Policies, Procedures & Guidance

SOP 001   — Sponsor Responsibilities

SOP 002  — Vendor Selection and Qualification

SOP 003  — Investigational Product Management

SOP 004  — Sponsor Monitoring

SOP 005  — Pharmacovigilance and Safety Reporting

SOP 006  — Sponsor Qualification Registration

SOP 007  — Sponsor Data Management

SOP 300 — Research Billing Compliance Review

SOP 301  — NETC Parallel Review

SOP 200 —  Compliance Reviews 

SOP 201 —  Regulatory Inspections

SOP 202 —  Report of Compliance concerns in Clinical Research 

SOP 203 — FDA Form 1572 Policy  

SOP 205 — Dissemination Plan for Clinical Trial Results for NIH Funded Clinical Trials  

SOP 206 — ClinicalTrials.gov

         SOP 206 Attachment —  ClinicalTrials.gov Attachment

SOP 207 — External IND Safety Reports

SOP 400 — CRMS Requirements

SOP 402 — PennChart Research Associations

SOP 403 —  PennChart Research Study Maintenance 

SOP 404 —  PennChart Research Billing 

SOP 405 — REDCap Training and Access

SOP 406 — External Monitoring

SOP 407 — PennVault Training Access

SOP 408 — PennVault eTMF Study Access 

SOP 409 — Veeva SVE Access Change Control 

SOP 410 — Research Honest Broker Access Process

SOP 100 — Manufacturing Qualification, Registration and Training

SOP 101 — Good Documentation Practices

SOP 102 — Deviations and Corrective Action and Preventative Plan

SOP 102 — Form Deviation CAPA

SOP 104 — Training

SOP 401 — Clinical Research Training for PSOM Faculty and Staff

IRB SOPs 

ePHI/ Security

EVD Policies

OACP

Artificial Intelligence, AI, is the process of imparting data, information, and human intelligence to machines. The main goal of Artificial Intelligence is to develop self-reliant machines that can think and act like humans. These machines can mimic human behavior and perform tasks by learning and problem-solving. Most of the AI systems simulate natural intelligence to solve complex problems.

Machine learning is a subfield of artificial intelligence, or an application of AI, which is broadly defined as the capability of a machine to imitate intelligent human behavior. It allows a system to automatically learn and improve experience. Artificial intelligence systems are used to perform complex tasks in a way that is similar to how humans solve problems.

Deep Learning is a subset of machine learning that uses vast volumes of data and complex algorithms to train a model.

There are several different ways that AI might be used in research but of particular note are uses of Electronic Medical Record (EMR) data in order to conduct modeling, predict care pathways or interact with patients.

Penn Medicine’s Position on AI and Research:

New artificial intelligence (AI) and machine learning (ML) capabilities, methods, and platforms offer great promise for patient care and research. Notably, large language models such as ChatGPT have been gaining traction and driving imagination on potential applications in healthcare and clinical research – particularly to increase efficiency and productivity. While we support and encourage exploration of AI/ML capabilities, this guidance provides compliance reminders and guardrails to ensure that we continue to protect patients’ privacy and deliver patient care following validated standards.

Patient Privacy Protection: It is not permissible under HIPAA or Penn Medicine policy to share patient or research participant information in connection with public AI/ML services, such as ChatGPT. This is because, as currently configured, such public services can use and share any data without regard to HIPAA restrictions and other protections. Therefore, individual patient data and patient data sets (even if deidentified) may not be exposed to AI/ML services.

Penn Medicine will contribute to the evaluation and development of innovative technologies, in a manner that is compliant with HIPAA and other privacy laws, Penn policies and guidance.

FDA Regulations and AI as a Device

The use of AI in research

FDA Main Page: Artificial Intelligence and Machine Learning in Software as a Medical Device

https://www.fda.gov/medical-devices/software-medical-device-samd/artificial-intelligence-and-machine-learning-software-medical-device

FDA regulation of AI/ML is evolving, as the field continues to rapidly evolve. Additional information can be found at the following link: https://www.fda.gov/medical-devices/software-medical-device-samd/artificial-intelligence-and-machine-learning-software-medical-device#regulation

Need additional information or have questions? 

