Guidance: Obtaining Electronic Medical Records Access for Sponsor-CRO Monitor

Purpose

This guidance document was developed to assist research teams in obtaining temporary access to EMR systems for the purposes of monitoring or auditing by external research sponsor monitors, auditors or regulatory authorities (e.g. FDA).

Background

Under FDA regulations for clinical research and Good Clinical Practice (GCP) E6, external sponsors and federal regulatory agencies are required to monitor and audit the conduct of clinical research. The purpose of this activity is to oversee the progress of a clinical trial; to ensure the rights, safety and welfare of research participants are adequately protected; and to ensure that the research is conducted, recorded, and reported in accordance with the protocol, GCP, and the applicable regulatory requirement(s). These activities are usually described in contracts and agreements executed with research sponsors.

In order to perform these functions, monitors and auditors require direct access to source documents, which can be contained in both traditional paper and electronic sources, such as EMRs. Electronic access is recommended.

Direct access is permission to examine, analyze, verify, and reproduce any records and reports that are important to evaluation of a clinical trial. Any party with direct access should take all reasonable precautions within the constraints of the applicable regulatory requirement(s) to maintain the confidentiality of subjects' identities and sponsor’s proprietary information.

Access to Ochsner’s electronic medical record (EPIC) is view only. To view a subject’s record, there are 4 required data variables:

·  First name
·  Last name
·  MRN
·  Date of Birth

No remote access will be granted. An Ochsner computer must be utilized. Work space and an Ochsner computer will be made available within the department or upon request within the Research Administration office.

Data Governance (DG) will track the Monitor’s access of subject records. Any unauthorized access of a subject’s legal health record will result in immediate termination of all Ochsner privileges.

All forms require original signatures. Electronic signatures are not acceptable.

Steps
Request is received from the CRC
All forms must be submitted directly to Connie Catha or Carol Marques. Do not send the forms directly to Data Governance or the research legal office.
Documents required to obtain access to the electronic medical record (EPIC):
·  Confidentiality and OMIS Access Agreement **
·  Exhibit A & B – Permitted User Confidentiality and OMIS Access Agreement
·  External Data Access Request Form
Instructions on completing the above documents:
**Confidentiality and OMIS Access Agreement
·  The Confidentiality and OMIS Access Agreement does not need to be submitted for studies active after February 10, 2017 (IRB approved and signed CTA). The research legal office will obtain the signature of the appropriate Sponsor representative at the same time as the execution of the final CTA.
·  For currently approved/active studies (actively enrolling prior to 2/10/2017): Complete the name of the Sponsor only. The research legal office will work with the Sponsor to obtain the required signatures.

Exhibit A
This form is used when there is a group of study staff coming to the site. If there is not a group of staff coming, you can leave this blank.

Exhibit B – Permitted User Confidentiality and OMIS Access Agreement
Page 1: The Monitor’s name should be noted here.
Page 3: The Monitor and the PI should sign this form. The PI should sign on the line ‘Approval Signature of External Entity’.

External Data Access Request Form
This sheet can be completed by the CRC.
It should also be completed for each ongoing monitoring visit.
Request is sent to Data Governance
QA will review the documents for completeness and forward them to Data Governance for processing of the request.
For currently approved/active studies (actively enrolling prior to 2/10/2017), the completed forms must be sent within 6 weeks of a Sponsor/Monitor visit.
For studies active after February 10, 2017 (IRB approved and signed CTA), the completed forms must be sent within 2 weeks of a Sponsor/Monitor visit.
Access complete
Once the process is completed by Data Governance, the Monitor’s credentials (user name and temporary password) are sent to QA.
QA will send the credentials to the Monitor via email the morning of their visit. Once the visit is completed, Data Governance will disable access.
The email will include brief instructions:
·  To access the EpicCare Link - https://ohslink.ochsner.org/vpn/index.html
·  To change the password and enroll - use this link mypassword.ochsner.org
·  Password Requirements:
   ·  Passwords must meet the criteria for ‘strong passwords’ (e.g., Victory1)
      ·  Minimum of 7 characters
      ·  Must contain both numeric and alphabetic characters
      ·  Cannot be equal to or a derivative of your User ID or contain the words ‘password’ or ‘Ochsner’
   ·  The new password will expire every 90 days
·  The system only allows 3 tries to access EpicCare before it locks out the user

February 2017