Office of Clinical Research

21 CFR Part 11 outlines the federal requirements that help to ensure that electronic records are trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.

The first step in becoming compliant with the regulations is to determine whether or not you are required to be compliant. The following questions can help lead to the determination:

• Is your clinical trial conducted under an approved IND? If yes, electronic system needs to meet part 11
• Is your clinical trial conducted under an approved IDE? If yes, electronic system needs to meet part 11
• Does your grant specify that your computer systems must comply with 21 CFR Part 11 or similar requirements? If yes, electronic system needs to meet part 11

If you answered yes to any of these questions, your electronic systems of record that are being used to meet predicate rules are required to comply with 21 CFR Part 11. Your sponsor may provide you with a system to use. The two options available at Pen Medicine are Penn CMTS and Veeva Vault EDC.

Close

REDCap is not part 11 compliant but is part 11 capable. This means the system has the functions to meet part 11 but has not been validated. If you are going to use REDCap you can find ways, in the REDCap section of the site, to run your trial as closely as possible in accordance with part 11. However, you should make it clear to your sponsor that the system is not part 11 at the institutional level. REDCap is best used for studies not under an IND or IDE.

Close

Click HERE to get re-directed to the PennCTMS section of the OCR website.

Close

Veeva Vault EDC is a new product at Penn. If you are interested in using the application, please contact the central OCR email box. To learn more about Veeva as a product you may search here.

Close

LEGAL BACKGROUND AND BASIS

General Rules under HIPAA
Under HIPAA, identifiable data may be used in support of a research project either in a preparatory to research capacity or under an IRB-approved protocol, except for certain specially-regulated data that include behavioral health, HIV/AIDS, and substance use disorder treatment data.

HIPAA’s preparatory to research provision permits covered entities to use or disclose PHI for purposes that are in preparation of research, such as to determine if there is a viable cohort of patients at a site or aid study recruitment. The preparatory to research provision allows such a researcher to identify prospective research participants for purposes of seeking their authorization to use or disclose their health information as part of a research study. The Penn researcher may not reach out to those patients to recruit or enroll them in a trial without IRB approval. Also, PHI used for these purposes may not be shared outside the covered entity. 

The preparatory to research provision does not allow a researcher outside the covered entity to use or disclose Penn PHI to identify patients who may be study eligible.  This requires a full HIPAA waiver of authorization and appropriate agreements in place.

Once IRB approval is in place for a research study, PHI may be accessed, used, and disclosed as follows:

1. Pursuant to a participant-signed HIPAA research authorization approved by the IRB[1]  
   • This is typically part of the research informed consent but may be separate.  This is commonly seen in prospective interventional trials/ clinical trials
2. Under a waiver of HIPAA authorization approved by the HIPAA privacy board (the Penn IRB) applying specific criteria.[2] 
3. Regarding a “limited dataset” (where direct identifiers are removed), with a HIPAA data use agreement (DUA) in place with the recipient.

Special Records – Behavioral Health, Substance Use, HIV / AIDS 
At the same time, identifiable health information from behavioral health visits and related to HIV/AIDS cannot be used or shared for research purposes unless there is specific patient consent.  Researchers who are providers in those areas may review records of patients they are caring for, but they cannot otherwise conduct research using records without specific consent.  Research involving substance use disorder information is also strictly regulated – please consult with Privacy Office regarding the applicable rules in this area. 

Patient Opt Outs
Patients at Penn Medicine must be offered the opportunity to opt out of specimen use for research purposes. Patients are offered this option in the clinical care consent through the General Consent form.  As stated in that form, patients may decide that residual tissue taken, or discarded, during a clinical procedure cannot be used for research. This does not preclude research teams from reaching out to patients who have not opted out to seek specific consent to use residual specimens for research.

Furthermore, patients at Penn Medicine are offered the opportunity to opt out from research contact. This can be done via MyPennMedicine (MPM), by speaking to a patient service representative.

INSTITUTIONAL MISSION, VISION AND VALUES 

Research is a core mission for Penn Medicine, and therefore it is important to have tools and policies governing research in place to support all areas of research utilizing PHI.  This includes preparatory to research activities, research with a consent/full HIPAA authorization, and research with a waiver of authorization.

           AUTHORIZED USERS, USES, DISCLOSURES AND RISK MITIGATION

Preparatory to Research: Feasibility and Cohort Identification

Internally: Individuals in research roles may be provided access to systems for purposes of establishing feasibility and/or identifying a cohort. 

