Research Documentation: What to Write, What to Save, How to Store It

1
Research Documentation What to Write, What to
Save, How to Store It

• Tracy Rightmer, JD, CIP
• Compliance Manager
• December 8, 2009

2
AAHRPP ANNOUNCEMENT

• For the past year Yale has been preparing for
  national accreditation of its human research
  protection program. 
• Revised old policies, created new policies new
  website going live later this month 
• Structural changes
• Kathy Uscinski has been named director of the
  HRPP, and all of Yales IRBs fall under her
  administrative authority. 
• School of Nursing IRB has merged with the HIC,
  and their protocols will be reviewed by either
  the HIC or the HSC, depending on design.
• Application will be submitted this month.
• Must be reviewed and approved by AAHRPP
• Onsite visit (probably next spring). We will be
  notified of who the review team wants to
  interview, and we will work with all potential
  interviewees in preparation for the visit.
• Well be providing informational emails to the
  community, updating you on the process.  If you
  have any questions, email Jean Larson at
  jean.larson_at_yale.edu.

3
Objectives

• Discuss essential elements of a data and document
  management plan
• Present strategies for efficient management of
  research related documentation
• Highlight effective tools for use in managing
  study files
• Describe measures for ensuring subject
  confidentiality and data storage

4
International Conference on Harmonization

• A unique project that brings together the
  regulatory authorities of Europe, Japan and the
  United States and experts from the pharmaceutical
  industry in the three regions to discuss
  scientific and technical aspects of product
  registration

5
ICH

• Purpose to make recommendations on ways to
  achieve greater harmonization in the
  interpretation and application of technical
  guidelines and requirements for product
  registration in order to reduce or obviate the
  need to duplicate the testing carried out during
  the research and development of new medicines

6
E6Good Clinical PracticeConsolidated Guidance

• An international ethical and scientific quality
  standard for the design, conduct, performance,
  monitoring, auditing, recording, analyses, and
  reporting of clinical trials.

7
GCP

• Compliance with this standard provides public
  assurances that the rights, safety and well-being
  of trial subjects are protected, consistent with
  the Declaration of Helsinki, and that the
  clinical trial data are credible.
• Provide a unified standard to facilitate internal
  acceptance of clinical data by the regulatory
  authorities in these jurisdictions.

8
GCP 2.10

• All clinical trial information should be
  recorded, handled, and stored in a way that
  allows its accurate reporting, interpretation,
  and verification.

9
Documentation is Essential

• If it isnt documented, it didnt happen
• Viewed as a bother, but invaluable if a problem
  arises
• No one method is mandatory (no one-size-fits-all
  solution)
• But there are certain essential elements

10
Range of Complexity

• Simple anonymous survey or use of de-identified
  existing samples
• Versus
• Multi-site coordination of a double-blinded drug
  study with 12 visits over two years

11
Jargon

• Regulatory Binder (File that contains all HIC
  communication, approvals, sponsor materials,
  etc.)
• Trial Master Files
• Case Report Forms (CRFs capture the data the
  sponsor wants)
• Source Documentation (original documents, data
  and records, such as hospital records, lab
  reports, subjects diaries, pharmacy records,
  etc.)

12
Approaches to research documentation

• Chronological
• By topic/section
• Some combination of the two

13
Maintain copies of all final documents

• History or bread-crumb trail or show your
  work
• Word-processing functions such as track changes
• Header/footer use for version/dates
• Version Control only one version is active at
  a point in time
• Future electronic submission will necessitate
  strict electronic version control

14
Important sections of a regulatory binder

• Protocol (including all amendments and all
  versions)
• Consent forms and HIPAA research authorization
  forms (approved by IRB)
• Regulatory approvals (Other IRB, RSC, PRC, etc)
  and any required reapprovals

15
Important sections, contd

• All correspondence, including emails, letters,
  faxes, notes of phone calls
• Signature log, including name, initials,
  signature, dates of involvement, and study
  responsibilities
• Recruitment materials, including letters,
  advertisements, flyers, website postings, etc
  (approved by IRB)

16
Important sections, contd

• Samples of all forms to be used for data
  collection, including screening logs, eligibility
  checklists, case report forms, drug
  accountability logs
• Assessment tools to be used

