Tuesday, April 21, 2015

Remote SDV/SDR: Alternatives to Redact/Fax

By Laurie Meehan

As part of their risk-based monitoring strategy, many sponsors and CROs are using remote techniques to conduct source data review and verification (SDR and SDV).  The best implementations out there actually streamline activities at both ends, both for sponsors/CROs and for study sites.  This happy outcome relies on the right combination of enabling technology, privacy/security policies, and source documentation procedures.  At its most elegant, monitors can coordinate with the sites to receive (i) remote, (ii) temporary, and (iii) restricted access to their EMRs.  All quality review of source documentation can be conducted off-site.  Questions and queries about the source data can be also resolved remotely, sometimes by phone and sometimes using online meeting software like WebEx.  With SDV/R complete, on-site monitors can focus on assessing other, more “presence-demanding” study elements, such as drug accountability and PI oversight.

The dropped shoeUnfortunately – [can’t you just hear that other shoe dropping?] – some remote SDV/R techniques are a pretty long drive from elegant.  At its most inefficient, remote monitoring might require site staff to print out and manually redact stacks of source documents, and then either fax or email scanned copies of the documents to a remote location.  The study coordinators we talk to who work on trials like this are understandably frustrated by such labor-intensive and error-prone procedures.   They rarely have the study budget or the personnel to meet these demands, and they’re not the ones realizing cost savings associated with reduced monitoring travel; the sponsors and CROs are.  And face it, from a purely professional satisfaction perspective, this ain’t exactly the glamour detail.

Admittedly, it’s more than a little challenging to devise an efficient remote data monitoring scheme for paper-based sites, but many research institutions use electronic medical records now.  And thanks to the incentives and penalties under Meaningful Use, that number is growing.  Yet many sites with EMRs are the very sites stuck printing, redacting, scanning, and emailing a lot of documents around.
Why Aren’t We Using EMRs More Often for Remote Data Monitoring?

First, not all EMRs are able to sufficiently limit access; monitors would be able to view the records of patients who are not enrolled in their studies.  This is a legitimate concern for sites – they’re Covered Entities under HIPAA -- but it’s not necessarily a nonstarter.  For some sites (and their IRBs), it’s enough that monitors sign a formal agreement indicating they will look only at the appropriate source records. Other sites may choose to rely on their EMRs’ audit trails to alert them to unauthorized monitor access, even though any alert would come after the fact.  (Note: sites that do consider this “trust but verify” position to be integral to their security/privacy measures should make sure they do, indeed, review the audit trail.)

Secondly, even if the EMR offers perfectly restricted remote access, EMR data is unredacted.  Many Covered Entities are unwilling to let unredacted Protected Health Information go off-site, even if the study subjects have signed a HIPAA authorization allowing it.  In addition, many global sponsors are unwilling to accept unredacted medical records, so direct EMR access would violate their policy.

So, if for any of the above reasons (and I’m sure there are others), a site does not allow remote monitoring via EMR, are there alternatives to the print/redact/fax/lather/rinse/repeat cycle?

An EMR Alternative for Remote Source Monitoring

Lyn Goldsmith, Director of Clinical Trials for the Department of Surgery at Columbia University Medical Center, and her team have developed a completely paperless system* for her department to facilitate remote monitoring without granting EMR access.  It’s both efficient and compliant with institutional  and regulatory privacy requirements.

remote reviewWhen Ms. Goldsmith and her team “print” study records for remote review, they print them to PDF using Adobe Pro.  The study team develops a source document sign-off sheet that ensures they supply every document the monitor requires.  The sign-off sheet is reviewed by the monitor at the first monitoring visit to ensure s/he is provided all of the required source.  Some records are standard, like doctors’ notes, lab reports, and medications.  Others, such as physical therapy records, must be requested on a per study basis, but if a monitor requests it, s/he can have it.

Why not just print everything?  Because the inpatient cardiac device and transplant procedures performed at the study site produce medical records that are thousands of pages long.  But guess what – in their electronic form, they’re searchable.

Q: What About Collation, Certification, and Redaction?
A:  Adobe Pro, Adobe Pro, and Adobe Pro.

The study team saves the documents to a secure, backed-up shared server.  They use Adobe Pro to collect individual PDFs to create a comprehensive subject eChart, then sign and certify that each record in the eChart is an exact copy of the original source.  Once certified in Adobe Pro, the record cannot be altered.

CUMC requires that any PHI that is monitored remotely be encrypted and redacted, and Adobe Pro offers both military-grade encryption and a powerful redaction mechanism.  The software can be set to search for and redact specific words or numbers, like street address, or birth date, in a variety of formats.  It can be set up to look for key words that are likely to indicate identifiable data, such as “sister” or “proxy”, and can even search for patterns, like the XXX-XXXX pattern of a phone number.  Scanned documents are particularly challenging to redact.  They require an Optical Character Reader (OCR) and often further manual redaction after the automated tool is finished.  (Still better than doing it all by hand, right?).

Keys to Success

Ms. Goldsmith identifies a few conditions that have been critical for successful implementation of their system:
  • Buy-in of stakeholders, especially from internal privacy offices for encryption and redaction policies
  • SOPs that clearly detail the processes the team must follow
  • Diligent review and update of procedures to incorporate new redaction requirements, respond to Adobe software updates, and accommodate other IT changes

Using their specific blend of technology, policies, and procedures, the study team at CUMC has developed a paperless system for remote data review that saves them time, money, and trees, and leaves them with a blissfully uncluttered study environment.

*Though outside the scope of remote source document review, Ms. Goldsmith’s department also stores regulatory binders and all study correspondence electronically, and makes these available for remote review, as well.


  1. What software might be needed by monitors and/or auditors to access these documents? Will standard Adobe be sufficient? Will encryption keys be needed?

    1. Thanks for your questions.

      (1) Monitors and auditors are given controlled access to the secure shared server where they can view the PDFs. (2) I don't think standard Adobe has all the facilities that Lyn Goldsmith's team uses. It may fall short in the redaction/encryption function. Also, the team uses Adobe Pro to save Outlook email messages in electronic PDF form as part of their paperless document system. I think that feature is unique to Adobe Pro. (I didn't talk about that in the blog since I was focusing on source review only.) (3) Yes, encryption keys are supplied to the reviewers.