QRTI GCP New Page

QRTI Newsline --- Wednesday September 8, 2010

Concerns over Subject Privacy May Block Clinical Studies

By Phyllis B. Kent

Excessive concerns over subject privacy may block clinical studies from being conducted at large institutions due to lack of monitor access to electronic source documents. Many large institutions bar non-hospital employees from accessing electronic medical records.

The recent incident of unauthorized access to George Clooney's medical records (see Exposed: Clooney's Medical Records http://abcnews.go.com/GMA/story?id=3711136&page=1) highlights the need for privacy of medical records. In the traditional paper medical record system, it was much easier to restrict access to a patient's medical chart. A written Authorization for Release of Medical Records had to be signed by the patient before the chart, stored in Medical Records, could be accessed. In clinical research, the subjects authorized study team access via the Informed Consent document.

With the advent of electronic storage of medical records, access can be gained at any computer work station in the hospital facility. Employees of the medical institution have access rights to use the computers and, in many cases, can access any patient's electronic medical record.

To address this situation and to comply with HIPAA regulations, many institutions have implemented additional safeguards that restrict access to medical records..

The Problem for Monitors

Most large institutions now restrict access to the electronic medical records to only those employees granted a "need to know" status. Therefore, monitors cannot gain access to the system because the institutions will not provide visitors with temporary passwords. This makes it impossible to conduct source document verification of the data reported in clinical trials. Prior to the electronic era, monitors were granted direct access to medical records (source data) as long as an informed consent contained a statement of confidentiality and was signed and dated by the patient/subject.

In order to complete the task of source document verification monitors have been gaining access by subverting the system and using the coordinator's password. Working this way bypasses the controls in place to protect patient privacy. Using the coordinator's password, the monitor has access to the electronic records without an electronic trail and therefore becomes attributable to the coordinator rather than the monitor. In addition, investigators and coordinators routinely use this route, although it violates the electronic security policy of most hospitals since because it is much easier and less time-consuming than fighting the hospital administration's rules. Monitors who work this way are endorsing the disregard for the hospital policies. It sends a message that the rules and regulations can be bent when needed. This is not a good message to be conveyed in clinical research which is governed by many regulations and protocol requirements.

The Solutions

In order to prevent problems related to access to electronic source documents, the monitors should determine, during the prestudy visit, what restrictions the hospital has in place. If passwords are provided to monitors, one should be requested as soon as the site is approved, as it may take several weeks to obtain the password. Access should be limited to the study subjects. This prevents the monitor from viewing unauthorized records and protects the privacy of the other patients in the institution. It also provides the appropriate traceability for the records reviewed by the monitor.

If an institution does not provide monitors with their own password, studies should not be placed at the investigational center. The monitor cannot lawfully access the source documents to validate the study data, as required by regulations and study protocols.

Educating the hospital administration

Most administrators are very interested in having research conducted at their facilities. If administrators and IRBs become aware that the studies will not be placed without source document access, they will pursue the necessary changes to provide access. Monitors may have to approach the hospital administration to make them aware of the need for access. They are in the position to realize that we cannot compromise study subject safety and the validation of clinical research because of hospital rules that intend to protect patient privacy but preclude the ability to protect patient safety.