GCP, FDA 21 CFR Part 11, and HIPAA Compliance Facilitation Statement

Version 6, published on February 24, 2021

Purpose

SMART-TRIAL is designed to be used for data collection and data management in clinical operations. Measures have been implemented so that Good Clinical Practice (such as ISO 14155:2020 and ICH GCP), FDA 21 CFR Part 11, and HIPAA can be complied with in SMART-TRIAL. This statement describes those specific measures.

Application

This document applies to those responsible for GCP, regulatory affairs, or QA in organizations that have implemented, or are about to implement, SMART-TRIAL as a clinical data collection tool. The information provided herein is intended only to assist organizations in using SMART-TRIAL correctly to comply with GCP, FDA 21 CFR Part 11, and HIPAA. This information alone cannot be used to prove that any of these standards were fulfilled, as this requires internal management control.

References

  1. SMART-TRIAL Security & Service Level Statement

Statement

1. Standard Operating Procedures

All clients of SMART-TRIAL can access a standard operating procedure (SOP) template, which can assist study stakeholders in using SMART-TRIAL correctly to fulfil the requirements set out in, e.g., ISO 14155:2020.

2. Security and Backup Notice

Note that all aspects of security, quality control, hosting services, and backup procedures are described in the Security & Service Level Statement, which is publicly available from [1].

3. Audit Log/Trail

A full audit log (audit trail) is recorded and stored for every action within a specific study in SMART-TRIAL, i.e. viewing, creating, updating, and deleting. Study owners, or those allowed access to the audit log, can review these actions and specific attribute changes (e.g. subject information or any form answers), and can export the complete log.

For now, it is not possible to export a Study audit log directly from the SMART-TRIAL user interface. Contact support@smart-trial.com to request a copy of your Study audit log.

4. Reason for Change and Reason for Exclusion

When a change is made to a form answer, the editor must state a reason for the change. When a patient is excluded or discontinued, a user must define a reason.

5. Monitoring Review and Lock

SMART-TRIAL has a special read-only module which monitors can use to review data in a simple yet structured manner. Monitors can gain access to data collected by both subjects and investigators, and can also review AE/SAE/SAR forms, audit logs, etc. Users with a specific Monitor role can also lock individual answers, after which no data entry or changes are possible unless the answer is unlocked.

6. Query Feature

Users with specific query permissions can create queries on individual form answers. This allows users to correct values/answers according to query comments etc. Notifications about queries are sent to the users who are responsible for completing the query.

7. Direct Validation of Data

All input fields have dynamic input validation. Forms have both pre-defined input validation and user-specific validation. This means that subjects or users who fill out forms cannot complete input without complying with the form-specific input rules. This not only ensures that answers to forms are within the correct range, but also guides participants in answering the forms.

8. Two-Step Authentication

All users, whether or not they have access to subject information, answers, or study design, can only log into SMART-TRIAL using two-step authentication. The system requires all users to authenticate with a strong password, a unique username, and a unique one-time code sent to their mobile number. See more information about authentication and authorization in [1].

9. Subject Authentication

SMART-TRIAL supports individual subject authentication. The system ensures that each subject receives a unique link, sent to the subject's private e-mail address or mobile number, for each individual subject form response. In addition, the system supports unique SMS code authentication for subjects for every unique response link: if requested, subjects will receive a unique code via SMS or e-mail which is required to complete their form response. This should ensure that all users authenticated within the system are indeed the owner of the user profile being used.

10. Permission Based Access

All access within a study is permission based. A study owner is responsible for defining which permissions all collaborating users have within a study. For every collaborator added to the study, a set of permissions must be enabled/disabled. This should allow study owners to specify in detail what information/actions each study collaborator will have access to.

11. Adverse Event and Serious Adverse Event Reporting

SMART-TRIAL provides a structured way to record adverse events and serious adverse events. A collaborator will automatically receive a notification if a serious adverse event is registered. All users can submit an adverse event report. However, specific investigator permissions are required to fill out information requiring clinical evaluation, medical history, medication, etc. A specific sponsor permission is required to record sponsor-specific information on, e.g., a Serious Adverse Event.

12. Automatic Subject Reminders

To improve compliance, automatic e-mail and SMS reminders can be specified for all data events. SMART-TRIAL will then handle sending out reminders to all subjects at specific time points defined by the process design.

13. Access to Raw Data

Study owners, or collaborators with sufficient permission, always have access to a full raw dataset from a study. This means that all form and subject data can be exported from the system at any time. Export of a complete raw dataset requires all users to enter a unique two-factor SMS code before gaining access to the function.

14. Electronic Signatures

All SMART-TRIAL users have their own unique user signature, which is acquired during login. Any action made within a study is recorded in an audit log, where the signature of each user contains its unique SMART-TRIAL id, email, password, two-step verification code, and timestamp. SMART-TRIAL study creators can choose to implement additional electronic signature support for their study. This allows study managers to add an additional signature to, e.g., form entry and other critical actions within the system, by providing their signature via password authentication.

15. System Validation and Verification - ISO 14155:2020 7.8.3

As noted in [1], SMART-TRIAL's quality assurance is based on and in compliance with the PIC/S Guidance, PI-011-3 Good Practices for Computerized Systems in Regulated “GxP” Environments, and the software validation process is based on IEC 62304. SMART-TRIAL simplifies regulatory compliance for ISO 14155 (GCP), FDA 21 CFR Part 11, GDPR, and HIPAA by offering ready-to-use QA templates, system modules, and guidance documents. SMART-TRIAL is a documented software system and has been validated and verified for every publicly available release. This means that SMART-TRIAL clients do not have to perform any validation on the software. If required, customers can request a copy of SMART-TRIAL's audit reports and documentation to support this compliance.

16. Answer Notes

Users responsible for inputting data into forms (eCRFs) can input custom notes for individual answers if required to clarify missing data or misleading answers.

17. User Acceptance Test (UAT)

SMART-TRIAL clients are responsible for performing and documenting UAT of their study setup in SMART-TRIAL. This can easily be done by pressing "Test Study" in SMART-TRIAL, which enables study managers to test the study setup, just like in production, by enrolling up to 5 subjects.

18. Access to Personal Identifiable Information

SMART-TRIAL provides a special "subject attribute selection" for every study. These attributes shall be used to collect all subject identifiable information. Any study collaborator who must be able to see identifiable information collected with a subject attribute must have a specific "identifiable information" permission. Users who do not have this permission will only be able to see non-identifiable information, such as subjectID. SMART-TRIAL cannot ensure compliant access control of personal identifiable information which is collected outside of subject attributes, such as information collected within a form. Make sure that identifiable information is ONLY collected in subject attributes if you need to comply with, e.g., HIPAA.

19. Emergency Unblinding

If SMART-TRIAL is used to randomize treatments for subjects, and Study collaborators are blinded, emergency unblinding can be enabled if needed. This requires a special permission and is recorded in the audit log like everything else.

Are we missing something?

If you have any questions regarding GCP, compliance, technical documentation, validation, or SOPs, you are always welcome to contact us via support