Policies, Procedures & Guidance

Standard Operating Procedures (SOPs) for Clinical Research

Standard Operating Procedures (SOPs) for Clinical Research are established to articulate our expectations for clinical research execution standards that adhere to federal and state regulations and institutional policies.

Sponsor SOPs

Outline purchasing and billing compliance review processes.

SOP 300 — Research Billing Compliance Review

SOP 301 — NETC Parallel Review

Detail expectations for clinical investigators' adherence to federal, state, and institutional requirements.

Operational / Research Technology SOPs detail the requirements for the use of clinical research systems

Manufacturing SOPs detail the requirements to register manufacturing activity and detail the training requirements for all manufacturers

Training SOPs detail the training requirements for all research team members

Clinical Research Guidance

The following are guidelines developed for Penn Medicine clinical research teams and links to helpful external resources. They have been developed in partnership with relevant offices across Penn Medicine.

Requests for space to support the conduct of clinical research may require allocation of UPHS space. Such requests may be triaged for consideration by the Office of Clinical Research in conjunction with the hospital Space Committee who will assist investigators in identifying space and in properly specifying suballocations of space with shared research and clinical research uses for clinical research professionals.

Binder Guidance

Clinical Research Space Allocation Guidance 

Requirements for Protecting PHI and Clinical Research Document Storage 

PSOM Incremental Space Request

The intent of the PSOM Guidance for Adverse Event (AE) Assessment is to provide early, mid and senior career investigators a roadmap on how to investigate, perform, and confirm AE assessments.

Registering Studies and Submitting Results to ClinicalTrials.gov

The following guidance is designed to help the clinical research team navigate the ClinicalTrials.gov (i.e., the Protocol Registration and Results System, or PRS) registration process. If you have any further questions about the process of setting up an account and submitting information to ClinicalTrials.gov, consult the detailed PRS Users Guide published by PRS at https://prsinfo.clinicaltrials.gov/prs-users-guide.html or contact OCR at ocrctgov@pobox.upenn.edu.

Click to review how to register studies and submit results to ClinicalTrials.gov

NIH Data Management & Sharing Policy (2023)

This page is intended to inform the Penn community about the new National Institutes of Health (NIH) policy. The current NIH policy on sharing research data expires January 25, 2023.

More information on how Penn is preparing and providing resources: https://guides.library.upenn.edu/NIH

  • What is new about the 2023 NIH Data Management and Sharing Policy?
    • Beginning on January 25, 2023, ALL grant applications or renewals that generate Scientific Data must include a detailed plan for managing and sharing data through the entire funded period with plans for data dissemination. You must provide this information in a Data Management and Sharing Plan (DMSP). In addition, once the award is made and plan approved, compliance with the DMSP will be a determining condition of the work, meaning it can impact future funding decisions.
  • Why is the NIH making these changes?
    • The NIH is emphasizing good data stewardship with the goals of advancing rigorous and reproducible research and promoting public trust in scientific endeavors.
  • How does the NIH define scientific data?
    • Scientific Data are "the recorded factual material commonly accepted in the scientific community as of sufficient quality to validate and replicate research findings, regardless of whether the data are used to support scholarly publications. Scientific data do not include laboratory notebooks, preliminary analyses, completed case report forms, drafts of scientific papers, plans for future research, peer reviews, communications with colleagues, or physical objects, such as laboratory specimens."
  • Am I required to share my data?
    • The policy encourages efforts to maximize appropriate sharing, but recognizes exceptions (i.e., legal, ethical, or technical reasons). These reasons must be communicated in the NIH DMSP. In addition, sharing plans must be communicated in informed consent documents. In the end, ALL data must be managed, even if not all data can be shared.


Permissions & Guidance:

Data Management:

Sharing Plan:

Data Classification/ Sensitivity

Penn Medicine/ University of Penn classifies data into three categories based on the level of data sensitivity, government regulations and existing PSOM or Penn Medicine policies.

  • Low
  • Moderate
  • High

More information on this and the Penn Data Classification policy can be found here. This includes information on Penn Box and what information can and cannot be stored there. 

  • PSOM Data Handling Policy
  • Cures Act FAQ - see guidance section on Cures Act and Research

Use of PHI in Email for Research

These guidance documents are important to the use of email and PHI in communication with patients and other Penn Medicine staff and employees. Penn Medicine’s Privacy Office and Information Security Office have issued guidance on avoiding and minimizing PHI in email communications. The Office of Clinical Research has collaborated with the Office of Audit Compliance and Privacy (OACP) to create specific guidance on the use of email during the conduct of research studies and clinical trials.

