Title: Research Documentation: What to Write, What to Save, How to Store It
1Research Documentation What to Write, What to
Save, How to Store It
- Tracy Rightmer, JD, CIP
- Compliance Manager
- December 8, 2009
2AAHRPP ANNOUNCEMENT
- For the past year Yale has been preparing for
national accreditation of its human research
protection program. - Revised old policies, created new policies new
website going live later this month - Structural changes
- Kathy Uscinski has been named director of the
HRPP, and all of Yales IRBs fall under her
administrative authority. - School of Nursing IRB has merged with the HIC,
and their protocols will be reviewed by either
the HIC or the HSC, depending on design. - Application will be submitted this month.
- Must be reviewed and approved by AAHRPP
- Onsite visit (probably next spring). We will be
notified of who the review team wants to
interview, and we will work with all potential
interviewees in preparation for the visit. - Well be providing informational emails to the
community, updating you on the process. If you
have any questions, email Jean Larson at
jean.larson_at_yale.edu.
3Objectives
- Discuss essential elements of a data and document
management plan - Present strategies for efficient management of
research related documentation - Highlight effective tools for use in managing
study files - Describe measures for ensuring subject
confidentiality and data storage
4International Conference on Harmonization
- A unique project that brings together the
regulatory authorities of Europe, Japan and the
United States and experts from the pharmaceutical
industry in the three regions to discuss
scientific and technical aspects of product
registration
5ICH
- Purpose to make recommendations on ways to
achieve greater harmonization in the
interpretation and application of technical
guidelines and requirements for product
registration in order to reduce or obviate the
need to duplicate the testing carried out during
the research and development of new medicines
6E6Good Clinical PracticeConsolidated Guidance
- An international ethical and scientific quality
standard for the design, conduct, performance,
monitoring, auditing, recording, analyses, and
reporting of clinical trials.
7GCP
- Compliance with this standard provides public
assurances that the rights, safety and well-being
of trial subjects are protected, consistent with
the Declaration of Helsinki, and that the
clinical trial data are credible. - Provide a unified standard to facilitate internal
acceptance of clinical data by the regulatory
authorities in these jurisdictions.
8GCP 2.10
- All clinical trial information should be
recorded, handled, and stored in a way that
allows its accurate reporting, interpretation,
and verification.
9Documentation is Essential
- If it isnt documented, it didnt happen
- Viewed as a bother, but invaluable if a problem
arises - No one method is mandatory (no one-size-fits-all
solution) - But there are certain essential elements
10Range of Complexity
- Simple anonymous survey or use of de-identified
existing samples - Versus
- Multi-site coordination of a double-blinded drug
study with 12 visits over two years
11Jargon
- Regulatory Binder (File that contains all HIC
communication, approvals, sponsor materials,
etc.) - Trial Master Files
- Case Report Forms (CRFs capture the data the
sponsor wants) - Source Documentation (original documents, data
and records, such as hospital records, lab
reports, subjects diaries, pharmacy records,
etc.)
