If you see the message "Personal Health Information (PHI) and/or sensitive information is prohibited from SimpleTrials product" in certain parts of SimpleTrials, it is a reminder of what data should and should not be entered in SimpleTrials.
This messaging refers to the Terms of Service (see 17. Data Privacy) and the Master Service Agreement (see Section 5 Privacy by Design and 17. Data Privacy) - documents that frame the relationship between our organization, our client, and all of the licensed users. In 2021 we added this warning directly within the application to remind users of the prohibited data, since individual users may not be as familiar with these legal agreements.
Within the legal context, PHI is health information that includes individual identifiers. Therefore, any data that identifies patients (subjects) is prohibited. Typically, this messaging would be more applicable to Site clients who may want to build a patient database. The prohibition does not cover trial-assigned "Subject Numbers", which are used to track subjects while preserving anonymity within a trial.
It is important to note that there is a difference between "personal data" and PHI/PII. As an example, we WOULD expect that clients would utilize SimpleTrials to manage "personal data" such as contact records of individuals on their team and their site staff (e.g. name, work phone number, work email); this is perfectly appropriate for any CTMS as a collaborative study tool. We would NOT expect, and the Terms of Service (TOS) and Master Service Agreement (MSA) explicitly restrict, the use of SimpleTrials for PHI/PII such as medical record information about a study subject's health (e.g. their diabetes condition). This PHI/PII is appropriately captured in the source medical records and in EDC and lab databases (per the client's management of those vendors); however, it is NOT to be entered in SimpleTrials.
Consistent with our Privacy by Design approach, the system default fields that are available to users do not include PHI/PII fields. Because SimpleTrials supports custom columns and custom trackers, it is up to clients to ensure that their team members use these features compliantly (e.g. not using the custom column feature to track a subject's diabetes health information). The TOS and MSA are clear in this regard.
But What About 21 CFR Part 11 Compliance?
This messaging is not relevant to 21 CFR Part 11 compliance, which is a very different concept from PHI/PII. The Vendor Survey, available in the ADMIN > COMPLIANCE PORTAL - "All Access" Folder, provides information about how the SimpleTrials application complies with the functional elements of 21 CFR Part 11. Because such compliance is a shared responsibility, all clients should also have in place their own policies and procedures that govern their adherence actions. This includes but is not limited to:
- The client's management of user activation invitations
- Deactivations from any electronic system when individuals leave the client's organization
- How individuals are trained
- How clients ensure users have the correct User Type and data access permissions
- Users not sharing user accounts
For more information about 21 CFR Part 11, please refer to the FDA's guidance: Part 11, Electronic Records; Electronic Signatures - Scope and Application.