Greenlight Guru Clinical
GCP, FDA 21 CFR Part 11, and HIPAA Compliance Facilitation Statement

Version 8 - published on September 19, 2023

Purpose

Greenlight Guru Clinical is designed to be used for data collection and data management in clinical operations. To ensure that Good Clinical Practice (such as ISO 14155:2020 and ICH GCP), FDA 21 CFR Part 11, and HIPAA, can be complied within Greenlight Guru Clinical, efforts have been implemented. This statement clarifies the specific measures which have been implemented in Greenlight Guru Clinical.

Application

This document is applicable to those responsible for GCP, regulatory affairs, or QA for organizations that have either implemented, or are to implement Greenlight Guru Clinical as a clinical data collection tool. The information provided here within are intended only to assist organizations in using Greenlight Guru Clinical correctly to comply with GCP (including ISO 14155:2020), FDA 21 CFR Part 11, and HIPAA. This information alone cannot be used to prove that any of these standards were fulfilled, as this requires internal management control.

References

1. Greenlight Guru Clinical Security & Service Level Statement

Statement

1. Standard Operating Procedures

All customers of Greenlight Guru Clinical can access a standard operating procedure (SOP) template which can assist study stakeholders in using Greenlight Guru Clinical correctly, to fulfil the requirements set forward in e.g. ISO 14155:2020

2. Security and Backup Notice

It shall be noted that all aspects of security, quality control, hosting services, and backup procedures have already been described in the Security & Service Level Statement which is publicly available from [1].

3. Audit Log/Trail

An Audit Log (or audit trail) is recorded and stored for every action within a specific study in Greenlight Guru Clinical, i.e. viewing, creating, updating, or deleting elements. Study owners, and those with the "Audit Log" permission, are able to view the Study Audit Log within Greenlight Guru Clinical under the "Audit Log" menu. Within the Audit Log view, a user can review specific actions and data changes made on form answers, subjects and more.

A complete study audit log can be very large. Thus, for now, it is not possible to export the Study audit log directly from within the Greenlight Guru Clinical user interface. Please contact clinical.support@greenlight.guru to request a copy of your Study Audit Log.

4. Reason for Change and Reason for Exclusion

When a change is made to a form answer, a reason for change must be clarified by the editor. When a patient is excluded or discontinued, a reason must be defined by a user.

5. Monitoring Review and Lock

Greenlight Guru Clinical has a special read-only module which can be used by monitors to review data in a simple yet structured manner. Monitors can gain access to both data collected by subjects and investigators, while also being able to review AE/SAE/SAR forms, audit logs, etc. Users with a specific Monitor role can also lock individual answers where any data entry or changes will not be possible, unless unlocked.

6. Query Feature

Users with specific query permissions, can create queries on individual form answers. This allows users to correct values/answers according to query comments etc. Notifications to queries are sent to users who are responsible for completing the query.

7. Direct Validation of Data

All input fields have dynamic input validation. Forms have both pre-defined input validation as well as user-specific validation. This means that subjects or users who are to fill out forms, are not able to complete input without complying to the form specific input rules. This ensures that answers to forms are not only within the correct range, but guides participants in answering the forms as well.

8. Two-Step Authentication

All users which might or might not have access to subject information, answers, or study design, can only log into Greenlight Guru Clinical using two step authentication. The system requires all users to authenticate with a strong password, a unique username, and unique one-time code sent to their mobile number. See more information about authentication and authorization in [1].

9. Subject Authentication

Greenlight Guru Clinical supports individual subject authentication. The system ensures that all subjects receive unique links to the subject’s private e-mail address or mobile number, for an individual subject form response. In addition, the system also supports unique SMS code authentication for subjects for every unique response link – if requested, subjects will receive a unique code via SMS or e-mail which is required to complete their form response. This should ensure that all users authenticated within the system are indeed the owner of the user profile being used.