12Approaches to research documentation
- Chronological
- By topic/section
- Some combination of the two
13Maintain copies of all final documents
- History or bread-crumb trail or show your
work - Word-processing functions such as track changes
- Header/footer use for version/dates
- Version Control only one version is active at
a point in time - Future electronic submission will necessitate
strict electronic version control
14Important sections of a regulatory binder
- Protocol (including all amendments and all
versions) - Consent forms and HIPAA research authorization
forms (approved by IRB) - Regulatory approvals (Other IRB, RSC, PRC, etc)
and any required reapprovals
15Important sections, contd
- All correspondence, including emails, letters,
faxes, notes of phone calls - Signature log, including name, initials,
signature, dates of involvement, and study
responsibilities - Recruitment materials, including letters,
advertisements, flyers, website postings, etc
(approved by IRB)
16Important sections, contd
- Samples of all forms to be used for data
collection, including screening logs, eligibility
checklists, case report forms, drug
accountability logs - Assessment tools to be used
17Important sections, contd
- Any reporting requirements, such as
- Annual report to FDA
- Continuing review approved by IRB
- Adverse event reports
- Protocol deviation/violation reports
- Evidence of periodic monitoring (per the
protocols DSMP) - DSMB recommendations (if any)
18Important sections, contd
- Versions of all sponsor materials, if applicable,
including - Sponsors clinical protocol
- Investigators Brochure
- Amendments
- Sponsors correspondence
- Records of monitoring visits
19ICH Essential Documents
- Those documents which individually and
collectively permit evaluation of a trial and the
quality of the data produced - Focus heavily on pharmaceutical-sponsored trials
- Include groups of documents, generated before the
trial commences, during the clinical trial, and
after termination of the study
20GCP Essential Documents
- Many sponsor-related items, such as
- CVs of investigators
- 1572s
- Laboratory certifications
- Laboratory normal values
- Master randomization list with plan to decode
21Individual Subject Files
- Consent form and RAF, signed and dated
- Eligibility Checklist
- Visit flowchart
- Case report forms
- Source Documents e.g., Lab data, ECGs, MRIs,
Patient diaries - Adverse Events (AE)
22Separate storage
- Signed consent forms
- Key linking identifiers to codes
23Study Termination/Close-out
- Final report/Form 5C
- Publication
- Local dissemination of results
- Retention and storage of regulatory documents per
requirements
24More complex scenarios
- Yale PI is the Sponsor-investigator of an IND, or
the lead investigator on a multi-site study - Additional responsibilities, including
maintaining CVs and training certificates of all
personnel from all sites, and IRB approvals (and
reapprovals) from all sites
25Multi-site coordination
- Lead PI is responsible for data integrity and
data and safety monitoring - Monitoring is an evaluation of the clinical
research process which should occur throughout
the life of the protocol - Lead PI is responsible for informing all
co-investigators of progress, and events such as
Serious Adverse Events (SAEs), etc
26Common Audit Findings
- 36 of audit issues are related to improper or
lack of documentation - Dont let this happen to you!
- Study Start-up Consultations and personalized
In-services are offered by the HIC - Emails ysmhic_at_yale.edu tracy.rightmer_at_yale.edu
jean.larson_at_yale.edu
27The 1st Rule to Data Storage
- How do I store my data? SECURELY!
- Use common sense when dealing with sensitive
personal data
28Data Security
- Recent developments
- Theft of a laptop with identified data
- Theft of a desktop computer with identified data
(including SSN) - HITECH Act
- Increased penalties. Prior penalties were up to
100 per incident capped at 25,000 per year.
Now 100-50,000 per incident capped at 1.5
million per year. - Unauthorized or inappropriate access to unsecured
PHI could be considered a breach - It is not a breach if it is de-identified or
encrypted. - If it is a breach, must report to patient and to
DHHS within 60 days - If breach involves more than 500 people, must
notify the media and report to DHHS. - All reports to DHHS are available to the public.
- Report all potential breaches to
security_at_yale.edu or 432-3262.
29Best practices
- Work in progress
- Several task forces working on these issues
- Review some basics to think about and incorporate
into practice
30Confidentiality
- Common Rule has always required that
confidentiality be protected to the extent
possible - Good medical practice also incorporates pledges
of confidentiality - Steps must be taken to minimize the risk of
breaches of confidentiality
31Common Rule definition
- Private information includes information about
behavior that occurs in a context in which an
individual can reasonably expect that no
observation or recording is taking place, and
information which has been provided for specific
purposes by an individual and which the
individual can reasonably expect will not be made
public (for example, a medical record) - Private information must be individually
identifiable (i.e., the identity of the subject
is or may readily be ascertained by the
investigator or associated with the information)
in order for obtaining the information to
constitute research involving human subjects
32HIPAA
- Adds layers of ensuring privacy and data security
- HIPAA Security focuses on electronic media, but
Privacy covers all forms of data - Uses somewhat different definitions
33Both CR and HIPAA
- Need to get permission to access, share personal
information, via consent or authorization. - If authorized, sharing is allowed per the
specifics of the approved documents
34Jargon
- Anonymous
- Coded
- De-identified
- Terms are not synonymous!
