Sponsor Site Questionnaire FAQs Regarding Maestro Care




Data Security and Validation

1. Are the electronic source documents or computer systems specific to the site and/or developed by the site?
   a. Developed by Epic
2. Is the computer system Internet Based?
3. Does the computer system use a Local Area Network?
4. What is the primary use of the computer system?
   a. Electronic Medical Records System (EMR)
   b. Lab Information System (ECG, Xray, Etc.)
5. Are there procedures and/or manuals available at the site that describe:
   a. how to install and maintain the system: No (see below)
   b. how to validate a system: No (see below)
   c. how to operate and use the system: Yes
   d. how to back up the data in the system and, if necessary, recover the data: Yes
   e. how users of the system are trained: Yes
   f. alternative methods for recording the information normally gathered by the system (in case of system unavailability): Yes (see below)
   g. how data in the system will be archived or otherwise retained after the study is completed: Yes
   Epic is a network-based application, so sites do not install anything locally. Everything is installed, tested, and maintained by the Maestro Care team, and they maintain the necessary documentation for this. There are downtime procedures for each Duke site to follow in case of system or network unavailability.
6. Is this system validated? (i.e. Is there documentation available to verify that the system was installed correctly and all functions to be used for the study have been tested to ensure they accurately, reliably and consistently perform as intended?)
   In terms of validation of our Epic environment, there is an extensive testing process that was employed before go-live, and would also be used prior to any major changes to the system, to validate its functionality. This process was built on best practices provided by Epic, but also included test cases built by Duke for our environment. Documentation regarding these procedures and the results is maintained by the Maestro Care team. It should be noted that while this testing is extensive, we are not making any claims that our testing would be in line with FDA 21 CFR Part 11 compliance requirements.
7. Is the computer system validated under 21 CFR Part 11?
   a. No, Duke Medicine's Epic EMR system is not validated under 21 CFR Part 11. However, we maintain compliance with HIPAA and consider electronic signatures within the Epic system to be legally binding.

8. Is the computer hardware kept in a secure location?
   All of Duke's Epic servers are located in secured data center facilities.
9. Is the location of the data physically secure (for example, computer server and data tapes in locked room)?
10. Does the computer system have a virus detection/protection program?
   Anti-malware protection software is employed on all systems that are commonly affected by malware.
11. How are modifications/system enhancements handled?
   a. We have a change management process to document the promotion of system changes from development through test and production environments. Changes are reviewed by a Change Advisory Board before being allowed to proceed.
12. In the event of power outage, is there a power backup available?
13. Is the data in the system backed up on a regular basis? Please comment as to how frequently this occurs. Are back-ups maintained in a secure location?
   Backed up daily and maintained in a secure location.
14. Is there a process for backing up the data in the system?
   There is a nightly data backup.
15. Is the data backup sent offsite?
   a. No
16. Is there a process for restoring data from backup media?
17. In the case of system failure, what back-up procedures are available and how are they accessible?
   a. The production Epic environment is shadowed in near-real time to a recovery system that allows quick failover in the case of system downtime. Epic's Business Continuity Access (BCA) devices are also deployed to allow for local access at clinic locations in the case of network downtime.
18. Is there a procedure that describes how data backups are made and kept? Does this procedure address disaster recovery?
19. Is there a procedure that describes electronic record retention?
   a. Epic uses an enterprise-wide data repository that requires no data archiving or purging of electronic records from the system. This configuration ensures that complete electronic patient records are immediately available to authorized users.

20. Are the electronic records archived in accordance to local regulations for clinical studies or patient records, whichever is longer?
   a. Epic uses an enterprise-wide data repository that requires no data archiving or purging of electronic records from the system. This configuration ensures that complete electronic patient records are immediately available to authorized users.
21. Is there periodic testing to ensure continued functionality of all validated processes?
   a. Our Maestro Care environment has an extensive testing and change management process to verify correct operation of the system, but we need to be careful about the use of the word "validation" as that might imply that we meet 21 CFR Part 11's validation procedures, which we don't.
22. Does the audit trail indicate the reason a change was made, if the reason is not obvious?
   a. We have formal change management processes that include documentation and approval of all changes.
23. Does the site have SOPs regarding system and process management of EMR systems (i.e., system maintenance, security requirements, training, back-up, etc.)?
24. Is there a plan on how to continue with business in the event of a system failure?

User Access and Electronic Signatures

25. Are procedures in place for use of the computer system?
26. Does the EMR system have a User Manual?
   Epic provides extensive documentation for the system. In addition, Duke develops custom documentation as-needed for localized features or functions.
27. Are users trained on how to operate the computer system?
   a. All users are required to complete a customized training curriculum before being provided access to Duke's Epic environment.
28. Is the user training documented?
29. Are unique user IDs and passwords required to access the system?
   a. Unique User IDs and passwords are maintained through Duke's enterprise-wide identity management system, which provides automated mechanisms to limit access to Duke systems based on an individual's affiliation with Duke as a faculty, staff, or student, or as a sponsored guest.
30. Is each individual's user ID unique and never reassigned to a different individual?
31. Are individual users required to periodically change their password and not share it with other individuals?

