Assessing the potential impact of ICH E6 R3 on Electronic Health Records (EHRs). Help is available!

Section 4.3 of the draft guidance indicates that the sponsor should review whether the systems used by the investigator/institution (e.g., electronic health records and other record keeping systems for source data collection) are fit for purpose in the context of the trial.

Other expectations include (not an exhaustive list):

  • The responsible party (i.e., the investigator) should ensure that security controls are maintained for computerised systems.
  • These controls should include user management and ongoing measures to prevent, detect and/or mitigate security breaches.
  • Aspects such as user authentication requirements and password management, firewall settings, antivirus software, security patching, system monitoring and penetration testing should be considered.
  • The responsible party (i.e., the investigator) should maintain adequate backup of the data.
  • Procedures should cover the following: system security measures, data backup and disaster recovery.
  • The responsible party (i.e., the investigator) is responsible for the validation status of the system throughout its life cycle.
  • Validation should demonstrate that the system conforms to the established requirements for completeness, accuracy, and reliability and is consistent with intended performance.

It all sounds overwhelming. After all, the Investigator likely has little say in what system an institution might use. The reality is that the IT department in most institutions is already doing this work and there likely are processes and procedures in place to address most, if not all, of these requirements.

I found this out myself back in the day when sponsors started asking whether EHRs were Part 11 compliant. It took forever to get answers to my questions from a large health care provider but once I got to the right IT person and they understood why I was asking the questions, I learned more about Installation Qualification (IQ), Operational Qualification (OQ) and Performance Qualification (PQ) than I ever cared to know. Then FDA came out and said they did not intend to assess institutional EMRs/EHRs for Part 11 compliance, so the issue of validation became a moot point.

Now the with the EU guidance on computerized systems (which becomes effective in September) and the ICH E6 R3 draft guidance, which is global in nature, the questions around system validation are back on the table.

The good news is that the eClinical forum has developed an Investigator Site eSource Readiness Assessment (eSRA) Tool. Many of the data points needed for clinical research originate in electronic health records, making the EHRs “eSource” for clinical research. Even if these data points are printed from the EHRs and then re-entered into an EDC (Electronic Data Capture) system for a clinical trial, the source of the information must still be confirmed as compliant with standards set forth in regulations (ALCOA++) and applicable guidance documents. The questionnaire helpfully suggests which questions should be answered by your IT department and once completed can be given to any sponsor a stie is working with. It is free for sites to download, comes with instructions and is being used globally. As for IQ, OQ and PQ, they occur in that order to ensure the system is fit for use and functions according to user requirements.