Contact OCR Regulatory – psom-ind-ide@pobox.upenn.edu or 215-662-4484

Penn IRB Research with Devices information: https://irb.upenn.edu/homepage/biomedical-homepage/guidance/types-of-biomedical-research/research-with-device-products/

Certificate of Confidentiality (CoC) protects the privacy of research subjects by prohibiting the disclosure of identifiable, sensitive research related data to anyone not connected directly to the research except when a patient/research subject consents to the sharing.

Attached guidance and tipsheet provides a high-level overview of a certificate of confidentiality. In addition, it highlights workflows in PennChart that should be used to support the CoC provisions are maintained.

Registering Studies and Submitting Results to ClinicalTrials.gov

The following guidance is designed to help the clinical research team navigate the ClinicalTrials.gov (i.e., the Protocol Registration and Results System or PRS system) registration process. If you have any further questions about the process of setting up an account and submitting information to ClinicalTrials.gov, PRS has published a detailed PRS Users Guide found at https://prsinfo.clinicaltrials.gov/prs-users-guide.html or contact OCR at ocrctgov@pobox.upenn.edu.

Click to review how to Registering Studies and Submitting Results to ClinicalTrials.gov

The 21st Century Cures Act and the new ruling from the Health and Human Services department of the Federal Government, Penn Medicine is required to allow patients increased access to their electronic medical record. The purpose of this Act is to promote the patient’s right to electronically access their information, expand the electronic exchange of health information, standardize & expand the content of the health information dataset, reduce barriers for electronic health information exchange, and prevent health information exchange blocking.

The 21^st Century Cures Act also regulates how to share information with patients including research results. The law has provisions for holding results if the release would reveal the results of the study, hence we need the insight of the research team confirming the need to hold or release research results. For more information refer to the guidance document, HERE

Broadly, ‘digital health’ refers to wearable devices, telehealth, and health information technology. Digital health technologies (DHTs) use computing platforms, software, connectivity, and sensors for medical and healthcare uses.

• Penn’s Center for Digital Health: https://healthcareinnovation.upenn.edu/center-for-digital-health
• FDA Digital Health Center of Excellence: https://www.fda.gov/medical-devices/digital-health-center-excellence
  • “The Digital Health Center of Excellence (DHCoE) is part of the planned evolution of the Digital Health Program in the Center for Devices and Radiological Health (CDRH) and will align and coordinate digital health work across the FDA. It marks the beginning of a comprehensive approach to digital health technology, setting the stage for advancing and realizing the potential of digital health.”
• FDA Guidance: Digital Health Technologies for Remote Data Acquisition in Clinical Investigations
  • Outlines recommendations to facilitate the use of digital health technologies (DHTs) in clinical investigations evaluating medical products.

For studies where data management is being performed by individual research teams, there are a series of documents to assist with overall data management. Find these in the Forms, Tools, & Templates library.

Some of these are high level like:

• Electronic Database Build and Activation Log
• Database Activation Authorization
• CRF Testing Script
• CRF Testing Tracker
• CRF Build and Schedule of Events Tracker
• Data Base Lock Down and CRMS Examples
• Data Management Plan Creation Guidance

Others are more system specific to using the Penn CRMS as an EDC/ Database:

• Testing CRFs Overview in Penn CRMS
• Penn CRMS EDC Guidelines and Tips
• Understanding Using an EDC-CRMS Workflows

At Penn Medicine we have various options to support data management. The following table provides a comparison of the three primary options:

As an Academic Learning Health System,  Penn Medicine recognizes  (i) the value of patient participation in research, (ii) the importance of  studying existing medical record data in both research and quality improvement efforts and (iii) respects patient privacy. We clarify our position in the Notice of Privacy Practices (NPP), the general consent to care and the Patient Bill of Rights.

Our patients can choose to opt out of being contacted by Penn Medicine for research purposes. Penn Medicine research that does not involve contacting patients, such as secondary data analysis, observational research, longitudinal studies, that has been IRB approved,  may include the data of patients who have selected “Research Do Not Contact.” 