32. How many log-in attempts are allowed before it locks the user's account?
   a. Three
33. Does the system automatically log off the user after idle periods?
34. Is there a procedure that describes how User IDs and passwords will be maintained?
   a. Unique User IDs and passwords are maintained through Duke's enterprise-wide identity management system, which provides automated mechanisms to limit access to Duke systems based on an individual's affiliation with Duke as a faculty, staff, or student, or as a sponsored guest. In addition, access to Duke's Epic EHR environment is provided only to those who have a legitimate need, and there are automated tools in place to manage the process for authorizing these requests. Password policy requirements (e.g. complexity, aging, lock-out, and re-use restrictions) are implemented through Active Directory.
35. Is there a procedure that describes System Administration access vs. User access?
   a. Epic's multi-leveled role-based security architecture allows you to determine each user's type and level of access. Access to specific operations is granted through a user's specific configuration of User Role, User Security Classifications, and Profile settings:
      User Role assignments determine what buttons and menu bar options are available to users. Each role is also associated with a timeout action and number of minutes the system can be left inactive before it logs the user out or secures the session.
      Security Classifications determine whether a user can access specific menus, functions and features. A dietician, for example, would not need to see all of the features and information that a nurse or physician would. Dieticians are able to work more quickly and efficiently seeing only the features and information they need. You can assign users separate Security Classifications that correspond with each area where the users work.
      Profiles determine which content appears to a member or members of a functional role. For example, a Profile setting determines which Patient Summary reports are available to a user, assuming they have security to see Patient Summary reports at all. Profiles can be assigned to individual users, department and unit workstations, or Security Classifications.
36. Is a log kept and maintained under change control detailing who has system access and what level of access (for example, System Administrator, User, Read Only)?
37. Will the Monitor have access to the electronic health records?
   Through the Release to Inspector report.
38. Will the Monitor for the clinical trial be issued read-only access with a password to access the electronic data for subjects participating in the clinical trial?
39. Does your institution require the Monitor to complete a site-specific access request form and/or complete an online course before accessing the system?
   a. No, the study team will request access for the monitor through Health Information Management (HIM) and an online course is not required for monitors.

40. Is the clinical investigator able to ensure accurate and complete electronic and printed readable copies of electronic records, suitable for review and copying?
   a. Clinical investigator can ensure accurate and complete electronic records. However, these may not be printed or copied for Monitor use without de-identification.
41. Will a monitor, auditor, or inspector be able to directly access the information for the study that is in the system? (e.g. Will the monitor be given a unique User ID and password to be able to log into and view data within the system?)
   They will be provided with a PDF Release to Inspector report.
42. Are there restrictions that prevent Monitor access to identifiable personal information for patients not involved in this study?
43. Do you use electronic signatures?
   All electronic signatures executed by Duke employees, agents or representatives, located anywhere in the world, are the legally binding equivalent of traditional handwritten signatures. Additionally, examples of actions that the System automatically date-, time-, and user-stamps include:
44. If you are using electronic signatures, does it have the following? User ID, password, date stamp, time stamp, the meaning associated with the signature (for example, review, approval, responsibility and/or authorship, etc.).
   Examples of actions that the System automatically date-, time-, and user-stamps include:

45. When an electronic signature is used does the electronic record display the full printed name of the signer?
46. Does the record contain the date and time the electronic signature was executed?
47. Does the record contain the meaning (e.g. review, approval, responsibility, authorship) of the electronic signature?
   Examples of actions that the System automatically date-, time-, and user-stamps include:
48. Does the signer's name, and the date, time, and meaning of every electronic signature appear on every display or printout of the signed record?
49. Does the system require the use of all components (i.e. user ID and password) for the first signature in a signing session?
50. Are there any changes planned to the system which may affect access or the method in which source data is recorded?
   a. No
51. After the trial is closed, are e-records available for access during the records retention period?
52. Can archived electronic medical records be retrieved for a regulatory inspection after the study is closed?
53. In regards to electronic signatures:
   a. Is the electronic signature protected from intentional or unintentional misuse?
   b. Is the electronic signature protected from cutting and pasting to other records?
   c. Is the electronic signature made invalid when a signed record is altered?
      i. The answer to the above questions is yes.
54.

Audit Trail

55. Is there an audit trail in the system to capture changes to data? If yes, does the system keep a record of all data captured and all changes made to this data? Does the change contain the following items in the audit trail? User name/id of who authored the change, date stamp, time stamp, reason for change, original data is accessible within the history of the change.
   Epic's clinical applications capture an extensive audit trail that includes the user ID, date and time of access, and contact record accessed. Examples of actions that the EpicCare Enterprise Clinical System automatically date-, time-, and user-stamps include:
56. Can the audit trail be printed out?
57. Does the audit trail record the identity of the operator, the date and time of the operation, and the previously recorded information (if any)?
58. Is the audit trail switched on from the point of data entry?
59. Can the audit trail be edited?
   a. No