Hogan Lovells 2024 Election Impact and Congressional Outlook Report
15 November 2024
The U.S. Food and Drug Administration (FDA) finalized its revised guidance summarizing how it intends regulate the use of electronic systems, records, and signatures in clinical investigations to account for advances in digital health technologies (DHTs). The guidance applies to clinical trial sponsors, investigators, Institutional Review Boards (IRBs), and Contract Research Organizations (CROs), and it provides advice on implementing data integrity and security controls, including the protection of electronic records. Below we outline the critical differences between the draft and final versions of the guidance, observing how FDA seems to have taken a more flexible approach in the final. In addition, we note that the scope of the guidance has been widened to apply to electronic systems “deployed by” sponsors or other regulated entities, compared to the draft’s applicability to those “owned or controlled by” regulated entities.
Last week, FDA issued the final version of its 2023 revised draft guidance, “Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers,” which had updated June 2017 guidance of the same name, in order to keep pace with the evolving use of electronic systems in clinical investigations. We summarized the March 2023 draft guidance online here.
As in the draft version of the guidance, the final guidance highlights the importance of compliance with Good Clinical Practice (GCP) standards; warns that electronic records that incorporate Real-World Data (RWD) sources are subject to the part 11 regulations of Title 21 of the Code of Federal Regulations (21 CFR part 11); prioritizes oversight of Digital Health Technology (DHT) and remote data acquisition; and emphasizes the need to carefully document “audit trails,” including metadata. Clinical study sponsors should recognize that FDA will likely place applicable electronic systems used in clinical research under greater scrutiny during future GCP inspections, especially considering FDA’s recently-enhanced bioresearch monitoring inspection authority, which we noted last month in our discussion of the agency’s newest batch of clinical trials guidance documents online here.
Although the draft and final versions of the guidance are very similar, we have outlined below the key distinctions between the two documents. Clinical trial sponsors, investigators, IRBs, CROs as well clinical trial vendors (e.g., biostatisticians, cloud data management systems) should consider the updates in the final guidance closely as they evaluate their compliance with FDA's regulations for electronic records and signatures:
Broadened scope. The earlier draft guidance stated that it applied to electronic systems “owned or controlled by” sponsors or other regulated entities. However, the final version of the guidance broadens the range to systems “deployed by” regulated entities. In addition, the broader term “regulated entities” is often used in the final to replace the draft’s use of the term “sponsors.”
FDA will not assess RWD Part 11 compliance pre-electronic data capture. Question 1 of the guidance asks whether electronic records from RWD sources submitted to FDA as part of a marketing application or under other predicate rules are subject to part 11 requirements. In the draft, FDA wrote that the answer was “Yes,” adding:
“21 CFR part 11 requirements apply to electronic records from real-world data (RWD) sources that were created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in FDA regulations or submitted to the Agency under requirements of the Federal Food, Drug, and Cosmetic Act (FD&C Act) or the Public Health Service Act (PHS Act), even if such records are not specifically identified in FDA regulations.”
In the final, however, the agency instead writes that “FDA does not intend to assess compliance of an electronic health record (EHR) system or other electronic systems that are sources of real-world data (RWD) with part 11 regulations” (emphasis added). However, the final guidance continues, “[o]nce the electronic record enters the sponsor's electronic data capture (EDC) system, FDA intends to assess compliance with part 11.”
Retaining “source data” information. Question 5 addressed how regulated entities should retain electronic records from a clinical investigation. The draft guidance said that the “relationship between records, source data, and all associated metadata should be preserved in a secure and traceable manner.” By contrast, the final guidance omits the recommendation that the relationship with the “source data” must be preserved by regulated entities. Instead, FDA more generally advises: “electronic records and all associated metadata should be preserved in a secure and traceable manner.” FDA adds in question 23 that it “does not intend to inspect individual DHTs for source data verification.”
Validation regulatory flexibility. FDA’s answer to question 6, pertaining to electronic communication methods, removes the draft guidance language that asserted “the regulated entity should ensure secure end-to-end transfer,” and that “audit trails in the sponsor’s electronic system should capture the date and time that electronic records are transferred and the originator of those records.” Instead, in the final version of the guidance, FDA adds flexibility into their regulatory paradigm by inserting the new recommendation: “The level of validation may vary depending on the nature of the electronic systems (e.g., bespoke or customized systems, systems that are designed to be configured for the proposed use, and systems where no alterations are needed).”
Inspectional focus. The guidance articulates that FDA’s focus during inspections will be on records related to training study staff on electronic systems, and procedures and controls governing system access, data creation, data modification, and data maintenance. Additionally, FDA will likely review documentation demonstrating that users have appropriate access rights that can be revoked and terminated by sponsors as needed, and that backup, recovery, or contingency plans for source records exist.
Time zone. For electronic systems used in clinical investigations that span different time zones, FDA removed language from the draft guidance regarding daylight savings time; and instead of asking that the time zone correspond to the date and time stamp, FDA recommends in the final guidance that the date and time stamp record times as Greenwich Mean Time (GMT).
IT service provider quality agreement. Question 17 addresses what regulated entities should include in agreements with IT service providers. On top of recommending (in both versions of the guidance) that regulated entities have a written agreement with IT service providers that describes how the IT services will meet the regulated entities’ requirements, FDA adds into the final version of the guidance the example that they should have “a master service agreement with an associated service level agreement or quality agreement.” Thus, companies hosting their clinical systems with IT service providers should ensure they have quality agreements prepared to provide oversight of those systems.
Letter of non-repudiation. Although the digital health technology section of the final guidance mostly mirrors the draft version of the guidance, the final version adds question 29, which says users of electronic signatures are required to submit letters of non-repudiation to FDA to certify that an electronic signature is the legally binding equivalent of a traditional handwritten signature. The draft guidance does not mention “letters of non-repudiation.”
Foreign clinical trials. When sponsors conduct clinical investigations with non-U.S. sites under an investigational new drug application (IND) or investigational device exemption (IDE), part 11 applies to electronic study records that will be submitted to FDA or that are maintained under agency regulations.
For studies conducted without an IND / IDE at foreign sites, the quality, integrity, and authenticity of the data submitted to FDA should be equivalent to that of data collected under an IND or IDE. This statement in the guidance strongly suggests that any electronic systems used at non-U.S. sites in non-IND/IDE studies must nonetheless ensure the quality, integrity, and authenticity of the study data in a similar manner to part 11-compliant systems.
Comments on the guidance may be submitted online here. If you have questions on electronic records or compliance with part 11 requirements more generally, please do not hesitate to contact any of the authors of this alert or the Hogan Lovells attorney with whom you generally work.
Authored by Robert Church, Blake Wilson, Alex Smith, Stephanie Agu, and Ashley Grey