Any studies in which there is patient contact, even if there is a waiver of consent and authorization, require that the research "do not contacts" be respected and removed from the list of patients to be contacted.
If you need assistance with removing please discuss with OCR at psom-ocr@pobox.upenn.edu

Patients are given the option to opt out of contact via the MyChart application or via the front desk staff or privacy office (215-898-7260 or privacy@uphs.upenn.edu). If patients have questions about research opt outs, please feel free to direct them accordingly. 
Patients may switch their opt out options at any time and as frequently as they like. 
Furthermore, the opt out does not preclude a provider from discussing a trial directly with their patients.

This guidance  is to clarify the roles and responsibilities of those involved in the execution of the informed consent process for prospective human participants consistent with federal and state regulations, and institutional policies.

Guidance for Obtaining Informed Consent of English-Speaking Subjects Who Cannot Speak and/or Write.

NIH Data Management & Sharing Policy (2023)

This page is intended to inform the Penn community about the new National Institutes of Health (NIH) policy. 
The current NIH policy on sharing research data expires January 25, 2023.

More Information on how Penn is preparing and providing resource: https://guides.library.upenn.edu/NIH

• What is new about the 2023 NIH Data Management and Sharing Policy?
• Beginning on January 25, 2023, ALL grant applications or renewals that generate Scientific Data must include a detailed plan for managing and sharing data through the entire funded period with plans for data dissemination. You must provide this information in a Data Management and Sharing Plan (DMSP). In addition, once the award is made and plan approved, compliance with the DMSP will be a determining condition of the work, meaning it can impact future funding decisions.
• Why is the NIH making these changes? 
• The NIH is emphasizing good data stewardship with the goals of advancing rigorous and reproducible research and promoting public trust in scientific endeavors.
• How does the NIH define scientific data?
• Scientific Data are "the recorded factual material commonly accepted in the scientific community as of sufficient quality to validate and replicate research findings, regardless of whether the data are used to support scholarly publications. Scientific data do not include laboratory notebooks, preliminary analyses, completed case report forms, drafts of scientific papers, plans for future research, peer reviews, communications with colleagues, or physical objects, such as laboratory specimens."
• Am I required to share my data?
• The policy encourages efforts to maximize appropriate sharing, but recognizes exceptions (i.e., legal, ethical, or technical reasons). These reasons must be communicated in the NIH DMSP.  In addition, sharing plans must be communicated in informed consent documents. In the end, ALL data must be managed, even if not all data can be shared.

Resources

Permissions & Guidance:

• IRB Regarding Approvals
• Clinical Trials.gov
• Privacy Policies and Guidance
• Penn Clinical and Biospecimen Data Sharing
• Federal and State-Specific Laws - HIPAA Waiver Form
  (Search HIPAA on left hand side menu, and click update) 

Data Management:

• DART website regarding secure storage and computing options
• Penn Research Analytic Storefront regarding where to find clinical data for research
• Data Analytics Center (DAC) for submitting data request

Sharing Plan:

• ORS regarding research inventory system for submitting DUA, MTA, BAA, etc.
• DMP Tool
• Scholarly Commons

The intent of the PSOM Guidance for Adverse Event (AE) Assessment is to provide early, mid and senior career investigators a roadmap on how to investigate, perform, and confirm AE assessments.

Data Classification/ Sensitivity

Penn Medicine/ University of Penn classifies data into three categories based on the level of data sensitivity, government regulations and existing PSOM or Penn Medicine policies.

• Low
• Moderate
• High

More information on this and the Penn Data Classification policy can be found here. This includes information on Penn Box and what information can and cannot be stored there. 

• PSOM Data Handling Policy
• Cures Act FAQ - see guidance section on Cures Act and Research

Use of PHI in Email for Research

These guidance documents are important to the use of email and PHI in communication with patients and other Penn Medicine staff and employees. Penn Medicine’s Privacy Office and Information Security Office’s has issued guidance on avoiding and minimizing PHI in email communications.  The Office of Clinical Research has collaborated with the Office of Audit Compliance and Privacy (OACP) to create a specific guidance on the use of email during the conduct of research studies and clinical trials.

These guidance documents are titled: Avoid and Minimize PHI in Email and Use of Email During the Conduct of Research

As the guidance specifies, spreadsheets of PHI should never be emailed. You may use secure share as an alternative.