17
Important sections, contd

• Any reporting requirements, such as
• Annual report to FDA
• Continuing review approved by IRB
• Adverse event reports
• Protocol deviation/violation reports
• Evidence of periodic monitoring (per the
  protocols DSMP)
• DSMB recommendations (if any)

18
Important sections, contd

• Versions of all sponsor materials, if applicable,
  including
• Sponsors clinical protocol
• Investigators Brochure
• Amendments
• Sponsors correspondence
• Records of monitoring visits

19
ICH Essential Documents

• Those documents which individually and
  collectively permit evaluation of a trial and the
  quality of the data produced
• Focus heavily on pharmaceutical-sponsored trials
• Include groups of documents, generated before the
  trial commences, during the clinical trial, and
  after termination of the study

20
GCP Essential Documents

• Many sponsor-related items, such as
• CVs of investigators
• 1572s
• Laboratory certifications
• Laboratory normal values
• Master randomization list with plan to decode

21
Individual Subject Files

• Consent form and RAF, signed and dated
• Eligibility Checklist
• Visit flowchart
• Case report forms
• Source Documents e.g., Lab data, ECGs, MRIs,
  Patient diaries
• Adverse Events (AE)

22
Separate storage

• Signed consent forms
• Key linking identifiers to codes

23
Study Termination/Close-out

• Final report/Form 5C
• Publication
• Local dissemination of results
• Retention and storage of regulatory documents per
  requirements

24
More complex scenarios

• Yale PI is the Sponsor-investigator of an IND, or
  the lead investigator on a multi-site study
• Additional responsibilities, including
  maintaining CVs and training certificates of all
  personnel from all sites, and IRB approvals (and
  reapprovals) from all sites

25
Multi-site coordination

• Lead PI is responsible for data integrity and
  data and safety monitoring
• Monitoring is an evaluation of the clinical
  research process which should occur throughout
  the life of the protocol
• Lead PI is responsible for informing all
  co-investigators of progress, and events such as
  Serious Adverse Events (SAEs), etc

26
Common Audit Findings

• 36 of audit issues are related to improper or
  lack of documentation
• Dont let this happen to you!
• Study Start-up Consultations and personalized
  In-services are offered by the HIC
• Emails ysmhic_at_yale.edu tracy.rightmer_at_yale.edu
  jean.larson_at_yale.edu

27
The 1st Rule to Data Storage

• How do I store my data? SECURELY!
• Use common sense when dealing with sensitive
  personal data

28
Data Security

• Recent developments
• Theft of a laptop with identified data
• Theft of a desktop computer with identified data
  (including SSN)
• HITECH Act
• Increased penalties. Prior penalties were up to
  100 per incident capped at 25,000 per year. 
  Now 100-50,000 per incident capped at 1.5
  million per year.
• Unauthorized or inappropriate access to unsecured
  PHI could be considered a breach
• It is not a breach if it is de-identified or
  encrypted.
• If it is a breach, must report to patient and to
  DHHS within 60 days
• If breach involves more than 500 people, must
  notify the media and report to DHHS.
• All reports to DHHS are available to the public.
• Report all potential breaches to
  security_at_yale.edu or 432-3262.

29
Best practices

• Work in progress
• Several task forces working on these issues
• Review some basics to think about and incorporate
  into practice

30
Confidentiality

• Common Rule has always required that
  confidentiality be protected to the extent
  possible
• Good medical practice also incorporates pledges
  of confidentiality
• Steps must be taken to minimize the risk of
  breaches of confidentiality

31
Common Rule definition

• Private information includes information about
  behavior that occurs in a context in which an
  individual can reasonably expect that no
  observation or recording is taking place, and
  information which has been provided for specific
  purposes by an individual and which the
  individual can reasonably expect will not be made
  public (for example, a medical record)
• Private information must be individually
  identifiable (i.e., the identity of the subject
  is or may readily be ascertained by the
  investigator or associated with the information)
  in order for obtaining the information to
  constitute research involving human subjects

32
HIPAA

• Adds layers of ensuring privacy and data security
• HIPAA Security focuses on electronic media, but
  Privacy covers all forms of data
• Uses somewhat different definitions

33
Both CR and HIPAA

• Need to get permission to access, share personal
  information, via consent or authorization.
• If authorized, sharing is allowed per the
  specifics of the approved documents

34
Jargon

• Anonymous
• Coded
• De-identified
• Terms are not synonymous!

