: 7

8 HITECH Breach Notification rule HHS issued regulations requiring health care providers, health plans, and other entities covered by HIPAA to notify individuals when their health information is breached. The breach notification requirements only apply to breaches of "unsecured" PHI. The HITECH Act mentions only two methods for securing PHI: encryption and destruction. >500 Individuals <500 HHS Secretary on a annual basis HHS Secretary Individuals Media 8

9 21 CFR Part CRF Part 11 - defines the criteria under which electronic records and electronic signatures are considered to be trustworthy, reliable and equivalent to paper records. Applies to e-records created, modified, maintained, archived, retrieved, or transmitted under any records requirements set by the FDA or any e-records sent to the FDA even if not specified in regulations. Being re-evaluated but FDA intends to exercise enforcement discretion with certain parts (i.e. validation, audit trail, record retention, record copying). HIPAA security still applies. Source: Guidance for Industry- Part 11, Electronic Records; Electronic Signatures Scope and Application 9

10 Where are our policies?

11 Safeguarding Electronic Media Containing PHI Type of electronic media containing PHI Administrative Physical Technical Excel Spreadsheet or Word Applications/Software, Access Database, Large Data Files (i.e. images, video) Password protected and encrypt file Access limited to those authorized Track access (Data Insight -end of 2012) Automatic backup to health system server Employee training and security awareness Request and file copy of HIPAA security certificate Process for managing passwords including creation, changes, safeguarding and promoting common sense precautions System that tracks access and provides reports if needed System tracks security incidents and provides reports if needed Process to determine clearance and termination of access Periodic review of access performed Automatic back-up is enabled Individual login/password for this system Data encryption Unauthorized physical access, tampering, and theft controlled with: Locked doors Use of ID badges Plans for the final disposition of data/hardware Create retrievable exact back-up and storage before movement of equipment/data Procedures for the removal of ephi from electronic media before re-use or discarding (i.e. demagnetize or damage beyond repair) Cameras Alarms Warning signs Visitor passes Escorts Security guard Sign-in/sign-out Save on health system server which has: o antivirus software installed and kept turned on o automatic updates to download and install antivirus updates o Detection of intrusion o Prevention of intrusion o Installed a firewall and uses it Authentication (individual login/password for account) Encryption of data when transmitted via Security violations can and will be recorded Each person has unique ID which is appropriate to their role/function and to track user activity. Specify what is used for authentication: (i.e. Pin, password, token, smartcard, biometrics?) Automatic log-off after inactivity Implement policies/procedures to protect data from improper alteration or destruction System has a disaster recovery plan System has an emergency mode operation plan Data will be encrypted when being transmitted Lost data = lost research

12 Set a password and encrypt an Excel spreadsheet 1. Click the Microsoft Office Button, point to Prepare, and then click Encrypt Document. 2. In the Password box, type a password, and then click OK. Reenter password, then click OK. Save the file. Remove password protection from an Excel spreadsheet Use the password to open the spreadsheet. Click the Microsoft Office Button, point to Prepare, and then click Encrypt Document. In the Encrypt Document dialog box, in the Password box, delete the encrypted password, and then click OK. Save the spreadsheet. Source: MS Excel Help 12

13 Developing or integrating software?

14 Current Resources & Solutions

15 Data Management Services and Support from the Biostatistics Unit Martin L Lesser, PhD Director, Biostatistics Unit Feinstein Institute for Medical Research Professor, Departments of Molecular Medicine & Population Health Hofstra North Shore-LIJ School of Medicine

16 Data Management Support Services Case Report Form Development Database Design and Programming Data Entry Procedures (web-based vs non-web-based) Data Quality Assurance: Validation, queries and audits Confidentiality Data Security Data Backup Procedures Report generation Standard Operating Procedures (SOPs) Manual of Operations (MOP) Hardware and Software Configuration

17 Database Architecture Web-based (Coldfusion/JavaScript/MS SQL Server ) Secured web server (username and password) URL -

