FDA Issues New Guidance on Use of EHR Data in Clinical Investigations

The U.S. Food and Drug Administration has released new guidance on the use of EHR data in clinical investigations and emphasized that appropriate controls should be put in place to ensure the confidentiality, integrity, and availability of data.

While the guidance is non-binding, it provides healthcare organizations with valuable information on steps to take when deciding whether to use EHRs as a source of data for clinical investigations, how to use them and ensure the quality and integrity of EHR data, and how to make sure that any data collected and used as an electronic source of data meets the FDA’s inspection, recordkeeping and data retention requirements.

The aim of the guidance is to promote the interoperability of EHR and EDC systems and facilitate the use of EHR data in clinical investigations, such as long-term studies on the safety and effectiveness of drugs, medical devices, and combination products.

The guidance does not apply to data collected for registries and natural history studies, the use of EHR data to evaluate the feasibility of trial design or as a recruitment tool for clinical investigations, or the use of EHR data in postmarketing observational pharmacoepidemiologic studies that assess adverse events and risks associated with drug exposure or those that are designed to test prespecified hypotheses for such studies.

The FDA is aware that EHRs have the potential to provide researchers with access to real-time data for reviews and allow post-trial follow-ups on patients to determine the long-term effectiveness of specific treatments. They also provide access to the data of large numbers of patients, which can be particularly useful in clinical investigations, especially when certain outcomes are rarely observed. The use of EHR data in clinical investigations is broadly encouraged by the FDA.

However, it is important for best practices to be adopted to ensure patient privacy is protected, data integrity is maintained, and data are secured at all times.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 required the Office of the National Coordinator of Health IT (ONC) to establish a voluntary certification program for Health IT. Certified EHRs comply with 45 CFR part 170 of the HITECH Act which covers interoperability and data security and confirms EHRs meet minimum requirements for privacy and security.

The FDA recommends that only certified EHR systems are used in clinical investigations and that policies and procedures on their use should be developed. The FDA recommends that a list of EHR systems is maintained, detailing the manufacturer of the system, the model number, version number, and whether it is certified by ONC.

There may be times when EHRs are de-certified by ONC during the clinical investigation, as they may no longer meet appropriate standards. In such cases, sponsors should determine the reason for de-certification and its impact on the quality and integrity of data used in the clinical investigation.

At times, it may be necessary to incorporate data from EHR systems used in other countries, which are not certified by ONC. While the use of data from these systems is acceptable, and can be highly beneficial for clinical investigations, sponsors should evaluate whether the systems have appropriate privacy and security controls in place to ensure the confidentiality, integrity, and availability of data.

Sponsors should ensure that policies and procedures for these EHRs are in place at the investigation site and appropriate measures have been implemented to protect study data. They must also ensure that access to the electronic systems housing the EHRs is limited to authorized personnel. Authors of the records must be clearly identifiable, audit trails need to be maintained, and records need to be available and retained for FDA inspection.

If these controls are not in place, sponsors should consider the risks associated with using those systems, including the potential for harm to research subjects, the impact on data integrity of the clinical investigation, and the regulatory implications.

The guidelines also suggest EHRs not certified by ONC should meet various data standards, and the guidance offers advice about choosing between structured and unstructured data, and the validation of interoperability between EHRs and electronic data capture (EDC) systems.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.