FDA Urges Data Security, Controls When Using EHR in Clinical Trials
The Food and Drug Administration issued new guidance on electronic health record data security this week that encourages employing privacy and security controls when performing clinical trials.
The Food and Drug Administration issued new guidance this week that encourages organizations using electronic health record (EHR) data in FDA-regulated clinical investigations to have a robust data management plan in place that prioritizes the integrity of data.
According to the guidance, best practice dictates that when using EHRs at a clinical investigation site appropriate security measures be employed in order to protect the confidentiality of study data. This especially rings true for when organizations use data from clinical studies performed outside the U.S., via EHR systems not cleared by the Office of the National Coordinator (ONC) for Health Information Technology.
Data-centric Security for Healthcare Compliance
In these scenarios the FDA stresses access to electronic systems needs to be limited to authorized users, the authors of records need to be identifiable, and audit trails need to be available in order to track changes to data.
“If the clinical investigation site is using a system that does not contain the adequate controls previously described in the bulleted items, sponsors should consider the risks of employing such systems (e.g., the potential harm to research subjects, patient privacy rights, and data integrity of the clinical investigation and its regulatory implications)” the guidance reads.
The guidance also encourages organizations that maintain EHR for clinical purposes ensure the data is in structured, not unstructured.
Currently EHR technology certified under the ONC Health IT Certification Program has to meet selected privacy and security protection requirements for an individuals' health information.
In most instances, EHR, essentially electronic versions of the charts traditionally found in hospitals or doctor's offices, are subject to the HIPAA Privacy Rule. EHR data can include information on patients like their immunization status, any medication they take, radiology images, or their weight or age.
Like all guidance issued by the FDA, this document, “Use of Electronic Health Record Data in Clinical Investigations” (.PDF) is a recommendation and isn't considered binding. It does represent the federal agency's stance on the topic however.