Requirements on Privacy in Clinical Trials

Been thinking a lot recently of privacy in regard to clinical trials. As you do, I started with gathering some requirements together. Here is what I have:

Brief Standard IdentifierDescription of Industry StandardRegulation/Guidance/ Source
Subject Identification in Data SystemsThe business has SOPs to ensure that data collection instruments and databases utilize an unambiguous subject identification code that allows identification and linkage of all the data reported for each subject. Data tools and systems do not contain personally identifiable information, except the unique subject identification code to link data across the study.GCDMP – Data Privacy; ICH 5.5.5
Patient Diaries ReviewThe business has and utilizes SOPs to ensure that the Investigator site personnel review paper-based patient diaries prior to sending the diaries to Data Management to confirm that no personal identification information is present.MHRA 8.2.7
Confidentiality of Subject RecordsThe business utilizes formal procedures and practices to ensure that the confidentiality of records that could identify subjects is protected in accordance with the applicable regulatory requirement(s).ICH 2.11
Informed Consent Prior to Data CollectionThe business has a process to establish expectations with the site and confirm that informed consent is obtained from every subject prior to clinical trial participation and prior to processing clinical data. The process should provide direction for withdrawal and revocation of consents.ICH 2.9, 4.8.8, 6.5.3 21 CFR 50
Privacy and Personal Data Protection PolicyThe business has a Privacy and Personal Data Protection Policy and a Chief Privacy Officer/ Data Protection Officer to ensure compliance with EU GDPR and other country, local, and Independent Ethics Committee-required privacy, and data protection practices.US HIPAA EU 1995 Data Protection Directive 1995/45/EC EU GDPR 2016/679 Japan 2016 Act on the Protection of Personal Information- US Privacy Act
Privacy and Personal Data Protection Documented PracticesThe business has documented procedures, standards, documentation requirements, and responsibilities for defining and ensuring confidentiality, protection, and security of personal data (including but not limited to employee, client, investigator, and patient data) and applying Privacy by Design requirements into procedures that include: definitions of personally-identifying information descriptions of personal information collected the purposes for which it is collected the lawful basis (in the EU) for its collection/use the types of persons to whom it will be released the countries to which it may be transferred privacy and security safeguards the rights of individuals with respect to their personal information compliance monitoringUS HIPAA EU Data Protection Directive 1995/45/EC EU GDPR 2016/679 Japan’s Law Concerning the Protection of Personal Information – 2005; Japan Act on the Protection of Personal Information- 2016
 The business has documented procedures, standards, documentation requirements, and responsibilities for conducting Privacy Impact Assessments, including when they are implemented, or documentation regarding why they are not applicable.EU Data Protection Directive 1995/45/EC EU GDPR 2016/679
Personal Data Processing, De-identification and PseudonymizationThe business has documented procedures, standards, documentation requirements, and responsibilities for enhancing privacy and protecting personal data, both at the time of determining the means for processing data and at the time of actual processing, by adherence to the data minimization principle (i.e., ensuring that only data needed for a clinical trial are collected from clinical trial subjects’ records), encryption at rest and during transit, de-identification and pseudonymization.   Where pseudonymization is deployed, the business has appropriate technical (e.g., encryption, hashing, or tokenization) and organizational (e.g., agreements, policies, privacy by design) measures in place to separate pseudonymous data from identification keys.EU GDPR 2016/679
Personal Data Capture and Data Flow ProceduresThe business has written procedures for documenting the data flow for the organization/for individual projects. The data flow comprises what personal data the organization holds, where it came from, and with whom they share it.EU Data Protection Directive 1995/45/EC EU GDPR 2016/679
Individual Privacy Notice or ConsentEnsuring that individuals are informed of all required privacy provisions in Privacy Notice or Consent, including: their right to confirm if and how their data are processed, including the right to object to (or limit use of) processing and the right of erasure; plans for data retention; the right to receive a copy of their personal data and to have them transmitted to other organizations; and the complaint process.US HIPAA EU Data Protection Directive 1995/45/EC EU GDPR 2016/679
Support for Personal Data Subject RequestsReceiving, processing, and responding to Personal Data Subject Requests submitted by Data Subjects per their rights under GDPR, and/or assisting the Client to fulfill Client’s obligation to do so: right of access right to rectification restriction of processing erasure (“right to be forgotten”)data portability objection to the processing, or the right not to be subject to automated individual decision makingEU GDPR 2016/679 Directive 1995/45/EC
Privacy and Personal Data Breach ProceduresDetecting, reporting, and investigating personal data breaches, and communicating confirmed data breaches to impacted parties within timelines dictated by applicable regulations (72 hours for regulatory authority reporting) and agreements. Sponsor will be notified of any data breach in association with sponsor projects, including breaches at subcontracted vendors, according to pre-defined timing.EU Data Protection Directive 1995/45/EC EU GDPR 2016/679
Privacy and Personal Data Protection TrainingThe business trains all individuals who have access to personal data on the policy and practices that ensure confidentiality, protection, and security of personal data.EU Data Protection Directive 1995/45/EC EU GDPR 2016/679

