GCP, CFR21 Part 11, and HIPAA Compliance Statement

Revision 5.0 - updated February 12th, 2019

Purpose

SMART-TRIAL is designed to be used for data collection and management in clinical research. Measures have been implemented in SMART-TRIAL to ensure that good clinical practice (GCP), CFR21 Part 11, and HIPAA can be complied with. This statement clarifies the specific measures which have been implemented.

Application

This document is applicable to those responsible for GCP, regulatory affairs, or QA for organisations that have either implemented, or are to implement, SMART-TRIAL as a clinical data collection tool. The information provided herein is intended only to assist organisations in using SMART-TRIAL correctly to comply with GCP, FDA CFR-21 Part-11, and HIPAA. This information alone cannot be used to prove that any of these standards were fulfilled, as this requires internal management control.

References

  1. Security & Service Statement

Statement

1. Standard Operating Procedures

All clients of SMART-TRIAL can access a standard operating procedure (SOP) template which can assist study stakeholders in using SMART-TRIAL correctly, to fulfill the requirements set out in, e.g., GCP.

2. Security and Backup Notice

It shall be noted that all aspects of security, quality control, hosting services, and backup procedures have already been described in the Service & Security statement which is publicly available from [1].

3. Audit Log/Trail

A full audit log (audit trail) is recorded and stored for every action within a specific study in SMART-TRIAL, i.e. viewing, creating, updating, deleting. Study owners, or those allowed access to the audit log, are able to review these actions and specific attribute changes (e.g. subject information or any form answers), and to export the complete log.

4. Reason for Change and Reason for Exclusion

When a change is made to a form answer, a reason for change must be clarified by the editor. When a patient is excluded or discontinued, a reason must be defined by a user.

5. Monitoring Review and Lock

SMART-TRIAL has a special read-only module which can be used by monitors to review data in a simple yet structured manner. Monitors can gain access to data collected by both subjects and investigators, while also being able to review AE/SAE/SAR forms, audit logs, etc. Users with a specific Monitor role can also lock individual answers, after which no data entry or changes are possible unless the answer is unlocked.

6. Query Feature

Users with specific query permissions can create queries on individual form answers. This allows users to correct values/answers according to query comments etc. Notifications about queries are sent to users who are responsible for completing the query.

7. Direct Validation of Data

All input fields have dynamic input validation. Forms have both pre-defined input validation and user-specific validation. This means that subjects or users who are to fill out forms are not able to complete input without complying with the form-specific input rules. This not only ensures that answers to forms are within the correct range, but also guides participants in answering the forms.

8. Two-Factor Authorization

All users, whether or not they have access to subject information, answers, or study design, can only log into SMART-TRIAL using two-factor authentication. The system requires all users to authenticate with a strong password, a unique username, and a unique one-time code sent to their mobile number. See more information about authentication and authorization in [1].

9. Subject Authentication

SMART-TRIAL supports individual subject authentication. The system ensures that all subjects receive unique links, sent to the subject’s private e-mail address or mobile number, for an individual subject form response. In addition, the system also supports unique SMS code authentication for subjects for every unique response link: if requested, subjects will receive a unique code via SMS or e-mail which is required to complete their form response. This should ensure that all users authenticated within the system are indeed the owner of the user profile being used.

10. Permission Based Access

All access within a study is permission based. A study owner is responsible for defining which permissions all collaborating users have within a study. For every collaborator added to the study, a set of permissions must be enabled/disabled. This should allow study owners to specify in detail what information/actions each study collaborator will have access to.

11. Adverse Event (AE or SAE) and Serious Adverse Reaction Reports

SMART-TRIAL supports adverse event, serious adverse event, and serious adverse reaction reports. A collaborator will automatically receive a notification if a serious adverse event is registered. All users can submit an adverse event report. However, specific investigator permissions are required to fill out information requiring clinical evaluation, medical history, medication etc. A specific sponsor permission is required to record sponsor-specific information for, e.g., a serious adverse event.

12. Automatic Subject Reminders

To improve compliance, automatic e-mail and SMS reminders can be specified for all data events. SMART-TRIAL will then handle sending out reminders to all subjects at specific time points defined by the process design.

13. Access to Raw Data

Study owners, or collaborators with sufficient permission, always have access to a full raw dataset from a study. This means that at any time all form and subject data can be exported from the system. Export of a complete raw data set requires all users to enter a unique two-factor SMS code before gaining access to the function.

14. Electronic Signatures

All SMART-TRIAL users have their own unique user signature, which is acquired during login. Any action made within a study is recorded in an audit log, where the signature of each user contains its unique SMART-TRIAL id, email, password, two-step verification code, and timestamp. SMART-TRIAL study creators can choose to implement additional electronic signature support for their study. This allows study managers to add an additional signature to e.g. form entry and other critical actions within the system, by providing their signature via password authentication.

15. System Validation and Verification

As noted in [1], SMART-TRIAL is designed and developed in conformance with the IEC-62304 standard while following MEDEI’s quality management system, where software is design controlled according to ISO 13485. SMART-TRIAL is a documented software system and has been validated and verified. This means that SMART-TRIAL clients do not have to perform any validation on the software. If required, customers can request a copy of MEDEI's declaration of conformity and SMART-TRIAL release certificates.

16. Answer Notes

Users responsible for inputting data into forms (eCRFs) can input custom notes for individual answers if required to clarify missing data or misleading answers.

17. User Acceptance Test (UAT)

SMART-TRIAL clients are responsible for performing and documenting UAT of their study setup in SMART-TRIAL. This can easily be done by pressing "Test Study" in SMART-TRIAL, which enables study managers to test the study setup, just like in production, by enrolling up to 5 subjects.

18. Access to Personal Identifiable Information

SMART-TRIAL provides a special "subject attribute selection" for every study. These attributes shall be used to collect all subject identifiable information. Any study collaborator who must be able to see identifiable information that is collected with a subject attribute must have a specific "identifiable information" permission. Users who do not have this permission will only be able to see non-identifiable information, such as subjectID. SMART-TRIAL cannot ensure compliant access control of personal identifiable information which is collected outside of subject attributes, such as information collected within a form. Make sure that identifiable information is ONLY collected in subject attributes, if you e.g. need to comply with HIPAA.

Are we missing something?

If you have any questions regarding GCP, compliance, technical documentation, validation, or SOPs, you are always welcome to contact us via support