18 Database Characteristics User-specific logon Site-specific (user can only access their site data) Generate real-time reports (enrollment log, etc.) Each CRF/form has data/form validation and auto calculations (minimize data anomalies) Intelligence added auto selection of inclusion/exclusion form and determination of eligibility Secured web and file server entire database including transaction logs backed up nightly Audit trail

19 CRFs Common to all Databases Subject registration Demographics Baseline clinical data Physical exam Medical History/Cancer History Concomitant medications Laboratory (chemistry, hematology) Radiology BMT common forms Procedures and drug administration Adverse events (AE, SAE) Specimen tracking forms Off-study report (can also use CIBMTR forms)

20 Active Database Applications Udall Parkinson s Disease Database (Eidelberg, NINDS) Litwin-Zucker Memory Disorders Database (Davies, NINDS) RCT of Celecoxib in Recurrent Respiratory Papillomatosis (Steinberg, NIDCD) Clinical Research Center Protocol Tracking (Morgan) Geriatric Ambulatory Psychiatric Clinic Database (Koppel) WOR34 Rheumatoid Arthritis Database Planning Grant (Aranow in development) Other miscellaneous databases

21 Planning a Database Contact the Biostatistics Unit Plan well in advance A properly designed data base (from CRFs to database to SOPs to MOPs) can take up to several months

22 Electronic consent 22

23 North Shore Informatics Group Data management services for Clinical research Electronic CRFs Electronic Data Capture Clinical Alerts Online Consent LIMS Genomics 23

24 Patient Research Information SysteM 24

25 PRISM 25

26 Electronic CRF 26

27 Electronic consent Requirements Electronic Consent must be added to the protocol. Must receive IRB approval. 27

28 Coordinator Workflow 28

29 Participant Workflow Participant Receives 29

30 Participant Workflow 30

31 Final Step Participant and Coordinator Receive 31

32 Electronically Signed Consent 32

33 Data Collected 33

34 Regulatory Binder 34

35 Electronic Regulatory Binder Keep paper source (or certify copy) Monitoring log Delegation of responsibility Signed Consent Forms Source documents Electronic Required education Public Registration of Research Studies Protocol IRB correspondence/ approvals FWA Assurance Screening/Enrollment Advertising/ educational materials Sample tracking and shipping Local lab certificates/reference Ranges Investigational Product information Sponsor correspondence FDA forms CVs, Licenses, COI 35

36

37

38

39

40

41

42

43

44

45

46 Availability of Records 1. All records must be readily available for review and copying. 2. All necessary equipment must be provided to facilitate viewing and copying of the records. 3. A reproduction must be a true and accurate copy of the original record. If the copy does not reveal changes or additions to the original record, the original must be retained. Reference: Inspections, Compliance, Enforcement, and Criminal Investigations, CPG Sec Use of Microfiche and/or Microfilm for Method of Records Retention, link:

47 Certification of originals ALCOA: Electronic source data and source documentation must meet the same fundamental elements of data quality -attributable, legible, contemporaneous, original, and accurate.* Original data: Values that represent the first recording of study data. FDA is allowing original documents and the original data recorded on those documents to be replaced by copies provided the copies are identical and have been verified as such.* Certified Copy: A certified copy is a copy of original information that has been verified, as indicated by a dated signature, as an exact copy having all of the same attributes and information as the original. NOTE: The copy may be verified by dated signature or by a validated electronic process. A certified copy of a source document may serve as a source for a clinical investigation.** Reference: *FDA Guidance Document: Computerized Systems Used in Clinical Investigations (May 2007) **CDISC Clinical Research Glossary, Link: 47

48 Expected Changes Update in IRB Form Purchase of a CTMS Electronic signature Policies/guidance will be created or modified Data Insight end of 2012 Flagging electronic health records Data loss prevention program 48

49 Contacts Cerdi Beltre Clinical Research Service David Ballard, PhD Research Bioinformatics Martin Lesser, PhD Biostatistics

50 Q U E S T I O N S?