Remote Inspections and Computer Systems

The US FDA recently changed the Investigations Operations Manual to allow Investigators direct access to a company’s databases during a BIMO inspection (See Section 5.10.2.1)

As the conduct of clinical and non-clinical trials increasingly moves toward 100% electronic data capture, to include electronic case report forms, medical records, patient-reported outcomes, informed consent systems and other electronic study records, it has become necessary for bioresearch monitoring investigators to have access to these electronic systems and databases in order to successfully perform inspections. Overseeing the firm’s personnel while they access their system is not always practical in BIMO inspections, as this can result in the firm having to dedicate an individual to this task.

FDA Investiations Operations Manual section 5.10.2.1

Obviously, if you haven’t, you should be updating your GCP Inspections SOP, especially since they have a few interesting requirements, such as “While you may complete a form needed by the firm in order to obtain read-only access, such as an account request form, you will not sign such form as per section 5.1.2.3. You may acknowledge via email that you have completed any required training necessary for access.”

I think for many in the GCP world this change is sort of a sleeper change. We have been used to giving access to EMA inspectors for years, who often know more about your TMF than you do by the time they walk in the door.

The real interesting thing is how this spells a shift in attitude at the agency that has been a long-time coming. And how it fits into recent trends in the increase in remote inspections.

Remote inspections are here to stay. Set aside the FDA’s current view that a remote event is not an inspection. And one of the big things that stand out about remote inspections is they do not work well to find data integrity issues, as we’ve seen from the decrease in observations that is not proportionate to the overall size of inspections. I think what we are seeing here is a recognition of that, and the first shift in mindset at the agency.

I’d expect to see the FDA change their approach on the GMP side as they continue to absorb the lessons learned from remote inspections. It is a trend that I would be paying attention to as you continue your digital journey. It is always important to think “how will an inspector view this data”. Usually, we think in terms of printouts. You should also be thinking about read-only access in the near future.

The Failure Space of Clinical Trials – Protocol Deviations and Events

Let us turn our failure space model, and level of problems, to deviations in a clinical trial. This is one of those areas that regulations and tribal practice have complicated, perhaps needlessly. It is also complicated by the different players of clinical sites, sponsor, and usually these days a number of Contract Research Organizations (CRO).

What is a Protocol Deviation?

Protocol deviation is any change, divergence, or departure from the study design or procedures defined in the approved protocol.

Protocol deviations may include unplanned instances of protocol noncompliance. For example, situations in which the clinical investigator failed to perform tests or examinations as required by the protocol or failures on the part of subjects to complete scheduled visits as required by the protocol, would be considered protocol deviations.

In the case of deviations which are planned exceptions to the protocol such deviations should be reviewed and approved by the IRB, the sponsor, and by the FDA for medical devices, prior to implementation, unless the change is necessary to eliminate apparent immediate hazards to the human subjects (21 CFR 312.66), or to protect the life or physical well-being of the subject (21 CFR 812.150(a)(4)).

The FDA, July 2020. Compliance Program Guidance Manual for Clinical Investigator Inspections (7348.811).

In assessing protocol deviations/violations, the FDA instructs field staff to determine whether changes to the protocol were: (1) documented by an amendment, dated, and maintained with the protocol; (2) reported to the sponsor (when initiated by the clinical investigator); and (3) approved by the IRB and FDA (if applicable) before implementation (except when necessary to eliminate apparent immediate hazard(s) to human subjects).