To establish feasibility of a protocol, the preferred systems to utilize are PennChart SlicerDicer, or another approved cohort identification tool such as Atlas or TriNetX.  Access to these datasets provides summary level data (counts) only and do not inherently provide access to record level data (names, SSNs and other direct identifiers are removed) unless IRB number is provided or the data is retained fully in the tool, in the case of Slicer Dicer.

Externally:  The preparatory to research provision does not allow for any access to PHI outside the covered entity. Counts only of potentially eligible patients may be shared with external sponsors, external collaborators, and external staff or research sites.

If an outside collaborator, for example a CHOP employee, would like to recruit Penn patients, they must collaborate with a Penn Medicine faculty member who is accountable for appropriate access or with a central office, such as OCR, or work with the Data Analytics Center (DAC) to serve in an honest broker capacity.

Research Recruitment and Research Under HIPAA Authorization:

Internally: Once IRB approval has been obtained, patients may be contacted to participate in a research study and, if they agree, will be asked to sign a consent form and authorization. This will detail with whom and how data may be shared.  rag

Individual patient level research data that qualifies as “source” (the first place that a research datapoint is recorded) must be stored securely either in PennChart, Penn’s Clinical Trial Management Systems (PennCTMS), Penn+Box, or in other HIPAA-compliant systems, as well as on secured shared drives or on paper.  For more details refer to the following, Information Handling Standard.

PennChart, at a minimum, for all studies that involve hospital services will contain a record of the study, subjects enrolled on the study, research encounter information and, if applicable, information about the investigational medication being provided.

Clinical trial data in aggregate or Case Report Form data must be stored in a HIPAA compliant database such as the PennCTMS, Veeva EDC, or RedCap or a 3d party sponsor system. 

Such data management systems should negate the need for any emailing of spreadsheets of data.

Externally: When collaborating with external users on a clinical research trial, only PHI outlined in the authorization, should be shared. This can be shared via secure electronic data capture systems or via secure methods for external sharing such as Citrix or use of an ftp server. The latter is more efficient for a large share of data and the former more appropriate for ongoing study activities.  Further, if using third parties, a HIPAA business associate agreement (BAA) may be required.  Please consult Privacy Office for guidance.  

Special Note regarding Texting Potential Subjects and Subjects:  If research recruitment or research under a HIPAA authorization involves texting potential subjects or subjects, specific texting consent may be required as well as certain disclaimers and operationalizing an opt-out system. Contact the Privacy Office for additional guidance. 

 Special Note regarding Blinded and Highly Sensitive Studies:  With such studies, additional steps in PennChart to protect the sharing of results and certain other research data with patients and internal and external providers should be taken.  See Guidance for Blinded Studies and MyPennMedicine

Research on Identifiable Data sets under a waiver of HIPAA authorization: In addition to the safeguards and tools described above in the context of a HIPAA authorization, note the following distinct rules that apply in the context of a waiver of HIPAA authorization.  First, the research must involve only the minimum PHI necessary.  Second, under the new Common Rule provisions, the research must be supported by documented reasoning as to why these studies cannot be conducted without the requisite PHI.  Further, if using third parties, a HIPAA business associate agreement (BAA) may be required.  Please consult Privacy Office and Data Access Center for guidance.

Research Using a Limited Data Set: A limited data set includes only indirect identifiers, and it can include any date information (for example date of birth, date of service, date of discharge) as well as limited address information excluding street address (for example town, county, state, zip code). 

Internally: Limited Data sets may be used for research with IRB approval by Penn researchers, provided the research application includes a commitment that the research team will abide by HIPAA DUA terms.  Penn researchers not committing to such terms in the research application must agree to them via a separate agreement.

Externally: To share a limited data set externally, a signed DUA must be in place. This is a written agreement that establishes how a limited data set will be transferred between one covered entity to an intended recipient and establishes how that data will be protected. A DUA can be put in place by the Office of Research Services.

In all these cases, the DAC is a resource to assist in data extraction.  See https://www.med.upenn.edu/dac/

SECURITY

Security is of the utmost importance in addressing privacy risks to research data.  Key components are secure storage, transmission and a plan for destruction where feasible.  Regarding storage, all PHI must be maintained on secure devices, secure systems and approved services.  PHI may be maintained for example, as described above, on Penn’s CTMS, the Veeva electronic data capture systems, RedCap or Penn Box.  Regarding transmission of PHI, Citrix FileShare, Penn Secure Share, and secure FTPs may be used.  As for destruction of PHI, researchers should consider whether and when they can securely destroy PHI without compromise to research integrity or obligations to the sponsor or others. 

Close