FDA Draft Guidance: Use of EHR data

On May 17, 2016, FDA published a draft guidance on “Use of Electronic Health Record Data in Clinical Investigations.” This short (9 page) guidance provides recommendations on:

  • Deciding whether and how to use EHRs as a source of data in clinical investigations
  • Ensuring the quality and the integrity of EHR data that are collected and used as electronic source data in clinical investigations
  • Ensuring that the use of EHR data collected and used as electronic source data in clinical  investigations meets FDA’s inspection, recordkeeping, and record retention requirements

The recommendations outlined in the guidance apply to the use of EHR data in prospective clinical investigations of human drugs and biological products, medical devices, and combination products. This includes foreign clinical studies not conducted under an IND or IDE if data from the studies will be submitted to the FDA.

Among the best practices in the guidance:

  • FDA considers the fundamental elements of data quality to be ALCOA. When EHRs are used as a source of data in clinical investigations, sponsors should ensure that the EHRs they use and the processes and policies for their use provide electronic source data that are attributable, legible, contemporaneous, original, and accurate (ALCOA).
  • In general, the EHR is identified as the originator of the data elements that are obtained for a clinical investigation in the course of routine clinical care.  If data elements are obtained solely for research and entered directly into an EHR by study personnel (e.g., by using a dedicated research module within the EHR) then the person entering the study specific data is the originator.
  • FDA will assess compliance with 21 CFR Part 11 on data derived from the EHR at the point where the data enters the sponsor’s electronic system supporting the investigation.  The originator of the data elements (i.e., the EHR or study personnel entering or modifying the clinical study data) should be identified along with an electronic date and time stamp in the sponsor’s electronic system. The sponsor should ensure that the appropriate authority controls are in place to limit system access for entering and modifying data to the research component of the EHR to study personnel only.
  • FDA urges the use of EHRs that are interoperable with electronic systems supporting clinical investigations. Interoperability means the ability of two or more systems to exchange information and to use the information that has been exchanged. Challenges to interoperability are being addressed by the adoption of data standards as well as through standardization requirements as part of the ONC Health Information Technology (Health IT) Certification Program. Use of such certified EHR technology is encouraged and, if used, gives FDA confidence during inspections that the EHR data is reliable and that the technical and software components of privacy and security protection requirements have been met.
  • Non-certified systems must have adequate controls in place to ensure that the confidentiality, integrity, and reliability of data are preserved. To ensure the confidentiality, integrity, and reliability of data, sponsors should consider whether the system has the following internal security safeguards:
    1. Access to electronic systems is limited to authorized users
    2. Authors of records are identifiable
    3. Audit trails are available to track changes to data
    4. Records are available and retained for FDA inspection for as long as the records are required by applicable regulations
  • Sponsors should include (e.g., in the protocol or the data management plan) information about the intended use of the EHR during a clinical investigation and a description or diagram of the electronic data flow between the EHR and the sponsor’s electronic system supporting the clinical investigation. This should include a description of how the relevant EHR data are extracted and subsequently imported into the sponsor’s electronic system. Sponsors should check the extracted data for consistency and completeness with the source data obtained from the EHR, and make corrections when errors are found to properly align the source data with the extracted data.
  • In addition to the usual information provided in an informed consent (e.g., who will access the information, the security measures taken to protect confidentiality) when EHRs are being used,  sponsors should consider whether there are any reasonably foreseeable risks with the use of EHRs, such as those involving an increased risk of data breaches, that must be described to the subject in the informed consent.

When the EHR is identified as the source, all relevant data within the EHR pertaining to the clinical investigation must be made available to FDA for review upon request. During an inspection, FDA may also request other paper or electronic records to support data in the eCRF (e.g., case histories, other data pertaining to the clinical investigation).