35Jargon
- Anonymous
- 1 not named or identified ltan anonymous authorgt
ltthey wish to remain anonymousgt2 of unknown
authorship or origin ltan anonymous tipgt3
lacking individuality, distinction, or
recognizability - Merriam-Webster, on-line
36Jargon
- Coded
- a system used for brevity or secrecy of
communication, in which arbitrarily chosen words,
letters, or symbols are assigned definite
meanings - Dictionary.com
- Implies there is a link somewhere
37Jargon
- De-identified
- Not a word
- Usually thought to refer to stripping the 18
HIPAA identifiers (including dates) - So may be more stringent than anonymous, but also
could be coded or not
38Jargon
- Anonymous is not de-identified nor coded
- Some use the term no identifiers
- Anonymous should be reserved for situations when
there are no identifiers and no code to link back - Anonymous would allow recording of dates
39Coded
- Some code is used to track subjects and their
data - Must be master file listing identifiers (name)
with code to allow decoding, addition of new data - NEVER store the link with the data
40 41Jargon
- Moveable media CDs, diskettes, jump drives,
laptops, palm tops, Blackberry, flash drives,
thumb drives - Encryption
- Secure networks
- Password protection
42Advice
- Do not keep data with identifiers on moveable
media - May become more than just advice
43Advice
- Tell them never to leave their laptops in the
back seat of the car. - Kristina Borror,
- OHRP
44Other methods to secure data
- Password protection
- Fingerprinting
- Auto log-off
- Lock-down cables on laptops
- Restrictions on downloading
45Confidentiality section of the HIC application
- Describe all sites where data will be used or
stored - Describe how the data will be transmitted or
transported - Describe specifically who will have access
- Describe how the data will be secured
- If copies of data are on moveable media, describe
security measures for these media
46Sharing with co-investigators
- Avoid unprotected email
- Coded data best
47Destruction
- Old data/old computers
- Via ITS, Procedure 1609, Media Control
- http//mire.med.yale.edu/hipaapolicies/
- When use or retention of any media containing
confidential information (including protected
health information) is completed, the
confidential information must be destroyed,
rendered unrecoverable, or returned to the system
owner. - The primary means for electronic media reuse is
zeroing, or degaussing and the primary means for
electronic media disposal is zeroing, degaussing,
or physical destruction, as applicable to the
medium. - Deleting data or reformatting the disk is NOT
sufficient if electronic media contains
electronic Protected Health Information or other
confidential information.
48Destruction cont.
- Zeroing uses a disk utility (e.g., Data Removal
Service software) to write zero to all areas of
a disk, thereby overwriting any data that may be
on the disk. Zeroing is required rather than
simply formatting or initializing the disk which
simply marks the disk as blank, so that it only
appears empty - other disk utilities are
available that can "unformat" the disk and
recover the data, so formatting/reformatting is
not an acceptable practice. - Degaussing or demagnetizing is a procedure that
reduces the magnetic flux on the disk to virtual
zero by applying a reverse magnetizing field.
Degaussing a magnetic storage medium removes all
the data stored on it. - In general, other electronic media (DVD, CD,
diskette, zip drive etc.,) must be physically
destroyed to be rendered unreadable. - Medical campus use the online instructions or
contact the ITS-Med Help Desk http//its.med.yale.
edu/help/
49Conclusions
- Take steps to develop a specific document
management plan tailored to the protocol - Take steps to implement data security measures
- Stay tuned!
50References
- Common Rule http//www.hhs.gov/ohrp/humansubjects
/guidance/45cfr46.htm - ICH GCP http//www.fda.gov/ScienceResearch/Specia
lTopics/RunningClinicalTrials/GuidancesInformation
sheetsandNotices/default.htm - HIPAA Privacy and Security http//info.med.yale.e
du/hic/hipaa/index.html - HIC http//info.med.yale.edu/hic/
51Take-Away
- If it isnt documented, it didnt happen
- No one-size-fits-all solution
- How do I store my data? Securely!
- Bread-crumb trail
- Separate means separate
- An amendment is an amendment