These guidance documents are titled: Avoid and Minimize PHI in Email and Use of Email During the Conduct of Research

As the guidance specifies, spreadsheets of PHI should never be emailed. You may use secure share as an alternative.

Another option is Penn Medicine MS Teams. This tip sheet and PowerPoint provide additional guidance and information on how to share PHI securely via MS Teams. As a reminder, the minimum amount of PHI should always be used and shared.

Use of PHI in Text for Research

The purpose of this document is to provide guidance to researchers considering using texting as a form of communication with study participants. Please note texting may raise privacy concerns on behalf of recipients, especially before subjects have signed consent.

Updated guidance coming soon. Contact the Office of Clinical Research for interim questions.


A Certificate of Confidentiality (CoC) protects the privacy of research subjects by prohibiting the disclosure of identifiable, sensitive research-related data to anyone not connected directly to the research except when a patient/research subject consents to the sharing.

The attached guidance and tip sheet provide a high-level overview of a Certificate of Confidentiality. In addition, they highlight workflows in PennChart that should be used to ensure the CoC provisions are maintained.

Under the 21st Century Cures Act and the new ruling from the Health and Human Services department of the Federal Government, Penn Medicine is required to allow patients increased access to their electronic medical record. The purpose of this Act is to promote the patient’s right to electronically access their information, expand the electronic exchange of health information, standardize and expand the content of the health information dataset, reduce barriers for electronic health information exchange, and prevent health information exchange blocking.

The 21st Century Cures Act also regulates how to share information with patients including research results. The law has provisions for holding results if the release would reveal the results of the study, hence we need the insight of the research team confirming the need to hold or release research results. For more information refer to the guidance document, HERE

General Guidance

Subjects are often offered monetary or non-monetary payments for their participation in research studies. While many options exist, the decision to provide payment to research subjects is generally made to facilitate timely recruitment of subjects for the study and thereby decrease time to study completion, with the consideration of ethics and effectiveness. Accepted justifications for research subject payment include reimbursement for expenses that the subject may incur to participate in the research and/or payment for the subject's time and inconvenience. It is never acceptable to use payment as a benefit to offset the risks of a study. The payment procedures must be detailed in the HS-ERA Protocol Application Form and reviewed by the IRB prior to implementation.



Subject compensation is typically classified as either reimbursement or remuneration.

  • Reimbursement refers to payment, monetary or other form, paid to a subject for out-of-pocket expenses, such as study-related travel, lodging, meals or lost wages.
  • Remuneration refers to payment, monetary or other form, paid to subjects as repayment for their personal time and effort committed to study participation.

All subject payment procedures should be described in the study protocol, HS-ERA Protocol, and the Informed Consent Form, which must be approved by the IRB prior to study initiation. 

Note: Although the IRB may approve subject payments for a protocol, this does not imply that the payment method is allowable under University Financial Policy. The IRB reviews payments to ensure that they will not unduly influence a subject's decision to participate, but it does not review the payment procedures to ensure they follow University Financial Policy. It is the responsibility of the investigator or research coordinator to ensure that the proposed payment procedures are in compliance with University Financial Policy.

The Business Office’s Guide for Approving Human Subject Payments provides information and guidance on remuneration and reimbursement of out-of-pocket expenditures provided to research subjects participating in research trials.

This guidance has been generated to help distinguish electronic signatures from Part 11 compliant signatures and digital signatures. DocuSign signatures are considered Part 11 compliant if accessed via the Office of Clinical Research and PMACS/DART. Other types of DocuSign or access points are not compliant.

Note: This document does not cover the use of digital or electronic signatures related to contracting, business administration, grant/proposal submission systems, or the effort reporting system (ERS).


This document outlines step-by-step instructions for creating a compliant Adobe eSignature. Its purpose is to promote the adoption of digital signatures by individuals using a PMACS/DART or UPHS managed computer in clinical research, by describing how to create a signature in Adobe Acrobat and how to verify it to meet 21 CFR Part 11 compliance.

Create and Verify a Self-Signed Digital Signature in Adobe Acrobat


The purpose of this document is to instruct users on how to use the “Repository” method to document the certificate information of an Adobe Acrobat self-signed digital signature so that it may be verified. The purpose of verification is to provide assurance of the signer, thus meeting 21 CFR Part 11 compliance.

Verification Process for Self-signed Digital Signatures

The following documents outline best practices and requirements when using social media to support research recruitment or other research related activities. 

Vendormate is a third-party vendor Penn Medicine uses to check the backgrounds and immunization status of pharmaceutical company representatives. This is mostly to protect patients, especially immunocompromised patients, in clinic spaces. Registration in Vendormate costs about $250 per year. This requires yearly renewal by the company and updates of the representatives' immunization records. The cost for this is included in the budget template by OCR Finance so teams can incorporate it before they negotiate with the pharmaceutical sponsor. The pharmaceutical representative category is also extended to CRO/sponsor monitors who will be in clinic spaces.

