Policies, Procedures & Guidance

Standard Operating Procedures (SOPs) for Clinical Research

Standard Operating Procedures (SOPs) for Clinical Research are established to ensure we articulated our expectation for clinical research execution standards that adhere to federal and state regulations and institutional policies.

Sponsor SOPs detail the roles and responsibilities for those who serve as regulatory sponsors

A sponsor is a person who initiates a clinical investigation, but who does not actually conduct the investigation, i.e., the test article is administered or dispensed to or used involving, a subject under the immediate direction of another individual.

A sponsor-investigator means an individual who both initiates and actually conducts, alone or with others, a clinical investigation, i.e., under whose immediate direction the test article is administered or dispensed to, or used involving, a subject.

In this context, the sponsor is not necessarily the group or institution funding the research (funding sponsor).

SOP 001   — Sponsor Responsibilities

Defines the responsibilities associated with Sponsors of human subject research conducted under an Investigational New Drug Application (IND), an Investigational Device Exemption (IDE) or outside US Clinical Trial Application (CTA).

 

SOP 002  — Vendor Selection and Qualification

Describes the processes for the selection, qualification, and management of vendors to perform activities associated with the conduct of research under an Investigational New Drug (IND) Application, an Investigational Device Exemption (IDE & Abbreviated. IDE) Application, or a comparable international regulatory filing.

 

SOP 003  — Investigational Product Management

Describes the Sponsor’s responsibility for the management of the manufacturing, packaging, labeling, supplying, distribution, and accounting of investigational product(s) used in research conducted under an Investigational New Drug Application (IND), Investigational Device Exemption Application (IDE), or comparable international regulatory filing.

 

SOP 004  — Sponsor Monitoring

Describes the process for developing and implementing required, risk-based monitoring of clinical trials by the Sponsor.

 

SOP 005  — Pharmacovigilance and Safety Reporting

Describes the responsibilities of a regulatory sponsor associated with managing pharmacovigilance information for clinical trials conducted under an Investigational New Drug (IND), Investigational Device Exemption (IDE), Abbreviated IDE, or comparable international regulatory application (i.e. Clinical Trial Application, CTA).

 

SOP 006  — Sponsor Qualification Registration

Defines the requirements to qualify as a clinical trial Regulatory Sponsor at Penn Medicine, the conditions under which the University must serve as the Sponsor, and the minimum criteria and training.

 

SOP 007  — Sponsor Data Management

Outlines the sponsor’s responsibilities and expectations with respect to clinical data management and data storage for the conduct of a clinical trial. This includes discussion around information technology (IT) tools for electronic data capture.

Penn Manufacturing SOP details the requirements to register manufacturing activities occurring for a regulatory sponsor.

SOP 100 — Manufacturer Registration

Defines the registration process of Manufacturers at the Perelman School of Medicine (PSOM) to inform PSOM leadership of relevant data related to manufacturing.

Outline purchasing and billing compliance review processes.

SOP 300 — Research Billing Compliance Review

SOP 301  — NETC Parallel Review

Detail expectations for clinical investigators adherence to federal state and institutional requirements

Operational / Research Technology SOPs detail the requirements for the use of clinical research systems

Training SOPs detail the training requirements for all research team members

Clinical Research Guidance

The following are guidelines developed for Penn Medicine clinical research teams and links to helpful external resources. They have been developed in partnership with relevant offices across Penn Medicine.

Artificial Intelligence, AI, is the process of imparting data, information, and human intelligence to machines. The main goal of Artificial Intelligence is to develop self-reliant machines that can think and act like humans. These machines can mimic human behavior and perform tasks by learning and problem-solving. Most of the AI systems simulate natural intelligence to solve complex problems.

Machine learning is a subfield of artificial intelligence, or an application of AI, which is broadly defined as the capability of a machine to imitate intelligent human behavior. It allows a system to automatically learn and improve experience. Artificial intelligence systems are used to perform complex tasks in a way that is similar to how humans solve problems.

Deep Learning is a subset of machine learning that uses vast volumes of data and complex algorithms to train a model.

 

A diagram of machine learning

Description automatically generated with medium confidence

There are several different ways that AI might be used in research but of particular note are uses of Electronic Medical Record (EMR) data in order to conduct modeling, predict care pathways or interact with patients.

Penn Medicine’s Position on AI and Research:

New artificial intelligence (AI) and machine learning (ML) capabilities, methods, and platforms offer great promise for patient care and research. Notably, large language models such as ChatGPT have been gaining traction and driving imagination on potential applications in healthcare and clinical research – particularly to increase efficiency and productivity. While we support and encourage exploration of AI/ML capabilities, this guidance provides compliance reminders and guardrails to ensure that we continue to protect patients’ privacy and deliver patient care following validated standards.

