by Jim Gearhart

For Electronic Informed Consent, “Just Following the Rules” May Not Be Straightforward

In December, the Office of Human Research Protections (OHRP) and the Food and Drug Administration (FDA) released joint guidance about the use of electronic informed consent (eIC) in research. The core themes of the new guidance are pretty straightforward: follow the rules as they exist now; do not assume eIC software covers all consenting responsibilities; and participants still must feel comfortable with how consent materials are presented (raising issues of translation, choices of technology, and the availability of hard copies).

This may sound straightforward, but if we take a closer look at that first point—that the current rules apply—meeting security, privacy, and system requirements becomes tricky fast. And by conducting surveys at three industry trade shows last year, we learned that these tricky areas are also of central importance to those who are considering eIC solutions.

When we asked 246 respondents what they saw as primary obstacles to transitioning from paper to electronic informed consent forms, their top concerns were:

  • HIPAA, privacy, and security; and
  • Compliance

Fortunately, OHRP and the FDA do address these concerns in this final joint guidance. The two agencies reviewed what system and security rules apply when, and when one set of rules outranks another. OHRP (that is, the Common Rule) regulations may apply in some cases, FDA rules in others, and HIPAA requirements in still others.

In this realm of security, privacy, and system requirements, the separate strings of OHRP, FDA, and HIPAA regulations can tangle quickly. Let’s see if we can straighten any of them out.


How the Regulations Hurdle Electronic Obstacles

OHRP (The Common Rule): Most federally funded research falls under the Common Rule, which has the least specific guidelines around eIC. As for electronic signatures (and related identity verification methods), OHRP allows them as long as they comply with local rules (according to, say, state laws) and an IRB agrees with how and why the electronic signatures will be used.

FDA: The eIC guidance reiterates that software tools in FDA-regulated research must meet the requirements of 21 CFR 11 (commonly known as Part 11). This actually leaves open a broad range of options for something like electronic signatures—Part 11 makes no specific endorsements, but the FDA has a guidance document for that, too.

HIPAA: Once a HIPAA-covered entity or business associate is involved, the software requirements to gather or store personal health information (PHI) fall under another set of guidelines: the Electronic Signatures in Global and National Commerce Act. And the HIPAA rules speak to more than electronic signatures—they also bring in the requirements of notifications about breaches in privacy and security.

Conceivably, for any particular research study all, one, or even none of these guidelines could apply. “All” could be an industry-sponsored drug study at a HIPAA-covered academic medical center which “checked the box” to say the Common Rule would apply to all of its research. “None,” by comparison, could be a self-funded study of surgery techniques at a private clinic.

Could one eIC product work for any and all situations? Anything that supports informed consent must protect study participants and satisfy the relevant requirements, but unnecessarily high standards could complicate an otherwise straightforward project.


Who Decides What’s Right?

A corollary to the question, “What’s required for compliance?” is “Who determines compliance?”

As mentioned above, OHRP places the onus for approving electronic signatures on the IRB with jurisdiction over the research; in its new eIC guidance, the FDA chimes in to agree that the IRB should “ensure there is an adequate informed consent process.”

The implication—that the IRB has some responsibility to approve software configurations—may not be universally understood. Not every IRB has an IT-savvy member or consultant.

Fortunately, the eIC guidance does offer some relief. The policy statement says reviewers and researchers may rely on a statement from the eIC vendor that a product meets requirements. Considering the complexities of technology, and the sometimes less-than-specific requirements of the regulations, however, not all organizations may accept a vendor’s statement at face value.


What is the Safest Course?

What does this all add up to? What solutions or suggestions does the FDA/OHRP guidance present for the specification of an eIC product? Some specific expectations come to mind, ones we have followed in our reviews of eIC products:

  • Look to the most rigorous system requirements that may apply to a situation. For us, this typically means expecting a product to comply with Part 11, HIPAA, and HITECH.
  • For IRBs, establish clear review guidelines for eIC and, if feasible, recruit an IRB member or consultant with relevant IT expertise.
  • Require that a prospective eIC vendor verify in writing that its product meets all necessary requirements; ideally, the verification would come from a reliable third party rather than self-reporting.

The often-expressed concerns about security, privacy, and systems compliance in an eIC system are understandable. This latest joint guidance from OHRP and the FDA shows routes to alleviating them.
