The new article highlights special considerations for IT service providers, as well as the ones related to the use of digital health technologies.

FDA Guidance

The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document dedicated to electronic systems, electronic records, and electronic signatures in clinical investigations. The document provides an overview of the applicable regulatory requirements, as well as additional clarifications and recommendations to be taken into consideration by medical device manufacturers, sponsors responsible for clinical investigations, and other parties involved. 

At the same time, provisions of the guidance are non-binding in their legal nature, nor are they intended to introduce new rules or impose new obligations. Moreover, the authority explicitly states that an alternative approach could be applied, provided such an approach complies with the relevant regulatory requirements and has been agreed with the authority in advance. 

The present FDA guidance addresses the aspects related to the use of Information Technology (IT) service providers and Digital Health Technologies (DHTs) in clinical investigations. It discusses the responsibilities of regulated entities in managing IT services, the FDA expectations for agreements with service providers, and considerations when using DHTs to collect and transmit clinical data. 

These guidelines ensure that electronic records, whether managed internally or outsourced, meet FDA regulatory standards under Part 11, protecting the authenticity, integrity, and confidentiality of clinical data. First of all, it is stated that the FDA does not perform preliminary evaluations of electronic systems (e.g., electronic data capture (EDC) systems or clinical trial management systems) to determine their compliance with Part 11. 

Instead, these systems are assessed during FDA inspections, leaving it up to sponsors and regulated entities to ensure compliance through internal oversight and validation processes.

IT Service Providers in Clinical Investigations

According to the guidance, when outsourcing IT services for a clinical investigation, such as data hosting, cloud computing, or infrastructure services, regulated entities remain responsible for ensuring that electronic records meet Part 11 requirements. When evaluating IT service providers, entities should consider several key factors, including the provider’s ability to maintain data authenticity, integrity, and confidentiality.

Key considerations include:

  • Oversight Capabilities: The provider must allow the sponsor to oversee clinical investigation activities.
  • Validation: The provider should have processes in place for validating the specific IT services used in the investigation.
  • Data Retention and Access: The provider must ensure accurate and complete record generation, along with access to data throughout the retention period.
  • Backup and Contingency Plans: Providers should have robust backup, recovery, and data migration procedures.
  • Access Controls: These should be in place to manage user access securely, with SOPs for granting and revoking access.
  • Audit Trails: The provider must generate secure, time-stamped audit trails for tracking user actions and data changes.
  • Security Measures: The provider should secure data both at rest and in transit, employing encryption and other safeguards as appropriate.
  • Electronic Signatures: Providers should have controls in place for managing electronic signatures where necessary.
  • Provider Experience: Providers should have relevant experience in managing IT services in the context of clinical investigations.
FDA on clinical trials with decentralized elements (overview)

Recommendations for Agreements with IT Service Providers

As further explained by the authority, regulated entities should have formal agreements (e.g., service level agreements or quality agreements) with IT service providers, outlining how IT services will meet the regulated entity’s requirements. 

These agreements should specify the scope of work, roles and responsibilities, and quality management expectations. Key elements include:

  • Scope and Services: Clearly define the IT services provided.
  • Roles and Responsibilities: Specify which responsibilities are retained by the sponsor and which are transferred to the provider, particularly regarding quality management and regulatory obligations.
  • Data Access: Ensure that the sponsor has access to data throughout the required retention period.

During FDA inspections, regulated entities must provide:

  • Agreements: Documentation of agreements that outline expectations of the IT service provider.
  • Quality Management Documentation: Records showing oversight of IT services, including quality management activities conducted throughout the clinical trial.

The FDA may inspect IT service providers who have assumed regulatory responsibilities or if there are concerns about the integrity of trial data. Sponsors must have access to all study-related records maintained by the IT service provider, as these records may be reviewed during an FDA inspection.

    Digital Health Technologies (DHTs) in Clinical Investigations

    DHTs, such as wearable sensors, mobile applications, and environmental sensors, are increasingly used to remotely collect data in clinical investigations. These technologies allow for the real-time acquisition of clinical data, improving the efficiency of data collection. 

    However, regulated entities must ensure that DHTs meet Part 11 requirements, particularly in terms of data authenticity and security.

    Key considerations when using DHTs include:

    • Verification and Validation: Ensure the DHT is fit for purpose and has been appropriately validated for use in the clinical trial.
    • Training: Train participants and trial personnel on using the DHT according to the protocol.
    • Data Collection and Security: Address how data will be recorded and transmitted securely to a durable electronic data repository.

    Identifying the Data Originator in DHTs

    Each data element recorded by a DHT should be associated with an authorized data originator. The data originator could be a participant, clinical trial personnel, or the DHT itself (if the data is automatically transmitted without human intervention). 

    The sponsor must maintain a list of authorized data originators, and this list should be available for FDA inspection. In cases where participants manually enter data into a DHT, such as using an electronic patient-reported outcome (ePRO) system, the participant is identified as the data originator. 

    If another person enters data on the participant’s behalf, that individual should be identified, and the reason for this should be documented. Sponsors must ensure that data recorded by DHTs is correctly attributed to the data originator. 

    This may involve the use of access controls (e.g., personal identification numbers, biometrics) and participant education. Access controls must prevent unauthorized changes to data, and participants should be trained on the correct use of DHTs.

    Data collected by a DHT, along with associated metadata, should be transferred to a durable electronic data repository through a validated process. Data transmission should occur as soon as possible after data is recorded, and the audit trail must include the date and time of data transfer.

    Conclusion

    In summary, the relevant section of the FDA guidance emphasizes the importance of selecting, validating, and managing IT service providers and DHTs used in clinical investigations. Regulated entities must establish formal agreements with IT service providers and ensure that all services meet regulatory requirements for data integrity and security. When using DHTs, sponsors must ensure proper data attribution, secure data transmission, and participant training to ensure compliance with Part 11 and maintain the quality and integrity of clinical data.

    How Can RegDesk Help?

    RegDesk is an AI-powered Regulatory Information Management System that provides medical device companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Global expansion has never been this simple.

    RegDesk is recognized as a Regulatory Intelligence Representative Vendor! Learn more by reading the 2024 Gartner® Market Guide for Regulatory Intelligence Solutions.

    Get the report