Patient Privacy Protection: It is not permissible under HIPAA or Penn Medicine policy to share patient or research participant information in connection with public AI/ML services, such as ChatGPT. This is because, as currently configured, such public services can use and share any data without regard to HIPAA restrictions and other protections. Therefore, individual patient data and patient data sets (even if deidentified) may not be exposed to AI/ML services.

Penn Medicine will contribute to the evaluation and development of innovative technologies, in a manner that is compliant with HIPAA and other privacy laws, Penn policies and guidance.

FDA Regulations and AI as a Device

The use of AI in research

FDA Main Page: Artificial Intelligence and Machine Learning in Software as a Medical Device

https://www.fda.gov/medical-devices/software-medical-device-samd/artificial-intelligence-and-machine-learning-software-medical-device

FDA regulation of AI/ML is evolving, as the field continues to rapidly evolve. Additional information can be found at the following link: https://www.fda.gov/medical-devices/software-medical-device-samd/artificial-intelligence-and-machine-learning-software-medical-device#regulation

 

Penn AI Chat

Penn has an approved version of ChatGPT 4.0 Penn AI Chat (upenn.edu) which can be used in research studies and is HIPAA compliant and secure

 

Data access and AI reviews:

If you study is using clinical/ EMR data and utilizing AI technology please submit for review to the data access and AI governance committee:

Data and AI Governance Initial Request Form

 

AI and consent

Artificial Intelligence (AI) is defined as, development of computer systems able to perform tasks that normally require human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages. AI is an umbrella term used to encompass various technologies used to perform tasks such as machine learning, natural language processing and deep learning.

When conducting human subjects research, a researcher may engage with an AI tool in some of the following capacities, not all of which will always require consent:

  • The AI tool collects data from humans through interaction or intervention like a ChatBot;
  • The AI tool is used to obtain informed consent from patients/ research 500;
  • The AI tool is used to attain, explore, or otherwise access identifiable data about research subjects/ patients for example to ingest data and train a model or perform a screening function for a study; or
  • The AI tool acts as an extension or representative of the investigator/ study team by answering questions for research subjects/ patients during the trial or conducting some trial functions. This may be through note writing, ordering prompts, ChatBot activities, etc.

In accordance with HRPP, the Penn IRB strongly recommends, and in some cases may require, for studies in which there is prospective consent from patients and Artificial Intelligence (AI) is used, that subjects be informed. This allows patients to make informed decisions about whether to participate.

Template AI Language for Consent and Considerations:

This protocol involves the use of Artificial Intelligence (AI.) AI is an umbrella term used to encompass various technologies use to perform tasks such as machine learning, natural language processing and deep learning. In this study the following data from you will be shared with the AI tool  ( list out specifics for your study for example demographic data, answers to questionnaires, medications, medical record data, etc.)

Describe how the subject will be interacting with the AI; will their data be shared, are they chatting, etc.

Describe if the AI is generative in nature, meaning reacting to the persons answers or simply giving preset answers, as applicable.

Describe what the AI will do with the data, what limitations, if any, will be placed on it, whether or not data can be removed and how, how data will be shared, if applicable

Comment on the risks of the use of AI explaining to the subjects that there may be unknown or unforeseeable risks especially in that even with the removal of identifiers, in many cases with AI, it does not necessarily mean that private or sensitive information may not be disclosed and potentially connected back to the research subject. Note: If PHI is being accessed by AI should also be described in the HIPAA authorization as a tool where PHI will be disclosed.

This document does not cover the use of AI to translate or transcribe consents for patients/ research subjects. Use of this functionality should be reviewed, and the technology used vetted for data security and validity, in advance of IRB review.  Additionally refer to the Penn IRB SOP on consent.

Need additional information or have questions? 

Contact OCR Regulatory – psom-ind-ide@pobox.upenn.edu or 215-662-4484

Penn IRB Research with Devices information: https://irb.upenn.edu/homepage/biomedical-homepage/guidance/types-of-biomedical-research/research-with-device-products/

Certificate of Confidentiality (CoC) protects the privacy of research subjects by prohibiting the disclosure of identifiable, sensitive research related data to anyone not connected directly to the research except when a patient/research subject consents to the sharing.

Attached guidance and tipsheet provides a high-level overview of a certificate of confidentiality. In addition, it highlights workflows in PennChart that should be used to support the CoC provisions are maintained.