Regulation/GuidanceStates
ICH E-6 (R2) Section 4.5.1-4.5.44.5.1“trial should be conducted in compliance with the protocol agreed to by the sponsor and, if required by the regulatory authorities…”
4.5.2 The investigator should not implement any deviation from, or changes of, the protocol without agreement by the sponsor and prior review and documented approval/favorable opinion from the IRB/IEC of an amendment, except where necessary to eliminate an immediate hazard(s) to trial subjects, or when the change(s) involves only logistical or administrative aspects of the trial (e.g., change in monitor(s), change of telephone number(s)).
4.5.3 The investigator, or person designated by the investigator, should document and explain any deviation from the approved protocol.
4.5.4 The investigator may implement a deviation from, or a change in, the protocol to eliminate an immediate hazard(s) to trial subjects without prior IRB/IEC approval/favorable opinion.
ICH E3, section 9.6The sponsor should describe the quality management approach implemented in the trial and summarize important deviations from the predefined quality tolerance limits and remedial actions taken in the clinical study report
21CFR 312.53(vi) (a)investigators selected “Will conduct the study(ies) in accordance with the relevant, current protocol(s) and will only make changes in a protocol after notifying the sponsor, except when necessary to protect the safety, the rights, or welfare of subjects.”
21CFR 56.108(a)IRB shall….ensur[e] that changes in approved research….may not be initiated without IRB review and approval except where necessary to eliminate apparent immediate hazards to the human subjects.
21 CFR 56.108(b)“IRB shall….follow written procedures for ensuring prompt reporting to the IRB, appropriate institutional officials, and the Food and Drug Administration of… any unanticipated problems involving risks to human subjects or others…[or] any instance of serious or continuing noncompliance with these regulations or the requirements or determinations of the IRB.”
45 CFR 46.103(b)(5)Assurances applicable to federally supported or conducted research shall at a minimum include….written procedures for ensuring prompt reporting to the IRB….[of] any unanticipated problems involving risks to subjects or others or any serious or continuing noncompliance with this policy or the requirements or determinations of the IRB.
FDA Form-1572 (Section 9)lists the commitments the investigator is undertaking in signing the 1572 wherein the clinical investigator agrees “to conduct the study(ies) in accordance with the relevant, current protocol(s) and will only make changes in a protocol after notifying the sponsor, except when necessary to protect the safety, the rights, or welfare of subjects… [and] not to make any changes in the research without IRB approval, except where necessary to eliminate apparent immediate hazards to the human subjects.”
A few key regulations and guidances (not meant to be a comprehensive list)

How Protocol Deviations are Implemented

Many companies tend to have a failure scale built into their process, differentiating between protocol deviations and violations based on severity. Others use a minor, major, and even critical scale to denote differences in severity. The axis here for severity is the degree to which affects the subject’s rights, safety, or welfare, and/or the integrity of the resultant data (i.e., the sponsor’s ability to use the data in support of the drug).

Other companies divide into protocol deviations and violations:

  • Protocol Deviation: A protocol deviation occurs when, without significant consequences, the activities on a study diverge from the IRB-approved protocol, e.g., missing a visit window because the subject is traveling. Not as serious as a protocol violation.
  • Protocol Violation: A divergence from the protocol that materially (a) reduces the quality or completeness of the data, (b) makes the ICF inaccurate, or (c) impacts a subject’s safety, rights or welfare. Examples of protocol violations may include: inadequate or delinquent informed consent; inclusion/exclusion criteria not met; unreported SAEs; improper breaking of the blind; use of prohibited medication; incorrect or missing tests; mishandled samples; multiple visits missed or outside permissible windows; materially inadequate record-keeping; intentional deviation from protocol, GCP or regulations by study personnel; and subject repeated noncompliance with study requirements.

This is probably a place when nomenclature can serve to get in the way, rather than provide benefit. The EMA says pretty much the same in “ICH guideline E3 – questions and answers (R1).

Principles of Events in Clinical Practice

  1. Severity of the event is based on degree to which affects the subject’s rights, safety, or welfare, and/or the integrity of the resultant data
  2. Events (problems, deviations, etc) will happen at all levels of a clinical practice (Sponsor, CRO, Site, etc)
  3. Events happen beyond the Protocol. These need to be managed appropriately as well.
  4. The event needs to be categorized, evaluated and trended by the sponsor

Severity of the Event

Starting in the study planning stage, ICH E6(R2) GCP requires sponsors to identify risks to critical study processes and study data and to evaluate these risks based on likelihood, detectability and impact on subject safety and data integrity.

Sponsors then establish key quality indicators (KQIs) and quality tolerance thresholds. KQI is really just a key risk indicator and should be treated similarly.

Study events that exceed the risk threshold should trigger an evaluation to determine if action is needed. In this way, sponsors can proactively manage risk and address protocol noncompliance.

The best practice here is to have a living risk assessment for each study. Evaluate across studies to understand your overall organization risk, and look for opportunities for wide-scale mitigations. Feedup into your risk register.

Event Classification for Clinical Protocols and GCPs

Where the Event happens

Deviations in the clinical space are a great example of the management of supplier events, and at the end of the day there is little difference between a GMP supplier event management, a GLP or a GCP. The individual requirements might be different but the principles and the process are the same.