Another option to utilize is Penn Medicine MS Teams. This tip sheet and PowerPoint provide additional guidance and information on how to use MS Teams to share PHI securely via Teams. As a reminder, the minimum of PHI should always be used and shared.

Use of PHI in Messaging (Email, text, mobile apps) for Clinical Research

This document provides best practices for use of messaging when communicating with patients and research participants in connection with clinical research and trials, particularly when messaging includes Protected Health Information and Personally Identifiable Information (PHI/PII). Messaging includes email, text/ SMS and/ or through mobile applications (apps).

Guidance on Use OF MESSAGING (EMAIL, text, mobile apps) During the Conduct of Research

Requests for space to support the conduct of clinical research may require allocation of UPHS space. Such requests may be triaged for consideration by the Office of Clinical Research in conjunction with the hospital Space Committee who will assist investigators in identifying space and in properly specifying suballocations of space with shared research and clinical research uses for clinical research professionals.

Binder Guidance

Clinical Research Space Allocation Guidance 

Requirements for Protecting PHI and Clinical Research Document Storage 

PSOM Incremental Space Request

Subjects are often offered monetary or non-monetary payments for their participation in research studies. While many options exist, the decision to provide payment to research subjects is generally made to facilitate timely recruitment of subjects for the study and thereby decrease time to study completion, with the consideration of ethics and effectiveness. Accepted justification of research subject payment include reimbursement for expenses that the subject may incur to participate in the research and/or payment for the subject's time and inconvenience.  It is never acceptable to use payment as a benefit to offset the risks of a study.  The payment procedures must be detailed in the HS-ERA Protocol Application Form and reviewed by the IRB prior to implementation.

TYPES OF SUBJECT COMPENSATION

Subject compensation are typically classified as either reimbursement or remuneration.

• Reimbursement refers to payment, monetary or other form, paid to a subject for out-of-pocket expenses, such as study-related travel, lodging, meals or lost wages.
• Remuneration refers to payment, monetary or other form, paid to subjects as repayment for their personal time and effort committed to study participation.
   

All subject payment procedures should be described in the study protocol, HS-ERA Protocol, and the Informed Consent Form, which must be approved by the IRB prior to study initiation. 

Note: Although the IRB may approve a subject payments for a protocol, this does not imply that the payment method is allowable under University Financial Policy. The IRB reviews payments to ensure that they will not unduly influence a subject's decision to participate, but they do not review the payment procedures to ensure they follow University Financial Policy. It is the responsibility of the investigator or research coordinator to ensure that the proposed payment procedures are in compliance with University Financial Policy.

The Business Office’s Guide for Approving Human Subject Payments provides information and guidance on remuneration and reimbursement of out-of-pocket expenditures provided to research subjects participating in research trials.

Description text: Penn Medicine policy is to ensure compliance with HIPAA and HITECH privacy regulations and applicable law when conducting research involving PHI. It is applicable to all entities under Penn Medicine, this includes PSOM. Policy applies to all research that utilizes PHI and is conducted by the workforce of Penn Medicine.

Penn Medicine has developed guidance on the sharing of clinical data and biological samples, whether deidentified or not, with third parties. The guidance is maintained between OACP and OCR and maybe found HERE

Guidance Document for Source Documentation

This document contains information about Source Documentation for clinical trials.
Contents
• What Are Source Documents?
• Why Are Source Documents Required?
• Source Document vs. Case Report Form (CRF)
• Location of Source Documents

Certifying Electronic Copies of Paper Documents

Certified Copy Attestation

This document explains the purpose of certifying electronic copies of paper source documents and describes two different methods to certify them.

The following documents outline best practices and requirements when using social media to support research recruitment or other research related activities. 