Registering Studies and Submitting Results to ClinicalTrials.gov

The following guidance is designed to help the clinical research team navigate the ClinicalTrials.gov (i.e., the Protocol Registration and Results System or PRS system) registration process. If you have any further questions about the process of setting up an account and submitting information to ClinicalTrials.gov, PRS has published a detailed PRS Users Guide found at https://prsinfo.clinicaltrials.gov/prs-users-guide.html or contact OCR at ocrctgov@pobox.upenn.edu.

Click to review how to Registering Studies and Submitting Results to ClinicalTrials.gov

The 21st Century Cures Act and the new ruling from the Health and Human Services department of the Federal Government, Penn Medicine is required to allow patients increased access to their electronic medical record. The purpose of this Act is to promote the patient’s right to electronically access their information, expand the electronic exchange of health information, standardize & expand the content of the health information dataset, reduce barriers for electronic health information exchange, and prevent health information exchange blocking.

The 21st Century Cures Act also regulates how to share information with patients including research results. The law has provisions for holding results if the release would reveal the results of the study, hence we need the insight of the research team confirming the need to hold or release research results. For more information refer to the guidance document, HERE

Broadly, ‘digital health’ refers to wearable devices, telehealth, and health information technology. Digital health technologies (DHTs) use computing platforms, software, connectivity, and sensors for medical and healthcare uses.

For studies where data management is being performed by individual research teams, there are a series of documents to assist with overall data management. Find these in the Forms, Tools, & Templates library.

Some of these are high level like:

Others are more system specific to using the Penn CRMS as an EDC/ Database:

As an Academic Learning Health System,  Penn Medicine recognizes  (i) the value of patient participation in research, (ii) the importance of  studying existing medical record data in both research and quality improvement efforts and (iii) respects patient privacy. We clarify our position in the Notice of Privacy Practices (NPP), the general consent to care and the Patient Bill of Rights.

Our patients can choose to opt out of being contacted by Penn Medicine for research purposes. Penn Medicine research that does not involve contacting patients, such as secondary data analysis, observational research, longitudinal studies, that has been IRB approved,  may include the data of patients who have selected “Research Do Not Contact.” 

Any studies in which there is patient contact, even if there is a waiver of consent and authorization, require that the research "do not contacts" be respected and removed from the list of patients to be contacted.
If you need assistance with removing please discuss with OCR at psom-ocr@pobox.upenn.edu

Patients are given the option to opt out of contact via the MyChart application or via the front desk staff or privacy office (215-898-7260 or privacy@uphs.upenn.edu). If patients have questions about research opt outs, please feel free to direct them accordingly. 
Patients may switch their opt out options at any time and as frequently as they like. 
Furthermore, the opt out does not preclude a provider from discussing a trial directly with their patients.

This guidance  is to clarify the roles and responsibilities of those involved in the execution of the informed consent process for prospective human participants consistent with federal and state regulations, and institutional policies.

Guidance for Obtaining Informed Consent of English-Speaking Subjects Who Cannot Speak and/or Write.

NIH Data Management & Sharing Policy (2023)

This page is intended to inform the Penn community about the new National Institutes of Health (NIH) policy
The current NIH policy on sharing research data expires January 25, 2023.

More Information on how Penn is preparing and providing resource: https://guides.library.upenn.edu/NIH

  • What is new about the 2023 NIH Data Management and Sharing Policy?
  • Beginning on January 25, 2023, ALL grant applications or renewals that generate Scientific Data must include a detailed plan for managing and sharing data through the entire funded period with plans for data dissemination. You must provide this information in a Data Management and Sharing Plan (DMSP). In addition, once the award is made and plan approved, compliance with the DMSP will be a determining condition of the work, meaning it can impact future funding decisions.
  • Why is the NIH making these changes? 
  • The NIH is emphasizing good data stewardship with the goals of advancing rigorous and reproducible research and promoting public trust in scientific endeavors.
  • How does the NIH define scientific data?
  • Scientific Data are "the recorded factual material commonly accepted in the scientific community as of sufficient quality to validate and replicate research findings, regardless of whether the data are used to support scholarly publications. Scientific data do not include laboratory notebooks, preliminary analyses, completed case report forms, drafts of scientific papers, plans for future research, peer reviews, communications with colleagues, or physical objects, such as laboratory specimens."
  • Am I required to share my data?
  • The policy encourages efforts to maximize appropriate sharing, but recognizes exceptions (i.e., legal, ethical, or technical reasons). These reasons must be communicated in the NIH DMSP.  In addition, sharing plans must be communicated in informed consent documents. In the end, ALL data must be managed, even if not all data can be shared.