Artificial Intelligence, AI, is the process of imparting data, information, and human intelligence to machines. The main goal of Artificial Intelligence is to develop self-reliant machines that can think and act like humans. These machines can mimic human behavior and perform tasks by learning and problem-solving. Most of the AI systems simulate natural intelligence to solve complex problems.

Machine learning is a subfield of artificial intelligence, or an application of AI, which is broadly defined as the capability of a machine to imitate intelligent human behavior. It allows a system to automatically learn and improve from experience. Artificial intelligence systems are used to perform complex tasks in a way that is similar to how humans solve problems.

Deep Learning is a subset of machine learning that uses vast volumes of data and complex algorithms to train a model.


[Figure: diagram of machine learning]

There are several different ways that AI might be used in research but of particular note are uses of Electronic Medical Record (EMR) data in order to conduct modeling, predict care pathways or interact with patients.

Penn Medicine’s Position on AI and Research:

New artificial intelligence (AI) and machine learning (ML) capabilities, methods, and platforms offer great promise for patient care and research. Notably, large language models such as ChatGPT have been gaining traction and driving imagination on potential applications in healthcare and clinical research – particularly to increase efficiency and productivity. While we support and encourage exploration of AI/ML capabilities, this guidance provides compliance reminders and guardrails to ensure that we continue to protect patients’ privacy and deliver patient care following validated standards.

Patient Privacy Protection: It is not permissible under HIPAA or Penn Medicine policy to share patient or research participant information in connection with public AI/ML services, such as ChatGPT. This is because, as currently configured, such public services can use and share any data without regard to HIPAA restrictions and other protections. Therefore, individual patient data and patient data sets (even if deidentified) may not be exposed to AI/ML services.

Penn Medicine will contribute to the evaluation and development of innovative technologies, in a manner that is compliant with HIPAA and other privacy laws, Penn policies and guidance.

FDA Regulations and AI as a Device

The use of AI in research

FDA Main Page: Artificial Intelligence and Machine Learning in Software as a Medical Device


FDA regulation of AI/ML is evolving, as the field continues to rapidly evolve. Additional information can be found at the following link: https://www.fda.gov/medical-devices/software-medical-device-samd/artificial-intelligence-and-machine-learning-software-medical-device#regulation

Need additional information or have questions? 

Contact OCR Regulatory – psom-ind-ide@pobox.upenn.edu or 215-662-4484

Penn IRB Research with Devices information: https://irb.upenn.edu/homepage/biomedical-homepage/guidance/types-of-biomedical-research/research-with-device-products/

Penn Medicine has developed guidance on the sharing of clinical data and biological samples, whether deidentified or not, with third parties. The guidance is maintained between OACP and OCR and may be found HERE

Broadly, ‘digital health’ refers to wearable devices, telehealth, and health information technology. Digital health technologies (DHTs) use computing platforms, software, connectivity, and sensors for medical and healthcare uses.

  • Penn’s Center for Digital Health: https://healthcareinnovation.upenn.edu/center-for-digital-health
  • FDA Digital Health Center of Excellence: https://www.fda.gov/medical-devices/digital-health-center-excellence
    • “The Digital Health Center of Excellence (DHCoE) is part of the planned evolution of the Digital Health Program in the Center for Devices and Radiological Health (CDRH) and will align and coordinate digital health work across the FDA. It marks the beginning of a comprehensive approach to digital health technology, setting the stage for advancing and realizing the potential of digital health.”
  • FDA Guidance: Digital Health Technologies for Remote Data Acquisition in Clinical Investigations: https://www.fda.gov/media/155022/download
    • Outlines recommendations to facilitate the use of digital health technologies (DHTs) in clinical investigations evaluating medical products.

Mobile medical apps are software programs that can run on smartphones and other mobile devices. Some apps are aimed at patients/consumers, and others are aimed at healthcare providers. The FDA regulates mobile medical apps via a risk-based approach. The following links can provide additional information:

For studies where data management is being performed by individual research teams, there are a series of documents to assist with overall data management. Find these in the Forms, Tools, & Templates library.

Some of these are high level like:

Others are more system specific to using the Penn CRMS as an EDC/ Database:


Coming soon

Guidance Document for Source Documentation

This document contains information about Source Documentation for clinical trials.
• What Are Source Documents?
• Why Are Source Documents Required?
• Source Document vs. Case Report Form (CRF)
• Location of Source Documents