Each entity in the trial organization should have their own deviation system where they investigate deviations, performing root cause investigation and enacting CAPAs.

This is where it starts to get tricky. first of all, not all sites have the infrastructure to do this well. Second the nature of reporting, usually through the Electronic Data Capture (EDC) system, can lead to balkanization at the site. Site’s need to have strong compliance programs through compiling deviation details into a single sitewide system that allows the site to trend deviations across studies in addition to following sponsor reporting requirements.

Unfortunately too many site’s rely on the sponsor’s program. Sponsors need to be evaluating the strength of this program during site selection and through auditing.

Events Happen

Consistent Event Reporting is Critical

Deviations should be to all process, procedure and plans, and just not the protocol.

Categorizing deviations is usually a pain point and an area where more consistency needs to be driven. I recommend first having a good standard set of categorizations. The industry would benefit from adopting a standard, and I think Norman Goldfarb’s proposal is still the best.

Once you have categories, and understand to your KQIs and other aspects you need to make sure they are consistently done. The key mechanisms of this are:

  1. Training
  2. Monitoring (in all its funny permutations)
  3. Periodic evaluations and Trending

Deviations should be trended, at a minimum, in several ways:

  1. Per site per study
  2. Per site all activities
  3. All sites per study
  4. All sites all activities

And remember, trending doesn’t count of you do not analyze the problem and take appropriate CAPAs.

This will allow trends to be identified and appropriate corrective and preventive actions identified to systematically improve.

FDA 2021 483s – Bioresearch Monitoring

The FDA has released the 2021 483 data. With my mind being mostly preoccupied with bioresearch monitoring inspection preparation, let’s look at that data, focusing on the top 10.

CFR Reference in 2021# 483s 2021#  483s 2020# 483s 2019
21 CFR 312.609058127
FD-1572, protocol compliance8454119
Informed consent648
21 CFR 312.62(b)483060
Case history records- inadequate or inadequate483060
21 CFR 312.62(a)131117
Accountability records121116
Unused drug disposition (investigator)1#N/A1
21 CFR 50.27(a)937
Consent form not approved/signed/dated726
Copy of consent form not provided211
21 CFR 312.64(b)967
Safety reports967
21 CFR 312.668719
Initial and continuing review626
Unanticipated problems246
21 CFR 312.20(a)513
Failure to submit an IND513
21 CFR 58.130(a)423
Conduct: in accordance with protocol423
21 CFR 312.503716
General responsibilities of sponsors3414
21 CFR 50.20358
Consent not obtained, exceptions do not apply314
Comparison of 2021 Top 10 BIMO 483 categories with 2020 and 2019 data

Based on comparison of number of inspections per year, I am not sure we can really say there was much COVID impact in the data. COVID may have influenced observations, but all it really seemed to do is excaerbate already existing problems,

Key lesson in the data? The GCPs are struggling at accountability of documentation and decision making.

MHRA on Passing the Baton from GPvP to GMP

I love the MHRA Inspectorate blog. They don’t write often, but when they do, good stuff. Here are some of my thoughts on the post on moving patient safety data from determination as part of the pharmacovigilance efforts to labeling to distribution.

Starting in the Good Pharmacovigilance Practice (GPvP) realm, triggers for updates may be identified by pharmacovigilance staff and the corresponding variations submitted by regulatory affairs staff, who will also receive notification of variation approval. At this stage Good Manufacturing Practice (GMP) processes come into play with arrangements for printing the updated leaflets and incorporating these into the supply chain.

MHRA Inspectporate Blog “Passing the baton from GPvP to GMP: Three top tips for protecting patients and staying compliant ” 17 Dec 2019

Unless otherwise stated, updates to patient information leaflets should be introduced within 3 to 6 months of approval” – this is the critical point stressed in this post. The recommendations given in the blog post are solid.

Blog RecommendationThoughts
Check that the end to end process facilitates the timely implementation of updates and that there is seamless transition from written procedures covering GPvP, regulatory affairs and GMP processes. Labeling is often a separate change control process. Integration and simplification in change management is critical and companies should look seriously at balkanization of systems.
Define what is meant by ‘implementation’ of an updated leaflet and make sure this is in advance of regulatory deadlines to prevent the need for batches being re-worked should there be any unexpected delays Effective dates on changes need to take into account deadlines.

Appropriate linkages to ERP and supply chain systems.
Ensure the QP has access to up to date information on the correct leaflet version that should be used at batch certification. Communication, and the use of integrated change management

I also read this morning Teresa Gorecki’s post “Dedicated, Integrated Quality Assurance Systems Critical to Successful Clinical Trials.” All of her points are highly relevant here.