Resources

Permissions & Guidance:

Data Management:

Sharing Plan:

The intent of the PSOM Guidance for Adverse Event (AE) Assessment is to provide early, mid and senior career investigators a roadmap on how to investigate, perform, and confirm AE assessments.

Data Classification/ Sensitivity

Penn Medicine/ University of Penn classifies data into three categories based on the level of data sensitivity, government regulations and existing PSOM or Penn Medicine policies.

  • Low
  • Moderate
  • High

More information on this and the Penn Data Classification policy can be found here. This includes information on Penn Box and what information can and cannot be stored there. 

  • PSOM Data Handling Policy
  • Cures Act FAQ - see guidance section on Cures Act and Research
Use of PHI in Email for Research

These guidance documents are important to the use of email and PHI in communication with patients and other Penn Medicine staff and employees. Penn Medicine’s Privacy Office and Information Security Office’s has issued guidance on avoiding and minimizing PHI in email communications.  The Office of Clinical Research has collaborated with the Office of Audit Compliance and Privacy (OACP) to create a specific guidance on the use of email during the conduct of research studies and clinical trials.

These guidance documents are titled: Avoid and Minimize PHI in Email and Use of Email During the Conduct of Research

As the guidance specifies, spreadsheets of PHI should never be emailed. You may use secure share as an alternative.

Another option to utilize is Penn Medicine MS Teams. This tip sheet and PowerPoint provide additional guidance and information on how to use MS Teams to share PHI securely via Teams. As a reminder, the minimum of PHI should always be used and shared.

Use of PHI in Messaging (Email, text, mobile apps) for Clinical Research

This document provides best practices for use of messaging when communicating with patients and research participants in connection with clinical research and trials, particularly when messaging includes Protected Health Information and Personally Identifiable Information (PHI/PII). Messaging includes email, text/ SMS and/ or through mobile applications (apps).

Guidance on Use OF MESSAGING (EMAIL, text, mobile apps) During the Conduct of Research

 

Requests for space to support the conduct of clinical research may require allocation of UPHS space. Such requests may be triaged for consideration by the Office of Clinical Research in conjunction with the hospital Space Committee who will assist investigators in identifying space and in properly specifying suballocations of space with shared research and clinical research uses for clinical research professionals.

Binder Guidance

Clinical Research Space Allocation Guidance 

Requirements for Protecting PHI and Clinical Research Document Storage 

PSOM Incremental Space Request

Subjects are often offered monetary or non-monetary payments for their participation in research studies. While many options exist, the decision to provide payment to research subjects is generally made to facilitate timely recruitment of subjects for the study and thereby decrease time to study completion, with the consideration of ethics and effectiveness. Accepted justification of research subject payment include reimbursement for expenses that the subject may incur to participate in the research and/or payment for the subject's time and inconvenience.  It is never acceptable to use payment as a benefit to offset the risks of a study.  The payment procedures must be detailed in the HS-ERA Protocol Application Form and reviewed by the IRB prior to implementation.

 

TYPES OF SUBJECT COMPENSATION

Subject compensation are typically classified as either reimbursement or remuneration.

  • Reimbursement refers to payment, monetary or other form, paid to a subject for out-of-pocket expenses, such as study-related travel, lodging, meals or lost wages.
  • Remuneration refers to payment, monetary or other form, paid to subjects as repayment for their personal time and effort committed to study participation.
     

All subject payment procedures should be described in the study protocol, HS-ERA Protocol, and the Informed Consent Form, which must be approved by the IRB prior to study initiation. 

Note: Although the IRB may approve a subject payments for a protocol, this does not imply that the payment method is allowable under University Financial Policy. The IRB reviews payments to ensure that they will not unduly influence a subject's decision to participate, but they do not review the payment procedures to ensure they follow University Financial Policy. It is the responsibility of the investigator or research coordinator to ensure that the proposed payment procedures are in compliance with University Financial Policy.

The Business Office’s Guide for Approving Human Subject Payments provides information and guidance on remuneration and reimbursement of out-of-pocket expenditures provided to research subjects participating in research trials.

Description text: Penn Medicine policy is to ensure compliance with HIPAA and HITECH privacy regulations and applicable law when conducting research involving PHI. It is applicable to all entities under Penn Medicine, this includes PSOM. Policy applies to all research that utilizes PHI and is conducted by the workforce of Penn Medicine.