10. Permission Based Access

All access within a study is permission based. A study owner is responsible for defining which permissions all collaborating users have within a study. For every collaborator added to the study, a set of permissions must be enabled/disabled. This should allow study owners to specify in detail what information/actions each study collaborator will have access to.

11. Adverse Event and Serious Adverse Event Reporting

Greenlight Guru Clinical provides a structured way to record adverse event and serious adverse events. A collaborator will automatically receive a notification if a serious adverse event is registered. All users can submit an adverse event report. However, specific investigator permissions are required to fill out information requiring clinical evaluation, medical history, medication etc. A specific sponsor permission is required to record Sponsor specific information to e.g. a Serious Adverse Event.

12. Automatic Subject Reminders

To improve compliance, automatic e-mail and SMS reminders can be specified for all data events. Greenlight Guru Clinical will then handle sending out reminders to all subjects at specific time points defined by the process design.

13. Access to Raw Data

Study owners, or collaborators with sufficient permission, always have access to a full raw dataset from a study. This means that at any time all form and subject data can be exported from the system. Export of a complete raw data set requires all users to input unique two factor SMS code before gaining access to the function.

14. Electronic Signatures

All Greenlight Guru Clinical users have their own unique user signature, which is acquired during login. Any action made within a study is recorded in an audit log, where the signature of each user contains its unique Greenlight Guru Clinical id, email, password, two-step verification code, and timestamp. Greenlight Guru Clinical study creators can choose to implement an additional electronic signature support for their study. This allows study managers to add an additional signature to e.g. form entry and other critical actions within the system, by providing their signature via password authentication.

15. System Validation and Verification (including GxP and ISO 14155:2020 7.8.3 requirements)

As noted in [1] Greenlight Guru’s quality assurance is based on and in compliance with the PIC/S Guidance, PI-011-3 Good Practices for Computerized Systems in Regulated “GxP” Environments, and the software verification and validation process is based on IEC 62304. Greenlight Guru Clinical simplifies regulatory compliance for ISO 14155:2020, ICH GCP, FDA 21 CFR Part 11, GDPR, and HIPAA by offering ready-to-use QA templates, system modules, and guidance documents. Greenlight Guru Clinical is a documented software system and has been validated and verified for every publicly available release. This means that Greenlight Guru Clinical customers do not have to perform verification and validation on the software platform, but only the individual study setups (see section 17). If required, customers can request a copy of Greenlight Guru’s internal audit reports and documentation to support this compliance statement.

16. Answer Notes

Users responsible for inputting data into forms (eCRFs) can input custom notes for individual answers if required to clarify missing data or misleading answers.

17. User Acceptance Test (UAT) and Validation of Study Setup

Greenlight Guru Clinical customers are responsible for performing and documenting UAT and validation of their study setup in Greenlight Guru Clinical. This can easily be done by testing the study setup by pressing "Test Study" in Greenlight Guru Clinical. This enables study managers to test and validate the study setup, just like in production. Documentation of the process can be completed by using the Greenlight Guru Clinical UAT/Validation record template provided. to customers during Greenlight Guru Clinical Onboarding.

18. Access to Personal Identifiable Information

Greenlight Guru Clinical provides a special "subject attribute selection" for every study. These attributes shall be used to collect all subject identifiable information. Any study collaborator who must be able to see identifiable information that's collected with a subject attribute will have to have a specific "identifiable information" permission. Those users who do not have this permission, will only be able to see non-identifiable information, such as subjectID. Greenlight Guru Clinical cannot ensure compliant access control of personal identifiable information which is collected outside of subject attributes, such as those collected within a form. Make sure to ensure that identifiable information is ONLY collected in subject attributes, if you e.g. need to comply with HIPAA.

19. Emergency Unblinding

If Greenlight Guru Clinical is used to randomize treatments for subjects, and Study collaborators are blinded, there's a possibility to enable emergency unblinding if needed. This requires a special permission and is recorded in the audit log like everything else.

Are we missing something?

If you have any questions regarding GCP, compliance, technical documentation, validation, or SOPs, you are always welcome to contact us via support