35
Jargon

• Anonymous
• 1 not named or identified ltan anonymous authorgt
  ltthey wish to remain anonymousgt2 of unknown
  authorship or origin ltan anonymous tipgt3
  lacking individuality, distinction, or
  recognizability
• Merriam-Webster, on-line

36
Jargon

• Coded
• a system used for brevity or secrecy of
  communication, in which arbitrarily chosen words,
  letters, or symbols are assigned definite
  meanings
• Dictionary.com
• Implies there is a link somewhere

37
Jargon

• De-identified
• Not a word
• Usually thought to refer to stripping the 18
  HIPAA identifiers (including dates)
• So may be more stringent than anonymous, but also
  could be coded or not

38
Jargon

• Anonymous is not de-identified nor coded
• Some use the term no identifiers
• Anonymous should be reserved for situations when
  there are no identifiers and no code to link back
• Anonymous would allow recording of dates

39
Coded

• Some code is used to track subjects and their
  data
• Must be master file listing identifiers (name)
  with code to allow decoding, addition of new data
• NEVER store the link with the data

40

• Separate means separate!

41
Jargon

• Moveable media CDs, diskettes, jump drives,
  laptops, palm tops, Blackberry, flash drives,
  thumb drives
• Encryption
• Secure networks
• Password protection

42
Advice

• Do not keep data with identifiers on moveable
  media
• May become more than just advice

43
Advice

• Tell them never to leave their laptops in the
  back seat of the car.
• Kristina Borror,
• OHRP

44
Other methods to secure data

• Password protection
• Fingerprinting
• Auto log-off
• Lock-down cables on laptops
• Restrictions on downloading

45
Confidentiality section of the HIC application

• Describe all sites where data will be used or
  stored
• Describe how the data will be transmitted or
  transported
• Describe specifically who will have access
• Describe how the data will be secured
• If copies of data are on moveable media, describe
  security measures for these media

46
Sharing with co-investigators

• Avoid unprotected email
• Coded data best

47
Destruction

• Old data/old computers
• Via ITS, Procedure 1609, Media Control
• http//mire.med.yale.edu/hipaapolicies/
• When use or retention of any media containing
  confidential information (including protected
  health information) is completed, the
  confidential information must be destroyed,
  rendered unrecoverable, or returned to the system
  owner.
• The primary means for electronic media reuse is
  zeroing, or degaussing and the primary means for
  electronic media disposal is zeroing, degaussing,
  or physical destruction, as applicable to the
  medium.
• Deleting data or reformatting the disk is NOT
  sufficient if electronic media contains
  electronic Protected Health Information or other
  confidential information.

48
Destruction cont.

• Zeroing uses a disk utility (e.g., Data Removal
  Service software) to write zero to all areas of
  a disk, thereby overwriting any data that may be
  on the disk. Zeroing is required rather than
  simply formatting or initializing the disk which
  simply marks the disk as blank, so that it only
  appears empty - other disk utilities are
  available that can "unformat" the disk and
  recover the data, so formatting/reformatting is
  not an acceptable practice.
• Degaussing or demagnetizing is a procedure that
  reduces the magnetic flux on the disk to virtual
  zero by applying a reverse magnetizing field.
  Degaussing a magnetic storage medium removes all
  the data stored on it.
• In general, other electronic media (DVD, CD,
  diskette, zip drive etc.,) must be physically
  destroyed to be rendered unreadable.
• Medical campus use the online instructions or
  contact the ITS-Med Help Desk http//its.med.yale.
  edu/help/

49
Conclusions

• Take steps to develop a specific document
  management plan tailored to the protocol
• Take steps to implement data security measures
• Stay tuned!

50
References

• Common Rule http//www.hhs.gov/ohrp/humansubjects
  /guidance/45cfr46.htm
• ICH GCP http//www.fda.gov/ScienceResearch/Specia
  lTopics/RunningClinicalTrials/GuidancesInformation
  sheetsandNotices/default.htm
• HIPAA Privacy and Security http//info.med.yale.e
  du/hic/hipaa/index.html
• HIC http//info.med.yale.edu/hic/

51
Take-Away

• If it isnt documented, it didnt happen
• No one-size-fits-all solution
• How do I store my data? Securely!
• Bread-crumb trail
• Separate means separate
• An amendment is an amendment