Penn Medicine has developed guidance on the sharing of clinical data and biological samples, whether deidentified or not, with third parties. The guidance is maintained between OACP and OCR and maybe found HERE

Guidance Document for Source Documentation

This document contains information about Source Documentation for clinical trials.
Contents
• What Are Source Documents?
• Why Are Source Documents Required?
• Source Document vs. Case Report Form (CRF)
• Location of Source Documents

Certifying Electronic Copies of Paper Documents

Certified Copy Attestation

This document explains the purpose of certifying electronic copies of paper source documents and describes two different methods to certify them.

The following documents outline best practices and requirements when using social media to support research recruitment or other research related activities. 

Mobile medical apps are software programs that can run on smartphones and other mobile devices. Some apps are aimed at patients/consumers, and other are aimed at healthcare providers. The FDA regulated mobile medical apps via a risk-based approach. The following links can provide additional information:

Vendormate is a 3rd party vendor Penn Medicine uses to back ground check pharmaceutical company representatives, and their immunization status. This to mostly protect patients especially immunocompromised patients in clinic spaces. Registration in Vendormate costs about $250 per year to register. This requires yearly renewal by the company, and updates of the representatives immunization records. The cost for this is included in the budget template by OCR Finance so teams can incorporate it before they negotiate with the pharmaceutical sponsor. The pharmaceutical representative category is also extended to CRO/ sponsor monitors that will be in clinic spaces.

General Guidance

This guidance has been generated to help distinguish electronic signatures, from part 11 compliant signatures, and digital signatures. DocuSign signatures are considered part 11 compliant if access via the Office of Clinical Research and PMACS/ DART. Other types of DocuSign or access points are not compliant.

Note: This document does not cover the use of digital or electronic signatures related to contracting, business administration, grant/proposal submission systems, or the effort reporting system (ERS).

See Guidance: USE OF ELECTRONIC DOCUMENTS AND SIGNATURES IN RESEARCH AND 21 CFR PART 11 COMPLIANCE


This document outlines the step by step instructions for creating a compliant adobe eSignature. The purpose of this document is to promote the adoption of digital signatures, by individuals using a PMACS/DART or UPHS managed computer in clinical research, by providing the processes of how to create a signature in Adobe Acrobat and how to verify it to meet 21 CFR Part 11 compliance 

Create and Verify a  Self-Signed Digital Signature in Adobe Acrobat

 

The purpose of this document is to instruct users on how to use the “Repository” method to document an Adobe Acrobat self-signed digital-signature certificate information so that it may be verified. The purpose of verification is to provide assurance of the signer, thus meeting 21 CFR Part 11 compliance.

Verification Process for Self-signed Digital Signatures

PHI Disclosures Outside the Covered entity in Research

Position on Research Do Not Contact:

Patient data may be used for clinical research pursuant to IRB approval. For studies that involve any level of patient contact; recruitment messaging, text messaging, nudges, consent administration, questionnaires, etc. “Research Do Not Contact” patients must be removed from any data set. This includes studies which involve a waiver of consent and authorization for a subset of the study and have subsequent patient contact in of any form. The approval for a waiver of consent and authorization by the IRB, alone,  does not permit the use of Research Do Not Contact patients. If there is any contact intended, these patients need to be excluded.

Research approved that does not involve patient contact may include “Research Do Not Contact” patients in the data set. This would include secondary data analysis, longitudinal studies, biospecimen studies with no contact, etc. For some studies it may be appropriate to include Research Do Not Contact Opt Outs in a primary dataset and then they may need to be exclude from subsequent uses that involve contact in the research study.

 

Wording in our NPP / Notice of Privacy Practice

Clinical Research, Patient Opt Out and out Notice of Privacy Practices(NPP)

 

As an academic medical center Penn Medicine recognizes the value of patient participation in research, medical record data and respect for patient privacy. As such, Penn Medicine describes this position in the Notice of Privacy Practices (NPP). The NPP states that patient electronic medical record data may be used for research always with IRB approval and either with their consent, or under a waiver of consent and HIPAA authorization approved by the IRB. We afford patients the opportunity to opt out of clinical research contact as described in the NPP language below:

Research. We may use and disclose your PHI as permitted by applicable law for research. This is subject to your authorization and/or oversight by the University of Pennsylvania IRB, committees charged with protecting the privacy rights and safety of human subject research.

As an academic medical center, Penn Medicine supports research and may contact you to invite you to  tell your patient/customer services associate, or for LGH, please contact the LG Health Research Institute. In such case, we will use reasonable efforts to prevent research-related outreach. Note that Penn Medicine may continue to use your PHI for research purposes as described above and your care providers may discuss research with you.