• Guidance on Recruitment & Research Using Social Media (link out to Penn IRB's website)
• Social Media Best Practices (requires Penn Login)

Mobile medical apps are software programs that can run on smartphones and other mobile devices. Some apps are aimed at patients/consumers, and other are aimed at healthcare providers. The FDA regulated mobile medical apps via a risk-based approach. The following links can provide additional information:

• FDA Main Page: Device Software Functions Including Mobile Medical Applications https://www.fda.gov/medical-devices/digital-health-center-excellence/device-software-functions-including-mobile-medical-applications
  • Describes mobile medical apps, discusses how FDA regulates device software functions, and lists device software functions that are the focus of FDA oversight.
  • FDA Guidance: Policy for Device Software Functions and Mobile Medical Applications: https://www.fda.gov/media/80958/download
• FDA Guidance: Clinical Decision Support Software (CDSS): https://www.fda.gov/media/109618/download
  • CDSS is a type of software intended to provide decision support in the diagnosis, treatment, prevention, cure, or mitigation of diseases. This guidance applies to CDSS intended to be used by healthcare professionals.
• FDA Guidance: Content of Premarket Submissions for Device Software Functions: https://www.fda.gov/media/153781/download
  • Provides guidance about recommended documentation for premarket submissions of device software functions (i.e. Investigational Device Exemptions (IDE), among others).
• FDA Guidance: Off-The-Shelf Software Use in Medical Devices: https://www.fda.gov/media/71794/download
  • Recommended for review if you are considering incorporating off-the-shelf software in developing a medical device.

Vendormate is a 3^rd party vendor Penn Medicine uses to back ground check pharmaceutical company representatives, and their immunization status. This to mostly protect patients especially immunocompromised patients in clinic spaces. Registration in Vendormate costs about $250 per year to register. This requires yearly renewal by the company, and updates of the representatives immunization records. The cost for this is included in the budget template by OCR Finance so teams can incorporate it before they negotiate with the pharmaceutical sponsor. The pharmaceutical representative category is also extended to CRO/ sponsor monitors that will be in clinic spaces.

• The link below is a brief step by step of how a Pharmaceutical vendor representative registers on the platform, and the screen shots below is that of the main website, and video tutorial that the vendor can access https://www.ghx.com/vendor-credentialing-providers/vendormate-credentialing/
• Step-by-Step guide document
• Vendormate Policy at HUP

• Contact for Vendormate at Penn:
  Robert Fisher
  Director, Materials Management
  Hospital of the University of Pa
  Tel: 215-662-4741
  Email: Robert.Fisher@uphs.upenn.edu/  Robert.Fisher@pennmedicine.upenn.edu

General Guidance

• Penn Medicine (UPHS And PSOM) Guidance Video Conference Platforms and HIPAA Protected Health Information (“PHI”). For more information about specifically using telemedicine in research that overlaps with standard of care, continuity of care or any research that involves billing to insurance or mixed billing please refer to the following document/ Clinical Research Connected Health Telemedicine Guidance.
• Telemedicine Document Guidance Tips
• Appendix 1
  How to tell if you are using Penn Medicine or University Meeting Services
• Appendix 2
  How to configure services for privacy and compliance
• Out of State Telemedicine Guidance and FAQs
• Out of State Physician Licensing Guide

This guidance has been generated to help distinguish electronic signatures, from part 11 compliant signatures, and digital signatures. DocuSign signatures are considered part 11 compliant if access via the Office of Clinical Research and PMACS/ DART. Other types of DocuSign or access points are not compliant.

Note: This document does not cover the use of digital or electronic signatures related to contracting, business administration, grant/proposal submission systems, or the effort reporting system (ERS).

See Guidance: USE OF ELECTRONIC DOCUMENTS AND SIGNATURES IN RESEARCH AND 21 CFR PART 11 COMPLIANCE

This document outlines the step by step instructions for creating a compliant adobe eSignature. The purpose of this document is to promote the adoption of digital signatures, by individuals using a PMACS/DART or UPHS managed computer in clinical research, by providing the processes of how to create a signature in Adobe Acrobat and how to verify it to meet 21 CFR Part 11 compliance 

Create and Verify a  Self-Signed Digital Signature in Adobe Acrobat

The purpose of this document is to instruct users on how to use the “Repository” method to document an Adobe Acrobat self-signed digital-signature certificate information so that it may be verified. The purpose of verification is to provide assurance of the signer, thus meeting 21 CFR Part 11 compliance.

Verification Process for Self-signed Digital Signatures